Merge branch 'main' into update-new-site-tree-deps

content/actions/learn-github-actions/migrating-from-circleci-to-github-actions.md

@@ -443,7 +443,9 @@ jobs:
           path: vendor/bundle
           key: administrate-${{ matrix.image }}-${{ hashFiles('Gemfile.lock') }}
       - name: Install postgres headers
-        run: sudo apt-get install libpq-dev
+        run: |
+          sudo apt-get update
+          sudo apt-get install libpq-dev
       - name: Install dependencies
         run: bundle install --path vendor/bundle
       - name: Setup environment configuration

content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md

@@ -0,0 +1,19 @@
+---
+title: Approving workflow runs from public forks
+intro: 'When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve any workflow runs.'
+product: '{% data reusables.gated-features.actions %}'
+versions:
+  free-pro-team: '*'
+---
+
+Forks of public repositories can submit pull requests that propose changes to a repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes. To help prevent this, workflows on pull requests are not run automatically if they are received from first-time contributors, and must be approved first.
+
+Maintainers with write access to the repository can use the following procedure to review and run workflows on pull requests from first-time contributors. After a contributor has at least one pull request merged into a project's repository, any future pull requests from that contributor's fork will automatically run workflows.
+
+{% data reusables.repositories.sidebar-pr %}
+{% data reusables.repositories.choose-pr-review %}
+{% data reusables.repositories.changed-files %}
+1. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files.
+1. If you are comfortable with running workflows on the pull request branch, return to the {% octicon "comment-discussion" aria-label="The discussion icon" %} **Conversation** tab, and under "Workflow(s) awaiting approval", click **Approve and run**.
+
+   ![Approve and run workflows](/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png)

content/actions/managing-workflow-runs/index.md

@@ -26,6 +26,7 @@ versions:
 {% link_in_list /manually-running-a-workflow %}
 {% link_in_list /re-running-a-workflow %}
 {% link_in_list /canceling-a-workflow %}
+{% link_in_list /approving-workflow-runs-from-public-forks %}
 {% link_in_list /reviewing-deployments %}
 {% link_in_list /disabling-and-enabling-a-workflow %}
 {% link_in_list /deleting-a-workflow-run %}

content/actions/using-github-hosted-runners/about-github-hosted-runners.md

@@ -93,6 +93,10 @@ We recommend using actions to interact with the software installed on runners. T
 
 If there is a tool that you'd like to request, please open an issue at [actions/virtual-environments](https://github.com/actions/virtual-environments). This repository also contains announcements about all major software updates on runners.
 
+#### Installing additional software
+
+You can install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see "[Customizing GitHub-hosted runners](/actions/using-github-hosted-runners/customizing-github-hosted-runners)".
+
 ### IP addresses
 
 {% note %}

content/actions/using-github-hosted-runners/customizing-github-hosted-runners.md

@@ -0,0 +1,92 @@
+---
+title: Customizing GitHub-hosted runners
+intro: >-
+  You can install additional software on GitHub-hosted runners as a
+  part of your workflow.
+product: '{% data reusables.gated-features.actions %}'
+versions:
+  free-pro-team: '*'
+  enterprise-server: '>=2.22'
+type: tutorial
+topics:
+  - Workflows
+---
+
+{% data reusables.actions.enterprise-github-hosted-runners %}
+
+If you require additional software packages on {% data variables.product.prodname_dotcom %}-hosted runners, you can create a job that installs the packages as part of your workflow. 
+
+To see which packages are already installed by default, see "[Preinstalled software](/actions/using-github-hosted-runners/about-github-hosted-runners#preinstalled-software)."
+
+This guide demonstrates how to create a job that installs additional software on a {% data variables.product.prodname_dotcom %}-hosted runner.
+
+### Installing software on Ubuntu runners
+
+The following example demonstrates how to install an `apt` package as part of a job.
+
+{% raw %}
+```yaml
+name: Build on Ubuntu
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out repository code
+      uses: actions/checkout@v2
+    - name: Install jq tool
+      run: |
+        sudo apt-get update
+        sudo apt-get install jq
+```
+{% endraw %}
+
+{% note %}
+
+**Note:** Always run `sudo apt-get update` before installing a package. In case the `apt` index is stale, this command fetches and re-indexes any available packages, which helps prevent package installation failures. 
+
+{% endnote %}
+
+### Installing software on macOS runners
+
+The following example demonstrates how to install Brew packages and casks as part of a job.
+
+{% raw %}
+```yaml
+name: Build on macOS
+on: push
+
+jobs:
+  build:
+    runs-on: macos-latest
+    steps:
+    - name: Check out repository code
+      uses: actions/checkout@v2
+    - name: Install GitHub CLI
+      run: |
+        brew update
+        brew install gh
+    - name: Install Microsoft Edge
+      run: |
+        brew update
+        brew install --cask microsoft-edge
+```
+{% endraw %}
+
+### Installing software on Windows runners
+
+The following example demonstrates how to use [Chocolatey](https://community.chocolatey.org/packages) to install the {% data variables.product.prodname_dotcom %} CLI as part of a job.
+
+{% raw %}
+```yaml
+name: Build on Windows
+on: push
+jobs:
+  build:
+    runs-on: windows-latest
+    steps:
+      - run: choco install gh
+      - run: gh version
+```
+{% endraw %}

content/actions/using-github-hosted-runners/index.md

@@ -11,6 +11,7 @@ versions:
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
 {% link_in_list /about-github-hosted-runners %}
+{% link_in_list /customizing-github-hosted-runners %}
 {% link_in_list /about-ae-hosted-runners %}
 {% link_in_list /adding-ae-hosted-runners %}
 {% link_in_list /using-ae-hosted-runners-in-a-workflow %}

content/admin/github-actions/using-the-latest-version-of-the-official-bundled-actions.md

@@ -26,12 +26,19 @@ You can use {% data variables.product.prodname_github_connect %} to allow {% dat
 
 Once {% data variables.product.prodname_github_connect %} is configured, you can use the latest version of an action by deleting its local repository in the `actions` organization on your instance. For example, if your enterprise instance is using the `actions/checkout@v1` action, and you need to use `actions/checkout@v2` which isn't available on your enterprise instance, perform the following steps to be able to use the latest `checkout` action from {% data variables.product.prodname_dotcom_the_website %}:
 
-1. To get the required access to delete the `checkout` repository, use the `ghe-org-admin-promote` command to promote a user to be an owner of the bundled `actions` organization. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)" and "[`ghe-org-admin-promote`](/admin/configuration/command-line-utilities#ghe-org-admin-promote)." For example:
+1. By default, site administrators are not owners of the bundled actions organization. To get the required access to delete the `checkout` repository, use the `ghe-org-admin-promote` command to promote a user to be an owner of the bundled `actions` organization. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)" and "[`ghe-org-admin-promote`](/admin/configuration/command-line-utilities#ghe-org-admin-promote)." For example:
 
    ```shell
-   ghe-org-admin-promote -u <em>USERNAME</em> -o actions
+   $ ghe-org-admin-promote -u octocat -o actions
+    Do you want to give organization admin privileges for actions to octocat? (y/N) y
+    Making octocat an admin of actions
+     --> Adding octocat as an admin of actions
+     --> octocat is now an admin of the actions organization
+     --> Done.
    ```
 1. On your {% data variables.product.product_name %} instance, delete the `checkout` repository within the `actions` organization. For information on how to delete a repository, see "[Deleting a repository
 ](/github/administering-a-repository/deleting-a-repository)."
+1. It is recommended that you leave the `actions` organization once you no longer require administrative access. For more information, see "[Removing yourself from an organization
+](/github/setting-up-and-managing-your-github-user-account/removing-yourself-from-an-organization)."
 1. Configure your workflow's YAML to use `actions/checkout@v2`.
 1. Each time your workflow runs, the runner will use the `v2` version of `actions/checkout` from {% data variables.product.prodname_dotcom_the_website %}.

content/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account.md

@@ -87,6 +87,7 @@ After adding a new SSH key to your {% data variables.product.product_name %} acc
   If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don't add any newlines or whitespace.
 
   ```shell
+  $ sudo apt-get update
   $ sudo apt-get install xclip
   # Downloads and installs xclip. If you don't have `apt-get`, you might need to use another installer (like `yum`)
 

content/github/authenticating-to-github/using-ssh-over-the-https-port.md

@@ -11,7 +11,7 @@ topics:
 
 {% tip %}
 
-**GitHub Enterprise users**: Accessing GitHub Enterprise via SSH over the HTTPS port is currently not supported.
+**{% data variables.product.prodname_ghe_server %} users**: Accessing {% data variables.product.prodname_ghe_server %} via SSH over the HTTPS port is currently not supported.
 
 {% endtip %}
 

data/reusables/developer-site/pull_request_forked_repos_link.md

@@ -10,6 +10,10 @@ When you create a pull request from a forked repository to the base repository,
 
 Workflows don't run on forked repositories by default. You must enable GitHub Actions in the **Actions** tab of the forked repository.
 
+{% if currentVersion == "free-pro-team@latest"%}
+When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve running workflows on the pull request. For more information, see "[Approving workflow runs from public forks](/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)."
+{% endif %}
+
 {% data reusables.actions.forked-secrets %} The permissions for the `GITHUB_TOKEN` in forked repositories is read-only. For more information, see "[Authenticating with the GITHUB_TOKEN](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)."
 
 {% note %}

data/reusables/secret-scanning/partner-secret-list-private-repo.md

@@ -32,6 +32,7 @@ Dropbox | Dropbox Short Lived Access Token | dropbox_short_lived_access_token
 Dynatrace | Dynatrace Access Token | dynatrace_access_token
 Dynatrace | Dynatrace Internal Token | dynatrace_internal_token
 Facebook | Facebook Access Token | facebook_access_token
+Fastly | Fastly API Token | fastly_api_token
 Finicity | Finicity App Key | finicity_app_key
 Frame.io | Frame.io JSON Web Token | frameio_jwt
 Frame.io| Frame.io Developer Token | frameio_developer_token
@@ -54,6 +55,7 @@ Mailchimp | Mailchimp API Key | mailchimp_api_key
 Mailgun | Mailgun API Key | mailgun_api_key
 npm | npm Access Token | npm_access_token
 NuGet | NuGet API Key | nuget_api_key
+OpenAI | OpenAI API Key | openai_api_key
 Palantir | Palantir JSON Web Token | palantir_jwt
 Postman | Postman API Key | postman_api_key
 Proctorio | Proctorio Consumer Key | proctorio_consumer_key

data/reusables/secret-scanning/partner-secret-list-public-repo.md

@@ -47,6 +47,7 @@ Mailgun | Mailgun API Key
 MessageBird | MessageBird API Key
 npm | npm Access Token
 NuGet | NuGet API Key
+OpenAI | OpenAI API Key
 Palantir | Palantir JSON Web Token
 Plivo | Plivo Auth Token
 Postman | Postman API Key