From ea8cfa704da78bedfe6c84cb444f773534e11435 Mon Sep 17 00:00:00 2001
From: hubwriter
Date: Tue, 3 Dec 2024 17:08:15 +0000
Subject: [PATCH 1/4] Copilot cookbook: Simplifying deeply nested inheritance (#53307)
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
--- .../refactoring-code/index.md | 7 +- ...lifying-complex-inheritance-hierarchies.md | 116 ++++++++++++++++++ 2 files changed, 120 insertions(+), 3 deletions(-) create mode 100644 content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/simplifying-complex-inheritance-hierarchies.md
diff --git a/content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/index.md b/content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/index.md
index 532f6d47bcb4..56a25fe1ba13 100644
--- a/content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/index.md
+++ b/content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/index.md
@@ -6,11 +6,12 @@ versions:
 topics:
 - Copilot
 children:
- - /refactoring-data-access-layers
 - /improving-code-readability-and-maintainability
- - /decoupling-business-logic-from-ui-components
 - /fixing-lint-errors
- - /refactoring-to-implement-a-design-pattern
 - /refactoring-for-performance-optimization
+ - /refactoring-to-implement-a-design-pattern
+ - /refactoring-data-access-layers
+ - /decoupling-business-logic-from-ui-components
+ - /simplifying-complex-inheritance-hierarchies
 - /fixing-database-deadlocks-or-data-integrity-issues
 ---
diff --git a/content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/simplifying-complex-inheritance-hierarchies.md b/content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/simplifying-complex-inheritance-hierarchies.md
new file mode 100644
index 000000000000..8e29dd1f9bab
--- /dev/null
+++ b/content/copilot/example-prompts-for-github-copilot-chat/refactoring-code/simplifying-complex-inheritance-hierarchies.md 
@@ -0,0 +1,116 @@
+---
+title: Simplifying complex inheritance hierarchies
+shortTitle: Simplify inheritance hierarchies
+intro: '{% data variables.product.prodname_copilot_chat_short %} can help you to refactor code to avoid classes with multiple layers of inheritance.'
+versions:
+ feature: copilot
+category:
+ - 'Refactoring code'
+complexity:
+ - Intermediate
+octicon: rocket
+topics:
+ - Copilot
+---
+
+Deep inheritance hierarchies, or improper use of inheritance, can lead to code that is hard to maintain, making it difficult to follow relationships between classes, or to extend them without causing breakage.
+
+{% data variables.product.prodname_copilot_chat_short %} can suggest refactoring inheritance-based designs into more flexible composition-based designs (favoring composition over inheritance). It can also recommend applying patterns like Strategy or Decorator to make the system more extensible without adding complexity to the inheritance structure.
+
+## Example scenario
+
+The following C# code has a deep inheritance hierarchy where each class builds on the previous one. The result is a long chain of inheritance that makes it difficult to know what properties each class has.
+
+A multi-level inheritance hierarchy like this can be difficult to understand, modify, and extend.
+
+```csharp
+public class Employee
+{
+ public string Name { get; set; }
+ public int EmployeeID { get; set; }
+}
+
+public class Manager : Employee
+{
+ public int NumberOfTeams { get; set; }
+}
+
+public class SeniorManager : Manager
+{
+ public string Region { get; set; }
+}
+
+public class Director : SeniorManager
+{
+ public int NumberOfDepartments { get; set; }
+}
+
+public class VicePresident : Director
+{
+ public string Division { get; set; }
+}
+
+public class President : VicePresident
+{
+ public string Company { get; set; }
+}
+```
+
+## Example prompt
+
+In this situation you might decide to use a parent `Employee` class whose properties other classes should inherit, but to avoid any other inheritance by defining all other properties separately for each class.
+
+`Refactor this code so that classes only inherit the properties of the Employee class. All of the other properties that each class currently inherits should instead be declared independently in each class definition.`
+
+## Example response
+
+{% data reusables.copilot.example-prompts.response-is-an-example %}
+
+{% data variables.product.prodname_copilot_short %} suggests the following code:
+
+```csharp
+public class Employee
+{
+ public string Name { get; set; }
+ public int EmployeeID { get; set; }
+}
+
+public class Manager : Employee
+{
+ public int NumberOfTeams { get; set; }
+}
+
+public class SeniorManager : Employee
+{
+ public int NumberOfTeams { get; set; }
+ public string Region { get; set; }
+}
+
+public class Director : Employee
+{
+ public int NumberOfTeams { get; set; }
+ public string Region { get; set; }
+ public int NumberOfDepartments { get; set; }
+}
+
+public class VicePresident : Employee
+{
+ public int NumberOfTeams { get; set; }
+ public string Region { get; set; }
+ public int NumberOfDepartments { get; set; }
+ public string Division { get; set; }
+}
+
+public class President : Employee
+{
+ public int NumberOfTeams { get; set; }
+ public string Region { get; set; }
+ public int NumberOfDepartments { get; set; }
+ public string Division { get; set; }
+ public string Company { get; set; }
+}
+```
+
+## Further reading
+
+{% data reusables.copilot.example-prompts.further-reading-items %}
From 8bfefbd4d124b17eac049f12cbe71a21f841a524 Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Tue, 3 Dec 2024 09:38:48 -0800
Subject: [PATCH 2/4] Update audit log event data (#53437)
--- src/audit-logs/lib/config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json
index 3e7ec1299334..e51b311c411f 100644
--- a/src/audit-logs/lib/config.json
+++ b/src/audit-logs/lib/config.json
@@ -3,5 +3,5 @@
 "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
 "apiRequestEvent": "This event is only available via audit log streaming."
 },
- "sha": "747e4cd3acd3a1e7ee9d7f122264cef706eaadee"
+ "sha": "f6212cb1a2ca919f7353ca6b1f0095b1e4197744"
 }
\ No newline at end of file
From ee44e4aa6a38487ca6f85b931ee1ed35bbeb9ef3 Mon Sep 17 00:00:00 2001
From: Sophie <29382425+sophietheking@users.noreply.github.com>
Date: Tue, 3 Dec 2024 19:50:40 +0100
Subject: [PATCH 3/4] GHES 3.15 release candidate > GA (#53207)
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: Pallavi <96553709+pallsama@users.noreply.github.com>
--- .../enterprise-server/3-15/0-rc1.yml | 2 +- .../enterprise-server/3-15/0.yml | 226 ++++++++++++++++++ .../lib/enterprise-server-releases.js | 2 +- 3 files changed, 228 insertions(+), 2 deletions(-) create mode 100644 data/release-notes/enterprise-server/3-15/0.yml
diff --git a/data/release-notes/enterprise-server/3-15/0-rc1.yml b/data/release-notes/enterprise-server/3-15/0-rc1.yml
index 7ffab2854a3e..d93e31307c16 100644
--- a/data/release-notes/enterprise-server/3-15/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-15/0-rc1.yml
@@ -1,6 +1,6 @@
 date: '2024-11-12'
 release_candidate: true
-deprecated: false
+deprecated: true
 intro: |
 > [!NOTE] Release candidate (RC) builds are intended solely for use in a test environment. Do not install an RC in a production environment.
 >
diff --git a/data/release-notes/enterprise-server/3-15/0.yml b/data/release-notes/enterprise-server/3-15/0.yml
new file mode 100644
index 000000000000..81fd0c587c41
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-15/0.yml
@@ -0,0 +1,226 @@
+date: '2024-12-03'
+release_candidate: false
+deprecated: false
+intro: |
+ For upgrade instructions, see "[AUTOTITLE](/admin/upgrading-your-instance/preparing-to-upgrade/overview-of-the-upgrade-process)."
+
+sections:
+ # Remove section heading if the section contains no notes.
+
+ features:
+ # Remove a sub-section heading if the heading contains no notes. If sections
+ # that regularly recur are missing, add placeholders to this template.
+
+ - heading: Instance administration
+ notes:
+ # https://github.com/github/releases/issues/4353
+ - |
+ New installations of GitHub Enterprise Server version 3.15 and upgrades to 3.15 now require a root disk size of at least 400GB. Otherwise, the system will not boot. For more information on how to increase the root disk size in the appliance, see "[AUTOTITLE](/admin/monitoring-and-managing-your-instance/updating-the-virtual-machine-and-physical-resources/increasing-storage-capacity)."
+
+ # https://github.com/github/releases/issues/4353
+ - |
+ Minimum recommended requirements for vCPUs, memory, root storage, and data storage have been updated. See "[AUTOTITLE](/admin/installing-your-enterprise-server/setting-up-a-github-enterprise-server-instance/installing-github-enterprise-server-on-vmware#minimum-recommended-requirements)."
+
+ - heading: Audit logs
+ notes:
+ # https://github.com/github/releases/issues/4185
+ - |
+ Organization owners and security managers can monitor changes to the use of security configurations at the organization and repository levels. See "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)," [`security_configuration`](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#security_configuration), and [`repository_security_configuration`](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_security_configuration).
+
+ - heading: Code scanning
+ notes:
+ # https://github.com/github/releases/issues/3915 and https://github.com/github/releases/issues/4469
+ - |
+ Users can run CodeQL analysis of C# code without building the project, `build-mode: none`. When you enable code scanning using default setup on a repository, both Java and C# use this mode. Analysis of both languages using this method is generally available. See "[About build mode None for CodeQL](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-build-mode-none-for-codeql)."
+ # https://github.com/github/releases/issues/4189
+ - |
+ CodeQL analysis of Swift and Kotlin code is generally available.
+ # https://github.com/github/releases/issues/4680
+ - |
+ This release comes installed with version **2.18.4** of the CodeQL CLI, used in the CodeQL action for code scanning. Significant updates since the default version installed on GitHub Enterprise Server 3.14 include:
+
+ * Support for Go 1.23 and TypeScript 5.5
+ * C# can now use `build-mode: none`, which allows scanning C# code without requiring working builds
+ * Kotlin & Swift support for mobile applications is generally available
+ * Java `build-mode: none` analyses only report a warning on the tool status page when significant analysis problems are detected
+ * Two new JavaScript queries, `js/functionality-from-untrusted-domain`, have been added to detect usage of scripts from untrusted domains, including `polyfill.io` content delivery network and `js/insecure-helmet-configuration` to detect instances where important Helmet security features are disabled
+ * The precision of `cpp/iterator-to-expired-container` & `cpp/unsafe-strncat` have been increased to high
+
+ - heading: Secret scanning
+ notes:
+ # https://github.com/github/releases/issues/4150
+ - |
+ Secret scanning for discussions, issues, and pull request titles, bodies, and comments is now generally available. See "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
+ # https://github.com/github/releases/issues/4511
+ - |
+ Users can bypass push protection using the existing `Create a blob` and `Create or update file contents` REST API endpoints. This action can also be performed programmatically using the new `Create a push protection bypass` API endpoint. See the [GitHub Blog post](https://github.blog/changelog/2024-08-13-secret-scanning-push-protection-is-supported-for-content-upload-rest-api-endpoints/).
+ # https://github.com/github/releases/issues/4522
+ - |
+ Organization owners can enable the detection of non-provider patterns for their organization using a security configuration. This feature is in public beta and is subject to change. See "[Enabling detection of non-provider patterns for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns#enabling-detection-of-non-provider-patterns-for-an-organization)."
+
+ - heading: Dependabot
+ notes:
+ # https://github.com/github/releases/issues/4522
+ - |
+ Organization owners, security managers and users with **admin** access can manage Dependabot auto-triage rules, as well as create custom auto-triage rules. Auto-triage rules are a powerful tool that automatically dismiss Dependabot alerts matching certain criteria. This feature is generally available. See "[AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules)."
+
+ - heading: GitHub Connect
+ notes:
+ - |
+ For enterprises with a deployment of GitHub Enterprise Cloud on GHE.com, automatic license sync is supported from GitHub Enterprise Server to GHE.com.
+
+ - heading: GitHub Advanced Security
+ notes:
+ # https://github.com/github/releases/issues/3953 and https://github.com/github/releases/issues/3954
+ - |
+ Organization owners and security managers can use a "CodeQL pull request alerts" view in security overview to proactively identify and mitigate security risks at the organization and enterprise level. For example, they can see the most common alerts found in pull requests and see the corresponding remediation rates. See "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts)."
+
+ - heading: Code security
+ notes:
+ # https://github.com/github/releases/issues/4231
+ - |
+ Organization owners and security managers can simplify the rollout of GitHub security products at scale with security configurations. They can define collections of security settings, save them as a custom configuration, and apply them across groups of repositories. Security configurations can be enforced using policies to stop repositories making any changes to the enablement of security features. See "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)."
+ # https://github.com/github/releases/issues/4031 and https://github.com/github/releases/issues/4287 and https://github.com/github/releases/issues/4185
+ - |
+ Organization owners and security managers can create, apply, enforce, and monitor security configurations programmatically using REST API calls and audit logs. See "[AUTOTITLE](/rest/code-security/configurations)" and [`security_configuration`](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#security_configuration).
+
+ - heading: GitHub Actions
+ notes:
+ # Required Actions Runner version
+ - |
+ {% data reusables.actions.actions-runner-release-note %}
+
+ - heading: GitHub Packages
+ notes:
+ # https://github.com/github/releases/issues/4184
+ - |
+ Package managers benefit from improved performance as the npm registry no longer includes README content in package version metadata, reducing the size of package packuments (metadata manifest). This change enhances registry and npm CLI efficiency.
+
+ - heading: Repositories
+ notes:
+ # https://github.com/github/releases/issues/4073
+ - |
+ Users can use new property types when creating a custom property: `Multi select` and `True/False`.
+ # https://github.com/github/releases/issues/4139
+ - |
+ Users can gain deeper insights into contributors and code frequency with enhanced focus navigation, and a new table format for viewing and downloading data.
+ # https://github.com/github/releases/issues/4244
+ - |
+ Users can require that merges must be performed with a merge queue at the repository level. For more information about merge queues, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request-with-a-merge-queue#about-merge-queues)."
+ # https://github.com/github/releases/issues/4245
+ - |
+ Admins can enforce status checks and workflow runs on existing refs while allowing the creation of new refs.
+ # https://github.com/github/releases/issues/4246
+ - |
+ Organization members can use the new repository view and advanced filters to find repositories by visibility, language, custom properties, size, license, and more.
+
+ - heading: Projects
+ notes:
+ # https://github.com/github/releases/issues/4070
+ - |
+ Users can interact with project status updates programmatically using the `ProjectV2StatusUpdate` GraphQL object and the `projects_v2_status_update` webhook event. See [GitHub Issues & Projects](https://github.blog/changelog/2024-06-27-github-issues-projects-graphql-and-webhook-support-for-project-status-updates-and-more/) on the GitHub Blog.
+ # https://github.com/github/releases/issues/4665
+ - |
+ For better accessibility, swimlanes and card titles have heading elements attached to them.
+ # https://github.com/github/releases/issues/4071
+ - |
+ Project custom field changes are included directly in the [project_v2_item](/webhooks/webhook-events-and-payloads?actionType=edited#projects_v2_item) webhook event when a project item's fields are edited, allowing users to understand how project fields change over time and how long they have a particular value.
+
+ - heading: Accessibility
+ notes:
+ # https://github.com/github/releases/issues/4147
+ - |
+ Users can navigate and dismiss hovercards using keyboard shortcuts, enhancing accessibility. Additionally, a new setting allows users to disable all hovercards.
+ # https://github.com/github/releases/issues/4248
+ - |
+ Math equations are rendered with standardized MathML, replacing custom HTML MathJax to enhance accessibility and security. While most users will see minimal changes, slight differences in font and alignment may occur.
+ # https://github.com/github/releases/issues/4408
+ - |
+ The light and dark high contrast themes have been updated to improve readability.
+
+ - heading: Integrations and extensions
+ notes:
+ # https://github.com/github/releases/issues/4592
+ - |
+ The `client_id` field is included in all API responses that describe a GitHub App. This is part of a shift to use the client ID as the primary identifier for an app. See [Client IDs are now included in App API responses](https://github.blog/changelog/2024-08-23-client-ids-are-now-included-in-app-api-responses/) on the GitHub Blog.
+ # https://github.com/github/releases/issues/3685
+ - |
+ When users go through the device code flow for an OAuth app, such as the GitHub CLI, they are prompted to use an account picker if they have multiple accounts.
+
+ changes:
+ # https://github.com/github/releases/issues/4167
+ - |
+ The API endpoint for listing custom deployment rule integrations for an environment (`GET /repos/{owner}/{repo}/environments/{environment_name}/deployment_protection_rules/apps`) requires **"Administration" repository permissions (read)** for fine-grained tokens. Previously, the token required "Actions" repository permissions (read).
+ # https://github.com/github/releases/issues/3927
+ - |
+ Pushes that update over 5,000 branches no longer trigger webhooks or GitHub Actions workflows.
+ # https://github.com/github/releases/issues/4231
+ - |
+ Organization owners and security managers will see a new organization-level code security settings UI. In the organization settings sidebar, the **Code security and analysis** option has been replaced by an expanding **Code security** option. This contains new **Configurations** and **Global settings** options. See "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)."
+
+ known_issues:
+ - |
+ An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+ - |
+ When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+ - |
+ Attempting to stop replications after stopping GitHub Actions on a GHES instance would fail, reporting that MSSQL was not responding. This can be avoided by starting MSSQL prior to stopping replication by running `/usr/local/share/enterprise/ghe-nomad-jobs queue /etc/nomad-jobs/mssql/mssql.hcl`.
+ - |
+ Admins setting up cluster high availability (HA) may encounter a `spokes` error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+ - |
+ {% data reusables.release-notes.large-adoc-files-issue %}
+ - |
+ Repositories originally imported using `ghe-migrator` will not correctly track GitHub Advanced Security contributions.
+ - |
+ Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+ - |
+ When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+ - |
+ Running a `config apply` as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+ - |
+ {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+ - |
+ When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+ - |
+ An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+ - |
+ In the header bar displayed to site administrators, some icons are not available.
+ - |
+ When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+ - |
+ When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+ - |
+ Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
+ - |
+ Customers doing feature version upgrade to 3.14.3 may experience issues with database migrations due to data issues during database conversions.
+ - |
+ {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
+
+ closing_down:
+ # https://github.com/github/releases/issues/3525
+ - |
+ In GitHub Enterprise Server 3.16, tag protection rules will be migrated to a ruleset and the tag protection rule feature will no longer be available.
+ # https://github.com/github/releases/issues/4964
+ - |
+ In GitHub Enterprise Server 3.16, the `/explore` functionality, including the `Activity` and `Trending` pages, will be removed.
+ # https://github.com/github/releases/issues/4110 and https://github.com/github/releases/issues/4193 and https://github.com/github/releases/issues/4231
+ - |
+ We are closing down the API endpoints and parameters that complemented the old organization-level code security settings UI experience. These have been replaced by a new API for security configurations. See "[AUTOTITLE](/rest/code-security/configurations)."
+
+ The following things are scheduled for removal in GitHub Enterprise Server 3.16.
+ * **Closing down:** The GET response for security product status in an organization: [Get an organization](/rest/orgs/orgs?apiVersion=2022-11-28#get-an-organization) is deprecated. This attribute will return inaccurate information.
+ * **Closing down:** The PATCH functionality for security products to set a default status for new repos in an organization: [Update an organization](/rest/orgs/orgs?apiVersion=2022-11-28#update-an-organization) is deprecated. The PATCH operation will be ignored.
+ * **Closing down:** The POST endpoint to enable or disable a security feature for all repositories in an organization: [Enable or disable a security feature for an organization](/rest/orgs/orgs?apiVersion=2022-11-28#enable-or-disable-a-security-feature-for-an-organization) is deprecated. Using the POST operation may result in a code security configuration being unintentionally removed from a repository.
+
+ retired:
+ # https://github.com/github/releases/issues/4878
+ - |
+ The Management Console API has been removed. The Manage GHES API reached feature parity with the Management Console API in {% data variables.product.prodname_ghe_server %} version 3.12. For information about the Manage GHES API, see "[AUTOTITLE](/rest/enterprise-admin/manage-ghes)."
+ - |
+ The option to "copy Storage settings from Actions" in the Management Console ("GitHub Packages" > "Packages Storage Settings") has been removed.
diff --git a/src/versions/lib/enterprise-server-releases.js b/src/versions/lib/enterprise-server-releases.js
index 83c72a92c001..3a7e4a2b5233 100644
--- a/src/versions/lib/enterprise-server-releases.js
+++ b/src/versions/lib/enterprise-server-releases.js
@@ -15,7 +15,7 @@ export const nextNext = '3.17'
 export const supported = ['3.15', '3.14', '3.13', '3.12', '3.11', '3.10']
 // Edit this to `null` when it's no longer the release candidate
-export const releaseCandidate = '3.15'
+export const releaseCandidate = null
 // Ensure that:
 // "next" is ahead of "latest" by one minor or major release.
From 1efe1241d74c3b425fde498712889d4666db9244 Mon Sep 17 00:00:00 2001
From: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
Date: Tue, 3 Dec 2024 20:07:43 +0000
Subject: [PATCH 4/4] Customize Actions runners label for code scanning's default setup (#52934)
Co-authored-by: Kevin Heis
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
Co-authored-by: Marco Gario
--- ...ale-sets-with-actions-runner-controller.md | 2 +- ...guring-code-scanning-for-your-appliance.md | 4 +- ...iguring-default-setup-for-code-scanning.md | 39 +++++++++++++++++-- ...guring-larger-runners-for-default-setup.md | 4 +- ...ing-your-configuration-of-default-setup.md | 7 ++++ ...reating-a-custom-security-configuration.md | 3 +- ...canning-default-setup-customize-labels.yml | 5 +++ 7 files changed, 56 insertions(+), 8 deletions(-) create mode 100644 data/features/code-scanning-default-setup-customize-labels.yml
diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
index 2775d46f2d13..a2ff02031c9a 100644
--- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
+++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
@@ -914,7 +914,7 @@ You can also use ARC with {% data variables.product.prodname_codeql %} to identi
 {% data variables.product.prodname_actions_runner_controller %} does not use multiple labels to route jobs to specific runner scale sets. Instead, to designate a runner scale set for {% data variables.product.prodname_dependabot %} updates or {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}, use a descriptive installation name in your Helm chart, such as `dependabot` or `code-scanning`. You can then set the `runs-on` value in your workflows to the installation name as the single label, and use the designated runner scale set for {% data variables.product.prodname_dependabot %} updates or {% data variables.product.prodname_code_scanning %} jobs.
-If you're using default setup for {% data variables.product.prodname_code_scanning %}, the analysis will automatically look for a runner scale set with the installation name `code-scanning`.
+If you're using default setup for {% data variables.product.prodname_code_scanning %}, the analysis will automatically look for a runner scale set with the installation name `code-scanning` {% ifversion code-scanning-default-setup-customize-labels %} but you can specify a custom name in the configuration, so that individual repositories can use different runner scale sets. See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners){% endif %}.
 {% note %}
diff --git a/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance.md b/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance.md
index ba6461a8b149..a48d8d0c4c92 100644
--- a/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance.md
+++ b/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance.md
@@ -67,7 +67,9 @@ You can configure {% data variables.product.prodname_code_scanning %} to run {% {% ifversion code-scanning-runner-label or default-setup-self-hosted-runners-GHEC %} If you are provisioning a self-hosted runner for {% data variables.product.prodname_codeql %} analysis, your runner must use a {% data variables.product.prodname_codeql %}-supported operating system version and CPU architecture. See the [{% data variables.product.prodname_codeql %} system requirements](https://codeql.github.com/docs/codeql-overview/system-requirements/).
-If you are using default setup for {% data variables.product.prodname_code_scanning %}, assign the `code-scanning` label to your self-hosted runner. For more information about using labels with self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners)."{% ifversion code-scanning-default-setup-self-hosted-310 or default-setup-self-hosted-runners-GHEC %} For more information about using default setup for code scanning analysis of compiled languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages)."{% endif %}
+If you are using default setup for {% data variables.product.prodname_code_scanning %}, you can assign self-hosted runners {% ifversion code-scanning-default-setup-customize-labels %}with the default `code-scanning` label, or you can optionally give them custom labels so that individual repositories can use different runners.{% else %}with the `code-scanning` label.{% endif %} See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners)."
+
+{% ifversion code-scanning-default-setup-self-hosted-310 or default-setup-self-hosted-runners-GHEC %} For information about using default setup for code scanning analysis of compiled languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages)."{% endif %}
 {% endif %}
diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
index c1ba167f0ebb..24518b3f44f8 100644
--- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
+++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
@@ -62,9 +62,9 @@ Your repository is eligible for default setup for {% data variables.product.prod
 If your repository includes at least one {% data variables.product.prodname_codeql %}-supported language, you can use default setup even if your repository also includes languages that aren't supported by {% data variables.product.prodname_codeql %}, such as R. Unsupported languages will not be scanned by default setup. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)." {% endif %}
-{% ifversion code-scanning-default-setup-self-hosted-310 or default-setup-self-hosted-runners-GHEC %}
-You can use default setup with self-hosted runners for all {% data variables.product.prodname_codeql %}-supported languages{% ifversion codeql-swift-advanced-setup %} except Swift{% endif %}. {% ifversion codeql-no-build %}Default setup uses the `none` build mode for {% data variables.code-scanning.no_build_support %} and uses the `autobuild` build mode for other compiled languages. You should configure your self-hosted runners to make sure they can run all the necessary commands for C/C++, C#, and Swift analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% else %}Default setup runs the `autobuild` action, so you should configure your self-hosted runners to make sure they can run all the necessary commands for {% data variables.code-scanning.compiled_languages %} analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% endif %}
-{% endif %}
+You can use default setup for all {% data variables.product.prodname_codeql %}-supported languages{% ifversion codeql-swift-advanced-setup %} except Swift{% endif %} for self-hosted runners or {% data variables.product.prodname_dotcom %}-hosted runners. See "[Assigning labels to runners](#assigning-labels-to-runners)", later in this article.
+
+{% ifversion codeql-no-build %}Default setup uses the `none` build mode for {% data variables.code-scanning.no_build_support %} and uses the `autobuild` build mode for other compiled languages. You should configure your self-hosted runners to make sure they can run all the necessary commands for C/C++, C#, and Swift analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% else %}Default setup runs the `autobuild` action, so you should configure your self-hosted runners to make sure they can run all the necessary commands for {% data variables.code-scanning.compiled_languages %} analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.{% endif %}
 ### Customizing default setup
@@ -126,6 +126,11 @@ When you initially configure default setup for {% data variables.product.prodnam
 > [!NOTE]
 > If you configure {% data variables.product.prodname_code_scanning %} to use the **Extended** query suite, you may experience a higher rate of false positive alerts.
+{% ifversion code-scanning-default-setup-customize-labels %}
+
+1. Optionally, to use labeled runners, in the "Runner type" section, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" %} then select **Labeled runner**. Then, next to "Runner label", enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. See "[Assigning labels to runners](#assigning-labels-to-runners)", later in this article.
+
+{%- endif %}
 {%- endif %}
 1. Review the settings for default setup on your repository, then click **Enable {% data variables.product.prodname_codeql %}**. This will trigger a workflow that tests the new, automatically generated configuration.
@@ -135,6 +140,34 @@ When you initially configure default setup for {% data variables.product.prodnam
 1. Optionally, to view your default setup configuration after enablement, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click **{% octicon "gear" aria-hidden="true" %} View {% data variables.product.prodname_codeql %} configuration**.
+## Assigning labels to runners
+
+>[!NOTE]{% data variables.product.prodname_code_scanning_caps %} sees assigned runners when default setup is enabled. If a runner is assigned to a repository that is already running default setup, you must disable and re-enable default setup to start using the runner. If you add a runner and want to start using it, you can change the configuration manually without needing to disable and re-enable default setup.
+
+You can also assign self-hosted runners{% ifversion code-scanning-default-setup-customize-labels %} with the default `code-scanning` label, or you can optionally give them custom labels so that individual repositories can use different runners.{% else %}with the `code-scanning` label.{% endif %} For information about assigning labels to self-hosted runners, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners)."
+
+{% ifversion code-scanning-default-setup-customize-labels %}
+
+Specifying custom labels for self-hosted runners is optional. Unless you have a specific use case, we recommend that you only assign runners with the default `code-scanning` label. For example, you may want to:
+
+* Assign more powerful self-hosted runners to critical repositories for faster {% data variables.product.prodname_code_scanning %} analysis.
+* Run your {% data variables.product.prodname_code_scanning %} analyses on a particular platform (for example, macOS).
+* Have granular control over the workload for your {% data variables.product.prodname_dotcom %}-hosted runners and self-hosted runners.
+
+Once you've assigned custom labels to self-hosted runners, your repositories can use those runners for {% data variables.product.prodname_code_scanning %} default setup. For more information, see "[Configuring default setup for a repository](#configuring-default-setup-for-a-repository)", earlier in this article.
+
+You can also use {% data variables.product.prodname_security_configurations %} to assign labels to self-hosted runners for {% data variables.product.prodname_code_scanning %}. See "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration#creating-a-custom-security-configuration)."
+
+{% endif %}
+
+{% ifversion fpt or ghec %}
+
+### Assigning {% data variables.actions.hosted_runners %}
+
+To assign a {% data variables.actions.hosted_runner %}, name the runner `code-scanning`. This will automatically add the `code-scanning` label to the {% data variables.actions.hosted_runner %}. An organization can only have one {% data variables.actions.hosted_runner %} with the `code-scanning` label, and that runner will handle all {% data variables.product.prodname_code_scanning %} jobs from repositories within your organization with access to the runner's group. See "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup#provisioning-organization-level-larger-runners-for-default-setup)."
+
+{% endif %}
+
 ## Next steps
 After your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/assessing-code-scanning-alerts-for-your-repository)."
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md
index 24e21229890c..3276cf91b9f0 100644
--- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/configuring-larger-runners-for-default-setup.md
@@ -42,7 +42,7 @@ Consider configuring {% data variables.actions.hosted_runners %} for default set
 ## Provisioning organization-level {% data variables.actions.hosted_runners %} for default setup
-1. Add a {% data variables.actions.hosted_runner %} to your organization. For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization)."
- * To add the `code-scanning` label to your {% data variables.actions.hosted_runner %}, name the runner `code-scanning`. An organization can only have one {% data variables.actions.hosted_runner %} with the `code-scanning` label, and that runner will handle all {% data variables.product.prodname_code_scanning %} jobs from repositories within your organization with access to the runner's group.
+1. Add a {% data variables.actions.hosted_runner %} to your organization. See "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization)."
+ * To add a custom label to your {% data variables.actions.hosted_runner %}, give the runner a name that matches that label. You can use this custom label when you configure default setup with {% data variables.actions.hosted_runners %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners)."
 1. By default, all repositories in your organization have access to organization-level runners, meaning every repository can use your {% data variables.actions.hosted_runner %}. For information on granting only select repositories access to a {% data variables.actions.hosted_runner %}, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners)."
 1. You can now configure default setup for your organization and repositories, and your {% data variables.actions.hosted_runner %} will automatically pick up {% data variables.product.prodname_code_scanning %} jobs. For more information on configuring default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md
index a036449c1622..997abc28bef8 100644
--- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md
@@ -38,6 +38,13 @@ If you need to change any other aspects of your {% data variables.product.prodna
 1. In the "{% data variables.product.prodname_codeql %} default configuration" window, click **{% octicon "pencil" aria-hidden="true" %} Edit**.
 1. Optionally, in the "Languages" section, select or deselect languages for analysis.
 1. Optionally, in the "Query suite" row of the "Scan settings" section, select a different query suite to run against your code.{% ifversion codeql-threat-models %}
+
+{% ifversion code-scanning-default-setup-customize-labels %}
+
+1. Optionally, to use labeled runners, in the "Runner type" section of the "{% data variables.product.prodname_codeql %} default configuration" modal dialog, select **Standard {% data variables.product.company_short %} runner** {% octicon "triangle-down" aria-hidden="true" %} to open a dropdown menu, then select **Labeled runner**. Then, next to "Runner label", enter the label of an existing self-hosted or {% data variables.product.company_short %}-hosted runner. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners)."
+
+{% endif %}
+
 1. ({% data variables.release-phases.public_preview_caps %}) Optionally, in the "Threat model" row of the "Scan settings" section, select **Remote and local sources**.
 {% endif %}
 1. To update your configuration, as well as run an initial analysis of your code with the new configuration, click **Save changes**. All future analyses will use your new configuration.
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md
index de4dc867a6f9..89e59d23912f 100644
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md
@@ -55,7 +55,8 @@ When creating a security configuration, keep in mind that:
 > [!NOTE]
 > You cannot manually change the enablement settings for vulnerable function calls. If {% data variables.product.prodname_GH_advanced_security %} features and {% data variables.product.prodname_dependabot_alerts %} are enabled, vulnerable function calls is also enabled. Otherwise, it is disabled.
-1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)."
+1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup.{% ifversion code-scanning-default-setup-customize-labels %}
+ If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can also choose to use custom-labeled runners at this step.{% endif %} See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)."
 1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
 * {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %}
 * Validity check.
To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %}{% ifversion org-npp-enablement-security-configurations %} diff --git a/data/features/code-scanning-default-setup-customize-labels.yml b/data/features/code-scanning-default-setup-customize-labels.yml new file mode 100644 index 000000000000..89bf644ce5b5 --- /dev/null +++ b/data/features/code-scanning-default-setup-customize-labels.yml @@ -0,0 +1,5 @@ +# Reference: #15251 +versions: + fpt: '*' + ghec: '*' + ghes: '>3.15'