Merge branch 'main' into patch-2

.github/actions-scripts/merge-early-access.sh

@@ -6,6 +6,6 @@
 #
 # [end-readme]
 
-mv docs-early-access/assets assets/images/early-access
+mv docs-early-access/assets/images assets/images/early-access
 mv docs-early-access/content content/early-access
 mv docs-early-access/data data/early-access

.github/workflows/staging-build-and-deploy-azure.yml → .github/workflows/azure-preview-env-deploy.yml

@@ -1,7 +1,7 @@
-name: Staging - Azure Deploy App Service
+name: Azure - Deploy Preview Environment
 
-# **What it does**: Build and deploy staging PRs to Azure
-# **Why we have it**: It's our new staging deployment mechanism, only applicable to docs-internal
+# **What it does**: Build and deploy to an Azure preview environment
+# **Why we have it**: It's our preview environment deploy mechanism, only applicable to docs-internal
 # **Who does it impact**: All contributors.
 
 # This whole workflow is only guaranteed to be secure in the *private
@@ -28,18 +28,19 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build-and-deploy-staging-azure:
+  build-and-deploy-azure-preview:
     if: ${{ github.repository == 'github/docs-internal' }}
-    name: Build and deploy image to staging App Service
+    name: Build and deploy Azure preview environment
     runs-on: ubuntu-latest
     timeout-minutes: 15
     environment:
-      name: staging-pr-${{ github.event.number }}
+      name: preview-env-${{ github.event.number }}
       url: ${{ steps.deploy.outputs.defaultHostName }}
     env:
       GITHUB_EVENT_NUMBER: ${{ github.event.number }}
-      STAGING_RESOURCE_GROUPS: 4
+      PREVIEW_ENV_RESOURCE_GROUPS: 4
       NONPROD_REGISTRY_USERNAME: ghdocs
+      APP_LOCATION: eastus
       ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }}
       # Image tag is unique to each workflow run so that it always triggers a new deployment
       DOCKER_IMAGE: ${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}/pr-${{ github.event.number }}:${{ github.event.pull_request.head.sha }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -51,8 +52,8 @@ jobs:
           REPO_NAME=${GITHUB_REPOSITORY#*\/}
           echo "REPO_NAME=${REPO_NAME}" >> $GITHUB_ENV
           echo "DEPLOYMENT_NAME=${REPO_NAME}-pr-${GITHUB_EVENT_NUMBER}" >> $GITHUB_ENV
-          echo "RESOURCE_GROUP=preview-env-${REPO_NAME}-$((${GITHUB_EVENT_NUMBER} % ${STAGING_RESOURCE_GROUPS}))" >> $GITHUB_ENV
-          echo "APP_NAME=gh${REPO_NAME}-staging-${GITHUB_EVENT_NUMBER}" >> $GITHUB_ENV
+          echo "RESOURCE_GROUP=preview-env-${REPO_NAME}-$((${GITHUB_EVENT_NUMBER} % ${PREVIEW_ENV_RESOURCE_GROUPS}))" >> $GITHUB_ENV
+          echo "APP_NAME=${REPO_NAME}-preview-${GITHUB_EVENT_NUMBER}" >> $GITHUB_ENV
 
       - name: 'Az CLI login'
         uses: azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
@@ -152,10 +153,10 @@ jobs:
         with:
           resourceGroupName: ${{ env.RESOURCE_GROUP }}
           subscriptionId: ${{ secrets.NONPROD_SUBSCRIPTION_ID }}
-          template: ./staging-azure-deploy-template.json
+          template: ./azure-preview-env-template.json
           deploymentName: ${{ env.DEPLOYMENT_NAME }}
           parameters: appName="${{ env.APP_NAME }}"
-            location="East US"
+            location="${{ env.APP_LOCATION }}"
             linuxFxVersion="DOCKER|${{ env.DOCKER_IMAGE }}"
             dockerRegistryUrl="https://${{ secrets.NONPROD_REGISTRY_SERVER }}"
             dockerRegistryUsername="${{ env.NONPROD_REGISTRY_USERNAME }}"

.github/workflows/staging-undeploy-azure.yml → .github/workflows/azure-preview-env-destroy.yml

@@ -1,34 +1,41 @@
-name: Staging - Undeploy Azure PR
+name: Azure - Destroy Preview Env
 
-# **What it does**: To undeploy PRs from Azure staging environment, i.e. destroy the App and associated resources.
-# **Why we have it**: To save money spent on deployments for closed PRs.
+# **What it does**: Destroys resources associated with a PRs Azure preview environment
+# **Why we have it**: Closed PRs don't need apps
 # **Who does it impact**: All contributors.
 
 on:
   pull_request:
     types:
       - closed
       - locked
+  workflow_dispatch:
+    inputs:
+      PR_NUMBER:
+        description: 'PR Number'
+        type: string
+        required: true
 
 jobs:
-  undeploy:
-    name: Undeploy
+  destory-azure-preview-env:
+    name: Destroy
+    if: ${{ github.repository == 'github/docs-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 5
     env:
-      GITHUB_EVENT_NUMBER: ${{ github.event.number }}
-      STAGING_RESOURCE_GROUPS: 4
+      PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }}
+      PREVIEW_ENV_RESOURCE_GROUPS: 4
       NONPROD_REGISTRY_NAME: ghdocs
-      IMAGE_REPO: ${{ github.repository }}/pr-${{ github.event.number }}
 
     steps:
       - name: 'Set env vars'
         id: vars
         run: |
           REPO_NAME=${GITHUB_REPOSITORY#*\/}
-          echo "RESOURCE_GROUP=preview-env-${REPO_NAME}-$((${GITHUB_EVENT_NUMBER} % ${STAGING_RESOURCE_GROUPS}))" >> $GITHUB_ENV
-          echo "DEPLOYMENT_NAME=${REPO_NAME}-pr-${GITHUB_EVENT_NUMBER}" >> $GITHUB_ENV
-          echo "APP_NAME=gh${REPO_NAME}-staging-${GITHUB_EVENT_NUMBER}" >> $GITHUB_ENV
+          echo "RESOURCE_GROUP=preview-env-${REPO_NAME}-$((${PR_NUMBER} % ${PREVIEW_ENV_RESOURCE_GROUPS}))" >> $GITHUB_ENV
+          echo "DEPLOYMENT_NAME=${REPO_NAME}-pr-${PR_NUMBER}" >> $GITHUB_ENV
+          echo "APP_NAME=${REPO_NAME}-preview-${PR_NUMBER}" >> $GITHUB_ENV
+          echo "IMAGE_REPO=${GITHUB_REPOSITORY}/pr-${PR_NUMBER}" >> $GITHUB_ENV
 
       - name: 'Az CLI login'
         uses: azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
@@ -40,11 +47,18 @@ jobs:
         run: |
           az deployment group cancel --name ${{ env.DEPLOYMENT_NAME }} -g ${{ env.RESOURCE_GROUP }} || true
 
+      # The full app name is obfuscated by an identifier, so we need to query to find the one for this PR
+      - name: 'Get full app name'
+        id: full-app-name
+        run: |
+          FULL_APP_NAME=$(az webapp list -g ${{ env.RESOURCE_GROUP }} --query "[?tags.DocsAppName == '${{ env.APP_NAME }}'].name | [0]")
+          echo "::set-output name=result::${FULL_APP_NAME}"
+
       # Delete web app (which will also delete the App Service plan)
       # This will succeed even if the app doesn't exist / has already been deleted
       - name: 'Delete App Service App (which will also delete the App Service plan)'
         run: |
-          az webapp delete -n ${{ env.APP_NAME }} -g ${{ env.RESOURCE_GROUP }}
+          az webapp delete -n ${{ steps.full-app-name.outputs.result }} -g ${{ env.RESOURCE_GROUP }}
 
       # Untag all images under this PR's container registry repo - the container registry will automatically remove untagged images.
       # This will fail if the IMAGE_REPO doesn't exist, but we don't care
@@ -56,4 +70,4 @@ jobs:
       - uses: strumwolf/delete-deployment-environment@45c821e46baa405e25410700fe2e9643929706a0
         with:
           token: ${{ secrets.DOCUBOT_REPO_PAT }}
-          environment: staging-pr-${{ github.event.number }}
+          environment: preview-env-${{ env.PR_NUMBER }}

.github/workflows/optimize-images.yml

@@ -50,6 +50,6 @@ jobs:
           git push --set-upstream origin $BRANCH
 
           echo "Open a pull request"
-          gh pr create --title "Optimize images" --body "Optimize images"
+          gh pr create --title "Optimize images" --body "Optimize images" --reviewer "@github/docs-engineering"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/triage-pull-requests.yml

@@ -11,6 +11,7 @@ on:
       - opened
 
 permissions:
+  issues: write
   pull-requests: write
   repository-projects: write
 

.github/workflows/workflow-lint.yml

@@ -30,4 +30,4 @@ jobs:
       - name: Run linter
         uses: cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa
         with:
-          workflows: '[".github/workflows/*.yml", ".github/workflows/*.yaml", "!.github/workflows/remove-from-fr-board.yaml", "!.github/workflows/staging-deploy-pr.yml", "!.github/workflows/triage-issue-comments.yml", "!.github/workflows/staging-build-and-deploy-azure.yml", "!.github/workflows/staging-undeploy-azure.yml"]'
+          workflows: '[".github/workflows/*.yml", ".github/workflows/*.yaml", "!.github/workflows/remove-from-fr-board.yaml", "!.github/workflows/staging-deploy-pr.yml", "!.github/workflows/triage-issue-comments.yml", "!.github/workflows/azure-preview-env-deploy.yml", "!.github/workflows/azure-preview-env-destroy.yml"]'

Dockerfile

@@ -76,9 +76,6 @@ ENV NODE_ENV production
 # Whether to hide iframes, add warnings to external links
 ENV AIRGAP false
 
-# By default we typically don't want to run in clustered mode
-ENV WEB_CONCURRENCY 1
-
 # Preferred port for server.mjs
 ENV PORT 4000
 

staging-azure-deploy-template.json → azure-preview-env-template.json

@@ -22,7 +22,8 @@
       }
   },
   "variables": {
-      "appServicePlanName": "[concat('ASP-', parameters('appName'))]"
+    "appServicePlanName": "[concat('ASP-', parameters('appName'))]",
+    "dnsName": "[concat(parameters('appName'), '-', take(uniqueString(subscription().subscriptionId, resourceGroup().id, deployment().name), 6))]"
   },
   "resources": [
       {
@@ -42,14 +43,16 @@
       {
           "type": "Microsoft.Web/sites",
           "apiVersion": "2018-11-01",
-          "name": "[parameters('appName')]",
+          "name": "[variables('dnsName')]",
           "location": "[parameters('location')]",
           "dependsOn": [
               "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
           ],
-          "tags": {},
+          "tags": {
+              "DocsAppName": "[parameters('appName')]"
+          },
           "properties": {
-              "name": "[parameters('appName')]",
+              "name": "[variables('dnsName')]",
               "siteConfig": {
                   "appSettings": [
                       {
@@ -80,10 +83,6 @@
                           "name": "DEPLOYMENT_ENV",
                           "value": "azure"
                       },
-                      {
-                          "name": "WEB_CONCURRENCY",
-                          "value": "1"
-                      },
                       {
                           "name": "ENABLED_LANGUAGES",
                           "value": "en"
@@ -105,7 +104,7 @@
   "outputs": {
       "defaultHostName": {
           "type": "string",
-          "value": "[concat('https://', parameters('appName'), '.azurewebsites.net')]"
+          "value": "[concat('https://', variables('dnsName'), '.azurewebsites.net')]"
       }
   }
 }

components/landing/CodeExamples.tsx

@@ -108,7 +108,7 @@ export const CodeExamples = () => {
           <p className="my-3 f4">
             {t('no_example')} <br /> {t('try_another')}
           </p>
-          <Link href="https://github.com/github/docs/blob/main/data/product-examples/actions/code-examples.yml">
+          <Link href="https://github.com/github/docs/tree/main/data/product-examples">
             {t('learn')} <ArrowRightIcon />
           </Link>
         </div>

components/lib/events.ts

@@ -129,10 +129,14 @@ export function sendEvent({ type, version = '1.0.0', ...props }: SendEventProps)
     ...props,
   }
 
-  // Only send the beacon if the feature is not disabled in the user's browser
-  if (navigator?.sendBeacon) {
-    const blob = new Blob([JSON.stringify(body)], { type: 'application/json' })
-    navigator.sendBeacon('/events', blob)
+  const blob = new Blob([JSON.stringify(body)], { type: 'application/json' })
+  const endpoint = '/events'
+  try {
+    // Only send the beacon if the feature is not disabled in the user's browser
+    // Even if the function exists, it can still throw an error from the call being blocked
+    navigator?.sendBeacon(endpoint, blob)
+  } catch {
+    console.warn(`sendBeacon to '${endpoint}' failed.`)
   }
 
   return body

components/sidebar/AllProductsLink.tsx

@@ -1,11 +1,18 @@
 import { useRouter } from 'next/router'
 import { ArrowLeftIcon } from '@primer/octicons-react'
+import { DEFAULT_VERSION, useVersion } from 'components/hooks/useVersion'
 
 export const AllProductsLink = () => {
   const router = useRouter()
+  const { currentVersion } = useVersion()
+  const currentVersionPathSegment = currentVersion === DEFAULT_VERSION ? '' : `/${currentVersion}`
+
   return (
     <li>
-      <a href={`/${router.locale}`} className="f6 pl-4 pr-5 ml-n1 pb-1 color-fg-default">
+      <a
+        href={`/${router.locale}${currentVersionPathSegment}`}
+        className="f6 pl-4 pr-5 ml-n1 pb-1 color-fg-default"
+      >
         <ArrowLeftIcon size="small" className="mr-1" />
         All products
       </a>

components/sidebar/SidebarHomepage.tsx

@@ -6,8 +6,6 @@ import { useVersion } from 'components/hooks/useVersion'
 import { useMainContext } from 'components/context/MainContext'
 import { Link } from 'components/Link'
 
-import { AllProductsLink } from './AllProductsLink'
-
 export const SidebarHomepage = () => {
   const router = useRouter()
   const { currentVersion } = useVersion()
@@ -55,7 +53,6 @@ export const SidebarHomepage = () => {
 
   return (
     <ul data-testid="sidebar" className="mt-4">
-      {!isFPT && <AllProductsLink />}
       <li>
         <ActionList {...{ as: 'ul' }} items={navItems}></ActionList>
       </li>

content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md

@@ -218,6 +218,10 @@ For example:
 curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
 ```
 
+### Adding permissions settings
+
+{% data reusables.actions.oidc-permissions-token %}
+
 ## Updating your workflows for OIDC
 
 You can now update your YAML workflows to use OIDC access tokens instead of secrets. Popular cloud providers have published their official login actions that make it easy for you to get started with OIDC. For more information about updating your workflows, see the cloud-specific guides listed below in "[Enabling OpenID Connect for your cloud provider](#enabling-openid-connect-for-your-cloud-provider)."

content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md

@@ -56,14 +56,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
 
 ### Adding permissions settings
 
-The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:
-
-```yaml{:copy}
-permissions:
-  id-token: write
-```
-
-You may need to specify additional permissions here, depending on your workflow's requirements. 
+ {% data reusables.actions.oidc-permissions-token %}
 
 ### Requesting the access token
 

content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md

@@ -50,14 +50,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
 
 ### Adding permissions settings
 
-The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:
-
-```yaml{:copy}
-permissions:
-  id-token: write
-```
-
-You may need to specify additional permissions here, depending on your workflow's requirements. 
+ {% data reusables.actions.oidc-permissions-token %}
 
 ### Requesting the access token
 

content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md

@@ -37,14 +37,7 @@ If your cloud provider doesn't yet offer an official action, you can update your
 
 ### Adding permissions settings
 
-The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:
-
-```yaml{:copy}
-permissions:
-  id-token: write
-```
-
-You may need to specify additional permissions here, depending on your workflow's requirements. 
+ {% data reusables.actions.oidc-permissions-token %}
 
 ### Using official actions
 

content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md

@@ -49,14 +49,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
 
 ### Adding permissions settings
 
-The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example:
-
-```yaml{:copy}
-permissions:
-  id-token: write
-```
-
-You may need to specify additional permissions here, depending on your workflow's requirements. 
+ {% data reusables.actions.oidc-permissions-token %}
 
 ### Requesting the access token