Repo sync

.github/workflows/azure-prod-build-deploy.yml

@@ -5,9 +5,6 @@ name: Azure Production - Build and Deploy
 # **Who does it impact**: All contributors.
 
 on:
-  push:
-    branches:
-      - main
   workflow_dispatch:
 
 permissions:

.github/workflows/purge-fastly.yml

@@ -5,6 +5,7 @@ name: Purge Fastly
 # **Who does it impact**: Writers and engineers.
 
 on:
+  deployment_status:
   workflow_dispatch:
     inputs:
       nuke_all:
@@ -16,9 +17,6 @@ on:
         description: "Comma separated languages. E.g. 'en,ja, es' (defaults to all)"
         required: false
         default: ''
-  push:
-    branches:
-      - main
 
 permissions:
   contents: read
@@ -29,11 +27,12 @@ env:
 
 jobs:
   send-purges:
+    # Run when workflow_dispatch is the event (manual) or when deployment_status is the event (automatic) and it's a successful production deploy
     if: >-
       ${{
         github.repository == 'github/docs-internal' &&
-        (github.event_name != 'workflow_run' ||
-        github.event.workflow_run.conclusion == 'success')
+        (github.event_name != 'deployment_status' ||
+         github.event.deployment_status.state == 'success' && github.event.deployment_status.environment == 'production')
       }}
     runs-on: ubuntu-latest
     steps:

config/kubernetes/production/deployments/webapp.yaml

@@ -23,10 +23,10 @@ spec:
           image: docs-internal
           resources:
             requests:
-              cpu: 4000m
-              memory: 5Gi
+              cpu: 8000m
+              memory: 10Gi
             limits:
-              cpu: 4000m
+              cpu: 16000m
               memory: 14Gi
           ports:
             - name: http

content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md

@@ -29,6 +29,16 @@ This guide gives an overview of how to configure GCP to trust {% data variables.
 
 {% data reusables.actions.oidc-on-ghecom %}
 
+{% ifversion ghes %}
+{% data reusables.actions.oidc-endpoints %}
+  <!-- This note is indented to align with the above reusable. -->
+
+  > [!NOTE]
+  > Google Cloud Platform does not have fixed IP ranges defined for these endpoints.
+
+* Make sure that the value of the issuer claim that's included with the JSON Web Token (JWT) is set to a publicly routable URL. For more information, see [AUTOTITLE](/enterprise-server@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).
+{% endif %}
+
 ## Adding a Google Cloud Workload Identity Provider
 
 To configure the OIDC identity provider in GCP, you will need to perform the following configuration. For instructions on making these changes, refer to [the GCP documentation](https://github.com/google-github-actions/auth).

data/reusables/enterprise-accounts/emu-cap-public-preview.md

@@ -1,3 +1,4 @@
 >[!NOTE] CAP protection for web sessions is currently in {% data variables.release-phases.public_preview %} and may change.
 >
 > If IdP CAP support is already enabled for your enterprise, you can opt into extended protection for web sessions from your enterprise's "Authentication security" settings. To enable this feature, your enterprise must have 1,000 or fewer members, active or suspended.
+> When web session protection is enabled and a user's IP conditions are not satisfied, they can view and filter all user-owned resources but cannot view the details of the results for notifications, searches, personal dashboards, or starred repositories.

src/archives/middleware/archived-enterprise-versions.ts

@@ -227,14 +227,17 @@ export default async function archivedEnterpriseVersions(
     // old Azure Blob Storage URL. These need to be rewritten to
     // the new archived enterprise repo URL.
     if (versionSatisfiesRange(requestedVersion, `>=${firstReleaseStoredInBlobStorage}`)) {
+      // `x-host` is a custom header set by Fastly.
+      // GLB automatically deletes the `x-forwarded-host` header.
+      const host = req.get('x-host') || req.get('x-forwarded-host') || req.get('host')
       r.body = r.body
         .replaceAll(
           `${OLD_AZURE_BLOB_ENTERPRISE_DIR}/${requestedVersion}/assets/cb-`,
           `${ENTERPRISE_GH_PAGES_URL_PREFIX}${requestedVersion}/assets/cb-`,
         )
         .replaceAll(
           `${OLD_AZURE_BLOB_ENTERPRISE_DIR}/${requestedVersion}/`,
-          `${req.protocol}://${req.get('x-forwarded-host') || req.get('host')}/enterprise-server@${requestedVersion}/`,
+          `${req.protocol}://${host}/enterprise-server@${requestedVersion}/`,
         )
     }
 

src/audit-logs/lib/config.json

@@ -3,5 +3,5 @@
     "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "apiRequestEvent": "This event is only available via audit log streaming."
   },
-  "sha": "20c2272a952ed0bd5281b59da7c6b538ed330b75"
+  "sha": "a91faaa776298030c2e9dbf2aa57e3698a00bfe8"
 }

src/frame/middleware/index.ts

@@ -31,6 +31,7 @@ import healthz from './healthz'
 import manifestJson from './manifest-json'
 import remoteIP from './remote-ip'
 import buildInfo from './build-info'
+import reqHeaders from './req-headers'
 import archivedEnterpriseVersions from '@/archives/middleware/archived-enterprise-versions'
 import robots from './robots'
 import earlyAccessLinks from '@/early-access/middleware/early-access-links'
@@ -246,6 +247,7 @@ export default function (app: Express) {
   app.use('/api', api)
   app.get('/_ip', remoteIP)
   app.get('/_build', buildInfo)
+  app.get('/_req-headers', reqHeaders)
   app.use(asyncMiddleware(manifestJson))
 
   // Things like `/api` sets their own Fastly surrogate keys.

src/frame/middleware/req-headers.ts

@@ -0,0 +1,10 @@
+import type { Request, Response } from 'express'
+
+import { noCacheControl } from './cache-control.js'
+
+export default function reqHeaders(req: Request, res: Response) {
+  noCacheControl(res)
+  res.json({
+    'request-headers': req.headers,
+  })
+}