Merge branch 'main' into resolve-typo-commit-signature-verification

Author: janiceilene

.github/workflows/azure-preview-env-deploy.yml

@@ -198,7 +198,16 @@ jobs:
       # Deploy ARM template is idempotent
       # Note: once the resources exist the image tag must change for a new deployment to occur (the image tag includes workflow run number, run attempt, as well as sha)
       - name: Run ARM deploy
-        id: deploy
+        # This 'if' will be truth, if this workflow is...
+        #  - run as a workflow_dispatch
+        #  - run because of a push to main (or gh-readonly-queue/main)
+        #  - run as a regular pull request
+        # But if it's a pull request, *and* for whatever reason, the pull
+        # request has "Auto-merge" enabled, don't bother.
+        # The idea is that if auto-merge has been abled, by humans or by
+        # bots, they have no intention of viewing the deployed preview anyway.
+        # This saves time because the PR can merge sooner.
+        if: ${{ !github.event.pull_request.auto_merge }}
         uses: azure/arm-deploy@841b12551939c88af8f6df767c24c38a5620fd0d
         with:
           resourceGroupName: ${{ secrets.PREVIEW_ENV_RESOURCE_GROUP }}

assets/images/help/images/actions-oidc-gateway.png

@@ -1,4 +1,5 @@
 import { GitPullRequestIcon } from '@primer/octicons-react'
+
 import { useMainContext } from 'components/context/MainContext'
 import { useTranslation } from 'components/hooks/useTranslation'
 
@@ -11,7 +12,7 @@ export const Contribution = () => {
     : 'https://github.com/github/docs'
 
   return (
-    <div className="f5 contribution">
+    <div className="hide-sm hide-md f5 contribution">
       <h2 className="f4 mb-3">{t`title`}</h2>
       <p className="max-w-xs color-fg-muted mb-3">{t`body`}</p>
       <a className="btn color-border-accent-emphasis" href={contributionHref}>

components/page-footer/Contribution.tsx

@@ -0,0 +1,104 @@
+---
+title: Connecting to a private network
+intro: 'You can connect {% data variables.product.prodname_dotcom %}-hosted runners to resources on a private network, including package registries, secret managers, and other on-premises services.'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+type: how_to
+topics:
+  - Actions
+  - Developer
+---
+
+{% data reusables.actions.enterprise-beta %}
+{% data reusables.actions.enterprise-github-hosted-runners %}
+
+## About {% data variables.product.prodname_dotcom %}-hosted runners networking
+
+By default, {% data variables.product.prodname_dotcom %}-hosted runners have access to the public internet. However, you may also want these runners to access resources on your private network, such as a package registry, a secret manager, or other on-premise services. 
+
+{% data variables.product.prodname_dotcom %}-hosted runners are shared across all {% data variables.product.prodname_dotcom %} customers, so you will need a way of connecting your private network to just your runners while they are running your workflows. There are a few different approaches you could take to configure this access, each with different advantages and disadvantages.
+
+{% ifversion fpt or ghec or ghes > 3.4 %}
+### Using an API Gateway with OIDC
+
+With {% data variables.product.prodname_actions %}, you can use OpenID Connect (OIDC) tokens to authenticate your workflow outside of {% data variables.product.prodname_actions %}. For example, you could run an API Gateway on the edge of your private network that authenticates incoming requests with the OIDC token and then makes API requests on behalf of your workflow in your private network.
+
+The following diagram gives an overview of this solution's architecture:
+
+![Diagram of an OIDC gateway](/assets/images/help/images/actions-oidc-gateway.png)
+
+It's important that you authenticate not just that the OIDC token came from {% data variables.product.prodname_actions %}, but that it came specifically from your expected workflows, so that other {% data variables.product.prodname_actions %} users aren't able to access services in your private network. You can use OIDC claims to create these conditions. For more information, see "[Defining trust conditions on cloud roles using OIDC claims](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-trust-conditions-on-cloud-roles-using-oidc-claims)."
+
+The main disadvantage of this approach is you have to implement the API gateway to make requests on your behalf, as well as run it on the edge of your network.
+
+But there are various advantages too:
+- You don't need to configure any firewalls, or modify the routing of your private network. 
+- The API gateway is stateless, and so it scales horizontally to handle high availability and high throughput.
+
+For more information, see [a reference implementation of an API Gateway](https://github.com/github/actions-oidc-gateway-example) (note that this requires customization for your use case and is not ready-to-run as-is), and "[About security hardening with OpenID Connect](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)".
+{% endif %}
+
+### Using WireGuard to create a network overlay
+
+If you don't want to maintain separate infrastructure for an API Gateway, you can create an overlay network between your runner and a service in your private network, by running WireGuard in both places.
+
+There are various disadvantages to this approach: 
+
+- To reach WireGuard running on your private service, you will need a well-known IP address and port that your workflow can reference: this can either be a public IP address and port, a port mapping on a network gateway, or a service that dynamically updates DNS. 
+- WireGuard doesn't handle NAT traversal out of the box, so you'll need to identify a way to provide this service.
+- This connection is one-to-one, so if you need high availability or high throughput you'll need to build that on top of WireGuard. 
+- You'll need to generate and securely store keys for both the runner and your private service. WireGuard uses UDP, so your network must support UDP traffic.
+
+There are some advantages too, as you can run WireGuard on an existing server so you don't have to maintain separate infrastructure, and it's well supported on {% data variables.product.prodname_dotcom %}-hosted runners.
+
+### Example: Configuring WireGuard
+
+This example workflow configures WireGuard to connect to a private service.
+
+For this example, the WireGuard instance running in the private network has this configuration:
+- Overlay network IP address of `192.168.1.1`
+- Public IP address and port of `1.2.3.4:56789`
+- Public key `examplepubkey1234...`
+
+The WireGuard instance in the {% data variables.product.prodname_actions %} runner has this configuration:
+- Overlay network IP address of `192.168.1.2`
+- Private key stores as an {% data variables.product.prodname_actions %} secret under `WIREGUARD_PRIVATE_KEY`
+
+```yaml
+name: WireGuard example
+
+on:
+  workflow_dispatch:
+
+jobs:
+  wireguard_example:
+    runs-on: ubuntu-latest
+    steps:
+      - run: sudo apt install wireguard
+
+      - run: echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey
+
+      - run: sudo ip link add dev wg0 type wireguard
+
+      - run: sudo ip address add dev wg0 192.168.1.2 peer 192.168.1.1
+
+      - run: sudo wg set wg0 listen-port 48123 private-key privatekey peer examplepubkey1234... allowed-ips 0.0.0.0/0 endpoint 1.2.3.4:56789
+
+      - run: sudo ip link set up dev wg0
+
+      - run: curl -vvv http://192.168.1.1
+```
+
+For more information, see [WireGuard's Quick Start](https://www.wireguard.com/quickstart/), as well as "[Encrypted Secrets](/actions/security-guides/encrypted-secrets)" for how to securely store keys.
+
+### Using Tailscale to create a network overlay
+
+Tailscale is a commercial product built on top of WireGuard. This option is very similar to WireGuard, except Tailscale is more of a complete product experience instead of an open source component.
+
+It's disadvantages are similar to WireGuard: The connection is one-to-one, so you might need to do additional work for high availability or high throughput. You still need to generate and securely store keys. The protocol is still UDP, so your network must support UDP traffic.
+
+However, there are some advantages over WireGuard: NAT traversal is built-in, so you don't need to expose a port to the public internet. It is by far the quickest of these options to get up and running, since Tailscale provides an {% data variables.product.prodname_actions %} workflow with a single step to connect to the overlay network.
+
+For more information, see the [Tailscale GitHub Action](https://github.com/tailscale/github-action), as well as "[Encrypted Secrets](/actions/security-guides/encrypted-secrets)" for how to securely store keys.

content/actions/using-github-hosted-runners/connecting-to-a-private-network.md

@@ -9,6 +9,7 @@ children:
   - /about-github-hosted-runners
   - /monitoring-your-current-jobs
   - /customizing-github-hosted-runners
+  - /connecting-to-a-private-network
 shortTitle: Use GitHub-hosted runners
 ---
 

content/actions/using-github-hosted-runners/index.md

@@ -17,7 +17,9 @@ topics:
   - Licensing
 shortTitle: Automatic user license sync
 ---
-## About license synchronization
+## About automatic license synchronization
+
+{% data reusables.enterprise-licensing.unique-user-licensing-model %}
 
 {% data reusables.enterprise-licensing.about-license-sync %} For more information, see "[About {% data variables.product.prodname_github_connect %}](/admin/configuration/configuring-github-connect/about-github-connect#data-transmission-for-github-connect)."
 

content/admin/configuration/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md

@@ -30,7 +30,7 @@ You can confirm that the websites and email addresses listed on the profiles of
 
 After you verify ownership of your enterprise account's domains, a "Verified" badge will display on the profile of each organization that has the domain listed on its profile. {% data reusables.organizations.verified-domains-details %}
 
-Organization owners will be able to verify the identity of organization members by viewing each member's email address within the verified domain.
+For domains configured at the enterprise level, enterprise owners can verify the identity of organization members by viewing each member's email address within the verified domain. Enterprise owners can also view a list of enterprise members who don't have an email address from a verified domain associated with their user account on {% data variables.product.prodname_dotcom %}. For more information, see "[Viewing members without an email address from a verified domain](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-members-without-an-email-address-from-a-verified-domain)."
 
 After you verify domains for your enterprise account, you can restrict email notifications to verified domains for all the organizations owned by your enterprise account. For more information, see "[Restricting email notifications for your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise)."
 

content/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise.md

@@ -108,6 +108,17 @@ If your enterprise uses {% data variables.product.prodname_emus %}, you can also
 
 You can view a list of all dormant users {% ifversion ghes or ghae %} who have not been suspended and {% endif %}who are not site administrators. {% data reusables.enterprise-accounts.dormant-user-activity-threshold %} For more information, see "[Managing dormant users](/admin/user-management/managing-users-in-your-enterprise/managing-dormant-users)."
 
+{% ifversion ghec or ghes > 3.1 %}
+## Viewing members without an email address from a verified domain
+
+You can view a list of members in your enterprise who don't have an email address from a verified domain associated with their user account on {% data variables.product.prodname_dotcom_the_website %}.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.verified-domains-tab %}
+1. Under "Notification preferences", click the {% octicon "eye" aria-label="The github eye icon" %} **View enterprise members without an approved or verified domain email** link.
+{% endif %}
+
 ## Further reading
 
 - "[Roles in an enterprise](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)"

content/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md

@@ -43,11 +43,11 @@ topics:
 children:
   - /managing-your-github-billing-settings
   - /managing-billing-for-your-github-account
+  - /managing-your-license-for-github-enterprise
+  - /managing-licenses-for-visual-studio-subscriptions-with-github-enterprise
   - /managing-billing-for-github-actions
   - /managing-billing-for-github-codespaces
   - /managing-billing-for-github-packages
-  - /managing-your-license-for-github-enterprise
-  - /managing-licenses-for-visual-studio-subscriptions-with-github-enterprise
   - /managing-billing-for-github-advanced-security
   - /managing-billing-for-github-sponsors
   - /managing-billing-for-github-marketplace-apps

content/billing/index.md

@@ -45,7 +45,7 @@ You can see your current usage in your [Azure account portal](https://portal.azu
 
 {% ifversion ghec %}
 
-{% data variables.product.company_short %} bills monthly for the total number of members in your enterprise account, as well as any additional services you use with {% data variables.product.prodname_ghe_cloud %}.
+{% data variables.product.company_short %} bills monthly for the total number of licensed seats for your organization or enterprise account, as well as any additional services you use with {% data variables.product.prodname_ghe_cloud %}, such as {% data variables.product.prodname_actions %} minutes. For more information about the licensed seats portion of your bill, see "[About per-user pricing](/billing/managing-billing-for-your-github-account/about-per-user-pricing)."
 
 {% elsif ghes %}
 
@@ -64,40 +64,14 @@ Each user on {% data variables.product.product_location %} consumes a seat on yo
 Administrators for your enterprise account on {% data variables.product.prodname_dotcom_the_website %} can access and manage billing for the enterprise. For more information, see "[Roles in an enterprise]({% ifversion ghes %}/enterprise-cloud@latest{% endif %}/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise){% ifversion ghec %}."{% elsif ghes %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}
 
 {% ifversion ghec %}
-
 {% data reusables.enterprise-accounts.billing-microsoft-ea-overview %} For more information, see "[Connecting an Azure subscription to your enterprise](/billing/managing-billing-for-your-github-account/connecting-an-azure-subscription-to-your-enterprise)."
-
 {% endif %}
 
 {% ifversion ghes %}
-
 {% data reusables.billing.ghes-with-no-enterprise-account %}
-
 {% endif %}
 
-{% ifversion ghec %}
-
-## Per-user pricing
-
-{% data variables.product.company_short %} bills for services consumed on {% data variables.product.prodname_dotcom_the_website %}, each user for deployments of {% data variables.product.prodname_ghe_server %}, and each member of organizations on {% data variables.product.prodname_ghe_cloud %}. For more information about per-user pricing, see "[About per-user pricing](/billing/managing-billing-for-your-github-account/about-per-user-pricing)."
-
-{% data reusables.billing.per-user-pricing-reference %}
-
-For more information about roles, see "[Roles in an enterprise](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)" or "[Roles in an organization](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization)."
-
-For more information about outside collaborators, see "[Adding outside collaborators to repositories in your organization](/organizations/managing-access-to-your-organizations-repositories/adding-outside-collaborators-to-repositories-in-your-organization)."
-
-{% endif %}
-
-## About synchronization of license usage
-
-{% data reusables.enterprise.about-deployment-methods %}
-
-{% data reusables.enterprise-licensing.about-license-sync %} For more information, see {% ifversion ghec %}"[Syncing license usage between {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_cloud %}](/enterprise-server/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud)" in the {% data variables.product.prodname_ghe_server %} documentation.{% elsif ghes %}"[Syncing license usage between {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_cloud %}](/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud)."{% endif %}
-
 {% endif %}
-
 ## Further reading
 
-- "[About enterprise accounts](/admin/overview/about-enterprise-accounts)"{% ifversion ghec or ghes %}
-- "[About licenses for GitHub Enterprise](/billing/managing-your-license-for-github-enterprise/about-licenses-for-github-enterprise)"{% endif %}
+- "[About enterprise accounts](/admin/overview/about-enterprise-accounts)"