From 5e1954d69f4d7608e5895ead0e447463dca6dd23 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 14:23:32 -0400 Subject: [PATCH 1/3] Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 (#51622) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/azure-preview-env-deploy-public.yml | 2 +- .github/workflows/azure-preview-env-deploy.yml | 2 +- .github/workflows/azure-prod-build-deploy.yml | 2 +- .github/workflows/azure-staging-build-deploy.yml | 2 +- .github/workflows/main-preview-docker-cache.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/azure-preview-env-deploy-public.yml b/.github/workflows/azure-preview-env-deploy-public.yml index 6cdf30f44852..020550d37a47 100644 --- a/.github/workflows/azure-preview-env-deploy-public.yml +++ b/.github/workflows/azure-preview-env-deploy-public.yml @@ -66,7 +66,7 @@ jobs: password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 - name: Check out main branch uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/azure-preview-env-deploy.yml b/.github/workflows/azure-preview-env-deploy.yml index 3fd51fb3e399..fd6fd2a9181d 100644 --- a/.github/workflows/azure-preview-env-deploy.yml +++ b/.github/workflows/azure-preview-env-deploy.yml @@ -79,7 +79,7 @@ jobs: password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 - name: Check out PR code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/azure-prod-build-deploy.yml b/.github/workflows/azure-prod-build-deploy.yml index 0fa9a79d57eb..bd1cc03963ac 100644 --- a/.github/workflows/azure-prod-build-deploy.yml +++ b/.github/workflows/azure-prod-build-deploy.yml @@ -49,7 +49,7 @@ jobs: password: ${{ secrets.PROD_REGISTRY_PASSWORD }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 - name: Check out repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/azure-staging-build-deploy.yml b/.github/workflows/azure-staging-build-deploy.yml index df5e29b8fd44..1506b74f9498 100644 --- a/.github/workflows/azure-staging-build-deploy.yml +++ b/.github/workflows/azure-staging-build-deploy.yml @@ -57,7 +57,7 @@ jobs: password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 - name: Check out repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/main-preview-docker-cache.yml b/.github/workflows/main-preview-docker-cache.yml index d8dc052e8994..01c8a64cfc0d 100644 --- a/.github/workflows/main-preview-docker-cache.yml +++ b/.github/workflows/main-preview-docker-cache.yml @@ -42,7 +42,7 @@ jobs: password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 - name: Check out repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 From 4c18cd4e6c3d1f95e724502a728039361a33904a Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Mon, 22 Jul 2024 12:40:24 -0700 Subject: [PATCH 2/3] Delete orphaned features (2024-07-22-16-27) (#51740) --- data/features/actions-job-summaries.yml | 6 ------ data/features/actions-macos-arm.yml | 6 ------ data/features/bypass-branch-protections.yml | 6 ------ data/features/code-scanning-tool-status-page.yml | 5 ----- data/features/dependabot-version-updates-for-forks.yml | 4 ---- 5 files changed, 27 deletions(-) delete mode 100644 data/features/actions-job-summaries.yml delete mode 100644 data/features/actions-macos-arm.yml delete mode 100644 data/features/bypass-branch-protections.yml delete mode 100644 data/features/code-scanning-tool-status-page.yml delete mode 100644 data/features/dependabot-version-updates-for-forks.yml diff --git a/data/features/actions-job-summaries.yml b/data/features/actions-job-summaries.yml deleted file mode 100644 index 71d96f8e6e4a..000000000000 --- a/data/features/actions-job-summaries.yml +++ /dev/null @@ -1,6 +0,0 @@ -# Reference: #6405 -# Documentation for job summaries for jobs on the workflow run summary page. -versions: - fpt: '*' - ghec: '*' - ghes: '>3.5' diff --git a/data/features/actions-macos-arm.yml b/data/features/actions-macos-arm.yml deleted file mode 100644 index 7b1910121184..000000000000 --- a/data/features/actions-macos-arm.yml +++ /dev/null @@ -1,6 +0,0 @@ -# Reference: #6732 -# Self-hosted runners with macOS ARM -versions: - fpt: '*' - ghec: '*' - ghes: '>= 3.7' diff --git a/data/features/bypass-branch-protections.yml b/data/features/bypass-branch-protections.yml deleted file mode 100644 index dc2ade316c06..000000000000 --- a/data/features/bypass-branch-protections.yml +++ /dev/null @@ -1,6 +0,0 @@ -# Issue: 6667 -# Description: Allow merging pull requests without complying with branch protection rules. -versions: - fpt: '*' - ghec: '*' - ghes: '>= 3.8' diff --git a/data/features/code-scanning-tool-status-page.yml b/data/features/code-scanning-tool-status-page.yml deleted file mode 100644 index a9fd1f02c465..000000000000 --- a/data/features/code-scanning-tool-status-page.yml +++ /dev/null @@ -1,5 +0,0 @@ -# Reference: #8882 for the new page and #10029 for CodeQL CLI information -versions: - fpt: '*' - ghec: '*' - ghes: '>= 3.9' diff --git a/data/features/dependabot-version-updates-for-forks.yml b/data/features/dependabot-version-updates-for-forks.yml deleted file mode 100644 index 3674b3983660..000000000000 --- a/data/features/dependabot-version-updates-for-forks.yml +++ /dev/null @@ -1,4 +0,0 @@ -versions: - fpt: '*' - ghec: '*' - ghes: '>=3.8' From d8598df7a408a524c26c5fb55f5029e65e0dc061 Mon Sep 17 00:00:00 2001 From: Siara <108543037+SiaraMist@users.noreply.github.com> Date: Mon, 22 Jul 2024 14:11:48 -0700 Subject: [PATCH 3/3] Recombine two deployment environment articles (#51699) --- .../about-continuous-deployment.md | 4 +-- ...ring-custom-deployment-protection-rules.md | 2 +- ...-security-hardening-with-openid-connect.md | 2 +- .../targeting-different-environments/index.md | 2 +- ...> managing-environments-for-deployment.md} | 18 +++++-------- .../reviewing-deployments.md | 6 ++--- .../security-hardening-for-github-actions.md | 2 +- content/actions/using-jobs/index.md | 2 +- .../using-environments-for-deployment.md | 25 +++++++++++++++++++ .../using-jobs/using-environments-for-jobs.md | 15 ----------- .../using-workflows/about-workflows.md | 2 +- .../using-workflows/reusing-workflows.md | 2 +- .../using-workflows/triggering-a-workflow.md | 2 +- .../about-deployment-with-github-actions.md | 2 +- data/reusables/actions/about-environments.md | 2 +- data/reusables/actions/environment-example.md | 2 +- .../section-using-environments-for-jobs.md | 5 +++- .../oidc-deployment-protection-rules.md | 2 +- ...rmissions-statement-secrets-environment.md | 2 +- 19 files changed, 53 insertions(+), 46 deletions(-) rename content/actions/deployment/targeting-different-environments/{using-environments-for-deployment.md => managing-environments-for-deployment.md} (94%) create mode 100644 content/actions/using-jobs/using-environments-for-deployment.md delete mode 100644 content/actions/using-jobs/using-environments-for-jobs.md diff --git a/content/actions/deployment/about-deployments/about-continuous-deployment.md b/content/actions/deployment/about-deployments/about-continuous-deployment.md index 573bc8010687..03f9b3e38595 100644 --- a/content/actions/deployment/about-deployments/about-continuous-deployment.md +++ b/content/actions/deployment/about-deployments/about-continuous-deployment.md @@ -27,7 +27,7 @@ You can set up a {% data variables.product.prodname_actions %} workflow to deplo You can configure your CD workflow to run when a {% data variables.product.product_name %} event occurs (for example, when new code is pushed to the default branch of your repository), on a set schedule, manually, or when an external event occurs using the repository dispatch webhook. For more information about when your workflow can run, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)." -{% data variables.product.prodname_actions %} provides features that give you more control over deployments. For example, you can use environments to require approval for a job to proceed, restrict which branches can trigger a workflow, or limit access to secrets. You can use concurrency to limit your CD pipeline to a maximum of one in-progress deployment and one pending deployment. For more information about these features, see "[AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions)" and "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." +{% data variables.product.prodname_actions %} provides features that give you more control over deployments. For example, you can use environments to require approval for a job to proceed, restrict which branches can trigger a workflow, or limit access to secrets. You can use concurrency to limit your CD pipeline to a maximum of one in-progress deployment and one pending deployment. For more information about these features, see "[AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions)" and "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." ## Using OpenID Connect to access cloud resources @@ -40,5 +40,5 @@ You can configure your CD workflow to run when a {% data variables.product.produ ## Further reading * [AUTOTITLE](/actions/deployment/about-deployments/deploying-with-github-actions) -* [AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment){% ifversion fpt or ghec %} +* [AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment){% ifversion fpt or ghec %} * "[AUTOTITLE](/billing/managing-billing-for-github-actions)"{% endif %} diff --git a/content/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules.md b/content/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules.md index 3be23eb1614b..0300604d29dd 100644 --- a/content/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules.md +++ b/content/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules.md @@ -19,7 +19,7 @@ topics: Custom deployment protection rules are powered by {% data variables.product.prodname_github_apps %}. Once a deployment protection rule is configured and installed in a repository, it can be enabled for any environments in the repository. -After you enable a custom deployment protection rule on an environment, every time a workflow step targets that environment, the deployment protection rule will run automatically. For more information about targeting an environment for deployments, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." +After you enable a custom deployment protection rule on an environment, every time a workflow step targets that environment, the deployment protection rule will run automatically. For more information about targeting an environment for deployments, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." When a custom deployment protection rule is triggered it will wait for up to 30 days for a webhook event response before it times out and the workflow job fails. diff --git a/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md b/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md index f73c96e1dda1..5e84bdf35031 100644 --- a/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md +++ b/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md @@ -178,7 +178,7 @@ The following examples demonstrate how to use "Subject" as a condition, and expl The subject claim includes the environment name when the job references an environment. -You can configure a subject that filters for a specific [environment](/actions/deployment/targeting-different-environments/using-environments-for-deployment) name. In this example, the workflow run must have originated from a job that has an environment named `Production`, in a repository named `octo-repo` that is owned by the `octo-org` organization: +You can configure a subject that filters for a specific [environment](/actions/deployment/targeting-different-environments/managing-environments-for-deployment) name. In this example, the workflow run must have originated from a job that has an environment named `Production`, in a repository named `octo-repo` that is owned by the `octo-org` organization: * Syntax: `repo::environment:` * Example: `repo:octo-org/octo-repo:environment:Production` diff --git a/content/actions/deployment/targeting-different-environments/index.md b/content/actions/deployment/targeting-different-environments/index.md index 83b796d35e4f..8bd30b17ce28 100644 --- a/content/actions/deployment/targeting-different-environments/index.md +++ b/content/actions/deployment/targeting-different-environments/index.md @@ -7,6 +7,6 @@ versions: ghes: '*' ghec: '*' children: - - /using-environments-for-deployment + - /managing-environments-for-deployment --- diff --git a/content/actions/deployment/targeting-different-environments/using-environments-for-deployment.md b/content/actions/deployment/targeting-different-environments/managing-environments-for-deployment.md similarity index 94% rename from content/actions/deployment/targeting-different-environments/using-environments-for-deployment.md rename to content/actions/deployment/targeting-different-environments/managing-environments-for-deployment.md index 6ed7b80887ee..097f820cf764 100644 --- a/content/actions/deployment/targeting-different-environments/using-environments-for-deployment.md +++ b/content/actions/deployment/targeting-different-environments/managing-environments-for-deployment.md @@ -1,12 +1,14 @@ --- -title: Using environments for deployment -shortTitle: Use environments for deployment -intro: You can configure environments with protection rules and secrets. A workflow job that references an environment must follow any protection rules for the environment before running or accessing the environment's secrets. +title: Managing environments for deployment +shortTitle: Manage environments +intro: You can create environments and secure those environments with deployment protection rules. A job that references an environment must follow any protection rules for the environment before running or accessing the environment's secrets. product: '{% data reusables.gated-features.environments %}' +permissions: 'Repository owners' redirect_from: - /actions/reference/environments - /actions/deployment/environments - /actions/deployment/using-environments-for-deployment + - /actions/deployment/targeting-different-environments/using-environments-for-deployment topics: - CD - Deployment @@ -204,7 +206,7 @@ Variables stored in an environment are only available to workflow jobs that refe 1. Select the custom protection rule you want to enable. 1. Click **Save protection rules**. {%- endif %} -1. Optionally, specify what branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %} can deploy to this environment. For more information, see "[Deployment branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %}](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches{% ifversion deployment-protections-tag-patterns %}-and-tags{% endif %})." +1. Optionally, specify what branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %} can deploy to this environment. For more information, see "[Deployment branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %}](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#deployment-branches{% ifversion deployment-protections-tag-patterns %}-and-tags{% endif %})." 1. Select the desired option in the **Deployment branches** dropdown. 1. If you chose **Selected branches{% ifversion deployment-protections-tag-patterns %} and tags{% endif %}**, to add a new rule, click **Add deployment branch{% ifversion deployment-protections-tag-patterns %} or tag{% endif %} rule** {% ifversion deployment-protections-tag-patterns %}1. In the "Ref type" dropdown menu, depending on what rule you want to apply, click **{% octicon "git-branch" aria-label="The branch icon" %} Branch** or **{% octicon "tag" aria-label="The tag icon" %} Tag**.{% endif %} @@ -230,14 +232,6 @@ You can also create and configure environments through the REST API. For more in Running a workflow that references an environment that does not exist will create an environment with the referenced name. The newly created environment will not have any protection rules or secrets configured. Anyone that can edit workflows in the repository can create environments via a workflow file, but only repository admins can configure the environment. -## Using an environment - -Each job in a workflow can reference a single environment. Any protection rules configured for the environment must pass before a job referencing the environment is sent to a runner. The job can access the environment's secrets only after the job is sent to a runner. - -When a workflow references an environment, the environment will appear in the repository's deployments. For more information about viewing current and previous deployments, see "[AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history)." - -{% data reusables.actions.environment-example %} - ## Deleting an environment {% data reusables.actions.permissions-statement-environment %} diff --git a/content/actions/managing-workflow-runs/reviewing-deployments.md b/content/actions/managing-workflow-runs/reviewing-deployments.md index e3888480fcff..e521136bf340 100644 --- a/content/actions/managing-workflow-runs/reviewing-deployments.md +++ b/content/actions/managing-workflow-runs/reviewing-deployments.md @@ -14,7 +14,7 @@ versions: Jobs that reference an environment configured with required reviewers will wait for an approval before starting. While a job is awaiting approval, it has a status of "Waiting". If a job is not approved within 30 days, it will automatically fail. -For more information about environments and required approvals, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." For information about how to review deployments with the REST API, see "[AUTOTITLE](/rest/actions/workflow-runs)." +For more information about environments and required approvals, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." For information about how to review deployments with the REST API, see "[AUTOTITLE](/rest/actions/workflow-runs)." ## Approving or rejecting a job @@ -27,7 +27,7 @@ For more information about environments and required approvals, see "[AUTOTITLE] {% ifversion deployments-prevent-self-approval %}{% note %} -**Note:** If the targeted environment is configured to prevent self-approvals for deployments, you will not be able to approve a deployment from a workflow run you initiated. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers)." +**Note:** If the targeted environment is configured to prevent self-approvals for deployments, you will not be able to approve a deployment from a workflow run you initiated. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#required-reviewers)." {% endnote %}{% endif %} @@ -41,7 +41,7 @@ If you have configured deployment protection rules that control whether software **Notes:** -* You cannot bypass deployment protection rules if the environment has been configured to prevent admins from bypassing configured protection rules. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment)." +* You cannot bypass deployment protection rules if the environment has been configured to prevent admins from bypassing configured protection rules. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#creating-an-environment)." * You can only bypass deployment protection rules during workflow execution when a job referencing the environment is in a "Pending" state. {% endnote %} diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index e186c0eb0932..12aa6e17c243 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md @@ -43,7 +43,7 @@ To help prevent accidental disclosure, {% data variables.product.product_name %} * Periodically review the registered secrets to confirm they are still required. Remove those that are no longer needed. * Rotate secrets periodically to reduce the window of time during which a compromised secret is valid. * **Consider requiring review for access to secrets** - * You can use required reviewers to protect environment secrets. A workflow job cannot access environment secrets until approval is granted by a reviewer. For more information about storing secrets in environments or requiring reviews for environments, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" and "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." + * You can use required reviewers to protect environment secrets. A workflow job cannot access environment secrets until approval is granted by a reviewer. For more information about storing secrets in environments or requiring reviews for environments, see "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)" and "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." {% warning %} diff --git a/content/actions/using-jobs/index.md b/content/actions/using-jobs/index.md index c67b458c0529..867d8f936dea 100644 --- a/content/actions/using-jobs/index.md +++ b/content/actions/using-jobs/index.md @@ -14,7 +14,7 @@ children: - /using-conditions-to-control-job-execution - /using-a-matrix-for-your-jobs - /using-concurrency - - /using-environments-for-jobs + - /using-environments-for-deployment - /running-jobs-in-a-container - /setting-default-values-for-jobs - /assigning-permissions-to-jobs diff --git a/content/actions/using-jobs/using-environments-for-deployment.md b/content/actions/using-jobs/using-environments-for-deployment.md new file mode 100644 index 000000000000..3ba1ea3d9ffd --- /dev/null +++ b/content/actions/using-jobs/using-environments-for-deployment.md @@ -0,0 +1,25 @@ +--- +title: Using environments for deployment +shortTitle: Environments +intro: Specify a deployment environment in your workflow. +versions: + fpt: '*' + ghes: '> 3.0' + ghec: '*' +redirect_from: + - /actions/using-jobs/using-environments-for-jobs +--- + +{% data reusables.actions.enterprise-github-hosted-runners %} + +## About environments + +{% data reusables.actions.about-environments %} + +Each job in a workflow can reference a single environment. Any protection rules configured for the environment must pass before a job referencing the environment is sent to a runner. The job can access the environment's secrets only after the job is sent to a runner. + +When a workflow references an environment, the environment will appear in the repository's deployments. For more information about viewing current and previous deployments, see "[AUTOTITLE](/actions/deployment/managing-your-deployments/viewing-deployment-history)." + +## Using an environment in a workflow + +{% data reusables.actions.environment-example %} diff --git a/content/actions/using-jobs/using-environments-for-jobs.md b/content/actions/using-jobs/using-environments-for-jobs.md deleted file mode 100644 index bd0b7f8ee192..000000000000 --- a/content/actions/using-jobs/using-environments-for-jobs.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: Using environments for jobs -shortTitle: Environments -intro: Specify an environment for a job. -versions: - fpt: '*' - ghes: '> 3.0' - ghec: '*' ---- - -{% data reusables.actions.enterprise-github-hosted-runners %} - -## Overview - -{% data reusables.actions.jobs.section-using-environments-for-jobs %} diff --git a/content/actions/using-workflows/about-workflows.md b/content/actions/using-workflows/about-workflows.md index c57040abe427..9e634c8d9087 100644 --- a/content/actions/using-workflows/about-workflows.md +++ b/content/actions/using-workflows/about-workflows.md @@ -206,4 +206,4 @@ To learn more about {% data variables.product.prodname_dotcom %}-hosted runner l ### Using environments -You can configure environments with protection rules and secrets to control the execution of jobs in a workflow. Each job in a workflow can reference a single environment. Any protection rules configured for the environment must pass before a job referencing the environment is sent to a runner. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." +You can configure environments with protection rules and secrets to control the execution of jobs in a workflow. Each job in a workflow can reference a single environment. Any protection rules configured for the environment must pass before a job referencing the environment is sent to a runner. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." diff --git a/content/actions/using-workflows/reusing-workflows.md b/content/actions/using-workflows/reusing-workflows.md index 193954dd4238..01025ae6a194 100644 --- a/content/actions/using-workflows/reusing-workflows.md +++ b/content/actions/using-workflows/reusing-workflows.md @@ -172,7 +172,7 @@ You can define inputs and secrets, which can be passed from the caller workflow {% note %} - **Note**: Environment secrets are {% ifversion fpt or ghec %}encrypted {% endif %}strings that are stored in an environment that you've defined for a repository. Environment secrets are only available to workflow jobs that reference the appropriate environment. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets)." + **Note**: Environment secrets are {% ifversion fpt or ghec %}encrypted {% endif %}strings that are stored in an environment that you've defined for a repository. Environment secrets are only available to workflow jobs that reference the appropriate environment. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#environment-secrets)." {% endnote %} diff --git a/content/actions/using-workflows/triggering-a-workflow.md b/content/actions/using-workflows/triggering-a-workflow.md index be2eddb6af51..06b8c049bb91 100644 --- a/content/actions/using-workflows/triggering-a-workflow.md +++ b/content/actions/using-workflows/triggering-a-workflow.md @@ -277,7 +277,7 @@ For more information about what information is available in the event context, s ### Using environments to manually trigger workflow jobs -If you want to manually trigger a specific job in a workflow, you can use an environment that requires approval from a specific team or user. First, configure an environment with required reviewers. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." Then, reference the environment name in a job in your workflow using the `environment:` key. Any job referencing the environment will not run until at least one reviewer approves the job. +If you want to manually trigger a specific job in a workflow, you can use an environment that requires approval from a specific team or user. First, configure an environment with required reviewers. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." Then, reference the environment name in a job in your workflow using the `environment:` key. Any job referencing the environment will not run until at least one reviewer approves the job. For example, the following workflow will run whenever there is a push to main. The `build` job will always run. The `publish` job will only run after the `build` job successfully completes (due to `needs: [build]`) and after all of the rules (including required reviewers) for the environment called `production` pass (due to `environment: production`). diff --git a/data/reusables/actions/about-deployment-with-github-actions.md b/data/reusables/actions/about-deployment-with-github-actions.md index 9da6f2f95e44..d53b435cb81c 100644 --- a/data/reusables/actions/about-deployment-with-github-actions.md +++ b/data/reusables/actions/about-deployment-with-github-actions.md @@ -1 +1 @@ -You can deliver deployments through {% data variables.product.prodname_actions %} and environments or with the REST API and third party apps. For more information about using environments to deploy with {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." For more information about deployments with the REST API, see "[AUTOTITLE](/rest/repos#deployments)." +You can deliver deployments through {% data variables.product.prodname_actions %} and environments or with the REST API and third party apps. For more information about using environments to deploy with {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." For more information about deployments with the REST API, see "[AUTOTITLE](/rest/repos#deployments)." diff --git a/data/reusables/actions/about-environments.md b/data/reusables/actions/about-environments.md index feb69946e134..b8c0d8d7144f 100644 --- a/data/reusables/actions/about-environments.md +++ b/data/reusables/actions/about-environments.md @@ -1 +1 @@ -Environments are used to describe a general deployment target like `production`, `staging`, or `development`. When a {% data variables.product.prodname_actions %} workflow deploys to an environment, the environment is displayed on the main page of the repository. You can use environments to require approval for a job to proceed, restrict which branches can trigger a workflow{% ifversion actions-custom-deployment-protection-rules-beta %}, gate deployments with custom deployment protection rules{% endif %}, or limit access to secrets. For more information about creating environments, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." +Environments are used to describe a general deployment target like `production`, `staging`, or `development`. When a {% data variables.product.prodname_actions %} workflow deploys to an environment, the environment is displayed on the main page of the repository. You can use environments to require approval for a job to proceed, restrict which branches can trigger a workflow{% ifversion actions-custom-deployment-protection-rules-beta %}, gate deployments with custom deployment protection rules{% endif %}, or limit access to secrets. For more information about creating environments, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." diff --git a/data/reusables/actions/environment-example.md b/data/reusables/actions/environment-example.md index 33dcc0224729..eb02d228267f 100644 --- a/data/reusables/actions/environment-example.md +++ b/data/reusables/actions/environment-example.md @@ -1,4 +1,4 @@ -You can specify an environment for each job in your workflow. To do so, add a `jobs..environment` key followed by the name of the environment. +You can specify an environment for each job in your workflow. To do so, add a [`jobs..environment`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idenvironment) key followed by the name of the environment. For example, this workflow will use an environment called `production`. diff --git a/data/reusables/actions/jobs/section-using-environments-for-jobs.md b/data/reusables/actions/jobs/section-using-environments-for-jobs.md index 3e3bc34f6150..66015f307a7d 100644 --- a/data/reusables/actions/jobs/section-using-environments-for-jobs.md +++ b/data/reusables/actions/jobs/section-using-environments-for-jobs.md @@ -1,7 +1,10 @@ -Use `jobs..environment` to define the environment that the job references. All deployment protection rules must pass before a job referencing the environment is sent to a runner. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." +Use `jobs..environment` to define the environment that the job references. You can provide the environment as only the environment `name`, or as an environment object with the `name` and `url`. The URL maps to `environment_url` in the deployments API. For more information about the deployments API, see "[AUTOTITLE](/rest/repos#deployments)." +> [!NOTE] +> All deployment protection rules must pass before a job referencing the environment is sent to a runner. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)." + ### Example: Using a single environment name {% raw %} diff --git a/data/reusables/actions/oidc-deployment-protection-rules.md b/data/reusables/actions/oidc-deployment-protection-rules.md index 68d35cce78f6..967b5683feb0 100644 --- a/data/reusables/actions/oidc-deployment-protection-rules.md +++ b/data/reusables/actions/oidc-deployment-protection-rules.md @@ -1,5 +1,5 @@ {% note %} -**Note**: When environments are used in workflows or in OIDC policies, we recommend adding protection rules to the environment for additional security. For example, you can configure deployment rules on an environment to restrict which branches and tags can deploy to the environment or access environment secrets. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules)." +**Note**: When environments are used in workflows or in OIDC policies, we recommend adding protection rules to the environment for additional security. For example, you can configure deployment rules on an environment to restrict which branches and tags can deploy to the environment or access environment secrets. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment#deployment-protection-rules)." {% endnote %} diff --git a/data/reusables/actions/permissions-statement-secrets-environment.md b/data/reusables/actions/permissions-statement-secrets-environment.md index a181b5a3371d..2454550cbfa6 100644 --- a/data/reusables/actions/permissions-statement-secrets-environment.md +++ b/data/reusables/actions/permissions-statement-secrets-environment.md @@ -1 +1 @@ -To create secrets or variables for an environment in a personal account repository, you must be the repository owner. To create secrets or variables for an environment in an organization repository, you must have `admin` access. For more information on environments, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment)." +To create secrets or variables for an environment in a personal account repository, you must be the repository owner. To create secrets or variables for an environment in an organization repository, you must have `admin` access. For more information on environments, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/managing-environments-for-deployment)."