Merge branch 'main' into oxidizegithub

.github/branch_protection_settings/main.json

@@ -41,7 +41,10 @@
       "workflows",
       "lint-code",
       "secret-scanning",
-      "pagelist"
+      "pagelist",
+      "docs-internal-docker-image / docs-internal-docker-image",
+      "docs-internal-docker-security / docs-internal-docker-security",
+      "docs-internal-moda-config-bundle / docs-internal-moda-config-bundle"
     ],
     "contexts_url": "https://api.github.com/repos/github/docs-internal/branches/main/protection/required_status_checks/contexts",
     "checks": [
@@ -85,7 +88,19 @@
       { "context": "workflows", "app_id": 15368 },
       { "context": "lint-code", "app_id": 15368 },
       { "context": "secret-scanning", "app_id": 15368 },
-      { "context": "pagelist", "app_id": 15368 }
+      { "context": "pagelist", "app_id": 15368 },
+      {
+        "context": "docs-internal-docker-image / docs-internal-docker-image",
+        "app_id": 15368
+      },
+      {
+        "context": "docs-internal-docker-security / docs-internal-docker-security",
+        "app_id": 15368
+      },
+      {
+        "context": "docs-internal-moda-config-bundle / docs-internal-moda-config-bundle",
+        "app_id": 15368
+      }
     ]
   },
   "restrictions": {

.github/workflows/azure-prod-build-deploy.yml

@@ -5,9 +5,6 @@ name: Azure Production - Build and Deploy
 # **Who does it impact**: All contributors.
 
 on:
-  push:
-    branches:
-      - main
   workflow_dispatch:
 
 permissions:

.github/workflows/codeowners-legal.yml

@@ -20,6 +20,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  repository-projects: read
 
 jobs:
   codeowners-legal:
@@ -33,7 +34,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Picking this number is a "best guess". If we make it too large,
-          # the checkout will take potentially unnecessariily long.
+          # the checkout will take potentially unnecessarily long.
           # This reduces the chance that tj-actions/changed-files has to
           # fetch deeper history. But if it needs to, it will.
           fetch-depth: 10
@@ -58,19 +59,14 @@ jobs:
           CHANGED_FILE_PATHS: ${{ steps.changed-files.outputs.all_changed_files }}
           CONTENT_TYPE: 'rai'
 
-      - name: Add Legal team as a reviewer
+      - name: Check for reviewers-legal label, add if missing and request review
         if: steps.checkContentType.outputs.containsContentType == 'true'
         env:
-          # The GH CLI uses a slightly different env name for
-          # the token than the GITHUB_TOKEN used by actions
-          GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR: ${{ github.event.pull_request.html_url }}
         run: |
-          has_reviewer=$(
-            gh pr view $PR --json reviews |
-            jq 'any(.reviews[]; select(length > 0))'
-          )
-          if ! $has_reviewer
-          then
+          labels=$(gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name')
+          if ! echo "$labels" | grep -q 'reviewers-legal'; then
             gh pr edit $PR --add-reviewer github/legal-product
+            gh pr edit $PR --add-label reviewers-legal
           fi

.github/workflows/delete-orphan-translation-files.yml

@@ -129,7 +129,8 @@ jobs:
             --title "Delete orphan files ($current_daystamp)" \
             --body '👋 humans. This PR was generated from docs-internal/.github/workflows/delete-orphan-translation-files.yml.
             ' \
-            --repo "${{ matrix.language_repo }}"
+            --repo "${{ matrix.language_repo }}" \
+            --head=$branch_name
           echo "Merge created PR..."
           retry_command gh pr merge --merge --auto --delete-branch "$branch_name"
 

.github/workflows/generate-code-scanning-query-lists.yml

@@ -146,7 +146,7 @@ jobs:
 
           git add data/reusables/code-scanning/codeql-query-tables
           git commit -m "Update CodeQL query tables"
-          git push origin $branchname
+          git push -u origin $branchname
 
           echo "Creating pull request..."
           gh pr create \

.github/workflows/purge-fastly.yml

@@ -5,6 +5,7 @@ name: Purge Fastly
 # **Who does it impact**: Writers and engineers.
 
 on:
+  deployment_status:
   workflow_dispatch:
     inputs:
       nuke_all:
@@ -16,9 +17,6 @@ on:
         description: "Comma separated languages. E.g. 'en,ja, es' (defaults to all)"
         required: false
         default: ''
-  push:
-    branches:
-      - main
 
 permissions:
   contents: read
@@ -29,11 +27,12 @@ env:
 
 jobs:
   send-purges:
+    # Run when workflow_dispatch is the event (manual) or when deployment_status is the event (automatic) and it's a successful production deploy
     if: >-
       ${{
         github.repository == 'github/docs-internal' &&
-        (github.event_name != 'workflow_run' ||
-        github.event.workflow_run.conclusion == 'success')
+        (github.event_name != 'deployment_status' ||
+         github.event.deployment_status.state == 'success' && github.event.deployment_status.environment == 'production')
       }}
     runs-on: ubuntu-latest
     steps:

.github/workflows/sync-audit-logs.yml

@@ -33,7 +33,7 @@ jobs:
           # need to use a token from a user with access to github/audit-log-allowlists for this step
           GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
         run: |
-          npm run audit-log-sync
+          npm run sync-audit-log
 
       - name: Get the audit-log-allowlists SHA being synced
         id: audit-log-allowlists
@@ -54,7 +54,11 @@ jobs:
           # If nothing to commit, exit now. It's fine. No orphans.
           changes=$(git diff --name-only | wc -l)
           untracked=$(git status --untracked-files --short | wc -l)
-          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
+          filesChanged=$(git diff --name-only)
+          # There will always be at least one file changed:
+          # src/audit-logs/lib/config.json
+          # If the config file is the only file changed, exit.
+          if [[ $changes -eq 1 ]] && [[ $untracked -eq 1 ]] && [[ $filesChanged == *lib/config.json ]]; then
             echo "There are no changes to commit or untracked files. Exiting..."
             exit 0
           fi
@@ -83,7 +87,8 @@ jobs:
 
             If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
             --repo github/docs-internal \
-            --label audit-log-pipeline
+            --label audit-log-pipeline \
+            --head=$branchname
 
           # can't approve your own PR, approve with Actions
           unset GITHUB_TOKEN
@@ -93,7 +98,7 @@ jobs:
           # Actions can't merge the PR so back to docs-bot to merge the PR
           unset GITHUB_TOKEN
           gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}"
-          gh pr merge --auto --delete-branch
+          gh pr merge --auto
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}

.github/workflows/sync-codeql-cli.yml

@@ -91,13 +91,13 @@ jobs:
           branchname=codeql-cli-update-${{ steps.semmle-code.outputs.OPENAPI_COMMIT_SHA }}
 
           branchCheckout=$(git checkout -b $branchname)
-          if [[! $? -eq 0 ]]; then
+          if [[ ! $? -eq 0 ]]; then
             echo "Branch $branchname already exists in `github/docs-internal`. Exiting..."
             exit 0
           fi
           git add .
           git commit -m "Update CodeQL CLI data"
-          git push origin $branchname
+          git push -u origin $branchname
 
           echo "Creating pull request..."
           gh pr create \
@@ -109,3 +109,9 @@ jobs:
             If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
             --repo github/docs-internal \
             --label "codeql-cli-pipeline,skip FR board,ready-for-doc-review"
+
+      - uses: ./.github/actions/slack-alert
+        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
+        with:
+          slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}

.github/workflows/sync-graphql.yml

@@ -1,4 +1,4 @@
-name: Update GraphQL files
+name: Sync GraphQL schema
 
 # **What it does**: This updates our GraphQL schemas.
 # **Why we have it**: We want our GraphQL docs up to date.
@@ -25,7 +25,7 @@ jobs:
         env:
           # need to use a token from a user with access to github/github for this step
           GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
-        run: npm run graphql-sync
+        run: npm run sync-graphql
       - name: Create pull request
         id: create-pull-request
         uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # pin @v7.0.3

.github/workflows/sync-openapi.yml

@@ -101,7 +101,8 @@ jobs:
 
             If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
             --repo github/docs-internal \
-            --label github-openapi-bot
+            --label github-openapi-bot \
+            --head=$branchname \
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}

.github/workflows/sync-secret-scanning.yml

@@ -76,7 +76,8 @@ jobs:
 
             If CI does not pass or other problems arise, contact #docs-engineering on Slack.' \
             --repo github/docs-internal \
-            --label secret-scanning-pipeline,'skip FR board',ready-for-doc-review
+            --label secret-scanning-pipeline,'skip FR board',ready-for-doc-review \
+            --head=$branchname
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}