diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md
index 87f2129e87f1..6023be70831f 100644
--- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md
+++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md
@@ -85,6 +85,46 @@ ARC can use {% data variables.product.pat_v1_plural %} to register self-hosted r {% data reusables.actions.actions-runner-controller-helm-chart-options %} +## Authenticating ARC with a {% data variables.product.pat_v2 %} + +ARC can use {% data variables.product.pat_v2_plural %} to register self-hosted runners. + +{% ifversion ghec or ghes %} + +> [!NOTE] +> Authenticating ARC with a {% data variables.product.pat_v1 %} is the only supported authentication method to register runners at the enterprise level. + +{% endif %} + +1. Create a {% data variables.product.pat_v2 %} with the required scopes. The required scopes are different depending on whether you are registering runners at the repository or organization level. For more information on how to create a {% data variables.product.pat_v2 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token). + + The following is the list of required {% data variables.product.pat_generic %} scopes for ARC runners. + + * Repository runners: + * **Administration:** Read and write + + * Organization runners: + * **Administration:** Read + * **Self-hosted runners:** Read and write + +1. To create a Kubernetes secret with the value of your {% data variables.product.pat_v2 %}, use the following command. + + {% data reusables.actions.arc-runners-namespace %} + + ```bash copy + kubectl create secret generic pre-defined-secret \ + --namespace=arc-runners \ + --from-literal=github_token='YOUR-PAT' + ``` + +1. In your copy of the [`values.yaml`](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml) file, pass the secret name as a reference. + + ```yaml + githubConfigSecret: pre-defined-secret + ``` + + {% data reusables.actions.actions-runner-controller-helm-chart-options %} + ## Authenticating ARC with vault secrets > [!NOTE] 
diff --git a/content/admin/configuring-settings/hardening-security-for-your-enterprise/enabling-private-mode.md b/content/admin/configuring-settings/hardening-security-for-your-enterprise/enabling-private-mode.md index 1c570701dd30..29be189fb382 100644 --- a/content/admin/configuring-settings/hardening-security-for-your-enterprise/enabling-private-mode.md +++ b/content/admin/configuring-settings/hardening-security-for-your-enterprise/enabling-private-mode.md @@ -31,6 +31,5 @@ With private mode enabled, you can allow unauthenticated Git operations (and any {% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} -{% data reusables.enterprise_management_console.privacy %} 1. Select **Private mode**. {% data reusables.enterprise_management_console.save-settings %} diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md index 73da04d36678..91d180fc36ff 100644 --- a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md +++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md 
@@ -77,6 +77,8 @@ When specifying actions{% ifversion actions-workflow-policy %} and reusable work * To allow all actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} in organizations that start with `space-org`, use `space-org*/*`. * To allow all actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} in repositories that start with octocat, use `*/octocat**@*`. +Policies never restrict access to local actions on the runner filesystem (where the `uses:` path start with `./`). + ## Runners By default, anyone with admin access to a repository can add a self-hosted runner for the repository, and self-hosted runners come with risks: diff --git a/data/reusables/enterprise_management_console/privacy.md b/data/reusables/enterprise_management_console/privacy.md index f7de58c0a47f..47f7df0edf27 100644 --- a/data/reusables/enterprise_management_console/privacy.md +++ b/data/reusables/enterprise_management_console/privacy.md @@ -1 +1 @@ -1. In the "Settings" sidebar, click **Privacy** and uncheck **Privacy mode**. +1. In the "Settings" sidebar, click **Privacy** and uncheck **Private mode**. diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml index 8fbe8df80966..207e27a6b95e 100644 --- a/src/secret-scanning/data/public-docs.yml +++ b/src/secret-scanning/data/public-docs.yml @@ -726,6 +726,7 @@ versions: fpt: '*' ghec: '*' + ghes: '>=3.18' isPublic: true isPrivateWithGhas: true hasPushProtection: true @@ -737,6 +738,7 @@ versions: fpt: '*' ghec: '*' + ghes: '>=3.18' isPublic: true isPrivateWithGhas: true hasPushProtection: true @@ -748,6 +750,7 @@ versions: fpt: '*' ghec: '*' + ghes: '>=3.18' isPublic: false isPrivateWithGhas: true hasPushProtection: false @@ -783,6 +786,7 @@ versions: fpt: '*' ghec: '*' + ghes: '>=3.18' isPublic: true isPrivateWithGhas: true hasPushProtection: false 
@@ -1091,6 +1095,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1222,6 +1227,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -1245,6 +1251,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1256,6 +1263,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1847,6 +1855,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1906,6 +1915,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -1917,6 +1927,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2511,6 +2522,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -2522,6 +2534,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2533,6 +2546,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2544,6 +2558,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2555,6 +2570,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2566,6 +2582,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2577,6 +2594,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2588,6 +2606,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2599,6 +2618,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2931,6 +2951,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -3362,6 +3383,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -3373,6 +3395,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -3384,6 +3407,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -3712,6 +3736,17 @@
 hasPushProtection: true
 hasValidityCheck: false
 isduplicate: false
+- provider: Snowflake
+ supportedSecret: Snowflake Programmatic Access Token
+ secretType: snowflake_programmatic_access_token
+ versions:
+ fpt: '*'
+ ghec: '*'
+ isPublic: false
+ isPrivateWithGhas: true
+ hasPushProtection: false
+ hasValidityCheck: false
+ isduplicate: false
 - provider: Sourcegraph
 supportedSecret: Sourcegraph Access Token
 secretType: sourcegraph_access_token
@@ -4174,6 +4209,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
diff --git a/src/secret-scanning/lib/config.json b/src/secret-scanning/lib/config.json
index 6e2c7ba299ec..3476d87107b3 100644
--- a/src/secret-scanning/lib/config.json
+++ b/src/secret-scanning/lib/config.json
@@ -1,5 +1,5 @@
 {
- "sha": "de330412222eaea5838c723eb6e3e2ebb124d35e",
- "blob-sha": "06bbb1448f72fb3171b30d33d0f59334e3bba539",
+ "sha": "cc6e45651c0156064ffa8604dad1dfb6256a4a85",
+ "blob-sha": "6c6949487ed87adb16e5e6d9706ef7fb35929cdb",
 "targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns"
 }
\ No newline at end of file