[pull] main from github:main

.github/workflows/azure-preview-env-deploy-public.yml

@@ -112,7 +112,7 @@ jobs:
         run: src/workflows/prune-for-preview-env.sh
 
       - name: 'Build and push image'
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
         with:
           context: .
           push: true

.github/workflows/azure-preview-env-deploy.yml

@@ -171,7 +171,7 @@ jobs:
         run: src/workflows/prune-for-preview-env.sh
 
       - name: 'Build and push image'
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
         with:
           context: .
           push: true

.github/workflows/azure-prod-build-deploy.yml

@@ -52,9 +52,6 @@ jobs:
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
 
       - name: Check out repo
-        # If any of the steps above fail, we'll need a checkout so we
-        # have access to the `.github/actions/slack-alert/action.yml` file.
-        if: ${{ always() && github.event_name != 'workflow_dispatch' }}
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.sha }}
@@ -90,7 +87,7 @@ jobs:
           token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
 
       - name: 'Build and push image'
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
         with:
           context: .
           push: true

.github/workflows/azure-staging-build-deploy.yml

@@ -91,7 +91,7 @@ jobs:
         run: src/early-access/scripts/merge-early-access.sh
 
       - name: 'Build and push image'
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
         with:
           context: .
           push: true

.github/workflows/main-preview-docker-cache.yml

@@ -68,7 +68,7 @@ jobs:
         run: src/workflows/prune-for-preview-env.sh
 
       - name: 'Build and push image'
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
         with:
           context: .
           push: true

.github/workflows/repo-sync.yml

@@ -10,7 +10,7 @@ name: Repo Sync
 on:
   workflow_dispatch:
   schedule:
-    - cron: '20,50 * * * *' # Run every hour at 20 and 50 minutes after
+    - cron: '20 */3 * * *' # Run every 3rd hour at 20 minutes after
 
 permissions:
   contents: write

content/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications.md

@@ -159,7 +159,7 @@ For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptio
 
 ## Configuring your watch settings for an individual repository
 
-You can choose whether to watch or unwatch an individual repository. You can also choose to only be notified of certain event types such as {% data reusables.notifications-v2.custom-notification-types %} (if enabled for the repository) , or completely ignore an individual repository.
+You can choose whether to watch or unwatch an individual repository. You can also choose to only be notified of certain event types such as {% data reusables.notifications-v2.custom-notification-types %} (if enabled for the repository), or completely ignore an individual repository.
 
 {% data reusables.repositories.navigate-to-repo %}
 1. In the upper-right corner, select the "Watch" drop-down menu, then click a watch option.
@@ -232,9 +232,9 @@ For repositories that are set up with {% data variables.product.prodname_actions
 1. On the "Notification settings" page, under "System", then under "Actions", select the **Don't notify** dropdown menu.
 
    ![Screenshot of the "System" section of the notification settings. Under "Actions," a dropdown menu, titled "Don't notify", is highlighted with an orange outline.](/assets/images/help/notifications/github-actions-customize-notifications.png)
-1. To opt into web notifications, from the dropdown menu, select "On {% data variables.product.prodname_dotcom %}".
+1. To opt into web notifications, from the dropdown menu, select "On {% data variables.product.prodname_dotcom %}."
 
-   To opt into email notifications, from the dropdown menu, select "Email".
+   To opt into email notifications, from the dropdown menu, select "Email."
 1. Optionally, to only receive notifications for failed workflow runs, from the dropdown menu, select "Only notify for failed workflows", then click **Save**.{% endif %}
 
 {% ifversion ghes %}

content/actions/publishing-packages/publishing-docker-images.md

@@ -52,7 +52,7 @@ In this guide, we will use the Docker `build-push-action` action to build the Do
 
 ## Publishing images to Docker Hub
 
-{% data reusables.actions.release-trigger-workflow %}
+Each time you create a new release on {% data variables.product.product_name %}, you can trigger a workflow to publish your image. The workflow in the example below runs when the `release` event triggers with the `published` activity type.
 
 In the example workflow below, we use the Docker `login-action` and `build-push-action` actions to build the Docker image and, if the build succeeds, push the built image to Docker Hub.
 
@@ -129,7 +129,7 @@ The above workflow checks out the {% data variables.product.prodname_dotcom %} r
 {% data reusables.package_registry.container-registry-ghes-beta %}
 {% endif %}
 
-{% data reusables.actions.release-trigger-workflow %}
+Each time you create a new release on {% data variables.product.product_name %}, you can trigger a workflow to publish your image. The workflow in the example below runs when a change is pushed to the `release` branch.
 
 In the example workflow below, we use the Docker `login-action`{% ifversion fpt or ghec %}, `metadata-action`,{% endif %} and `build-push-action` actions to build the Docker image, and if the build succeeds, push the built image to {% data variables.product.prodname_registry %}.
 

content/actions/publishing-packages/publishing-java-packages-with-gradle.md

@@ -31,7 +31,7 @@ For more information about creating a CI workflow for your Java project with Gra
 
 You may also find it helpful to have a basic understanding of the following:
 
-* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-npm-registry)"
+* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)"
 * "[AUTOTITLE](/actions/learn-github-actions/variables)"
 * "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)"
 * "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)"

content/actions/publishing-packages/publishing-java-packages-with-maven.md

@@ -31,7 +31,7 @@ For more information about creating a CI workflow for your Java project with Mav
 
 You may also find it helpful to have a basic understanding of the following:
 
-* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-npm-registry)"
+* "[AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)"
 * "[AUTOTITLE](/actions/learn-github-actions/variables)"
 * "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions)"
 * "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)"

content/actions/security-guides/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md

@@ -42,10 +42,10 @@ We have packaged the Sigstore Policy Controller as a [GitHub distributed Helm ch
 First, install the Helm chart that deploys the Sigstore Policy Controller:
 
 ```bash copy
-helm install policy-controller --atomic \
+helm upgrade policy-controller --install --atomic \
   --create-namespace --namespace artifact-attestations \
   oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \
-  --version v0.9.0-github3
+  --version v0.9.0-github4
 ```
 
 This installs the Policy Controller into the `artifact-attestations` namespace. At this point, no policies have been configured, and it will not enforce any attestations.
@@ -55,10 +55,10 @@ This installs the Policy Controller into the `artifact-attestations` namespace.
 Once the policy controller has been deployed, you need to add the GitHub `TrustRoot` and a `ClusterImagePolicy` to your cluster. Use the Helm chart we provide to do this. Make sure to replace `MY-ORGANIZATION` with your GitHub organization's name (e.g., `github` or `octocat-inc`).
 
 ```bash copy
-helm install trust-policies --atomic \
+helm upgrade trust-policies --install --atomic \
  --namespace artifact-attestations \
  oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \
- --version v0.4.0 \
+ --version v0.5.0 \
  --set policy.enabled=true \
  --set policy.organization=MY-ORGANIZATION
 ```
@@ -86,19 +86,40 @@ Alternatively, you may run:
 kubectl label namespace MY-NAMESPACE policy.sigstore.dev/include=true
 ```
 
+### Matching images
+
+By default, the policy installed with the `trust-policies` Helm chart will verify attestations for all images before admitting them into the cluster. If you only intend to enforce attestations for a subset of images, you can use the Helm values `policy.images` and `policy.exemptImages` to specify a list of images to match against. These values can be set to a list of glob patterns that match the image names. The globbing syntax uses Go [filepath](https://pkg.go.dev/path/filepath#Match) semantics, with the addition of `**` to match any character sequence, including slashes.
+
+For example, to enforce attestations for images that match the pattern `ghcr.io/MY-ORGANIZATION/*` and admit `busybox` without a valid attestation, you can run:
+
+```bash copy
+helm upgrade trust-policies --install --atomic \
+ --namespace artifact-attestations \
+ oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \
+ --version v0.5.0 \
+ --set policy.enabled=true \
+ --set policy.organization=MY-ORGANIZATION \
+ --set-json 'policy.exemptImages=["index.docker.io/library/busybox**"]' \
+ --set-json 'policy.images=["ghcr.io/MY-ORGANIZATION/**"]'
+ ```
+
+Note that to match `busybox`, we need to provide the fully-qualified image name with double-star glob: `index.docker.io/library/busybox**`.
+
+Also note that any image you intend to admit _must_ have a matching glob pattern in the `policy.images` list. If an image does not match any pattern, it will be rejected.
+
 ### Advanced usage
 
 To see the full set of options you may configure with the Helm chart, you can run either of the following commands.
 For policy controller options:
 
 ```bash copy
-helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.9.0-github3
+helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.9.0-github4
 ```
 
 For trust policy options:
 
 ```bash copy
-helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.4.0
+helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.5.0
 ```
 
 For more information on the Sigstore Policy Controller, see the [Sigstore Policy Controller documentation](https://docs.sigstore.dev/policy-controller/overview/).

content/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners.md

@@ -180,7 +180,9 @@ You can install additional software on {% data variables.product.prodname_dotcom
 
 {% data variables.product.prodname_dotcom %} hosts Linux and Windows runners on virtual machines in Microsoft Azure with the {% data variables.product.prodname_actions %} runner application installed. The {% data variables.product.prodname_dotcom %}-hosted runner application is a fork of the Azure Pipelines Agent. Inbound ICMP packets are blocked for all Azure virtual machines, so ping or traceroute commands might not work. {% data variables.product.prodname_dotcom %} hosts macOS runners in Azure data centers.
 
-For Linux and Windows runners, GitHub uses `Dadsv5-series` virtual machines. For more information, see [Dasv5 and Dadsv5-series](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dadsv5-series) in the Microsoft Azure documentation.
+For Linux and Windows runners, {% data variables.product.company_short %} uses `Dadsv5-series` virtual machines. For more information, see [Dasv5 and Dadsv5-series](https://learn.microsoft.com/en-us/azure/virtual-machines/dasv5-dadsv5-series#dadsv5-series) in the Microsoft Azure documentation.
+
+GPU runners use `NCasT4_v3-series` virtual machines. For more information, see [NCasT4_v3-series](https://learn.microsoft.com/en-us/azure/virtual-machines/nct4-v3-series) in the Microsoft Azure documentation.
 
 ## Workflow continuity
 

content/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners.md

@@ -100,12 +100,6 @@ You can choose from several specifications for {% data variables.actions.hosted_
 
 ### Specifications for GPU {% data variables.actions.hosted_runners %}
 
-{% note %}
-
-**Note:** GPU runners are currently in beta and subject to change.
-
-{% endnote %}
-
 | CPU | GPU | GPU card | Memory (RAM) | GPU memory (VRAM) | Storage (SSD) | Operating system (OS) |
 | --- | --- | -------- | ------------ | ----------------- | ------------- | --------------------- |
 | 4   | 1   | Tesla T4 | 28 GB        | 16 GB             | 176 GB        | Ubuntu, Windows       |

content/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners.md

@@ -14,7 +14,7 @@ redirect_from:
 **Notes:**
 
 * {% data reusables.actions.windows-linux-larger-runners-note %}
-* GPU-powered runners and ARM-powered runners are currently in beta and are subject to change.
+* ARM-powered runners are currently in beta and are subject to change.
 
 {% endnote %}