github
diff --git a/‎.github/branch_protection_settings/main.json
Lines changed: 17 additions & 2 deletions b/‎.github/branch_protection_settings/main.json
Lines changed: 17 additions & 2 deletions
diff --git a/‎.github/workflows/azure-prod-build-deploy.yml
Lines changed: 0 additions & 3 deletions b/‎.github/workflows/azure-prod-build-deploy.yml
Lines changed: 0 additions & 3 deletions
diff --git a/‎.github/workflows/codeowners-legal.yml
Lines changed: 7 additions & 11 deletions b/‎.github/workflows/codeowners-legal.yml
Lines changed: 7 additions & 11 deletions
diff --git a/‎.github/workflows/purge-fastly.yml
Lines changed: 4 additions & 5 deletions b/‎.github/workflows/purge-fastly.yml
Lines changed: 4 additions & 5 deletions
diff --git a/‎config/kubernetes/production/deployments/webapp.yaml
Lines changed: 3 additions & 3 deletions b/‎config/kubernetes/production/deployments/webapp.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎config/moda/deployment.yaml
Lines changed: 28 additions & 5 deletions b/‎config/moda/deployment.yaml
Lines changed: 28 additions & 5 deletions
diff --git a/‎content/actions/administering-github-actions/usage-limits-billing-and-administration.md
Lines changed: 1 addition & 1 deletion b/‎content/actions/administering-github-actions/usage-limits-billing-and-administration.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/actions/hosting-your-own-runners/managing-self-hosted-runners/running-scripts-before-or-after-a-job.md
Lines changed: 2 additions & 1 deletion b/‎content/actions/hosting-your-own-runners/managing-self-hosted-runners/running-scripts-before-or-after-a-job.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md
Lines changed: 4 additions & 4 deletions b/‎content/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md
Lines changed: 10 additions & 0 deletions b/‎content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md
Lines changed: 10 additions & 0 deletions
diff --git a/‎content/actions/writing-workflows/quickstart.md
Lines changed: 1 addition & 0 deletions b/‎content/actions/writing-workflows/quickstart.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/admin/data-residency/about-github-enterprise-cloud-with-data-residency.md
Lines changed: 2 additions & 2 deletions b/‎content/admin/data-residency/about-github-enterprise-cloud-with-data-residency.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎content/admin/data-residency/about-storage-of-your-data-with-data-residency.md
Lines changed: 1 addition & 1 deletion b/‎content/admin/data-residency/about-storage-of-your-data-with-data-residency.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md
Lines changed: 1 addition & 1 deletion b/‎content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/admin/overview/setting-up-a-trial-of-github-enterprise-cloud.md
Lines changed: 2 additions & 2 deletions b/‎content/admin/overview/setting-up-a-trial-of-github-enterprise-cloud.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md
Lines changed: 1 addition & 1 deletion b/‎content/authentication/keeping-your-account-and-data-secure/about-authentication-to-github.md
Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,10 @@
       "workflows",
       "lint-code",
       "secret-scanning",
-      "pagelist"
+      "pagelist",
+      "docs-internal-docker-image / docs-internal-docker-image",
+      "docs-internal-docker-security / docs-internal-docker-security",
+      "docs-internal-moda-config-bundle / docs-internal-moda-config-bundle"
     ],
     "contexts_url": "https://api.github.com/repos/github/docs-internal/branches/main/protection/required_status_checks/contexts",
     "checks": [
@@ -85,7 +88,19 @@
       { "context": "workflows", "app_id": 15368 },
       { "context": "lint-code", "app_id": 15368 },
       { "context": "secret-scanning", "app_id": 15368 },
-      { "context": "pagelist", "app_id": 15368 }
+      { "context": "pagelist", "app_id": 15368 },
+      {
+        "context": "docs-internal-docker-image / docs-internal-docker-image",
+        "app_id": 15368
+      },
+      {
+        "context": "docs-internal-docker-security / docs-internal-docker-security",
+        "app_id": 15368
+      },
+      {
+        "context": "docs-internal-moda-config-bundle / docs-internal-moda-config-bundle",
+        "app_id": 15368
+      }
     ]
   },
   "restrictions": {
 
@@ -5,9 +5,6 @@ name: Azure Production - Build and Deploy
 # **Who does it impact**: All contributors.
 
 on:
-  push:
-    branches:
-      - main
   workflow_dispatch:
 
 permissions:
 
@@ -20,6 +20,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  repository-projects: read
 
 jobs:
   codeowners-legal:
@@ -33,7 +34,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Picking this number is a "best guess". If we make it too large,
-          # the checkout will take potentially unnecessariily long.
+          # the checkout will take potentially unnecessarily long.
           # This reduces the chance that tj-actions/changed-files has to
           # fetch deeper history. But if it needs to, it will.
           fetch-depth: 10
@@ -58,19 +59,14 @@ jobs:
           CHANGED_FILE_PATHS: ${{ steps.changed-files.outputs.all_changed_files }}
           CONTENT_TYPE: 'rai'
 
-      - name: Add Legal team as a reviewer
+      - name: Check for reviewers-legal label, add if missing and request review
         if: steps.checkContentType.outputs.containsContentType == 'true'
         env:
-          # The GH CLI uses a slightly different env name for
-          # the token than the GITHUB_TOKEN used by actions
-          GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR: ${{ github.event.pull_request.html_url }}
         run: |
-          has_reviewer=$(
-            gh pr view $PR --json reviews |
-            jq 'any(.reviews[]; select(length > 0))'
-          )
-          if ! $has_reviewer
-          then
+          labels=$(gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name')
+          if ! echo "$labels" | grep -q 'reviewers-legal'; then
             gh pr edit $PR --add-reviewer github/legal-product
+            gh pr edit $PR --add-label reviewers-legal
           fi
@@ -5,6 +5,7 @@ name: Purge Fastly
 # **Who does it impact**: Writers and engineers.
 
 on:
+  deployment_status:
   workflow_dispatch:
     inputs:
       nuke_all:
@@ -16,9 +17,6 @@ on:
         description: "Comma separated languages. E.g. 'en,ja, es' (defaults to all)"
         required: false
         default: ''
-  push:
-    branches:
-      - main
 
 permissions:
   contents: read
@@ -29,11 +27,12 @@ env:
 
 jobs:
   send-purges:
+    # Run when workflow_dispatch is the event (manual) or when deployment_status is the event (automatic) and it's a successful production deploy
     if: >-
       ${{
         github.repository == 'github/docs-internal' &&
-        (github.event_name != 'workflow_run' ||
-        github.event.workflow_run.conclusion == 'success')
+        (github.event_name != 'deployment_status' ||
+         github.event.deployment_status.state == 'success' && github.event.deployment_status.environment == 'production')
       }}
     runs-on: ubuntu-latest
     steps:
 
@@ -23,10 +23,10 @@ spec:
           image: docs-internal
           resources:
             requests:
-              cpu: 4000m
-              memory: 5Gi
+              cpu: 8000m
+              memory: 10Gi
             limits:
-              cpu: 4000m
+              cpu: 16000m
               memory: 14Gi
           ports:
             - name: http
 
@@ -1,13 +1,36 @@
-required_builds:
-  - docs-internal-moda-config-bundle / docs-internal-moda-config-bundle
-  - docs-internal-docker-image / docs-internal-docker-image
-  - docs-internal-docker-security / docs-internal-docker-security
+# Deploy configuration reference: https://thehub.github.com/epd/engineering/products-and-services/internal/moda/reference/deployment-yaml/
+
 environments:
   - name: production
-    auto_deploy: true
+    require_pipeline: true
     cluster_selector:
       profile: general
       region: iad
+
+required_builds:
+  - docs-internal-moda-config-bundle / docs-internal-moda-config-bundle
+  - docs-internal-docker-image / docs-internal-docker-image
+  - docs-internal-docker-security / docs-internal-docker-security
+
+# Make the pipeline start automatically when a PR is enqueued
+auto_start_pipeline: production_rollout
+
+pipelines:
+  production_rollout:
+    thread_notifications: true
+    notify_users_via_dm: false
+    timeout: 1200
+    stages:
+      - name: full_production
+        kind: deployment
+        start_message: We are now going to deploy {{app}}/{{ref}}! Please pause or cancel the pipeline after the deploy if you want more time before auto-merging your pull request(s).
+        config:
+          environment: production
+          timeout: 1200
+        # gates:
+        #   - kind: timer
+        #     duration: 1200
+
 notifications:
   slack_channels:
     - '#docs-ops'
@@ -45,7 +45,7 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe
 * **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete.
 {% data reusables.actions.usage-workflow-run-time %}
 {% data reusables.actions.usage-api-requests %}
-* **Webhook rate limit** - Each repository is limited to 1500 triggered events every 10 seconds.
+* **Webhook rate limit** - Each repository is limited to 1500 events triggering a workflow run every 10 seconds. When the limit is reached, the workflow runs that were supposed to be triggered by the webhook events will be blocked and will not be queued.
 * **Concurrent jobs** - The number of concurrent jobs you can run in your account depends on your {% data variables.product.prodname_dotcom %} plan, as well as the type of runner used. If exceeded, any additional jobs are queued.
 
   **Standard {% data variables.product.prodname_dotcom %}-hosted runners**
 
@@ -49,7 +49,8 @@ The scripts are automatically executed when the runner has the following environ
 * `ACTIONS_RUNNER_HOOK_JOB_STARTED`: The script defined in this environment variable is triggered when a job has been assigned to a runner, but before the job starts running.
 * `ACTIONS_RUNNER_HOOK_JOB_COMPLETED`: The script defined in this environment variable is triggered at the end of the job, after all the steps defined in the workflow have run.
 
-To set these environment variables, you can either add them to the operating system, or add them to a file named `.env` within the self-hosted runner application directory (that is, the directory into which you downloaded and unpacked the runner software). For example, the following `.env` entry will have the runner automatically run a script, saved as `/opt/runner/cleanup_script.sh` on the runner machine, before each job runs:
+To set these environment variables, you can either add them to the operating system, or add them to a file named `.env` within the self-hosted runner application directory (that is, the directory into which you downloaded and unpacked the runner software). Note that any change to the `.env` file will require restarting the runner.  
+For example, the following `.env` entry will have the runner automatically run a script, saved as `/opt/runner/cleanup_script.sh` on the runner machine, before each job runs:
 
 ```bash
 ACTIONS_RUNNER_HOOK_JOB_STARTED=/opt/runner/cleanup_script.sh
 
@@ -17,7 +17,7 @@ shortTitle: Use runners in a workflow
 
 You can target self-hosted runners for use in a workflow based on the labels assigned to the runners{% ifversion target-runner-groups %}, or their group membership, or a combination of these{% endif %}.
 
->[!NOTE]Actions Runner Controller does not support multiple labels, only the name of the runner can be used in place of a label
+>[!IMPORTANT]Runner Scale Sets do not support multiple labels, only the name of the runner can be used in place of a label. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller).
 
 ## About self-hosted runner labels
 
@@ -109,9 +109,9 @@ These labels operate cumulatively, so a self-hosted runner must have all four la
 
 ## Routing precedence for self-hosted runners
 
-When routing a job to a self-hosted runner, {% data variables.product.prodname_dotcom %} looks for a runner that matches the job's `runs-on` labels{% ifversion target-runner-groups %} and/or groups{% endif %}:
+When routing a job to a self-hosted runner, {% data variables.product.prodname_dotcom %} looks for a runner that matches the job's `runs-on` labels{% ifversion target-runner-groups %} and groups{% endif %}:
 
-* If {% data variables.product.prodname_dotcom %} finds an online and idle runner that matches the job's `runs-on` labels{% ifversion target-runner-groups %} and/or groups{% endif %}, the job is then assigned and sent to the runner.
+* If {% data variables.product.prodname_dotcom %} finds an online and idle runner that matches the job's `runs-on` labels{% ifversion target-runner-groups %} and groups{% endif %}, the job is then assigned and sent to the runner.
   * If the runner doesn't pick up the assigned job within 60 seconds, the job is re-queued so that a new runner can accept it.
-* If {% data variables.product.prodname_dotcom %} doesn't find an online and idle runner that matches the job's `runs-on` labels {% ifversion target-runner-groups %} and/or groups{% endif %}, then the job will remain queued until a runner comes online.
+* If {% data variables.product.prodname_dotcom %} doesn't find an online and idle runner that matches the job's `runs-on` labels {% ifversion target-runner-groups %} and groups{% endif %}, then the job will remain queued until a runner comes online.
 * If the job remains queued for more than 24 hours, the job will fail.
@@ -29,6 +29,16 @@ This guide gives an overview of how to configure GCP to trust {% data variables.
 
 {% data reusables.actions.oidc-on-ghecom %}
 
+{% ifversion ghes %}
+{% data reusables.actions.oidc-endpoints %}
+  <!-- This note is indented to align with the above reusable. -->
+
+  > [!NOTE]
+  > Google Cloud Platform does not have fixed IP ranges defined for these endpoints.
+
+* Make sure that the value of the issuer claim that's included with the JSON Web Token (JWT) is set to a publicly routable URL. For more information, see [AUTOTITLE](/enterprise-server@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).
+{% endif %}
+
 ## Adding a Google Cloud Workload Identity Provider
 
 To configure the OIDC identity provider in GCP, you will need to perform the following configuration. For instructions on making these changes, refer to [the GCP documentation](https://github.com/google-github-actions/auth).
 
@@ -5,6 +5,7 @@ allowTitleToDifferFromFilename: true
 redirect_from:
   - /actions/getting-started-with-github-actions/starting-with-preconfigured-workflow-templates
   - /actions/quickstart
+  - /actions/getting-started-with-github-actions
 versions:
   fpt: '*'
   ghes: '*'
 
@@ -14,7 +14,7 @@ redirect_from:
 
 By default, {% data variables.product.company_short %} stores data for {% data variables.product.prodname_dotcom_the_website %} in the USA. {% data reusables.data-residency.when-you-adopt-data-residency %} To learn how {% data variables.product.company_short %} handles data storage, see [AUTOTITLE](/admin/data-residency/about-storage-of-your-data-with-data-residency).
 
-Access to this feature is currently managed by {% data variables.contact.contact_enterprise_sales %}.
+To get {% data variables.enterprise.data_residency_short %} for your enterprise, **contact {% data variables.contact.contact_sales_data_residency %}**.
 
 ## What is {% data variables.product.product_name %}?
 
@@ -107,7 +107,7 @@ When reading the documentation, readers may need to substitute references to {%
 
 ## Getting started
 
-When you have worked with your account team in {% data variables.contact.contact_enterprise_sales %} to create a new enterprise account and choose a subdomain on {% data variables.enterprise.data_residency_site %}, you can get started with your new enterprise.
+When you have worked with your account team to create a new enterprise account and choose a subdomain on {% data variables.enterprise.data_residency_site %}, you can get started with your new enterprise.
 
 You will:
 
 
@@ -16,7 +16,7 @@ redirect_from:
 
 Although your code and user data are stored within your chosen region, {% data variables.product.company_short %} may store certain types of data outside your region, and may need to transfer some data outside your region.
 
-If you are in doubt about any aspect of {% data variables.enterprise.data_residency_short %}, contact your account manager in {% data variables.contact.contact_enterprise_sales %}.
+If you are in doubt about any aspect of {% data variables.enterprise.data_residency_short %}, contact your account manager.
 
 ## Data stored in your region
 
 
@@ -17,7 +17,7 @@ redirect_from:
 
 When you adopt {% data variables.enterprise.data_residency %}, you can choose where your company's code and data are stored.
 
-After you have **worked with {% data variables.contact.contact_enterprise_sales %}** to create an enterprise account with a dedicated URL on {% data variables.enterprise.data_residency_site %}, you'll use this guide to set up your enterprise. You will:
+After you have **worked with {% data variables.contact.contact_sales_data_residency %}** to create an enterprise account with a dedicated URL on {% data variables.enterprise.data_residency_site %}, you'll use this guide to set up your enterprise. You will:
 
 * Add users by configuring authentication and provisioning with an identity management system
 * Set up billing for your enterprise
 
@@ -18,10 +18,10 @@ shortTitle: Enterprise Cloud trial
 
 You can set up a trial to evaluate the additional features that come with {% data variables.product.prodname_ghe_cloud %}, such as SAML single sign-on (SSO), internal repositories, and audit log streaming. For a list of available features, see our [Pricing](https://github.com/pricing) page.
 
-Your trial **won't** include {% data variables.enterprise.data_residency_short %} on {% data variables.enterprise.data_residency_site %} or access to {% data variables.product.prodname_ghe_server %}. To test these features, contact {% data variables.contact.contact_enterprise_sales %}.
-
 <a href="https://github.com/account/enterprises/new?ref_cta=GHEC+trial&ref_loc=setting+up+a+trial+of+github+enterprise+cloud&ref_page=docs" target="_blank" class="btn btn-primary mt-3 mr-3 no-underline"><span>Set up a trial of {% data variables.product.prodname_ghe_cloud %}</span> {% octicon "link-external" height:16 %}</a>
 
+>[!IMPORTANT] Your trial enterprise will be hosted in the USA. If you require {% data variables.enterprise.data_residency_short %} outside the USA, contact {% data variables.contact.contact_sales_data_residency %}.
+
 To set up a trial, you must be signed in to a personal account. If you don't have a personal account, see [AUTOTITLE](/free-pro-team@latest/get-started/start-your-journey/creating-an-account-on-github).
 
 You do not need to provide a payment method during the trial.
 
@@ -55,7 +55,7 @@ If you need to use multiple accounts on {% data variables.location.product_locat
   * If you enable 2FA, after you successfully enter your username and password, we'll also prompt you to provide a code that's generated by a time-based one time password (TOTP) application on your mobile device{% ifversion fpt or ghec %} or sent as a text message (SMS).{% endif %}{% ifversion 2fa-check-up-period %}
   * After you configure 2FA, your account enters a check up period for 28 days. You can leave the check up period by successfully performing 2FA within those 28 days. If you don't perform 2FA in that timespan, you'll then be asked to perform 2FA inside one of your existing {% data variables.product.prodname_dotcom %} sessions.
   * If you cannot perform 2FA to pass the 28th day checkup, you will be provided a shortcut that lets you reconfigure your 2FA settings. You must reconfigure your settings before you can access the rest of {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication#providing-a-2fa-code-when-signing-in-to-the-website){% ifversion 2fa-check-up-period %} and [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication){% endif %}.
-  * In addition to authentication with a TOTP application{% ifversion fpt or ghec %} or a text message{% endif %}, you can optionally add an alternative method of authentication with {% ifversion fpt or ghec %}{% data variables.product.prodname_mobile %} or{% endif %} a security key using WebAuthn. For more information, see {% ifversion fpt or ghec %}[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-github-mobile) and {% endif %}[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key).
+  * In addition to authentication with a TOTP application{% ifversion fpt or ghec %} or a text message{% endif %}, you can optionally add an alternative method of authentication with {% ifversion fpt or ghec %}{% data variables.product.prodname_mobile %} or{% endif %} a security key using WebAuthn. See {% ifversion fpt or ghec %}[Configuring two-factor authentication using {% data variables.product.prodname_mobile %}](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-github-mobile) or {% endif %}[Configuring two-factor authentication using a security key](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key).
 
     {% ifversion fpt or ghec %}