From 0a0269999b8382aeb94922a111463eee6fc6d4de Mon Sep 17 00:00:00 2001 From: "release-controller[bot]" <110195724+release-controller[bot]@users.noreply.github.com> Date: Wed, 18 Dec 2024 05:30:18 +1000 Subject: [PATCH 1/2] Patch release notes for GitHub Enterprise Server (#53601) Co-authored-by: Release-Controller Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com> Co-authored-by: Vanessa Co-authored-by: Devin Dooley --- .../enterprise-server/3-11/19.yml | 52 ++++++++++ .../enterprise-server/3-12/13.yml | 56 +++++++++++ .../enterprise-server/3-13/9.yml | 60 ++++++++++++ .../enterprise-server/3-14/6.yml | 78 +++++++++++++++ .../enterprise-server/3-15/1.yml | 94 +++++++++++++++++++ 5 files changed, 340 insertions(+) create mode 100644 data/release-notes/enterprise-server/3-11/19.yml create mode 100644 data/release-notes/enterprise-server/3-12/13.yml create mode 100644 data/release-notes/enterprise-server/3-13/9.yml create mode 100644 data/release-notes/enterprise-server/3-14/6.yml create mode 100644 data/release-notes/enterprise-server/3-15/1.yml diff --git a/data/release-notes/enterprise-server/3-11/19.yml b/data/release-notes/enterprise-server/3-11/19.yml new file mode 100644 index 000000000000..7dad0338bad2 --- /dev/null +++ b/data/release-notes/enterprise-server/3-11/19.yml 
@@ -0,0 +1,52 @@ +date: '2024-12-17' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + The audit log cluster rebalance script incorrectly proceeded before all shards were ready. This caused the script to exit before the necessary data was available, potentially leading to issues with the audit log migration. + - | + For instances hosted on Azure, if a pre-upgrade check failed due to insufficient user disk size, the Management Console displayed an internal server error. + - | + Pull request synchronization—the process keeping pull requests up to date with the latest commits to a branch—sometimes failed to retry if the initial synchronization process failed. + - | + When creating a pre-receive hook environment, attempts to include an image URL over 255 characters failed with a database error. The maximum length is still 255 characters, but the URL length is now validated before the process starts. + - | + Performing a browser back navigation to a pull request now displays up-to-date status checks. + - | + Subversion services were non-functional in some cases. + changes: + - | + Pull request merges are handled more efficiently, allowing more Git objects to be created before timeout. Additionally, loose objects created by merges that time out are now discarded, limiting the accumulation of these objects. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. 
For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + {% data reusables.release-notes.2023-11-aws-system-time %} + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} + - | + Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions. + - | + The `reply.[hostname]` subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**. When regenerating the certificates with management console, the `subdomain reply.[hostname]` is missing from the ssl certification. + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Some customers upgrading from 3.11.x or 3.12.x may experience a bug with the feature "Automatic update checks", filling the root disk with logs causing a system degradation. 
To prevent this, you can turn off the feature [Enable automatic update check](/admin/upgrading-your-instance/preparing-to-upgrade/enabling-automatic-update-checks#enabling-automatic-update-checks) in the management console. diff --git a/data/release-notes/enterprise-server/3-12/13.yml b/data/release-notes/enterprise-server/3-12/13.yml new file mode 100644 index 000000000000..028f9855e693 --- /dev/null +++ b/data/release-notes/enterprise-server/3-12/13.yml 
@@ -0,0 +1,56 @@ +date: '2024-12-17' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + The `--no-async` flag was not implemented for the `ghe-cluster-support-bundle` command, leading to a potentially increased load. + - | + In a high availability configuration, with GitHub Actions, replication would fail on nodes where MSSQL was not configured to run. + - | + The audit log cluster rebalance script incorrectly proceeded before all shards were ready. This caused the script to exit before the necessary data was available, potentially leading to issues with the audit log migration. + - | + For instances hosted on Azure, if a pre-upgrade check failed due to insufficient user disk size, the Management Console displayed an internal server error. + - | + On an instance with secret scanning enabled, when selecting repositories for a dry run of an enterprise-level custom pattern, searches for full repository names (`ORGANIZATION/REPOSITORY`) did not return results. + - | + When creating a pre-receive hook environment, attempts to include an image URL over 255 characters failed with a database error. The maximum length is still 255 characters, but the URL length is now validated before the process starts. + - | + Performing a browser back navigation to a pull request now displays up-to-date status checks. + - | + Subversion services were non-functional in some cases. + changes: + - | + When exporting repositories to blob storage using the migrations REST API endpoint to start an organization migration, the maximum compressed archive size is limited to 90 GB. This is an increase from 30 GB. + - | + Pull request merges are handled more efficiently, allowing more Git objects to be created before timeout. Additionally, loose objects created by merges that time out are now discarded, limiting the accumulation of these objects. 
+ - | + When exporting repositories using the migrations REST API, prior to blob storage upload the tarball is staged in the root volume. For more disk capacity, the tarball will now be staged in the data volume. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + {% data reusables.release-notes.2023-11-aws-system-time %} + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions. + - | + The `reply.[hostname]` subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**. 
When regenerating the certificates with management console, the `subdomain reply.[hostname]` is missing from the ssl certification. + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Some customers upgrading from 3.11.x or 3.12.x may experience a bug with the feature "Automatic update checks", filling the root disk with logs causing a system degradation. To prevent this, you can turn off the feature [Enable automatic update check](/admin/upgrading-your-instance/preparing-to-upgrade/enabling-automatic-update-checks#enabling-automatic-update-checks) in the management console. diff --git a/data/release-notes/enterprise-server/3-13/9.yml b/data/release-notes/enterprise-server/3-13/9.yml new file mode 100644 index 000000000000..7f9064cbcc91 --- /dev/null +++ b/data/release-notes/enterprise-server/3-13/9.yml 
@@ -0,0 +1,60 @@ +date: '2024-12-17' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + On an instance in a cluster configuration, `ghe-repl-promote` failed if the primary node was unavailable. + - | + In a high availability configuration, with GitHub Actions, replication would fail on nodes where MSSQL was not configured to run. + - | + The `--no-async` flag was not implemented for the `ghe-cluster-support-bundle` command, leading to a potentially increased load. + - | + Pre-receive hook environments with shared memory enabled could not access shared memory at runtime. + - | + For instances hosted on Azure, if a pre-upgrade check failed due to insufficient user disk size, the Management Console displayed an internal server error. + - | + The Enterprise Overview page incorrectly displayed a Beta label, even though it is generally available. + - | + After a user made changes to the isolated subdomain setting, some user assets did not display properly. + - | + On an instance with secret scanning enabled, when selecting repositories for a dry run of an enterprise-level custom pattern, searches for full repository names (`ORGANIZATION/REPOSITORY`) did not return results. + - | + When adding bypass permissions to a ruleset, the dropdown menu failed to load if one of the suggested actors was an invalid integration. + - | + When creating a pre-receive hook environment, attempts to include an image URL over 255 characters failed with a database error. The maximum length is still 255 characters, but the URL length is now validated before the process starts. + - | + Performing a browser back navigation to a pull request now displays up-to-date status checks. + - | + Jekyll-build tooling for GitHub pages could fail when using the `jekyll-relative-links` plugin, see [Failure details](https://github.com/jekyll/jekyll/issues/9544). + - | + Subversion services were non-functional in some cases. 
+ changes: + - | + When exporting repositories to blob storage using the migrations REST API endpoint to start an organization migration, the maximum compressed archive size is limited to 90 GB. This is an increase from 30 GB. + - | + Removes the minimum date for the new commit filter bar. + - | + When exporting repositories using the migrations REST API, prior to blob storage upload the tarball is staged in the root volume. For more disk capacity, the tarball will now be staged in the data volume. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions. + - | + For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. 
If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. diff --git a/data/release-notes/enterprise-server/3-14/6.yml b/data/release-notes/enterprise-server/3-14/6.yml new file mode 100644 index 000000000000..8b17d6293d58 --- /dev/null +++ b/data/release-notes/enterprise-server/3-14/6.yml 
@@ -0,0 +1,78 @@ +date: '2024-12-17' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + On an instance in a cluster configuration, `ghe-repl-promote` failed if the primary node was unavailable. + - | + In a high availability configuration, with GitHub Actions, replication would fail on nodes where MSSQL was not configured to run. + - | + The `--no-async` flag was not implemented for the `ghe-cluster-support-bundle` command, leading to a potentially increased load. + - | + Pre-receive hook environments with shared memory enabled could not access shared memory at runtime. + - | + For instances hosted on Azure, if a pre-upgrade check failed due to insufficient user disk size, the Management Console displayed an internal server error. + - | + The Enterprise Overview page incorrectly displayed a Beta label, even though it is generally available. + - | + After a user made changes to the isolated subdomain setting, some user assets did not display properly. + - | + On an instance with secret scanning enabled, when selecting repositories for a dry run of an enterprise-level custom pattern, searches for full repository names (`ORGANIZATION/REPOSITORY`) did not return results. + - | + When adding bypass permissions to a ruleset, the dropdown menu failed to load if one of the suggested actors was an invalid integration. + - | + When creating a pre-receive hook environment, attempts to include an image URL over 255 characters failed with a database error. The maximum length is still 255 characters, but the URL length is now validated before the process starts. + - | + On an instance with GitHub Actions disabled, status check icons on a repositorys commit list failed to render. + - | + Site administrators were unable to use the "Disable repository access" functionality on the site admin dashboard. 
+ - | + Attempting to access the code security settings page for a non-existent enterprise returned a 500 error instead of a 404 error. + - | + Performing a browser back navigation to a pull request now displays up-to-date status checks. + - | + Jekyll-build tooling for GitHub pages could fail when using the `jekyll-relative-links` plugin, see [Failure details](https://github.com/jekyll/jekyll/issues/9544). + - | + The removal rate of issues from Git repositories was slower than necessary. + changes: + - | + Log output for git maintenance now includes the time taken to complete the maintenance process. + - | + When exporting repositories to blob storage using the migrations REST API endpoint to start an organization migration, the maximum compressed archive size is limited to 90 GB. This is an increase from 30 GB. + - | + Removes the minimum date for the new commit filter bar. + - | + When exporting repositories using the migrations REST API, prior to blob storage upload the tarball is staged in the root volume. For more disk capacity, the tarball will now be staged in the data volume. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). 
+ - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions. + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. 
+ - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + In the header bar displayed to site administrators, some icons are not available. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. diff --git a/data/release-notes/enterprise-server/3-15/1.yml b/data/release-notes/enterprise-server/3-15/1.yml new file mode 100644 index 000000000000..bf92ed5bcde1 --- /dev/null +++ b/data/release-notes/enterprise-server/3-15/1.yml 
@@ -0,0 +1,94 @@ +date: '2024-12-17' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + On an instance in a cluster configuration, `ghe-repl-promote` failed if the primary node was unavailable. + - | + In a high availability configuration, with GitHub Actions, replication would fail on nodes where MSSQL was not configured to run. + - | + The `--no-async` flag was not implemented for the `ghe-cluster-support-bundle` command, leading to a potentially increased load. + - | + Pre-receive hook environments with shared memory enabled could not access shared memory at runtime. + - | + For instances hosted on Azure, if a pre-upgrade check failed due to insufficient user disk size, the Management Console displayed an internal server error. + - | + Preflight checks now recognize the updated 500GB user disk as a recommendation, not a requirement. + - | + The Enterprise Overview page incorrectly displayed a Beta label, even though it is generally available. + - | + After a user made changes to the isolated subdomain setting, some user assets did not display properly. + - | + Customers performing a feature version upgrade to 3.13.6 or 3.14.3 could experience issues with database migrations due to data issues during database conversions. + - | + On an instance with secret scanning enabled, when selecting repositories for a dry run of an enterprise-level custom pattern, searches for full repository names (`ORGANIZATION/REPOSITORY`) did not return results. + - | + When adding bypass permissions to a ruleset, the dropdown menu failed to load if one of the suggested actors was an invalid integration. + - | + When creating a pre-receive hook environment, attempts to include an image URL over 255 characters failed with a database error. The maximum length is still 255 characters, but the URL length is now validated before the process starts. 
+ - | + On an instance with GitHub Actions disabled, status check icons on a repositorys commit list failed to render. + - | + Site administrators were unable to use the "Disable repository access" functionality on the site admin dashboard. + - | + Attempting to access the code security settings page for a non-existent enterprise returned a 500 error instead of a 404 error. + - | + Performing a browser back navigation to a pull request now displays up-to-date status checks + - | + The removal rate of issues from Git repositories was slower than necessary. + changes: + - | + When connecting to an appliance via SSH, a notification about upcoming root disk changes displays. + - | + Log output for git maintenance now includes the time taken to complete the maintenance process. + - | + When exporting repositories to blob storage using the migrations REST API endpoint to start an organization migration, the maximum compressed archive size is limited to 90 GB. This is an increase from 30 GB. + - | + Removes the minimum date for the new commit filter bar. + - | + When exporting repositories using the migrations REST API, prior to blob storage upload the tarball is staged in the root volume. For more disk capacity, the tarball will now be staged in the data volume. + known_issues: + - | + Admins setting up cluster high availability (HA) may encounter a `spokes` error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. 
+ - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions. + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. 
+ - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + In the header bar displayed to site administrators, some icons are not available. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. + deprecations: + # https://github.com/github/releases/issues/4037 + - heading: Upcoming deprecation of projects (classic) + notes: + - | + Projects (classic) will be removed from GitHub Enterprise Server 3.16 and later. 
For more information, see [Sunset Notice – Projects (classic)](https://github.blog/changelog/2024-05-23-sunset-notice-projects-classic). From bc02699a2e53b9baa78ed1da81707ba930767a27 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Tue, 17 Dec 2024 21:25:41 +0100 Subject: [PATCH 2/2] Add Actions as supported language (#53606) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> Co-authored-by: Andrew Eisenberg --- .../security-hardening-for-github-actions.md | 13 ++++++++++++- .../about-code-scanning-with-codeql.md | 2 ++ data/features/code-scanning-actions-language.yml | 6 ++++++ .../code-scanning/beta-actions-analysis.md | 6 ++++++ .../codeql-language-identifiers-table.md | 9 +++++++-- .../code-scanning/codeql-languages-bullets.md | 2 ++ 6 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 data/features/code-scanning-actions-language.yml create mode 100644 data/reusables/code-scanning/beta-actions-analysis.md diff --git a/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md index 3c38b5b604d4..72baa66deb2e 100644 --- a/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md 
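Review bot: In `data/release-notes/enterprise-server/3-11/19.yml`, the only `security_fixes` entry, "Packages have been updated to the latest security versions.", names neither the packages nor the advisories they address, so an administrator cannot judge severity or decide how urgently to apply the patch; the identical one-line entry is repeated in the 3-12, 3-13, 3-14 and 3-15 files in this same patch. Suggest listing the updated packages (with CVE identifiers where they exist) or linking the relevant advisory. Two wording points in the same file's `known_issues`: in the `reply.[hostname]` entry the code span should wrap only `reply.[hostname]`, with the word "subdomain" outside it, and "ssl"/"ssl certification" should read "SSL"/"SSL certificate"; and in the `mbind: Operation not permitted` entry, "does not gracefully handle when the `CAP_SYS_NICE` capability isn't required" reads as though the capability being unnecessary were the problem, so confirm whether "isn't granted" (or "isn't available") is the intended meaning.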
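Review bot: In `data/release-notes/enterprise-server/3-12/13.yml`, the `known_issues` entry on the HTTP `X-Forwarded-For` header states that every client IP in the audit log appears as 127.0.0.1 but says nothing about the consequence, which for a security team is that the audit log cannot attribute actions to a source address for as long as the instance sits behind a load balancer. Suggest adding a sentence on that impact so that teams relying on the audit log for attribution or incident response know to retain the load balancer's own access logs while the issue is open, in the same way the Management Console lockout entry in this list points the reader at a troubleshooting page. Minor wording in `bugs`: "leading to a potentially increased load" reads better as "potentially leading to increased load", and the `reply.[hostname]` entry has the same misplaced code span and lowercase "ssl" as the 3-11 file.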
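Review bot: In `data/release-notes/enterprise-server/3-13/9.yml`, the `known_issues` entry on restoring a backup says the Elasticsearch indices "need to be reindexed before some of the data will show up" and gives `/usr/local/share/enterprise/ghe-es-search-repair` as the manual fix, but does not say which data is affected (for example whether search results or the audit log are among it) or how an administrator verifying a restore can tell that the nightly job has caught up; one sentence on what to check would make the entry actionable. Three style points in the same file: "Jekyll-build tooling for GitHub pages" should be "GitHub Pages", "the elasticsearch indices" should be "the Elasticsearch indices", and "shutdown the node" in the emergency node-replacement entry should be "shut down the node".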
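Review bot: In `data/release-notes/enterprise-server/3-14/6.yml`, the `known_issues` list contains the same entry twice: the "When following the steps for [Replacing the primary MySQL node](...), step 14 (running `ghe-cluster-config-apply`) might fail with errors." entry appears once after the admin stats entry and again after the organization-level code scanning entry; drop one copy. The entry about restoring data "originally backed up from a 3.13 appliance onto a 3.13 appliance" has been carried into the 3.14.6 notes unchanged, so either the version numbers need updating or the wording should state which backup and target version combinations are affected. In `bugs`, "a repositorys commit list" needs its apostrophe ("a repository's commit list").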
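Review bot: In `data/release-notes/enterprise-server/3-15/1.yml`, `known_issues` has two duplicated entries: the "Replacing the primary MySQL node" step 14 entry and "An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning." each appear twice; drop the second copy of each. The `bugs` entry "Customers performing a feature version upgrade to 3.13.6 or 3.14.3 could experience issues with database migrations due to data issues during database conversions" sits in the 3.15.1 notes without saying what 3.15.1 changes (is the upgrade path from those versions now safe, or is the 3.15.1 migration itself fixed?); since a failed database migration is the kind of problem that leaves an upgrade unrecoverable, the entry should be explicit about which upgrades are affected and what was fixed. Smaller points: "Performing a browser back navigation to a pull request now displays up-to-date status checks" is missing its terminal period, and "a repositorys commit list" needs an apostrophe.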
@@ -224,7 +224,18 @@ The same principles described above for using third-party actions also apply to For more information on how to configure this setting, see {% ifversion ghes or ghec %}[AUTOTITLE](/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests),{% endif %} [Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests), and [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests). -## Using OpenSSF Scorecards to secure workflows +{% ifversion code-scanning-actions-language %} + +## Using {% data variables.product.prodname_code_scanning %} to secure workflows + +{% data reusables.code-scanning.beta-actions-analysis %} + +{% data variables.product.prodname_code_scanning_caps %} can automatically detect and suggest improvements for common vulnerable patterns used in {% data variables.product.prodname_actions %} workflows. +For more information on how to enable {% data variables.product.prodname_code_scanning %}, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). + +{% endif %} + +## Using OpenSSF Scorecards to secure workflow dependencies [Scorecards](https://github.com/ossf/scorecard) is an automated security tool that flags risky supply chain practices. You can use the [Scorecards action](https://github.com/marketplace/actions/ossf-scorecard-action) and [workflow template](https://github.com/actions/starter-workflows) to follow best security practices. 
Once configured, the Scorecards action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in {% data variables.product.prodname_code_scanning %} experience. The Scorecards project runs a number of checks, including script injection attacks, token permissions, and pinned actions. diff --git a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md index b69d87dfa50e..91eaf0483d36 100644 --- a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md +++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md @@ -49,6 +49,8 @@ For information about {% data variables.product.prodname_code_scanning %} alerts {% data reusables.code-scanning.codeql-languages-bullets %} +{% data reusables.code-scanning.beta-actions-analysis %} + {% ifversion fpt or ghec or ghes > 3.10 %} ## Modeling custom or niche frameworks diff --git a/data/features/code-scanning-actions-language.yml b/data/features/code-scanning-actions-language.yml new file mode 100644 index 000000000000..374625e99d44 --- /dev/null +++ b/data/features/code-scanning-actions-language.yml @@ -0,0 +1,6 @@ +# Reference: #16135 +# Code scanning is able to analyze Actions workflows. +# This feature is not yet available for GitHub Enterprise Server. +versions: + fpt: '*' + ghec: '*' diff --git a/data/reusables/code-scanning/beta-actions-analysis.md b/data/reusables/code-scanning/beta-actions-analysis.md new file mode 100644 index 000000000000..5e687ab053ee --- /dev/null +++ b/data/reusables/code-scanning/beta-actions-analysis.md 
@@ -0,0 +1,6 @@ +{% ifversion code-scanning-actions-language %} + +> [!NOTE] +> The ability to use {% data variables.product.prodname_code_scanning %} to find vulnerabilities in {% data variables.product.prodname_actions %} workflows is currently in {% data variables.release-phases.public_preview %} and subject to change. + +{% endif %} diff --git a/data/reusables/code-scanning/codeql-language-identifiers-table.md b/data/reusables/code-scanning/codeql-language-identifiers-table.md index 2524f9acd6a9..5990905105ce 100644 --- a/data/reusables/code-scanning/codeql-language-identifiers-table.md +++ b/data/reusables/code-scanning/codeql-language-identifiers-table.md @@ -8,8 +8,13 @@ | Java/Kotlin | `java-kotlin` | `java` or `kotlin` | | JavaScript/TypeScript | `javascript-typescript` | `javascript` or `typescript` | | Python | `python` | -| Ruby | `ruby` -| Swift | `swift` +| Ruby | `ruby` | +| Swift | `swift` | +| {% ifversion code-scanning-actions-language %} | +{% data variables.product.prodname_actions %} workflows | `actions` +| {% endif %} + +{% data reusables.code-scanning.beta-actions-analysis %} > [!NOTE] > If you specify one of the alternative identifiers, this is equivalent to using the standard language identifier. For example, specifying `javascript` instead of `javascript-typescript` will not exclude analysis of TypeScript code. You can do this in an advanced setup workflow with the `--paths-ignore` option. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." diff --git a/data/reusables/code-scanning/codeql-languages-bullets.md b/data/reusables/code-scanning/codeql-languages-bullets.md index 1fa7df71f47f..c5d2010e22f3 100644 --- a/data/reusables/code-scanning/codeql-languages-bullets.md +++ b/data/reusables/code-scanning/codeql-languages-bullets.md 
@@ -7,8 +7,10 @@ * Python * Ruby * Swift +{% ifversion code-scanning-actions-language %}* {% data variables.product.prodname_actions %} workflows{% endif %} > [!NOTE] +> > * Use {% ifversion codeql-language-identifiers-311 %}`java-kotlin`{% else %}`java`{% endif %} to analyze code written in Java, Kotlin or both. > * Use {% ifversion codeql-language-identifiers-311 %}`javascript-typescript`{% else %}`javascript`{% endif %} to analyze code written in JavaScript, TypeScript or both.
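Review bot: In the `security-hardening-for-github-actions.md` hunk, renaming the heading `## Using OpenSSF Scorecards to secure workflows` to `## Using OpenSSF Scorecards to secure workflow dependencies` changes the rendered anchor, so any existing deep links to the old `#using-openssf-scorecards-to-secure-workflows` fragment will stop resolving. Either keep the original heading text, or check for inbound links to the old anchor and add a redirect before merging.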
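Review bot: In the `codeql-language-identifiers-table.md` hunk, the new Actions row is inconsistent with the two rows fixed just above it: `| Ruby | `ruby` |` and `| Swift | `swift` |` gain a trailing `|`, but `{% data variables.product.prodname_actions %} workflows | `actions`` does not, and the row is split across three lines with the Liquid tags sitting in their own pipe cells (`| {% ifversion code-scanning-actions-language %} |` and `| {% endif %} |`). Unless the rendering pipeline strips those lines, they survive as pipe-only table rows once the tags are evaluated. Suggest keeping the whole row on one line, with the version gate outside the cells and a closing pipe:
`{% ifversion code-scanning-actions-language %}| {% data variables.product.prodname_actions %} workflows | `actions` |{% endif %}`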
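Review bot: The new reusable `beta-actions-analysis.md` wraps its own content in `{% ifversion code-scanning-actions-language %}` ... `{% endif %}`, and in the `about-code-scanning-with-codeql.md` hunk that self-gate is the only thing hiding the note on GHES, whereas in the hardening guide the same reusable is additionally nested inside an outer `{% ifversion code-scanning-actions-language %}` block. That double gating is harmless, but it is worth stating in the `code-scanning-actions-language.yml` comment that callers may rely on the reusable's own gate, so later edits do not drop the inner one and accidentally surface the public preview note on versions listed outside `fpt: '*'` and `ghec: '*'`.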