diff --git a/content/admin/all-releases.md b/content/admin/all-releases.md index a529773fa0f5..17ecdff8a7db 100644 --- a/content/admin/all-releases.md +++ b/content/admin/all-releases.md @@ -52,6 +52,7 @@ If you run analysis in an external CI system, we recommend using the same versio | {% data variables.product.prodname_ghe_server %} version | Recommended {% data variables.product.prodname_codeql_cli %} version | | ------------------------------------------------- | ---------------------- | +| 3.16 | 2.20.3 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.20.3/)) | | 3.15 | 2.18.4 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.18.4/)) | | 3.14 | 2.17.6 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.17.6/)) | | 3.13 | 2.16.5 ([changelog](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.16.5/)) | diff --git a/content/pull-requests/collaborating-with-pull-requests/working-with-forks/detaching-a-fork.md b/content/pull-requests/collaborating-with-pull-requests/working-with-forks/detaching-a-fork.md index a5a1379b5d36..8fbbda54e3c5 100644 --- a/content/pull-requests/collaborating-with-pull-requests/working-with-forks/detaching-a-fork.md +++ b/content/pull-requests/collaborating-with-pull-requests/working-with-forks/detaching-a-fork.md @@ -10,6 +10,8 @@ topics: permissions: People with admin access for a forked repository can delete the forked repository. --- +{% ifversion ghes > 3.16 %} + ## Converting a fork into a standalone repository To turn your fork into a standalone repository, you can leave the fork network ensuring the new repository will no longer automatically sync with changes from the original repository. This is useful when you want to take the work you are doing in a different direction or maintain distinct versions. 
@@ -42,6 +44,8 @@ You can only detach forks with the leave network option when: While the fork is being detached, some operations will be briefly unavailable until the fork has been transitioned to a standalone repository. +{% endif %} + ## Manually Leaving the fork network To turn your fork into a standalone repository, you can clone the fork, use the clone to create a new repository, and then delete the fork removing the connection to the original network. diff --git a/data/reusables/code-scanning/beta-actions-analysis.md b/data/reusables/code-scanning/beta-actions-analysis.md deleted file mode 100644 index 5e687ab053ee..000000000000 --- a/data/reusables/code-scanning/beta-actions-analysis.md +++ /dev/null @@ -1,6 +0,0 @@ -{% ifversion code-scanning-actions-language %} - -> [!NOTE] -> The ability to use {% data variables.product.prodname_code_scanning %} to find vulnerabilities in {% data variables.product.prodname_actions %} workflows is currently in {% data variables.release-phases.public_preview %} and subject to change. - -{% endif %} diff --git a/data/reusables/code-scanning/codeql-query-tables/actions.md b/data/reusables/code-scanning/codeql-query-tables/actions.md deleted file mode 100644 index a5ea9eb6d2e6..000000000000 --- a/data/reusables/code-scanning/codeql-query-tables/actions.md +++ /dev/null 
@@ -1,29 +0,0 @@ -{% rowheaders %} - -| Query name | Related CWEs | Default | Extended | {% data variables.product.prodname_copilot_autofix_short %} | -| --- | --- | --- | --- | --- | -| [Artifact poisoning](https://codeql.github.com/codeql-query-help/actions/actions-artifact-poisoning-critical/) | 829 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Cache Poisoning via caching of untrusted files](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-direct-cache/) | 349 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Cache Poisoning via execution of untrusted code](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-poisonable-step/) | 349 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Cache Poisoning via low-privileged code injection](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-code-injection/) | 349, 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Checkout of untrusted code in a privileged context](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-critical/) | 829 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [Checkout of untrusted code in trusted context](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-high/) | 829 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [Code 
injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/) | 094, 095, 116 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Environment variable built from user-controlled sources](https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/) | 077, 020 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/) | 312 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Improper Access Control](https://codeql.github.com/codeql-query-help/actions/actions-improper-access-control/) | 285 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [PATH environment variable built from user-controlled sources](https://codeql.github.com/codeql-query-help/actions/actions-envpath-injection-critical/) | 077, 020 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Storage of sensitive information in GitHub Actions artifact](https://codeql.github.com/codeql-query-help/actions/actions-secrets-in-artifacts/) | 312 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Unmasked Secret Exposure](https://codeql.github.com/codeql-query-help/actions/actions-unmasked-secret-exposure/) | 312 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Untrusted Checkout 
TOCTOU](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-toctou-high/) | 367 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Untrusted Checkout TOCTOU](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-toctou-critical/) | 367 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Use of a known vulnerable action](https://codeql.github.com/codeql-query-help/actions/actions-vulnerable-action/) | 1395 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/) | 275 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [Artifact poisoning](https://codeql.github.com/codeql-query-help/actions/actions-artifact-poisoning-medium/) | 829 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [Checkout of untrusted code in trusted context](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-medium/) | 829 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [Code injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/) | 094, 095, 116 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [Environment variable built from user-controlled 
sources](https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-medium/) | 077, 020 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [PATH environment variable built from user-controlled sources](https://codeql.github.com/codeql-query-help/actions/actions-envpath-injection-medium/) | 077, 020 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | -| [Unpinned tag for a non-immutable Action in workflow](https://codeql.github.com/codeql-query-help/actions/actions-unpinned-tag/) | 829 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | - -{% endrowheaders %} diff --git a/src/audit-logs/data/fpt/organization.json b/src/audit-logs/data/fpt/organization.json index 68e28a40bede..1bff0a04481f 100644 --- a/src/audit-logs/data/fpt/organization.json +++ b/src/audit-logs/data/fpt/organization.json 
@@ -1949,11 +1949,41 @@ "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.access_restriction_disabled", + "description": "The configured restriction for access to resources via personal access tokens was disabled.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.access_restriction_enabled", + "description": "The configured restriction for access to resources via personal access tokens was enabled.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.auto_approve_grant_requests_disabled", + "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.auto_approve_grant_requests_enabled", + "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_set", + "description": "A personal access token expiration limit was set.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_unset", + "description": "A personal access token expiration limit was unset.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a 
fine-grained personal access token to access organization resources was canceled.",
diff --git a/src/audit-logs/data/ghec/enterprise.json b/src/audit-logs/data/ghec/enterprise.json
index 1323f178dbc3..795693e8481c 100644
--- a/src/audit-logs/data/ghec/enterprise.json
+++ b/src/audit-logs/data/ghec/enterprise.json
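Review bot: The descriptions added for `personal_access_token.auto_approve_grant_requests_disabled` and `personal_access_token.auto_approve_grant_requests_enabled` read as swapped relative to the action names: the `_disabled` entry says tokens "can access organization resources without prior approval", while the `_enabled` entry says the organization "must approve" them first. If the action names are authoritative, anyone building an audit-log alert for a loosened token-approval policy from this table would key on the wrong event. I would exchange the two strings, so that `_enabled` carries `"Triggered when fine-grained personal access tokens can access organization resources without prior approval."` and `_disabled` carries the "must approve" text, or confirm the intended meaning with the owning team. The same pair appears in the ghec/enterprise.json, ghec/organization.json, ghes-3.16/organization.json and ghes-3.17/organization.json hunks. The surrounding array starts and ends outside the hunk, and if these files are produced by a sync (the `sha` bump in config.json suggests so) the correction belongs in the upstream source rather than here.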
@@ -2709,11 +2709,51 @@ "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.access_restriction_disabled", + "description": "The configured restriction for access to resources via personal access tokens was disabled.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.access_restriction_enabled", + "description": "The configured restriction for access to resources via personal access tokens was enabled.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.access_restriction_reset", + "description": "The configured restriction for access to resources via personal access tokens was reset and delegated to organizations.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. 
The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.auto_approve_grant_requests_disabled", + "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.auto_approve_grant_requests_enabled", + "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.auto_approve_grant_requests_reset", + "description": "Triggered when the enterprise delegates to the organizations when to require approval for fine-grained personal access tokens before the tokens can access organization resources.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_set", + "description": "A personal access token expiration limit was set.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_unset", + "description": "A personal access token expiration limit was unset.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", diff --git a/src/audit-logs/data/ghec/organization.json b/src/audit-logs/data/ghec/organization.json index 68e28a40bede..1bff0a04481f 100644 --- a/src/audit-logs/data/ghec/organization.json +++ b/src/audit-logs/data/ghec/organization.json 
@@ -1949,11 +1949,41 @@ "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.access_restriction_disabled", + "description": "The configured restriction for access to resources via personal access tokens was disabled.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.access_restriction_enabled", + "description": "The configured restriction for access to resources via personal access tokens was enabled.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.auto_approve_grant_requests_disabled", + "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.auto_approve_grant_requests_enabled", + "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_set", + "description": "A personal access token expiration limit was set.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_unset", + "description": "A personal access token expiration limit was unset.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a 
fine-grained personal access token to access organization resources was canceled.", diff --git a/src/audit-logs/data/ghes-3.16/enterprise.json b/src/audit-logs/data/ghes-3.16/enterprise.json index cf6efb0cb729..aeb4ac7bed10 100644 --- a/src/audit-logs/data/ghes-3.16/enterprise.json +++ b/src/audit-logs/data/ghes-3.16/enterprise.json @@ -2024,6 +2024,16 @@ "description": "Triggered when you delete a fine-grained personal access token.", "docs_reference_links": "N/A" }, + { + "action": "personal_access_token.expiration_limit_set", + "description": "A personal access token expiration limit was set.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_unset", + "description": "A personal access token expiration limit was unset.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", diff --git a/src/audit-logs/data/ghes-3.16/organization.json b/src/audit-logs/data/ghes-3.16/organization.json index 2566d4615367..d7736e5c3a91 100644 --- a/src/audit-logs/data/ghes-3.16/organization.json +++ b/src/audit-logs/data/ghes-3.16/organization.json 
@@ -1884,11 +1884,41 @@ "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.access_restriction_disabled", + "description": "The configured restriction for access to resources via personal access tokens was disabled.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.access_restriction_enabled", + "description": "The configured restriction for access to resources via personal access tokens was enabled.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.auto_approve_grant_requests_disabled", + "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.auto_approve_grant_requests_enabled", + "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_set", + "description": "A personal access token expiration limit was set.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_unset", + "description": "A personal access token expiration limit was unset.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a 
fine-grained personal access token to access organization resources was canceled.", diff --git a/src/audit-logs/data/ghes-3.17/enterprise.json b/src/audit-logs/data/ghes-3.17/enterprise.json index a370c871da7b..a3674cfedcdc 100644 --- a/src/audit-logs/data/ghes-3.17/enterprise.json +++ b/src/audit-logs/data/ghes-3.17/enterprise.json @@ -2059,6 +2059,16 @@ "description": "Triggered when you delete a fine-grained personal access token.", "docs_reference_links": "N/A" }, + { + "action": "personal_access_token.expiration_limit_set", + "description": "A personal access token expiration limit was set.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_unset", + "description": "A personal access token expiration limit was unset.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", diff --git a/src/audit-logs/data/ghes-3.17/organization.json b/src/audit-logs/data/ghes-3.17/organization.json index f38e202d3bab..3c7044bc8843 100644 --- a/src/audit-logs/data/ghes-3.17/organization.json +++ b/src/audit-logs/data/ghes-3.17/organization.json 
@@ -1919,11 +1919,41 @@ "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.access_restriction_disabled", + "description": "The configured restriction for access to resources via personal access tokens was disabled.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.access_restriction_enabled", + "description": "The configured restriction for access to resources via personal access tokens was enabled.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, + { + "action": "personal_access_token.auto_approve_grant_requests_disabled", + "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.auto_approve_grant_requests_enabled", + "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_set", + "description": "A personal access token expiration limit was set.", + "docs_reference_links": "N/A" + }, + { + "action": "personal_access_token.expiration_limit_unset", + "description": "A personal access token expiration limit was unset.", + "docs_reference_links": "N/A" + }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a 
fine-grained personal access token to access organization resources was canceled.", diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json index bfb65863b400..97798a3a394c 100644 --- a/src/audit-logs/lib/config.json +++ b/src/audit-logs/lib/config.json @@ -3,5 +3,5 @@ "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "apiRequestEvent": "This event is only available via audit log streaming." }, - "sha": "ae4d8faa66c3986541a6db3a45bcf66e839fd773" + "sha": "4c383d40f155ce577a0b3698089811aa95dbebe4" } \ No newline at end of file