github · docs-bot · Nov 5, 2024 · Nov 5, 2024 · Nov 5, 2024
diff --git a/...actions/administering-github-actions/usage-limits-billing-and-administration.md b/...actions/administering-github-actions/usage-limits-billing-and-administration.md
@@ -48,6 +48,7 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe
 * **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete.
 {% data reusables.actions.usage-workflow-run-time %}
 {% data reusables.actions.usage-api-requests %}
+* **Webhook rate limit** - Each repository is limited to 1500 triggered events every 10 seconds.
 * **Concurrent jobs** - The number of concurrent jobs you can run in your account depends on your {% data variables.product.prodname_dotcom %} plan, as well as the type of runner used. If exceeded, any additional jobs are queued.
 
   **Standard {% data variables.product.prodname_dotcom %}-hosted runners**

diff --git a/...for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md b/...for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md
@@ -136,6 +136,8 @@ Anyone can fork a public repository, then submit a pull request to propose chang
 
 You can configure which pull requests require approval before they are run.
 
+>[!WARNING] When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request.
+
 * **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. Requires approval for users who have never committed to the repository and have new {% data variables.product.prodname_dotcom %} accounts.
 * **Require approval for first-time contributors**. Requires approval for users who have never committed to the repository.
 * **Require approval for all outside collaborators**. Requires approval for all users who are not organization members.

diff --git a/data/reusables/actions/azure-vnet-procedures-prereqs.md b/data/reusables/actions/azure-vnet-procedures-prereqs.md
@@ -135,9 +135,18 @@ You will use a script to automate configuring your Azure resources.
             direction: 'Outbound'
             destinationAddressPrefixes: [
               '140.82.112.0/20'
+              '140.82.112.33/32'
+              '140.82.112.34/32'
+              '140.82.113.33/32'
+              '140.82.113.34/32'
+              '140.82.114.33/32'
+              '140.82.114.34/32'
+              '140.82.121.33/32'
+              '140.82.121.34/32'
               '143.55.64.0/20'
               '185.199.108.0/22'
               '192.30.252.0/22'
+              '192.30.255.164/31'
               '20.175.192.146/32'
               '20.175.192.147/32'
               '20.175.192.149/32'
@@ -166,6 +175,7 @@ You will use a script to automate configuring your Azure resources.
               '20.207.73.85/32'
               '20.207.73.86/32'
               '20.207.73.88/32'
+              '20.217.135.1/32'
               '20.233.83.145/32'
               '20.233.83.146/32'
               '20.233.83.147/32'
@@ -178,6 +188,7 @@ You will use a script to automate configuring your Azure resources.
               '20.248.137.55/32'
               '20.26.156.215/32'
               '20.26.156.216/32'
+              '20.26.156.211/32'
               '20.27.177.113/32'
               '20.27.177.114/32'
               '20.27.177.116/32'
@@ -198,6 +209,8 @@ You will use a script to automate configuring your Azure resources.
               '4.208.26.198/32'
               '4.208.26.199/32'
               '4.208.26.200/32'
+              '4.225.11.196/32'
+              '4.237.22.32/32'
             ]
           }
         }

diff --git a/data/reusables/actions/workflow-run-approve-public-fork.md b/data/reusables/actions/workflow-run-approve-public-fork.md
@@ -1,9 +1,12 @@
 Anyone can fork a public repository, and then submit a pull request that proposes changes to the repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes.
 
-To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. By default, all first-time contributors require approval to run workflows.
+To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. Depending on the "Approval for running fork pull request workflows from contributors" setting, workflows on pull requests to public repositories will not run automatically and may need approval if:
 
-{% note %}
+* The pull request is **created by** a user that requires approvals based on the selected policy.
+* The pull request event is **triggered by** a user that requires approvals based on the selected policy.
 
-**Note:** Workflows triggered by `pull_request_target` events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings. For more information about the `pull_request_target` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)."
+By default, all first-time contributors require approval to run workflows.
 
-{% endnote %}
+Workflows triggered by `pull_request_target` events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings. For more information about the `pull_request_target` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)."
+
+>[!WARNING] These workflow approval policies are intended to restrict the set of users that can execute workflows in {% data variables.product.prodname_actions %} runners that could lead to unexpected resource and compute consumption when using {% data variables.product.prodname_dotcom %}-hosted runners. If you are using self-hosted runners, potentially malicious user-controlled workflow code will execute automatically if the user is allowed to bypass approval in the set approval policy or if the pull request is approved. You must consider the risk of executing this code in your infrastructure and should review and follow the self-hosted runner security recommendations regardless of the approval settings utilized. See "[AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)."
diff --git a/data/reusables/actions/workflows-from-public-fork-setting.md b/data/reusables/actions/workflows-from-public-fork-setting.md
@@ -1,7 +1,9 @@
-1. Under **Fork pull request workflows from outside collaborators**, choose one of the options.
+1. Under **Approval for running fork pull request workflows from contributors**, choose which subset of users will require approval before running workflows on their pull requests. Both the pull request author and the actor of the pull request event triggering the workflow will be checked to determine if approval is required. If approval is required, a user with write access to the repository must approve the pull request workflow to be run. See "[AUTOTITLE](/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks)."
 
-   * **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. This option requires approval to run workflows for users who have never committed to the repository and have new {% data variables.product.prodname_dotcom %} accounts.
-   * **Require approval for first-time contributors**. This option requires approval to run workflows for users who have never committed to the repository.
-   * **Require approval for all outside collaborators**. This option requires approval to run workflows for all users who are not repository collaborators. If the repository is owned by an organization, this option requires approval to run workflows for all repository collaborators who are not organization members.
+   >[!WARNING] When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request.
+
+   * **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. Only users who are both new on {% data variables.product.prodname_dotcom %} and who have never had a commit or pull request merged into this repository will require approval to run workflows.  
+   * **Require approval for first-time contributors**. Only users who have never had a commit or pull request merged into this repository will require approval to run workflows.
+   * **Require approval for all external contributors** All users that are not a member or owner of this repository and not a member of the organization will require approval to run workflows.
 
 1. Click **Save** to apply the settings.
diff --git a/src/archives/middleware/archived-enterprise-versions-assets.ts b/src/archives/middleware/archived-enterprise-versions-assets.ts
@@ -1,5 +1,3 @@
-import path from 'path'
-
 import got from 'got'
 import type { Response, NextFunction } from 'express'
 
@@ -14,13 +12,7 @@ import type { ExtendedRequest } from '@/types'
 
 // This module handles requests for the CSS and JS assets for
 // deprecated GitHub Enterprise versions by routing them to static content in
-// help-docs-archived-enterprise-versions
-//
-// Note that as of GHES 3.2, we no longer store assets for deprecated versions
-// in help-docs-archived-enterprise-versions. Instead, we store them in the
-// Azure blob storage `githubdocs` in the `enterprise` container. All HTML files
-// have been updated to use references to this blob storage for all assets.
-//
+// one of the docs-ghes-<release number> repos.
 // See also ./archived-enterprise-versions.js for non-CSS/JS paths
 
 export default async function archivedEnterpriseVersionsAssets(
@@ -33,12 +25,13 @@ export default async function archivedEnterpriseVersionsAssets(
   // or /_next/static/foo.css
   if (!patterns.assetPaths.test(req.path)) return next()
 
-  // We now know the URL is either /enterprise/2.22/_next/static/foo.css
-  // or the regular /_next/static/foo.css. But we're only going to
-  // bother looking it up on https://github.github.com/help-docs-archived-enterprise-versions
-  // if the URL has the enterprise bit in it, or if the path was
-  // /_next/static/foo.css *and* its Referrer had the enterprise
-  // bit in it.
+  // The URL is either in the format
+  // /enterprise/2.22/_next/static/foo.css,
+  // /enterprise-server@<release>,
+  // or /_next/static/foo.css.
+  // If the URL is prefixed with the enterprise version and release number
+  // or if the Referrer contains the enterprise version and release number,
+  // then we'll fetch it from the docs-ghes-<release number> repo.
   if (
     !(
       patterns.getEnterpriseVersionNumber.test(req.path) ||
@@ -59,25 +52,28 @@ export default async function archivedEnterpriseVersionsAssets(
   const { isArchived, requestedVersion } = isArchivedVersion(req)
   if (!isArchived || !requestedVersion) return next()
 
-  const assetPath = req.path.replace(`/enterprise/${requestedVersion}`, '')
+  // In all of the `docs-ghes-<relase number` repos, the asset directories
+  // are at the root. This removes the version and release number from the
+  // asset path so that we can proxy the request to the correct location.
+  const newEnterprisePrefix = `/enterprise-server@${requestedVersion}`
+  const legacyEnterprisePrefix = `/enterprise/${requestedVersion}`
+  const assetPath = req.path.replace(newEnterprisePrefix, '').replace(legacyEnterprisePrefix, '')
 
   // Just to be absolutely certain that the path can not contain
   // a URL that might trip up the GET we're about to make.
   if (
-    assetPath.includes('..') ||
+    assetPath.includes('../') ||
     assetPath.includes('://') ||
     (assetPath.includes(':') && assetPath.includes('@'))
   ) {
     defaultCacheControl(res)
     return res.status(404).type('text/plain').send('Asset path not valid')
   }
 
-  const proxyPath = path.join('/', requestedVersion, assetPath)
-
+  const proxyPath = `https://github.github.com/docs-ghes-${requestedVersion}${assetPath}`
   try {
-    const r = await got(
-      `https://github.github.com/help-docs-archived-enterprise-versions${proxyPath}`,
-    )
+    const r = await got(proxyPath)
+
     res.set('accept-ranges', 'bytes')
     res.set('content-type', r.headers['content-type'])
     res.set('content-length', r.headers['content-length'])