From e3ed561050a7dee102a02cc4fc35fa1ce6896c64 Mon Sep 17 00:00:00 2001
From: Roniece Ricardo <33437850+RonRicardo@users.noreply.github.com>
Date: Tue, 26 Nov 2024 12:09:32 -0500
Subject: [PATCH 1/4] Add reviewers dependabot action (#52983)
Co-authored-by: Kevin Heis
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
.github/workflows/reviewers-dependabot.yml | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 .github/workflows/reviewers-dependabot.yml
diff --git a/.github/workflows/reviewers-dependabot.yml b/.github/workflows/reviewers-dependabot.yml
new file mode 100644
index 000000000000..8c5855846afa
--- /dev/null
+++ b/.github/workflows/reviewers-dependabot.yml
@@ -0,0 +1,34 @@
+name: Add Dependabot Core Maintainers as Reviewers
+
+# **What it does**: Automatically add reviewers based on paths, for docs-internal and docs repos.
+# **Why we have it**: So dependabot maintainers can be notified about relevant pull requests.
+# **Who does it impact**: dependabot-core.
+
+on:
+ pull_request:
+ paths:
+ - 'data/reusable/dependabot/**'
+ - 'content/code-security/dependabot/**'
+ - 'content/rest/dependabot/**'
+
+jobs:
+ add-reviewer:
+ if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Add Dependabot Core Maintainers as reviewers
+ env:
+ GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+ PR: ${{ github.event.pull_request.html_url }}
+ run: |
+ has_reviewer=$(
+ gh pr view $PR --json reviews |
+ jq 'any(.reviews[]; select(length > 0))'
+ )
+ if ! $has_reviewer
+ then
+ gh pr edit $PR --add-reviewer github/dependabot-core
+ fi
From b56010a3c9aa97fa143a185aaaa87e121704c68e Mon Sep 17 00:00:00 2001
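Review bot: The `add-reviewer` job sets no `permissions:` and still runs `actions/checkout`, although the script only passes the PR URL to `gh`, so the job that receives `DOCS_BOT_PAT_WRITEORG_PROJECT` also carries the default `GITHUB_TOKEN` scopes and a checkout it does not appear to need. I would drop the checkout step and add `permissions: {}` under the job (or `contents: read` if the checkout has to stay). In the `run:` block, `if ! $has_reviewer` executes whatever the `gh | jq` pipeline printed as a command, and with the default shell (no `pipefail`) a failed `gh pr view` goes unnoticed; `if [ "$has_reviewer" = "false" ]` with `"$PR"` quoted is the safer test, and `set -o pipefail` at the top of the script would surface the failure. Secrets are not passed to `pull_request` runs from forks, so on `github/docs` this step will presumably fail for fork PRs unless the job is skipped for them.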
From: Artur Kordowski <9746197+akordowski@users.noreply.github.com> Date: Tue, 26 Nov 2024 18:14:11 +0100 Subject: [PATCH 2/4] Fix alert header (#35425) --- .../dependabot-alerts/viewing-and-updating-dependabot-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md index 71d5b6c612e5..2c46ee5f04d0 100644 --- a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md @@ -146,7 +146,7 @@ With a {% data variables.product.prodname_copilot_enterprise %} license, you can ## Dismissing {% data variables.product.prodname_dependabot_alerts %} -> [!TIP] +> [!NOTE] > You can only dismiss open alerts. If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear. From e8c69a2acffc3c0529b67e8c5338069beea4487b Mon Sep 17 00:00:00 2001 From: Artur Kordowski <9746197+akordowski@users.noreply.github.com> Date: Tue, 26 Nov 2024 18:28:49 +0100 Subject: [PATCH 3/4] Fix alert header - part 2 (#35427) Co-authored-by: Alex Nguyen <150945400+nguyenalex836@users.noreply.github.com> --- .../configuration-options-for-the-dependabot.yml-file.md | 2 +- .../about-dependabot-on-github-actions-runners.md | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md index ea3fc1925b8c..100d81a4b6f9 100644 
--- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md @@ -190,7 +190,7 @@ updates: interval: "daily" ``` ->[!TIP] +> [!NOTE] > The `directories` key supports globbing and the wildcard character `*`. These features are not supported by the `directory` key. ```yaml diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 60743efa50b3..55f7d09fb645 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -23,7 +23,8 @@ topics: Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see "[AUTOTITLE](/rest/actions)" and "[AUTOTITLE](/webhooks/webhook-events-and-payloads)." ->[!TIP] Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted and self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)." +> [!NOTE] +> Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted and self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)." You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using: * {% data variables.product.prodname_dotcom %}-hosted runners From 5d94c62415df7d5547f0077299f387f33b1e0935 Mon Sep 17 00:00:00 2001 
From: Artur Kordowski <9746197+akordowski@users.noreply.github.com> Date: Tue, 26 Nov 2024 19:06:10 +0100 Subject: [PATCH 4/4] Fix NuGet typo (#35428) Co-authored-by: Alex Nguyen <150945400+nguyenalex836@users.noreply.github.com> --- .../about-server-statistics.md | 2 +- .../codeql-code-scanning-for-compiled-languages.md | 10 +++++----- ...onfiguration-options-for-the-dependabot.yml-file.md | 2 +- ...nfiguration-of-private-registries-for-dependabot.md | 4 ++-- .../removing-dependabot-access-to-public-registries.md | 6 +++--- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/content/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics.md b/content/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics.md index 3ed1d4baef7c..aba6e5b66427 100644 --- a/content/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics.md +++ b/content/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/about-server-statistics.md 
@@ -141,7 +141,7 @@ The following aggregate metrics will be collected and transmitted on a daily bas | CF | `packages_stats.ecosystems.nuget.internal_packages_count` | Number of internal NuGet packages | | CG | `packages_stats.ecosystems.nuget.user_packages_count` | Number of NuGet packages owned by user accounts | | CH | `packages_stats.ecosystems.nuget.organization_packages_count` | Number of NuGet packages owned by organizations | -| CI | `packages_stats.ecosystems.nuget.daily_download_count` | Number of downloads of Nuget packages | +| CI | `packages_stats.ecosystems.nuget.daily_download_count` | Number of downloads of NuGet packages | | CJ | `packages_stats.ecosystems.nuget.daily_update_count` | Number of NuGet packages updated | | CK | `packages_stats.ecosystems.nuget.daily_delete_count` | Number of NuGet packages deleted | | CL | `packages_stats.ecosystems.nuget.daily_create_count` | Number of NuGet packages created | diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md index a88a4415038a..935508eb4999 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md 
@@ -334,8 +334,8 @@ Creating a {% data variables.product.prodname_codeql %} database without buildin You can ensure a more accurate analysis by taking the following steps: -* Provide access to the public internet or ensure that access to a private Nuget feed is available. -* Check whether the repository requires multiple versions of the same Nuget dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories. +* Provide access to the public internet or ensure that access to a private NuGet feed is available. +* Check whether the repository requires multiple versions of the same NuGet dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories. * Check whether multiple versions of .NET are referenced, for example, `net48`, `net5.0`, and `netstandard1.6`. {% data variables.product.prodname_codeql %} can use only one version and this may affect accuracy. * Avoid colliding class names, otherwise this may cause missing method call targets, which has an impact on dataflow analysis. 
@@ -379,13 +379,13 @@ If `autobuild` detects multiple solution or project files at the same (shortest) For .NET Core application development on self-hosted runners, the .NET SDK is required (for `dotnet`). -For .NET Framework application development, you will need Microsoft Build Tools (for `msbuild`) and Nuget CLI (for `nuget`). +For .NET Framework application development, you will need Microsoft Build Tools (for `msbuild`) and NuGet CLI (for `nuget`). Windows runners require `powershell.exe` to be on the `PATH`. {% ifversion codeql-no-build-csharp %} -If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private Nuget feed is available. +If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private NuGet feed is available. {% endif %} @@ -404,7 +404,7 @@ For .NET Framework application development, you will require Mono Runtime (to ru {% ifversion codeql-no-build-csharp %} -If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private Nuget feed is available. +If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private NuGet feed is available. {% endif %} diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md index 100d81a4b6f9..986df68a0268 100644 
--- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md @@ -1027,7 +1027,7 @@ You can give {% data variables.product.prodname_dependabot %} access to private > * Gradle > * Maven > * Npm -> * Nuget{% ifversion dependabot-updates-pub-private-registry %} +> * NuGet{% ifversion dependabot-updates-pub-private-registry %} > * Pub{% endif %} > * Python > * Yarn diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index eb8faacac258..50a15135b959 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md @@ -34,7 +34,7 @@ You'll find detailed guidance for the setup of the following package managers: * [Gradle](#gradle) * [Maven](#maven) * [npm](#npm) -* [Nuget](#nuget){% ifversion dependabot-updates-pub-private-registry %} +* [NuGet](#nuget){% ifversion dependabot-updates-pub-private-registry %} * [pub](#pub){% endif %} * [Python](#python) * [Yarn](#yarn) @@ -323,7 +323,7 @@ For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_d Registries should be configured using the `https` protocol. -### Nuget +### NuGet Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. 
diff --git a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md b/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md index b9b63f1f6d74..78d41777e3bd 100644 --- a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md +++ b/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md 
@@ -226,11 +226,11 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.yarnrc` file. To define private registries for individual scopes, use `"@myscope:registry" "https://private_registry_url"`. -## Nuget +## NuGet -To allow the Nuget ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed)." +To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed)." -The Nuget ecosystem additionally requires a `nuget.config` file to be checked into the repository, with either a `< clear />` tag in `` section or a key `nuget.org` as true in the `disabledPackageSources` section of the `nuget.config` file. +The NuGet ecosystem additionally requires a `nuget.config` file to be checked into the repository, with either a `< clear />` tag in `` section or a key `nuget.org` as true in the `disabledPackageSources` section of the `nuget.config` file. This is an example of a `< clear />` tag in the `packageSources` section of the `nuget.config`.