Merge branch 'main' into docs/actions/guides/building-and-testing-nodejs

.github/allowed-actions.js

@@ -13,6 +13,7 @@ module.exports = [
   'actions/stale@af4072615903a8b031f986d25b1ae3bf45ec44d4', //actions/stale@v3.0.13
   'crowdin/github-action@fd9429dd63d6c0f8a8cb4b93ad8076990bd6e688',
   'crykn/copy_folder_to_another_repo_action@abc264e1c16eb3d7b1f7763bfdb0e1699ad43120',
+  'cschleiden/actions-linter@43fd4e08e52ed40c0e2782dc2425694388851576',
   'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911',
   'docker://chinthakagodawita/autoupdate-action:v1',
   'fkirc/skip-duplicate-actions@36feb0d8d062137530c2e00bd278d138fe191289',

.github/workflows/workflow-lint.yml

@@ -0,0 +1,22 @@
+name: Lint workflows
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches-ignore:
+      - translations
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+
+      - name: Run linter
+        uses: cschleiden/actions-linter@43fd4e08e52ed40c0e2782dc2425694388851576
+        with:
+          workflows: '[".github/workflows/*.yml"]'

content/actions/guides/building-and-testing-python.md

@@ -123,7 +123,7 @@ jobs:
 
 #### Using a specific Python version
 
-You can configure a specific version of python. For example, 3.8. Alternatively, you can semantic version syntax to get the latest minor release. This example uses the latest minor release of Python 3.
+You can configure a specific version of python. For example, 3.8. Alternatively, you can use semantic version syntax to get the latest minor release. This example uses the latest minor release of Python 3.
 
 {% raw %}
 ```yaml

content/actions/hosting-your-own-runners/adding-self-hosted-runners.md

@@ -13,6 +13,10 @@ type: 'tutorial'
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
+You can add a self-hosted runner to a repository, an organization, or an enterprise.
+
+If you are an organization or enterprise administrator, you might want to add your self-hosted runners at the organization or enterprise level. This approach makes the runner available to multiple repositories in your organization or enterprise, and also lets you to manage your runners in one place.
+
 For information on supported operating systems for self-hosted runners, or using self-hosted runners with a proxy server, see "[About self-hosted runners](/github/automating-your-workflow-with-github-actions/about-self-hosted-runners)."
 
 {% warning %}
@@ -45,6 +49,8 @@ You can add self-hosted runners at the organization level, where they can be use
 {% data reusables.github-actions.self-hosted-runner-configure %}
 {% data reusables.github-actions.self-hosted-runner-check-installation-success %}
 
+{% data reusables.github-actions.self-hosted-runner-public-repo-access %}
+
 ### Adding a self-hosted runner to an enterprise
 
 You can add self-hosted runners to an enterprise, where they can be assigned to multiple organizations. The organization admins are then able to control which repositories can use it.
@@ -62,3 +68,13 @@ To add a self-hosted runner at the enterprise level of {% data variables.product
 1. Click **Add new**, then click **New runner**. New runners are assigned to the default group. You can modify the runner's group after you've registered the runner. For more information, see "[Managing access to self-hosted runners](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)."
 {% data reusables.github-actions.self-hosted-runner-configure %}
 {% data reusables.github-actions.self-hosted-runner-check-installation-success %}
+
+{% data reusables.github-actions.self-hosted-runner-public-repo-access %}
+
+#### Making enterprise runners available to repositories
+
+By default, runners in an enterprise's "Default" self-hosted runner group are available to all organizations in the enterprise, but are not available to all repositories in each organization.
+
+To make an enterprise-level self-hosted runner group available to an organization repository, you might need to change the organization's inherited settings for the runner group to make the runner available to repositories in the organization.
+
+For more information on changing runner group access settings, see "[Managing access to self-hosted runners using groups](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."

content/actions/reference/context-and-expression-syntax-for-github-actions.md

@@ -75,6 +75,10 @@ In order to use property dereference syntax, the property name must:
 - start with `a-Z` or `_`.
 - be followed by `a-Z` `0-9` `-` or `_`.
 
+#### Determining when to use contexts
+
+{% data reusables.github-actions.using-context-or-environment-variables %}
+
 #### `github` context
 
 The `github` context contains information about the workflow run and the event that triggered the run. You can read most of the `github` context data in environment variables. For more information about environment variables, see "[Using environment variables](/actions/automating-your-workflow-with-github-actions/using-environment-variables)."

content/actions/reference/environment-variables.md

@@ -57,6 +57,16 @@ We strongly recommend that actions use environment variables to access the files
 | `GITHUB_API_URL` | Returns the API URL. For example: `{% data variables.product.api_url_code %}`.
 | `GITHUB_GRAPHQL_URL` | Returns the GraphQL API URL. For example: `{% data variables.product.graphql_url_code %}`.
 
+{% tip %}
+
+**Note:** If you need to use a workflow run's URL from within a job, you can combine these environment variables: `$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID`
+
+{% endtip %}
+
+#### Determining when to use default environment variables or contexts
+
+{% data reusables.github-actions.using-context-or-environment-variables %}
+
 ### Naming conventions for environment variables
 
 {% note %}

content/actions/reference/specifications-for-github-hosted-runners.md

@@ -83,44 +83,11 @@ If there is a tool that you'd like to request, please open an issue at [actions/
 
 {% endnote %}
 
-Windows and Ubuntu runners are hosted in Azure and have the same IP address ranges as Azure Data centers. Currently, all Windows and Ubuntu {% data variables.product.prodname_dotcom %}-hosted runners are in the following Azure regions:
+Windows and Ubuntu runners are hosted in Azure and subsequently have the same IP address ranges as the Azure datacenters. macOS runners are hosted in {% data variables.product.prodname_dotcom %}'s own macOS cloud.
 
-- East US (`eastus`)
-- East US 2 (`eastus2`)
-- West US 2 (`westus2`)
-- Central US (`centralus`)
-- South Central US (`southcentralus`)
+To get a list of IP address ranges that {% data variables.product.prodname_actions %} uses for {% data variables.product.prodname_dotcom %}-hosted runners, you can use the {% data variables.product.prodname_dotcom %} REST API . For more information, see the `actions` key in the response of the "[Get GitHub meta information](/rest/reference/meta#get-github-meta-information)" endpoint. You can use this list of IP addresses if you require an allow-list to prevent unauthorized access to your internal resources.
 
-Microsoft updates the Azure IP address ranges weekly in a JSON file that you can download from the [Azure IP Ranges and Service Tags - Public Cloud](https://www.microsoft.com/en-us/download/details.aspx?id=56519) website. You can use this range of IP addresses if you require an allow-list to prevent unauthorized access to your internal resources.
-
-The JSON file contains an array called `values`. Inside that array, you can find the supported IP addresses in an object with a `name` and `id` of the Azure region, for example `"AzureCloud.eastus2"`.
-
-You can find the supported IP address ranges in the `"addressPrefixes"` object. This is a condensed example of the JSON file.
-
-```json
-{
-  "changeNumber": 84,
-  "cloud": "Public",
-  "values": [
-    {
-      "name": "AzureCloud.eastus2",
-      "id": "AzureCloud.eastus2",
-      "properties": {
-        "changeNumber": 33,
-        "region": "eastus2",
-        "platform": "Azure",
-        "systemService": "",
-        "addressPrefixes": [
-          "13.68.0.0/17",
-          "13.77.64.0/18",
-          "13.104.147.0/25",
-          ...
-        ]
-      }
-    }
-  ]
-}
-```
+The list of {% data variables.product.prodname_actions %} IP addresses returned by the API is updated once a week. 
 
 ### File systems
 

content/admin/configuration/command-line-utilities.md

@@ -466,20 +466,23 @@ ghe-webhook-logs
 ```
 
 To show all failed hook deliveries in the past day:
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+```shell
+ghe-webhook-logs -f -a <em>YYYY-MM-DD</em>
+```
+
+The date format should be `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, or `YYYY-MM-DD HH:MM:SS (+/-) HH:M`.
+{% else %}
 ```shell
 ghe-webhook-logs -f -a <em>YYYYMMDD</em>
 ```
+{% endif %}
 
 To show the full hook payload, result, and any exceptions for the delivery:
 ```shell
 ghe-webhook-logs -g <em>delivery-guid</em> -v
 ```
 
-To show global webhook deliveries:
-```shell
-ghe-webhook-logs --global
-```
-
 ### Clustering
 
 #### ghe-cluster-status

content/admin/configuration/configuring-backups-on-your-appliance.md

@@ -80,6 +80,14 @@ If backup attempts overlap, the `ghe-backup` command will abort with an error me
 
 In the event of prolonged outage or catastrophic event at the primary site, you can restore {% data variables.product.product_location %} by provisioning another {% data variables.product.prodname_enterprise %} appliance and performing a restore from the backup host. You must add the backup host's SSH key to the target {% data variables.product.prodname_enterprise %} appliance as an authorized SSH key before restoring an appliance.
 
+{%if currentVersion ver_gt "enterprise-server@2.22"%}
+{% note %}
+
+**Note:** If {% data variables.product.product_location %} has {% data variables.product.prodname_actions %} enabled, you must first configure the {% data variables.product.prodname_actions %} external storage provider on the replacement appliance before running the the `ghe-restore` command. For more information, see "[Backing up and restoring {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_actions %} enabled](/admin/github-actions/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled)."
+
+{% endnote %}
+{% endif %}
+
 To restore {% data variables.product.product_location %} from the last successful snapshot, use the `ghe-restore` command. You should see output similar to this:
 
 ```shell

content/admin/configuration/configuring-code-scanning-for-your-appliance.md

@@ -29,11 +29,11 @@ For the users of {% data variables.product.product_location %} to be able to ena
 1. Check if there is an **{% data variables.product.prodname_advanced_security %}** entry in the left sidebar.
 ![Advanced Security sidebar](/assets/images/enterprise/management-console/sidebar-advanced-security.png)
 
-If you can't see **{% data variables.product.prodname_advanced_security %}** in the sidebar, it means that your license doesn't include support for {% data variables.product.prodname_advanced_security %} features including {% data variables.product.prodname_code_scanning %}. The {% data variables.product.prodname_advanced_security %} license gives you and your users access to features that help you make your repositories and code more secure. 
+{% data reusables.enterprise_management_console.advanced-security-license %}
 
 ### Enabling {% data variables.product.prodname_code_scanning %}
 
-{% data reusables.enterprise_management_console.enable-disable-code-scanning %}
+{% data reusables.enterprise_management_console.enable-disable-security-features %}
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
@@ -47,35 +47,41 @@ If you can't see **{% data variables.product.prodname_advanced_security %}** in
 
 #### Setting up a self-hosted runner
 
-If you are enrolled in the {% data variables.product.prodname_actions %} beta, then {% data variables.product.prodname_ghe_server %} can run {% data variables.product.prodname_code_scanning %} using a {% data variables.product.prodname_actions %} workflow. First, you need to provision one or more self-hosted {% data variables.product.prodname_actions %} runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)" and "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."
+{% data variables.product.prodname_ghe_server %} can run {% data variables.product.prodname_code_scanning %} using a {% data variables.product.prodname_actions %} workflow. First, you need to provision one or more self-hosted {% data variables.product.prodname_actions %} runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)" and "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."
 
 You must ensure that Git is in the PATH variable on any self-hosted runners you use to run {% data variables.product.prodname_codeql %} actions.
 
-#### Provisioning the action
-To run {% data variables.product.prodname_code_scanning %} on {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_actions %}, the appropriate action must be available locally. You can make the action available in three ways.
+{% if currentVersion == "enterprise-server@2.22" %}
+#### Provisioning the actions
+To run {% data variables.product.prodname_code_scanning %} on {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_actions %}, the appropriate actions must be available locally. You can make the actions available in three ways.
 
-- **Recommended** You can use [{% data variables.product.prodname_github_connect %}](/enterprise/admin/configuration/connecting-github-enterprise-server-to-github-enterprise-cloud) to automatically download actions from {% data variables.product.prodname_dotcom_the_website %}. The machine that hosts your instance must be able to access {% data variables.product.prodname_dotcom_the_website %}. This approach ensures that you get the latest software automatically. For more information, see "[Configuring {% data variables.product.prodname_github_connect %} to sync {% data variables.product.prodname_actions %}](/enterprise/admin/configuration/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions)."
+- **Recommended**: You can use [{% data variables.product.prodname_github_connect %}](/enterprise/admin/configuration/connecting-github-enterprise-server-to-github-enterprise-cloud) to automatically download actions from {% data variables.product.prodname_dotcom_the_website %}. The machine that hosts your instance must be able to access {% data variables.product.prodname_dotcom_the_website %}. This approach ensures that you get the latest software automatically. For more information, see "[Configuring {% data variables.product.prodname_github_connect %} to sync {% data variables.product.prodname_actions %}](/enterprise/admin/configuration/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions)."
 - If you want to use the {% data variables.product.prodname_codeql_workflow %}, you can sync the repository from {% data variables.product.prodname_dotcom_the_website %} to {% data variables.product.prodname_ghe_server %}, by using the {% data variables.product.prodname_codeql %} Action sync tool available at [https://github.com/github/codeql-action-sync-tool](https://github.com/github/codeql-action-sync-tool/). You can use this tool regardless of whether {% data variables.product.product_location %} or your {% data variables.product.prodname_actions %} runners have access to the internet, as long as you can access both {% data variables.product.product_location %} and {% data variables.product.prodname_dotcom_the_website %} simultaneously on your computer.
-- You can create a local copy of the action's repository on your server, by cloning the {% data variables.product.prodname_dotcom_the_website %} repository with the action. For example, if you want to use the {% data variables.product.prodname_codeql %} action, you can create a repository in your instance called `github/codeql-action`, then clone the [repository](https://github.com/github/codeql-action) from {% data variables.product.prodname_dotcom_the_website %}, and then push that repository to your instance's `github/codeql-action` repository. You will also need to download any of the releases from the repository on {% data variables.product.prodname_dotcom_the_website %} and upload them to your instance's `github/codeql-action` repository as releases. 
-
+- You can create a local copy of an action's repository on your server, by cloning the {% data variables.product.prodname_dotcom_the_website %} repository that contains the action. For example, if you want to use the actions for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you can create a repository in your instance called `github/codeql-action`, then clone the [repository](https://github.com/github/codeql-action) from {% data variables.product.prodname_dotcom_the_website %}, and then push that repository to your instance's `github/codeql-action` repository. You will also need to download any of the releases from the repository on {% data variables.product.prodname_dotcom_the_website %} and upload them to your instance's `github/codeql-action` repository as releases. 
 
 ##### Configuring {% data variables.product.prodname_github_connect %} to sync {% data variables.product.prodname_actions %}
-
 1. If you want to download action workflows on demand from {% data variables.product.prodname_dotcom_the_website %}, you need to enable {% data variables.product.prodname_github_connect %}. For more information, see "[Enabling {% data variables.product.prodname_github_connect %}](/enterprise/admin/configuration/connecting-github-enterprise-server-to-github-enterprise-cloud#enabling-github-connect)."
-2. You'll also need to enable {% data variables.product.prodname_actions %} for {% data variables.product.product_location %}. For more information, see "[Enabling {% data variables.product.prodname_actions %} and configuring storage](/enterprise/admin/github-actions/enabling-github-actions-and-configuring-storage)."
+2. You'll also need to enable {% data variables.product.prodname_actions %} for {% data variables.product.product_location %}. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for {% data variables.product.prodname_ghe_server %}](/admin/github-actions/getting-started-with-github-actions-for-github-enterprise-server)."
 3. The next step is to configure access to actions on {% data variables.product.prodname_dotcom_the_website %} using {% data variables.product.prodname_github_connect %}. For more information, see "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/enterprise/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect)."
 4. Add a self-hosted runner to your repository, organization, or enterprise account. For more information, see "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."
+{% endif %}
 
-After you configure a self-hosted runner, users can enable {% data variables.product.prodname_code_scanning %} for individual repositories on {% data variables.product.product_location %}. For more information, see "[Enabling {% data variables.product.prodname_code_scanning %} for a repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository)."
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+#### Configuring {% data variables.product.prodname_codeql %} on a server without internet access
+If the server on which you are running {% data variables.product.prodname_ghe_server %} is not connected to the internet, and you want to allow users to enable {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for their repositories, you must use the {% data variables.product.prodname_codeql %} Action sync tool to copy the {% data variables.product.prodname_codeql %} actions and query bundle from {% data variables.product.prodname_dotcom_the_website %} to your server. The tool, and details of how to use it, are available at [https://github.com/github/codeql-action-sync-tool](https://github.com/github/codeql-action-sync-tool/).
+{% endif %}
+
+#### Enabling code scanning for individual repositories
+After you configure a self-hosted runner, {% if currentVersion == "enterprise-server@2.22" %}and provision the actions,{% endif %} users can enable {% data variables.product.prodname_code_scanning %} for individual repositories on {% data variables.product.product_location %}. For more information, see "[Enabling {% data variables.product.prodname_code_scanning %} for a repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository)."
 
 ### Running {% data variables.product.prodname_code_scanning %} using the {% data variables.product.prodname_codeql_runner %}
-If your organization isn't taking part in the beta for {% data variables.product.prodname_actions %}, or if you don't want to use {% data variables.product.prodname_actions %}, you can run {% data variables.product.prodname_code_scanning %} using the {% data variables.product.prodname_codeql_runner %}. 
+If you don't want to use {% data variables.product.prodname_actions %}, you can run {% data variables.product.prodname_code_scanning %} using the {% data variables.product.prodname_codeql_runner %}. 
 
 The {% data variables.product.prodname_codeql_runner %} is a command-line tool that you can add to your third-party CI/CD system. The tool runs {% data variables.product.prodname_codeql %} analysis on a checkout of a {% data variables.product.prodname_dotcom %} repository. For more information, see "[Running {% data variables.product.prodname_code_scanning %} in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system)."
 
 ### Disabling {% data variables.product.prodname_code_scanning %}
 
-{% data reusables.enterprise_management_console.enable-disable-code-scanning %}
+{% data reusables.enterprise_management_console.enable-disable-security-features %}
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}

content/admin/configuration/configuring-secret-scanning-for-your-appliance.md

@@ -0,0 +1,69 @@
+---
+title: Configuring secret scanning for your appliance
+shortTitle: Configuring secret scanning
+intro: 'You can enable, configure, and disable {% data variables.product.prodname_secret_scanning %} for {% data variables.product.product_location %}. {% data variables.product.prodname_secret_scanning_caps %} allows users to scan code for accidentally committed secrets.'
+product: '{% data reusables.gated-features.secret-scanning %}'
+miniTocMaxHeadingLevel: 4
+versions:
+  enterprise-server: '>=3.0'
+---
+
+{% data reusables.secret-scanning.beta %}
+
+### About {% data variables.product.prodname_secret_scanning %}
+
+{% data reusables.secret-scanning.about-secret-scanning %} For more information, see "[About secret scanning](/github/administering-a-repository/about-secret-scanning)."
+
+### Prerequisites
+
+To use {% data variables.product.prodname_secret_scanning %} in {% data variables.product.product_location %} you need these two prerequisites.
+
+- The [SSSE3](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf#G3.1106470) (Supplemental Streaming SIMD Extensions 3) CPU flag needs to be enabled on the VM/KVM that runs {% data variables.product.product_location %}. 
+
+- You need an {% data variables.product.prodname_advanced_security %} license.
+
+#### Checking support for the SSSE3 flag on your vCPUs
+
+The SSSE3 set of instructions is required because {% data variables.product.prodname_secret_scanning %} leverages hardware accelerated pattern matching to find potential credentials committed to your {% data variables.product.prodname_dotcom %} repositories. SSSE3 is enabled for most modern CPUs. You can check whether SSSE3 is enabled for the vCPUs available to your {% data variables.product.prodname_ghe_server %} instance.
+
+1. Connect to the administrative shell for your {% data variables.product.prodname_ghe_server %} instance. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
+2. Enter the following command:
+
+```shell
+grep -iE '^flags.*ssse3' /proc/cpuinfo >/dev/null | echo $?
+```
+
+If this returns the value `0`, it means that the SSSE3 flag is available and enabled. You can now enable {% data variables.product.prodname_secret_scanning %} for {% data variables.product.product_location %}. For more information, see "[Enabling secret scanning](#enabling-secret-scanning)" below.
+
+If this doesn't return `0`, SSSE3 is not enabled on your VM/KVM. You need to refer to the documentation of the hardware/hypervisor on how to enable the flag, or make it available to guest VMs.
+
+#### Checking whether you have an {% data variables.product.prodname_advanced_security %} license
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+1. Check if there is an **{% data variables.product.prodname_advanced_security %}** entry in the left sidebar.
+![Advanced Security sidebar](/assets/images/enterprise/management-console/sidebar-advanced-security.png)
+
+{% data reusables.enterprise_management_console.advanced-security-license %}
+
+### Enabling {% data variables.product.prodname_secret_scanning %}
+
+{% data reusables.enterprise_management_console.enable-disable-security-features %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.advanced-security-tab %}
+1. Under "{% data variables.product.prodname_advanced_security %}," click **{% data variables.product.prodname_secret_scanning_caps %}**.
+![Checkbox to enable or disable {% data variables.product.prodname_secret_scanning %}](/assets/images/enterprise/management-console/enable-secret-scanning-checkbox.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Disabling {% data variables.product.prodname_secret_scanning %}
+
+{% data reusables.enterprise_management_console.enable-disable-security-features %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.advanced-security-tab %}
+1. Under "{% data variables.product.prodname_advanced_security %}", unselect **{% data variables.product.prodname_secret_scanning_caps %}**.
+![Checkbox to enable or disable {% data variables.product.prodname_secret_scanning %}](/assets/images/enterprise/management-console/secret-scanning-disable.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/configuration/enabling-subdomain-isolation.md

@@ -15,7 +15,7 @@ Subdomain isolation mitigates cross-site scripting and other related vulnerabili
 
 When subdomain isolation is enabled, {% data variables.product.prodname_ghe_server %} replaces several paths with subdomains.
 
-{% if currentVersion ver_gt "enterprise-server@2.21" %}
+{% if currentVersion == "enterprise-server@2.22" %}
 To use Docker with {% data variables.product.prodname_registry %}, you must also enable subdomain isolation. For more information, see "[Configuring Docker for use with {% data variables.product.prodname_registry %}](/enterprise/{{ currentVersion }}/user/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages)."
 
 {% data reusables.package_registry.packages-ghes-release-stage %}
@@ -33,8 +33,9 @@ To use Docker with {% data variables.product.prodname_registry %}, you must also
 | `http(s)://HOSTNAME/raw/`         | `http(s)://raw.HOSTNAME/`         |
 | `http(s)://HOSTNAME/render/`      | `http(s)://render.HOSTNAME/`      |
 | `http(s)://HOSTNAME/reply/`       | `http(s)://reply.HOSTNAME/`       |
-| `http(s)://HOSTNAME/uploads/`     | `http(s)://uploads.HOSTNAME/`     |{% if currentVersion ver_gt "enterprise-server@2.21" %}
-|  N/A, Docker with {% data variables.product.prodname_registry %} will not work with subdomain isolation disabled. | `http(s)://docker.HOSTNAME/` |
+| `http(s)://HOSTNAME/uploads/`     | `http(s)://uploads.HOSTNAME/`     |{% if currentVersion == "enterprise-server@2.22" %}
+|  N/A, Docker with {% data variables.product.prodname_registry %} will not work with subdomain isolation disabled for the {% data variables.product.prodname_registry %} 2.22 beta. | `http(s)://docker.HOSTNAME/` |{% endif %} {% if currentVersion ver_gt "enterprise-server@2.22" %}
+| `https://HOSTNAME/_registry/docker/` | `http(s)://docker.HOSTNAME/`{% endif %}{% if currentVersion ver_gt "enterprise-server@2.22" %}
 | `https://HOSTNAME/_registry/npm/` | `https://npm.HOSTNAME/`
 | `https://HOSTNAME/_registry/rubygems/` | `https://rubygems.HOSTNAME/`
 | `https://HOSTNAME/_registry/maven/` | `https://maven.HOSTNAME/`

content/admin/configuration/index.md

@@ -29,6 +29,7 @@ versions:
     {% link_in_list /configuring-backups-on-your-appliance %}
     {% link_in_list /site-admin-dashboard %}
     {% link_in_list /enabling-private-mode %}
+    {% link_in_list /managing-github-for-mobile-for-your-enterprise %}
     {% link_in_list /configuring-email-for-notifications %}
     {% link_in_list /configuring-rate-limits %}
     {% link_in_list /configuring-applications %}
@@ -56,3 +57,4 @@ versions:
     {% link_in_list /enabling-automatic-user-license-sync-between-github-enterprise-server-and-github-enterprise-cloud %}
 {% topic_link_in_list /configuring-advanced-security-features %}
     {% link_in_list /configuring-code-scanning-for-your-appliance %}
+    {% link_in_list /configuring-secret-scanning-for-your-appliance %}

content/admin/configuration/managing-github-for-mobile-for-your-enterprise.md

@@ -0,0 +1,28 @@
+---
+title: Managing GitHub for mobile for your enterprise
+intro: You can decide whether authenticated users can connect to {% data variables.product.product_location %} with {% data variables.product.prodname_mobile %}.
+permissions: Enterprise owners can manage {% data variables.product.prodname_mobile %} for an enterprise on {% data variables.product.product_name %}.
+versions:
+  enterprise-server: '>=3.0'
+---
+
+{% if enterpriseServerVersions contains currentVersion %}
+{% data reusables.mobile.ghes-release-phase %}
+{% endif %}
+
+### About {% data variables.product.prodname_mobile %}
+
+{% data reusables.mobile.about-mobile %} For more information, see "[GitHub for mobile](/github/getting-started-with-github/github-for-mobile)."
+
+Members of your enterprise can use {% data variables.product.prodname_mobile %} to triage, collaborate, and manage work on {% data variables.product.product_location %} from a mobile device. By default, {% data variables.product.prodname_mobile %} is enabled for {% data variables.product.product_location %}. You can allow or disallow enterprise members from using {% data variables.product.prodname_mobile %} to authenticate to {% data variables.product.product_location %} and access your enterprise's data.
+
+### Enabling or disabling {% data variables.product.prodname_mobile %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.type-management-console-password %}
+1. In the left sidebar, click **Mobile**.
+  !["Mobile" in the left sidebar for the {% data variables.product.prodname_ghe_server %} management console](/assets/images/enterprise/management-console/click-mobile.png)
+1. Under "GitHub for mobile", select or deselect **Enable GitHub Mobile Apps**.
+  ![Checkbox for "Enable GitHub Mobile Apps" in the {% data variables.product.prodname_ghe_server %} management console](/assets/images/enterprise/management-console/select-enable-github-mobile-apps.png)
+{% data reusables.enterprise_management_console.save-settings %}

content/admin/enterprise-management/about-clustering.md

@@ -24,6 +24,8 @@ Learn more about [services required for clustering](/enterprise/{{ currentVersio
 
 Clustering provides redundancy, but it is not intended to replace a High Availability configuration. For more information, see [High Availability configuration](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-github-enterprise-server-for-high-availability). A primary/secondary failover configuration is far simpler than clustering and will serve the needs of many organizations. For more information, see [Differences between Clustering and High Availability](/enterprise/{{ currentVersion }}/admin/guides/clustering/differences-between-clustering-and-high-availability-ha/).
 
+{% data reusables.package_registry.packages-cluster-support %}
+
 ### How do I get access to clustering?
 
 Clustering is designed for specific scaling situations and is not intended for every organization. If clustering is something you'd like to consider, please contact your dedicated representative or {% data variables.contact.contact_enterprise_sales %}.

content/admin/enterprise-management/index.md

@@ -23,7 +23,6 @@ versions:
     {% link_in_list /increasing-storage-capacity %}
     {% link_in_list /increasing-cpu-or-memory-resources %}
     {% link_in_list /migrating-from-github-enterprise-1110x-to-2123 %}
-    {% link_in_list /migrating-elasticsearch-indices-to-github-enterprise-server-214-or-later %}
 {% topic_link_in_list /configuring-clustering %}
     {% link_in_list /about-clustering %}
     {% link_in_list /differences-between-clustering-and-high-availability-ha %}

content/admin/enterprise-management/migrating-elasticsearch-indices-to-github-enterprise-server-214-or-later.md

@@ -1,132 +0,0 @@
----
-title: Migrating Elasticsearch indices to GitHub Enterprise Server 2.14 or later
-intro: 'To prepare for an upgrade to {% data variables.product.prodname_ghe_server %} 2.14, you''ll need to migrate your indices to Elasticsearch 5.6 with our migration script.'
-redirect_from:
-  - /enterprise/admin/installation/migrating-elasticsearch-indices-to-github-enterprise-2-14-or-later/
-  - /enterprise/admin/guides/installation/migrating-elasticsearch-indices-to-github-enterprise-2-14-or-later/
-  - /enterprise/admin/guides/installation/migrating-elasticsearch-indices-to-github-enterprise-server-2-14-or-later
-  - /enterprise/admin/enterprise-management/migrating-elasticsearch-indices-to-github-enterprise-server-214-or-later
-versions:
-  enterprise-server: '*'
----
-
-<!-- This guide is here for longevity for support purposes. Please do not delete or add to index.md file-->
-
-
-{% data variables.product.prodname_ghe_server %} 2.14 includes an upgrade to Elasticsearch 5.6. Before upgrading to {% data variables.product.prodname_ghe_server %} 2.14 or later from 2.12 or 2.13, we recommend you download, install, and run the Elasticsearch migration tools, so your largest indices are migrated online while your appliance still has online access.
-
-### Search indices
-
-The migration script checks for any `search` indices first while the appliance is online. Migrating `search` indices can take a few minutes to a few days, depending on their size. For an example of large indices, these indices took a couple of days to migrate in our test environment.
-
-```
-admin@ip-172-31-2-141:~$ curl -s http://localhost:9200/_cat/indices?v | sort -n -k 6
-green  open   blog-1                     1   0          0            0       144b           144b
-green  open   projects-1                 1   0          0            0       144b           144b
-green  open   registry-packages-1        1   0          0            0       144b           144b
-green  open   showcases-1                1   0          0            0       144b           144b
-health status index                    pri rep docs.count docs.deleted store.size pri.store.size
-green  open   pull-requests-1            1   0          1            0      9.3kb          9.3kb
-green  open   wikis-1                    1   0          2            0        5kb            5kb
-green  open   hookshot-logs-2018-05-29   5   0         25            0    124.2kb        124.2kb
-green  open   repos-1                    1   0       1638            1      1.4mb          1.4mb
-green  open   gists-1                    1   0       3531           64    291.9kb        291.9kb
-green  open   audit_log-1-2018-06-1      1   0      11108            0        3mb            3mb
-green  open   users-1                    1   0      19866           56      2.7mb          2.7mb
-green  open   hookshot-logs-2018-05-31   5   0      20000            0     33.4mb         33.4mb
-green  open   hookshot-logs-2018-06-04   5   0      20000            0     32.6mb         32.6mb
-green  open   issues-1                   1   0      26405            6     82.8mb         82.8mb
-green  open   hookshot-logs-2018-05-30   5   0     119744            0    196.8mb        196.8mb
-green  open   audit_log-1-2018-05-1      1   0     191664            0       50mb           50mb
-green  open   code-search-1              1   0    6932626           44     42.9gb         42.9gb
-green  open   commits-1                  1   0   63753587         1485     45.4gb         45.4gb
-```
-
-The `search` indices start with:
-
-- blog-
-- code-search-
-- commits-
-- gists-
-- issues-
-- labels-
-- marketplace-listings-
-- non-marketplace-listings-
-- projects-
-- pull-requests-
-- registry-packages-
-- repos-
-- showcases-
-- topics-
-- users-
-
-### Webhook indices
-
-After the migration script rebuilds the necessary `search` indices online, the script will check if any `webhook` indices need to be rebuilt. If you've run your appliance with {% data variables.product.prodname_ghe_server %} 2.12 or 2.13 for 14 days or longer, then you likely will not need your `webhook` indices rebuilt since `webhook` indices have a default retention policy of seven days. If you're updating your appliance from {% data variables.product.prodname_enterprise %} 2.11 or earlier, then you may need to rebuild the `webhook` indices.
-
-If any `webhook` indices need to be rebuilt, then you'll be prompted to enable maintenance mode before the script can rebuild the `webhook` indices. Although migrating `webhook` indices requires some downtime, large maintenance windows or downtime is not necessary.
-
-The `webhook` indices start with `hookshot-logs-`.
-
-### Available indices
-
-You can see available indices on your appliance using curl.
-
-```
-admin@ip-172-31-2-141:~$ curl -s http://localhost:9200/_cat/indices?v | sort -n -k 6
-green  open   blog-1                     1   0          0            0       144b           144b
-green  open   projects-1                 1   0          0            0       144b           144b
-green  open   registry-packages-1        1   0          0            0       144b           144b
-green  open   showcases-1                1   0          0            0       144b           144b
-health status index                    pri rep docs.count docs.deleted store.size pri.store.size
-green  open   pull-requests-1            1   0          1            0      9.3kb          9.3kb
-green  open   wikis-1                    1   0          2            0        5kb            5kb
-green  open   hookshot-logs-2018-05-29   5   0         25            0    124.2kb        124.2kb
-green  open   repos-1                    1   0       1638            1      1.4mb          1.4mb
-green  open   gists-1                    1   0       3531           64    291.9kb        291.9kb
-green  open   audit_log-1-2018-06-1      1   0      11108            0        3mb            3mb
-green  open   users-1                    1   0      19866           56      2.7mb          2.7mb
-green  open   hookshot-logs-2018-05-31   5   0      20000            0     33.4mb         33.4mb
-green  open   hookshot-logs-2018-06-04   5   0      20000            0     32.6mb         32.6mb
-green  open   issues-1                   1   0      26405            6     82.8mb         82.8mb
-green  open   hookshot-logs-2018-05-30   5   0     119744            0    196.8mb        196.8mb
-green  open   audit_log-1-2018-05-1      1   0     191664            0       50mb           50mb
-green  open   code-search-1              1   0    6932626           44     42.9gb         42.9gb
-green  open   commits-1                  1   0   63753587         1485     45.4gb         45.4gb
-```
-
-### Preparing a {% data variables.product.prodname_ghe_server %} 2.12 or 2.13 appliance
-
-If you upgrade to {% data variables.product.prodname_ghe_server %} 2.14 or later without running the migration tools, the existing Elasticsearch indices may be invalid and won't work correctly. To run the Elasticsearch migration script, your {% data variables.product.prodname_ghe_server %} appliance must be running {% data variables.product.prodname_enterprise %} 2.12 or 2.13.
-
-{% warning %}
-
-**Warning:**
-- Using {% data variables.product.prodname_enterprise_backup_utilities %} will destroy old Elasticsearch indices not compatible with 5.X after restoring. In this case, manual reindexing could be necessary.
-- If {% data variables.product.prodname_ghe_server %} is configured for High Availability, the migration script **must** run while replication is still running. The changes must be allowed to fully replicate to the other appliance before starting the upgrade. If replication is not running while the migration script runs, your Elasticsearch indexes may become invalid.
-
-{% endwarning %}
-
-1. Authenticate to the primary appliance with High Availability enabled using SSH.
-2. Download and install the migration script to the appliance:
-   ```shell
-   $ wget https://github-enterprise.s3.amazonaws.com/util/es-5x-transition-tools.tar.gz
-   $ sudo tar -C / -xvf es-5x-transition-tools.tar.gz
-   ```
-   If you manage a {% data variables.product.prodname_ghe_server %} Cluster, authenticate to one of the Elasticsearch server nodes using SSH and install the migration tools there. Locate them using:
-    ```shell
-    $ ghe-cluster-each -r elasticsearch -p
-    ghe-test-data-0
-    ghe-test-data-1
-    ghe-test-data-2
-    ```
-2. Run the migration script:
-   ```shell
-   $ /usr/local/share/enterprise/ghe-es-5x-migration -r
-   ```
- {% note %}
-
- **Note:** If you have `webhook` indices to migrate, after running the online migrations, you'll be prompted to enable maintenance mode.
-
- {% endnote %}
-3. If you’re running a {% data variables.product.prodname_ghe_server %} Cluster, follow the official upgrade documentation for single VMs or High Availability environments or the cluster upgrade guide. For more information, see "[Upgrading {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/guides/installation/upgrading-github-enterprise-server/)" or "[Upgrading a cluster](/enterprise/{{ currentVersion }}/admin/guides/clustering/upgrading-a-cluster/)".

content/admin/enterprise-management/removing-a-high-availability-replica.md

@@ -31,3 +31,11 @@ versions:
   ```shell
   $ ghe-repl-teardown
   ```
+
+  {% if currentVersion ver_gt "enterprise-server@2.22" %}
+  {% note %}
+  
+  **Note:** If you have {% data variables.product.prodname_actions %} enabled, you should decommission the former replica server or update its {% data variables.product.prodname_actions %} configuration to use different external storage. For more information, see "[High availability for {% data variables.product.prodname_actions %}](/admin/github-actions/high-availability-for-github-actions#high-availability-replicas)."
+  
+  {% endnote %}
+  {% endif %}

content/admin/enterprise-management/upgrading-github-enterprise-server.md

@@ -220,3 +220,9 @@ For more information, see "[Command-line utilities](/enterprise/{{ currentVersio
 #### Rolling back a feature release
 
 To roll back from a feature release, restore from a VM snapshot to ensure that root and data partitions are in a consistent state. For more information, see "[Taking a snapshot](#taking-a-snapshot)."
+
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+### Further reading
+
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"
+{% endif %}

content/admin/enterprise-support/providing-data-to-github-support.md

@@ -59,7 +59,9 @@ After you submit your support request, we may ask you to share a support bundle
 - `configuration-logs/ghe-config.log`: {% data variables.product.prodname_ghe_server %} configuration logs
 - `collectd/logs/collectd.log`: Collectd logs
 - `mail-logs/mail.log`: SMTP email delivery logs
+{% if currentVersion ver_lt "enterprise-server@3.0" %}
 - `hookshot-logs/exceptions.log`: Webhook delivery errors
+{% endif %}
 
 For more information, see "[Audit logging](/enterprise/{{ currentVersion }}/admin/guides/installation/audit-logging)."
 

content/admin/github-actions/about-using-actions-on-github-enterprise-server.md

@@ -1,8 +1,9 @@
 ---
-title: About using GitHub.com actions on GitHub Enterprise Server
+title: About using actions on GitHub Enterprise Server
 intro: '{% data variables.product.prodname_ghe_server %} includes most {% data variables.product.prodname_dotcom %}-authored actions, and has options for enabling access to other actions from {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_marketplace %}.'
 redirect_from:
   - /enterprise/admin/github-actions/about-using-githubcom-actions-on-github-enterprise-server
+  - /admin/github-actions/about-using-githubcom-actions-on-github-enterprise-server
 versions:
   enterprise-server: '>=2.22'
 ---
@@ -10,11 +11,13 @@ versions:
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
+{% data variables.product.prodname_actions %} workflows can use _actions_, which are individual tasks that you can combine to create jobs and customize your workflow. You can create your own actions, or use and customize actions shared by the {% data variables.product.prodname_dotcom %} community.
+
 {% data reusables.actions.enterprise-no-internet-actions %}
 
 ### Official actions bundled with {% data variables.product.prodname_ghe_server %}
 
-Most official {% data variables.product.prodname_dotcom %}-authored actions are automatically bundled with {% data variables.product.prodname_ghe_server %}, and are captured at a point in time from {% data variables.product.prodname_marketplace %}. When your {% data variables.product.prodname_ghe_server %} instance receives updates, the bundled official actions are also updated.
+Most official {% data variables.product.prodname_dotcom %}-authored actions are automatically bundled with {% data variables.product.prodname_ghe_server %}, and are captured at a point in time from {% data variables.product.prodname_marketplace %}. When your {% data variables.product.prodname_ghe_server %} instance is updated, the bundled official actions are also updated.
 
 The bundled official actions include `actions/checkout`, `actions/upload-artifact`, `actions/download-artifact`, `actions/labeler`, and various `actions/setup-` actions, among others. To see all the official actions included on your enterprise instance, browse to the `actions` organization on your instance: <code>https://<em>HOSTNAME</em>/actions</code>.
 
@@ -30,6 +33,6 @@ Each action is a repository in the `actions` organization, and each action repos
 
 If users on your enterprise instance need access to other actions from {% data variables.product.prodname_dotcom_the_website %} or {% data variables.product.prodname_marketplace %}, there are a few configuration options.
 
-You can manually download and sync actions onto your enterprise instance using the `actions-sync` tool. For more information, see "[Manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/github-actions/manually-syncing-actions-from-githubcom)."
+The recommended approach is to enable automatic access to all actions from {% data variables.product.prodname_dotcom_the_website %}. You can do this by using {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/enterprise/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect)". {% data reusables.actions.enterprise-limit-actions-use %}
 
-Alternatively, you can enable automatic access to all actions from {% data variables.product.prodname_dotcom_the_website %} by connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %} using {% data variables.product.prodname_github_connect %}. For more information, see "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/enterprise/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect)".
+Alternatively, if you want stricter control over which actions are allowed in your enterprise, you can manually download and sync actions onto your enterprise instance using the `actions-sync` tool. For more information, see "[Manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/github-actions/manually-syncing-actions-from-githubcom)."

content/admin/github-actions/advanced-configuration-and-troubleshooting.md

@@ -0,0 +1,7 @@
+---
+title: Advanced configuration and troubleshooting
+intro: 'Configure high availability for {% data variables.product.prodname_actions %}, and troubleshoot {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %}.'
+mapTopic: true
+versions:
+  enterprise-server: '>=3.0'
+---

content/admin/github-actions/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled.md

@@ -0,0 +1,22 @@
+---
+title: Backing up and restoring GitHub Enterprise Server with GitHub Actions enabled
+shortTitle: Backing up and restoring
+intro: '{% data variables.product.prodname_actions %} data on your external storage provider is not included in regular {% data variables.product.prodname_ghe_server %} backups, and must be backed up separately.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+{% data reusables.actions.enterprise-storage-ha-backups %}
+
+If you use {% data variables.product.prodname_enterprise_backup_utilities %} to back up {% data variables.product.product_location %}, it's important to note that {% data variables.product.prodname_actions %} data stored on your external storage provider is not included in the backup.
+
+This is an overview of the steps required to restore {% data variables.product.product_location %} with {% data variables.product.prodname_actions %} to a new appliance:
+
+1. Confirm that the original appliance is offline.
+1. Manually configure network settings on the replacement {% data variables.product.prodname_ghe_server %} appliance. Network settings are excluded from the backup snapshot, and are not overwritten by `ghe-restore`.
+1. Configure the replacement appliance to use the same {% data variables.product.prodname_actions %} external storage configuration as the original appliance.
+1. Enable {% data variables.product.prodname_actions %} on the replacement appliance. This will connect the replacement appliance to the same  external storage for {% data variables.product.prodname_actions %}.
+1. After {% data variables.product.prodname_actions %} is configured with the external storage provider, use the `ghe-restore` command to restore the rest of the data from the backup. For more information, see "[Restoring a backup](/admin/configuration/configuring-backups-on-your-appliance#restoring-a-backup)."
+1. Re-register your self-hosted runners on the replacement appliance. For more information, see [Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners).
+
+For more information on backing up and restoring {% data variables.product.prodname_ghe_server %}, see "[Configuring backups on your appliance](/admin/configuration/configuring-backups-on-your-appliance)."

content/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect.md

@@ -13,7 +13,7 @@ versions:
 
 By default, {% data variables.product.prodname_actions %} workflows on {% data variables.product.prodname_ghe_server %} cannot use actions directly from {% data variables.product.prodname_dotcom_the_website %} or [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions).
 
-To make all actions from {% data variables.product.prodname_dotcom_the_website %} available on your enterprise instance, you can connect {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %} using {% data variables.product.prodname_github_connect %}. For other ways of accessing actions from {% data variables.product.prodname_dotcom_the_website %}, see "[About using {% data variables.product.prodname_dotcom_the_website %} actions on {% data variables.product.prodname_ghe_server %}](/enterprise/admin/github-actions/about-using-githubcom-actions-on-github-enterprise-server)."
+To make all actions from {% data variables.product.prodname_dotcom_the_website %} available on your enterprise instance, you can use {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_ghe_cloud %}. For other ways of accessing actions from {% data variables.product.prodname_dotcom_the_website %}, see "[About using actions on {% data variables.product.prodname_ghe_server %}](/admin/github-actions/about-using-actions-on-github-enterprise-server)."
 
 ### Enabling automatic access to all {% data variables.product.prodname_dotcom_the_website %} actions
 
@@ -24,3 +24,4 @@ Before enabling access to all actions from {% data variables.product.prodname_do
 {% data reusables.enterprise-accounts.github-connect-tab %}
 1. Under "Server can use actions from GitHub.com in workflows runs", use the drop-down menu and select **Enabled**.
   ![Drop-down menu to actions from GitHub.com in workflows runs](/assets/images/enterprise/site-admin-settings/enable-marketplace-actions-drop-down.png)
+1. {% data reusables.actions.enterprise-limit-actions-use %}

content/admin/github-actions/enabling-github-actions-and-configuring-storage.md

@@ -1,51 +0,0 @@
----
-title: Enabling GitHub Actions and configuring storage
-intro: 'External storage must be configured as part of enabling {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %}.'
-permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
-redirect_from:
-  - /enterprise/admin/github-actions/enabling-github-actions-and-configuring-storage
-versions:
-  enterprise-server: '>=2.22'
----
-
-{% if currentVersion == "enterprise-server@2.22" %}
-{% note %}
-
-**Note:** {% data variables.product.prodname_actions %} support on {% data variables.product.prodname_ghe_server %} 2.22 is a limited public beta. Review the external storage requirements below and [sign up for the beta](https://resources.github.com/beta-signup/).
-
-{% endnote %}
-{% endif %}
-{% data reusables.actions.enterprise-github-hosted-runners %}
-
-### About external storage requirements
-
-To enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %}, you must have access to external blob storage.
-
-{% data variables.product.prodname_actions %} uses blob storage to store artifacts generated by workflow runs, such as workflow logs and user-uploaded build artifacts. The amount of storage required depends on your usage of {% data variables.product.prodname_actions %}.
-
-{% data variables.product.prodname_actions %} supports these storage providers:
-
-* Amazon S3
-* Azure Blob storage
-* S3-compatible MinIO Gateway for NAS
-
-#### Amazon S3 permissions
-
-If you use Amazon S3, {% data variables.product.prodname_actions %} requires the following permissions for your AWS access key ID and secret:
-
-* `s3:PutObject`
-* `s3:GetObject`
-* `s3:ListBucketMultipartUploads`
-* `s3:ListMultipartUploadParts`
-* `s3:AbortMultipartUpload`
-* `s3:DeleteObject`
-
-### Enabling {% data variables.product.prodname_actions %}
-
-{% if currentVersion == "enterprise-server@2.22" %}
-{% data variables.product.prodname_actions %} support on {% data variables.product.prodname_ghe_server %} 2.22 is a limited public beta. [Sign up for the beta](https://resources.github.com/beta-signup/).
-{% endif %}
-
-### Further reading
-
-- "Hardware considerations" for your platform in "[Setting up a {% data variables.product.prodname_ghe_server %} instance](/enterprise/admin/installation/setting-up-a-github-enterprise-server-instance)"

content/admin/github-actions/enabling-github-actions-for-github-enterprise-server.md

@@ -0,0 +1,7 @@
+---
+title: Enabling GitHub Actions for GitHub Enterprise Server
+intro: 'Learn how to configure storage and enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %}.'
+mapTopic: true
+versions:
+  enterprise-server: '>=2.22'
+---

content/admin/github-actions/enabling-github-actions-with-amazon-s3-storage.md

@@ -0,0 +1,36 @@
+---
+title: Enabling GitHub Actions with Amazon S3 storage
+intro: 'You can enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} and use Amazon S3 storage to store artifacts generated by workflow runs.'
+permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+### Prerequisites
+
+{% data reusables.actions.enterprise-s3-support-warning %}
+
+Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
+
+* Create your Amazon S3 bucket for storing artifacts generated by workflow runs. {% indented_data_reference site.data.reusables.actions.enterprise-s3-permission spaces=2 %}
+  
+{% data reusables.actions.enterprise-common-prereqs %}
+
+### Enabling {% data variables.product.prodname_actions %} with Amazon S3 storage
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.actions %}
+{% data reusables.actions.enterprise-enable-checkbox %}
+1. Under "Artifact & Log Storage", select **Amazon S3**, and enter your storage bucket's details:
+
+   * **AWS Service URL**: The service URL for your bucket. For example, if your S3 bucket was created in the `us-west-2` region, this value should be `https://s3.us-west-2.amazonaws.com`.
+
+     For more information, see "[AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html)" in the AWS documentation.
+   * **AWS S3 Bucket**: The name of your S3 bucket.
+   * **AWS S3 Access Key** and **AWS S3 Secret Key**: The AWS access key ID and secret key for your bucket. For more information on managing AWS access keys, see the "[AWS Identity and Access Management Documentation](https://docs.aws.amazon.com/iam/index.html)."
+
+   ![Radio button for selecting Amazon S3 Storage and fields for S3 configuration](/assets/images/enterprise/management-console/actions-aws-s3-storage.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% data reusables.actions.enterprise-postinstall-nextsteps %}

content/admin/github-actions/enabling-github-actions-with-azure-blob-storage.md

@@ -0,0 +1,36 @@
+---
+title: Enabling GitHub Actions with Azure Blob storage
+intro: 'You can enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} and use Azure Blob storage to store artifacts generated by workflow runs.'
+permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+### Prerequisites
+
+Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
+
+* Create your Azure storage account for storing workflow artifacts. {% data variables.product.prodname_actions %} stores its data as block blobs, and two storage account types are supported:
+  * A **general-purpose** storage account (also known as `general-purpose v1` or `general-purpose v2`) using the **standard** performance tier.
+
+    {% warning %}
+
+    **Warning:** Using the **premium** performance tier with a general-purpose storage account is not supported. The **standard** performance tier must be selected when creating the storage account, and it cannot be changed later.
+
+    {% endwarning %}
+  * A **BlockBlobStorage** storage account, which uses the **premium** performance tier.
+
+  For more information on Azure storage account types and performance tiers, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview?toc=/azure/storage/blobs/toc.json#types-of-storage-accounts).
+{% data reusables.actions.enterprise-common-prereqs %}
+
+### Enabling {% data variables.product.prodname_actions %} with Azure Blob storage
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.actions %}
+{% data reusables.actions.enterprise-enable-checkbox %}
+1. Under "Artifact & Log Storage", select **Azure Blob Storage**, and enter your Azure storage account's connection string. For more information on getting the connection string for your storage account, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#view-account-access-keys).
+  ![Radio button for selecting Azure Blob Storage and the Connection string field](/assets/images/enterprise/management-console/actions-azure-storage.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% data reusables.actions.enterprise-postinstall-nextsteps %}

content/admin/github-actions/enabling-github-actions-with-minio-gateway-for-nas-storage.md

@@ -0,0 +1,37 @@
+---
+title: Enabling GitHub Actions with MinIO Gateway for NAS storage
+intro: 'You can enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} and use MinIO Gateway for NAS storage to store artifacts generated by workflow runs.'
+permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+### Prerequisites
+
+{% data reusables.actions.enterprise-s3-support-warning %}
+
+Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
+
+* To avoid resource contention on the appliance, we recommend that MinIO be hosted separately from {% data variables.product.product_location %}.
+* Create your bucket for storing workflow artifacts. To set up your bucket and access key, see the [MinIO documentation](https://docs.min.io/docs/minio-gateway-for-nas.html). {% indented_data_reference site.data.reusables.actions.enterprise-s3-permission spaces=2 %}
+  
+{% data reusables.actions.enterprise-common-prereqs %}
+
+### Enabling {% data variables.product.prodname_actions %} with MinIO Gateway for NAS storage
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.actions %}
+{% data reusables.actions.enterprise-enable-checkbox %}
+1. Under "Artifact & Log Storage", select **Amazon S3**, and enter your storage bucket's details:
+
+   * **AWS Service URL**: The URL to your MinIO service. For example, `https://my-minio.example:9000`.
+   * **AWS S3 Bucket**: The name of your S3 bucket.
+   * **AWS S3 Access Key** and **AWS S3 Secret Key**: The `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` used for your MinIO instance. For more information, see the [MinIO documentation](https://docs.min.io/docs/minio-gateway-for-nas.html).
+
+   ![Radio button for selecting Amazon S3 Storage and fields for MinIO configuration](/assets/images/enterprise/management-console/actions-minio-s3-storage.png)
+1. Under "Artifact & Log Storage", select **Force path style**.
+   ![Checkbox to Force path style](/assets/images/enterprise/management-console/actions-minio-force-path-style.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% data reusables.actions.enterprise-postinstall-nextsteps %}

content/admin/github-actions/enforcing-github-actions-policies-for-your-enterprise.md

@@ -8,7 +8,6 @@ versions:
 ---
 
 {% data reusables.actions.enterprise-beta %}
-{% data reusables.actions.enterprise-github-hosted-runners %}
 
 ### About {% data variables.product.prodname_actions %} permissions for your enterprise
 

content/admin/github-actions/getting-started-with-github-actions-for-github-enterprise-server.md

@@ -0,0 +1,96 @@
+---
+title: Getting started with GitHub Actions for GitHub Enterprise Server
+intro: 'Learn about enabling and configuring {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} for the first time.'
+permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
+redirect_from:
+  - /enterprise/admin/github-actions/enabling-github-actions-and-configuring-storage
+  - /admin/github-actions/enabling-github-actions-and-configuring-storage
+versions:
+  enterprise-server: '>=2.22'
+---
+
+{% if currentVersion == "enterprise-server@2.22" %}
+{% note %}
+
+**Note:** {% data variables.product.prodname_actions %} support on {% data variables.product.prodname_ghe_server %} 2.22 is a limited public beta. Review the external storage requirements below and [sign up for the beta](https://resources.github.com/beta-signup/).
+
+{% endnote %}
+{% endif %}
+
+{% data reusables.actions.enterprise-github-hosted-runners %}
+
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+
+This article explains how site administrators can configure {% data variables.product.prodname_ghe_server %} to use {% data variables.product.prodname_actions %}. It covers the hardware and software requirements, presents the storage options, and describes the security management policies.
+
+### Review hardware considerations
+
+{% data reusables.actions.enterprise-hardware-considerations %}
+
+{% endif %}
+
+### External storage requirements
+
+To enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %}, you must have access to external blob storage.
+
+{% data variables.product.prodname_actions %} uses blob storage to store artifacts generated by workflow runs, such as workflow logs and user-uploaded build artifacts. The amount of storage required depends on your usage of {% data variables.product.prodname_actions %}. Only a single external storage configuration is supported, and you can't use multiple storage providers at the same time.
+
+{% data variables.product.prodname_actions %} supports these storage providers:
+
+* Azure Blob storage
+* Amazon S3
+* S3-compatible MinIO Gateway for NAS
+
+{% note %}
+
+**Note:** These are the only storage providers that {% data variables.product.company_short %} supports and can provide assistance with. Other S3 API-compatible storage providers are unlikely to work due to differences from the S3 API. [Contact us](https://support.github.com/contact) to request support for additional storage providers.
+
+{% endnote %}
+
+{% if currentVersion == "enterprise-server@2.22" %}
+
+#### Amazon S3 permissions
+
+{% data reusables.actions.enterprise-s3-permission %}
+
+### Enabling {% data variables.product.prodname_actions %}
+
+{% data variables.product.prodname_actions %} support on {% data variables.product.prodname_ghe_server %} 2.22 is a limited public beta. [Sign up for the beta](https://resources.github.com/beta-signup/).
+
+### Further reading
+
+- "Hardware considerations" for your platform in "[Setting up a {% data variables.product.prodname_ghe_server %} instance](/enterprise/admin/installation/setting-up-a-github-enterprise-server-instance)"
+
+{% endif %}
+
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+
+### Enabling {% data variables.product.prodname_actions %} with your storage provider
+
+Follow one of the procedures below to enable {% data variables.product.prodname_actions %} with your chosen storage provider:
+
+* [Enabling GitHub Actions with Azure Blob storage](/admin/github-actions/enabling-github-actions-with-azure-blob-storage)
+* [Enabling GitHub Actions with Amazon S3 storage](/admin/github-actions/enabling-github-actions-with-amazon-s3-storage)
+* [Enabling GitHub Actions with MinIO Gateway for NAS storage](/admin/github-actions/enabling-github-actions-with-minio-gateway-for-nas-storage)
+
+### Managing access permissions for {% data variables.product.prodname_actions %} in your enterprise
+
+You can use policies to manage access to {% data variables.product.prodname_actions %}. For more information, see "[Enforcing GitHub Actions policies for your enterprise](/admin/github-actions/enforcing-github-actions-policies-for-your-enterprise)."
+
+### Adding self-hosted runners
+
+{% data reusables.actions.enterprise-github-hosted-runners %}
+
+To run {% data variables.product.prodname_actions %} workflows, you need to add self-hosted runners. You can add self-hosted runners at the enterprise, organization, or repository levels. For more information, see "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."
+
+### Managing which actions can be used in your enterprise
+
+You can control which actions your users are allowed to use in your enterprise. This includes setting up {% data variables.product.prodname_github_connect %} for automatic access to actions from {% data variables.product.prodname_dotcom_the_website %}, or manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}.
+
+For more information, see "[About using actions on {% data variables.product.prodname_ghe_server %}](/admin/github-actions/about-using-actions-on-github-enterprise-server)."
+
+### General security hardening for {% data variables.product.prodname_actions %} 
+
+If you want to learn more about security practices for {% data variables.product.prodname_actions %}, see "[Security hardening for {% data variables.product.prodname_actions %}](/actions/learn-github-actions/security-hardening-for-github-actions)."
+
+{% endif %}

content/admin/github-actions/high-availability-for-github-actions.md

@@ -0,0 +1,29 @@
+---
+title: High availability for GitHub Actions
+intro: 'There are some special considerations for administering {% data variables.product.prodname_actions %} in a high availability configuration.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+### Replication or redundancy of your {% data variables.product.prodname_actions %} data
+
+{% data reusables.actions.enterprise-storage-ha-backups %}
+
+We strongly recommend that you configure your {% data variables.product.prodname_actions %} external storage to use data redundancy or replication. For more information, refer to your storage provider's documentation:
+
+* [Azure Storage redundancy documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy)
+* [Amazon S3 replication documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html)
+
+### High availability replicas
+
+#### Promoting a replica
+
+When enabling a high availability configuration, any replicas are automatically configured to use the {% data variables.product.prodname_actions %} external storage configuration. If you need to initiate a failover to promote a replica, no extra configuration changes are required for {% data variables.product.prodname_actions %}.
+
+For more information, see "[Initiating a failover to your replica appliance](/admin/enterprise-management/initiating-a-failover-to-your-replica-appliance)."
+
+#### Removing a high availability replica
+
+Avoid letting multiple instances to write to the same {% data variables.product.prodname_actions %} external storage. This could occur when using the `ghe-repl-teardown` command to stop and permanently remove a {% data variables.product.prodname_actions %}-enabled replica. This is because the replica will be converted into a standalone {% data variables.product.prodname_ghe_server %}, and after the teardown it will still use the same external storage configuration as the primary.
+
+To help avoid this issue, we recommend either decommissioning the replica server or updating its {% data variables.product.prodname_actions %} configuration with different external storage.

content/admin/github-actions/index.md

@@ -12,11 +12,22 @@ versions:
 
 ### Table of Contents
 
-{% link_in_list /enabling-github-actions-and-configuring-storage %}
+{% topic_link_in_list /enabling-github-actions-for-github-enterprise-server %}
+  {% link_in_list /getting-started-with-github-actions-for-github-enterprise-server %}
+  {% link_in_list /enabling-github-actions-with-azure-blob-storage %}
+  {% link_in_list /enabling-github-actions-with-amazon-s3-storage %}
+  {% link_in_list /enabling-github-actions-with-minio-gateway-for-nas-storage %}
+
 {% link_in_list /enforcing-github-actions-policies-for-your-enterprise %}
 
 {% topic_link_in_list /managing-access-to-actions-from-githubcom %}
-  {% link_in_list /about-using-githubcom-actions-on-github-enterprise-server %}
-  {% link_in_list /setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access %}
-  {% link_in_list /manually-syncing-actions-from-githubcom %}
+  {% link_in_list /about-using-actions-on-github-enterprise-server %}
   {% link_in_list /enabling-automatic-access-to-githubcom-actions-using-github-connect %}
+  {% link_in_list /manually-syncing-actions-from-githubcom %}
+  {% link_in_list /setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access %}
+
+{% topic_link_in_list /advanced-configuration-and-troubleshooting %}
+  {% link_in_list /high-availability-for-github-actions %}
+  {% link_in_list /backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled %}
+  {% link_in_list /using-a-staging-environment %}
+  {% link_in_list /troubleshooting-github-actions-for-your-enterprise %}

content/admin/github-actions/manually-syncing-actions-from-githubcom.md

@@ -12,7 +12,9 @@ versions:
 
 {% data reusables.actions.enterprise-no-internet-actions %}
 
-To make specific actions from {% data variables.product.prodname_dotcom_the_website %} available to use in workflows, you can use {% data variables.product.company_short %}'s open source [`actions-sync`](https://github.com/actions/actions-sync) tool to sync action repositories from {% data variables.product.prodname_dotcom_the_website %} to your enterprise instance. For other ways of accessing actions from {% data variables.product.prodname_dotcom_the_website %}, see "[About using {% data variables.product.prodname_dotcom_the_website %} actions on {% data variables.product.prodname_ghe_server %}](/enterprise/admin/github-actions/about-using-githubcom-actions-on-github-enterprise-server)."
+The recommended approach of enabling access to actions from {% data variables.product.prodname_dotcom_the_website %} is to enable automatic access to all actions. You can do this by using {% data variables.product.prodname_github_connect %} to integrate {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_ghe_cloud %} . For more information, see "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/enterprise/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect)".
+
+However, if you want stricter control over which actions are allowed in your enterprise, you can follow this guide to use {% data variables.product.company_short %}'s open source [`actions-sync`](https://github.com/actions/actions-sync) tool to sync individual action repositories from {% data variables.product.prodname_dotcom_the_website %} to your enterprise instance.
 
 ### About the `actions-sync` tool
 

content/admin/github-actions/troubleshooting-github-actions-for-your-enterprise.md

@@ -0,0 +1,143 @@
+---
+title: Troubleshooting GitHub Actions for your enterprise
+intro: 'Troubleshooting common issues that occur when using {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %}.'
+permissions: 'Site administrators can troubleshoot {% data variables.product.prodname_actions %} issues and modify {% data variables.product.prodname_ghe_server %} configurations.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+### Configuring self-hosted runners when using a self-signed certificate for {% data variables.product.prodname_ghe_server %}
+
+{% data reusables.actions.enterprise-self-signed-cert %} For more information, see "[Configuring TLS](/admin/configuration/configuring-tls)."
+
+#### Installing the certificate on the runner machine
+
+For a self-hosted runner to connect to a {% data variables.product.prodname_ghe_server %} using a self-signed certificate, you must install the certificate on the runner machine so that the connection is security hardened.
+
+For the steps required to install a certificate, refer to the documentation for your runner's operating system.
+
+#### Configuring Node.JS to use the certificate
+
+Most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store. For the self-hosted runner application to use the certificate, you must set the `NODE_EXTRA_CA_CERTS` environment variable on the runner machine.
+
+You can set the environment variable as a system environment variable, or declare it in a file named _.env_ in the self-hosted runner application directory.
+
+For example:
+
+```shell
+NODE_EXTRA_CA_CERTS=/usr/share/ca-certificates/extra/mycertfile.crt
+```
+
+Environment variables are read when the self-hosted runner application starts, so you must set the environment variable before configuring or starting the self-hosted runner application. If your certificate configuration changes, you must restart the self-hosted runner application.
+
+#### Configuring Docker containers to use the certificate
+
+If you use Docker container actions or service containers in your workflows, you might also need to install the certificate in your Docker image in addition to setting the above environment variable.
+
+### Configuring HTTP proxy settings for {% data variables.product.prodname_actions %}
+
+{% data reusables.actions.enterprise-http-proxy %}
+
+If these settings aren't correctly configured, you might receive errors like `Resource unexpectedly moved to https://<IP_ADDRESS>` when setting or changing your {% data variables.product.prodname_actions %} configuration.
+
+### Runners not connecting to {% data variables.product.prodname_ghe_server %} after changing the hostname
+
+If you change the hostname of {% data variables.product.product_location %}, self-hosted runners will be unable to connect to the old hostname, and will not execute any jobs.
+
+You will need to update the configuration of your self-hosted runners to use the new hostname for {% data variables.product.product_location %}. Each self-hosted runner will require one of the following procedures:
+
+* In the self-hosted runner application directory, edit the `.runner` and `.credentials` files to replace all mentions of the old hostname with the new hostname, then restart the self-hosted runner application.
+* Remove the runner from {% data variables.product.prodname_ghe_server %} using the UI, and re-add it. For more information, see "[Removing self-hosted runners](/actions/hosting-your-own-runners/removing-self-hosted-runners)" and "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."
+
+### Stuck jobs and {% data variables.product.prodname_actions %} memory and CPU limits
+
+{% data variables.product.prodname_actions %} is composed of multiple services running on {% data variables.product.product_location %}. By default, these services are set up with default CPU and memory limits that should work for most instances. However, heavy users of {% data variables.product.prodname_actions %} might need to adjust these settings.
+
+You may be hitting the CPU or memory limits if you notice that jobs are not starting (even though there are idle runners), or if the job's progress is not updating or changing in the UI.
+
+#### 1. Check the overall CPU and memory usage in the management console
+
+Access the management console and use the monitor dashboard to inspect the overall CPU and memory graphs under "System Health". For more information, see "[Accessing the monitor dashboard](/admin/enterprise-management/accessing-the-monitor-dashboard)."
+
+If the overall "System Health" CPU usage is close to 100%, or there is no free memory left, then {% data variables.product.product_location %} is running at capacity and needs to be scaled up. For more information, see "[Increasing CPU or memory resources](/admin/enterprise-management/increasing-cpu-or-memory-resources)."
+
+#### 2. Check the Nomad Jobs CPU and memory usage in the management console
+
+If the overall "System Health" CPU and memory usage is OK, scroll down the monitor dashboard page to the "Nomad Jobs" section, and look at the "CPU Percent Value" and "Memory Usage" graphs.
+
+Each plot in these graphs corresponds to one service. For {% data variables.product.prodname_actions %} services, look for:
+
+* `mps_frontend`
+* `mps_backend`
+* `token_frontend`
+* `token_backend`
+* `actions_frontend`
+* `actions_backend`
+
+If any of these services are at or near 100% CPU utilization, or the memory is near their limit (2 GB by default), then the resource allocation for these services might need increasing. Take note of which of the above services are at or near their limit.
+
+#### 3. Increase the resource allocation for services at their limit
+
+1. Log in to the administrative shell using SSH. For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
+1. Run the following command to see what resources are available for allocation:
+
+   ```shell
+   nomad node status -self
+   ```
+
+   In the output, find the "Allocated Resources" section. It looks similar to the following example:
+
+   ```
+   Allocated Resources
+   CPU              Memory          Disk
+   7740/49600 MHZ   23 GiB/32 GiB   4.4 GiB/7.9 GiB
+   ```
+
+   For CPU and memory, this shows how much is allocated to the **total** of **all** services (the left value) and how much is available (the right value). In the example above, there is 23 GiB of memory allocated out of 32 GiB total. This means there is 9 GiB of memory available for allocation.
+
+   {% warning %}
+
+   **Warning:** Be careful not to allocate more than the total available resources, or services will fail to start.
+
+   {% endwarning %}
+1. Change directory to `/etc/consul-templates/etc/nomad-jobs/actions`:
+
+   ```shell
+   cd /etc/consul-templates/etc/nomad-jobs/actions
+   ```
+
+   In this directory there are three files that correspond to the {% data variables.product.prodname_actions %} services from above:
+
+   * `mps.hcl.ctmpl`
+   * `token.hcl.ctmpl`
+   * `actions.hcl.ctmpl`
+1. For the services that you identified that need adjustment, open the corresponding file and locate the `resources` group that looks like the following:
+
+   ```
+   resources {
+     cpu = 512
+     memory = 2048
+     network {
+       port "http" { }
+     }
+   }
+   ```
+
+   The values are in MHz for CPU resources, and MB for memory resources.
+
+   For example, to increase the resource limits in the above example to 1 GHz for the CPU and 4 GB of memory, change it to:
+
+   ```
+   resources {
+     cpu = 1024
+     memory = 4096
+     network {
+       port "http" { }
+     }
+   }
+   ```
+1. Save and exit the file.
+1. Run `ghe-config-apply` to apply the changes.
+
+    When running `ghe-config-apply`, if you see output like `Failed to run nomad job '/etc/nomad-jobs/<name>.hcl'`, then the change has likely over-allocated CPU or memory resources. If this happens, edit the configuration files again and lower the allocated CPU or memory, then re-run `ghe-config-apply`.
+1. After the configuration is applied, run `ghe-actions-check` to verify that the {% data variables.product.prodname_actions %} services are operational.

content/admin/github-actions/using-a-staging-environment.md

@@ -0,0 +1,27 @@
+---
+title: Using a staging environment
+intro: 'Learn about using {% data variables.product.prodname_actions %} with {% data variables.product.prodname_ghe_server %} staging environments.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+It can be useful to have a staging or testing environment for {% data variables.product.product_location %}, so that you can test updates or new features before implementing them in your production environment.
+
+A common way to create the staging environment is to use a backup of your production instance and restore it to the staging environment.
+
+When setting up a {% data variables.product.prodname_ghe_server %} staging environment that has {% data variables.product.prodname_actions %} enabled, you must use a different external storage configuration for {% data variables.product.prodname_actions %} storage than your production environment uses. Otherwise, your staging environment will write to the same external storage as production.
+
+Expect to see `404` errors in your staging environment when trying to view logs or artifacts from existing {% data variables.product.prodname_actions %} workflow runs, because that data will be missing from your staging storage location.
+
+Although it is not required for {% data variables.product.prodname_actions %} to be functional in your staging environment, you can optionally copy the files from the production storage location to the staging storage location.
+
+* For an Azure storage account, you can use [`azcopy`](https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs#copy-all-containers-directories-and-blobs-to-another-storage-account). For example:
+
+  ```shell
+  azcopy copy 'https://<em>SOURCE-STORAGE-ACCOUNT-NAME</em>.blob.core.windows.net/<em>SAS-TOKEN</em>' 'https://<em>DESTINATION-STORAGE-ACCOUNT-NAME</em>.blob.core.windows.net/' --recursive
+  ```
+* For Amazon S3 buckets, you can use [`aws s3 sync`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/sync.html). For example:
+
+  ```shell
+  aws s3 sync s3://<em>SOURCE-BUCKET</em> s3://<em>DESTINATION-BUCKET</em>
+  ```

content/admin/installation/installing-github-enterprise-server-on-aws.md

@@ -131,4 +131,5 @@ Both primary and replica instances should be assigned separate EIPs in productio
 
 ### Further reading
 
-- "[System overview](/enterprise/admin/guides/installation/system-overview)"
+- "[System overview](/enterprise/admin/guides/installation/system-overview)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"{% endif %}

content/admin/installation/installing-github-enterprise-server-on-azure.md

@@ -106,7 +106,8 @@ We recommend you use a DS v2 instance type with at least 14 GB of RAM. You can u
   {% data reusables.enterprise_installation.instance-will-restart-automatically %}
   {% data reusables.enterprise_installation.visit-your-instance %}
   
-  ### Further reading
+### Further reading
   
-  - "[System overview](/enterprise/admin/guides/installation/system-overview)"
+- "[System overview](/enterprise/admin/guides/installation/system-overview)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"{% endif %}
   

content/admin/installation/installing-github-enterprise-server-on-google-cloud-platform.md

@@ -113,4 +113,5 @@ To create the {% data variables.product.prodname_ghe_server %} instance, you'll
 
 ### Further reading
 
-- "[System overview](/enterprise/admin/guides/installation/system-overview)"
+- "[System overview](/enterprise/admin/guides/installation/system-overview)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"{% endif %}

content/admin/installation/installing-github-enterprise-server-on-hyper-v.md

@@ -62,4 +62,5 @@ versions:
 
 ### Further reading
 
- - "[System overview](/enterprise/admin/guides/installation/system-overview)"
+- "[System overview](/enterprise/admin/guides/installation/system-overview)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"{% endif %}

content/admin/installation/installing-github-enterprise-server-on-openstack-kvm.md

@@ -47,4 +47,5 @@ versions:
 
 ### Further reading
 
- - "[System overview](/enterprise/admin/guides/installation/system-overview)"
+- "[System overview](/enterprise/admin/guides/installation/system-overview)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"{% endif %}

content/admin/installation/installing-github-enterprise-server-on-vmware.md

@@ -48,4 +48,5 @@ versions:
 
 ### Further reading
 
- - "[System overview](/enterprise/admin/guides/installation/system-overview)"
+- "[System overview](/enterprise/admin/guides/installation/system-overview)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"{% endif %}

content/admin/installation/installing-github-enterprise-server-on-xenserver.md

@@ -45,4 +45,5 @@ versions:
 
 ### Further reading
 
- - "[System overview](/enterprise/admin/guides/installation/system-overview)"
+- "[System overview](/enterprise/admin/guides/installation/system-overview)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"{% endif %}

content/admin/installation/setting-up-a-staging-instance.md

@@ -23,3 +23,9 @@ To thoroughly test a {% data variables.product.prodname_ghe_server %} appliance
 1. Perform a backup of your production instance using {% data variables.product.prodname_enterprise_backup_utilities %}. For more information, see the "About {% data variables.product.prodname_enterprise_backup_utilities %}" section of "[Configuring backups on your appliance](/enterprise/admin/guides/installation/configuring-backups-on-your-appliance#about-github-enterprise-server-backup-utilities)."
 2. Set up a new instance to act as your staging environment. You can use the same guides for provisioning and installing your staging instance as you did for your production instance. For more information, see "[Setting up a {% data variables.product.prodname_ghe_server %} instance](/enterprise/admin/guides/installation/setting-up-a-github-enterprise-server-instance/)."
 3. Restore your backup onto your staging instance. For more information, see the "Restoring a backup" section of "[Configuring backups on your appliance](/enterprise/admin/guides/installation/configuring-backups-on-your-appliance#restoring-a-backup)."
+
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+### Further reading
+
+- "[About upgrades to new releases](/admin/overview/about-upgrades-to-new-releases)"
+{% endif %}

content/admin/overview/about-upgrades-to-new-releases.md

@@ -0,0 +1,33 @@
+---
+title: About upgrades to new releases
+shortTitle: About upgrades
+intro: 'You can benefit from new features and bug fixes for {% data variables.product.product_name %} by upgrading your enterprise to a newly released version.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+{% data variables.product.product_name %} is constantly improving, with new functionality and bug fixes introduced through major and minor releases. 
+
+Major releases include new functionality and feature upgrades and typically occur quarterly.
+
+Starting with {% data variables.product.prodname_ghe_server %} 3.0, all major releases begin with at least one release candidate. Release candidates are proposed major releases, with a complete feature set. There may be bugs or issues in a release candidate which can only be found through feedback from customers actually using {% data variables.product.product_name %}. 
+
+You can get early access to the latest features by testing a release candidate as soon as the release candidate is available. You can upgrade to a release candidate from a supported version and can upgrade from the release candidate to later versions when released. You should upgrade any environment running a release candidate as soon as the release is generally available. For more information, see "[Upgrade requirements](/admin/enterprise-management/upgrade-requirements)."
+
+Release candidates should be deployed on test or staging environments. As you test a release candidate, please provide feedback by contacting support. For more information, see "[Working with {% data variables.contact.github_support %}](/admin/enterprise-support)."
+
+We'll use your feedback to apply bug fixes and any other necessary changes to create a stable production release. Each new release candidate adds bug fixes for issues found in prior versions. When the release is ready for widespread adoption, {% data variables.product.company_short %} publishes a stable production release.
+
+{% warning %}
+
+**Warning**: The upgrade to a new major release will cause a few hours of downtime, during which none of your users will be able to use the enterprise. You can inform your users about downtime by publishing a global announcement banner, using your enterprise settings or the REST API. For more information, see "[Customizing user messages on your instance](/admin/user-management/customizing-user-messages-on-your-instance#creating-a-global-announcement-banner)" and "[{% data variables.product.prodname_enterprise %} administration](/rest/reference/enterprise-admin#announcements)."
+
+{% endwarning %}
+
+Minor releases, which consist of hot patches and bug fixes only, happen more frequently. Minor releases are generally available when first released, with no release candidates. Upgrading to a minor release typically requires less than five minutes of downtime.
+
+To upgrade your enterprise to a new release, see "[Release notes](/enterprise-server/admin/release-notes)" and "[Upgrading {% data variables.product.prodname_ghe_server %}](/admin/enterprise-management/upgrading-github-enterprise-server)."
+
+### Further reading
+
+- [ {% data variables.product.prodname_roadmap %} ]( {% data variables.product.prodname_roadmap_link %} ) in the  `github/roadmap` repository

content/admin/overview/index.md

@@ -15,5 +15,6 @@ For more information, or to purchase {% data variables.product.prodname_enterpri
 {% link_in_list /about-enterprise-accounts %}
 {% link_in_list /managing-your-github-enterprise-license %}
 {% link_in_list /managing-billing-for-your-enterprise %}
+{% link_in_list /about-upgrades-to-new-releases %}
 {% link_in_list /system-overview %}
 {% link_in_list /about-the-github-enterprise-api %}

content/admin/packages/configuring-package-ecosystem-support-for-your-enterprise.md

@@ -0,0 +1,47 @@
+---
+title: Configuring package ecosystem support for your enterprise
+intro: 'You can configure {% data variables.product.prodname_registry %} for your enterprise by globally enabling or disabling individual package ecosystems on your enterprise, including Docker, RubyGems, npm, Apache Maven, Gradle, or NuGet. Learn about other configuration requirements to support specific package ecosystems.'
+redirect_from:
+  - /enterprise/admin/packages/configuring-packages-support-for-your-enterprise
+  - /admin/packages/configuring-packages-support-for-your-enterprise
+versions:
+  enterprise-server: '>=2.22'
+---
+
+{% data reusables.package_registry.packages-ghes-release-stage %}
+
+### Enabling or disabling individual package ecosystems
+
+To prevent new packages from being uploaded, you can set an ecosystem you previously enabled to **Read-Only**, while still allowing existing packages to be downloaded.
+
+{% if currentVersion == "enterprise-server@2.22" %}
+To use {% data variables.product.prodname_registry %} with Docker, you must have subdomain isolation enabled for your instance. For more information, see "[Enabling subdomain isolation](/enterprise/admin/configuration/enabling-subdomain-isolation)."
+{% endif %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_site_admin_settings.packages-tab %}
+1. Under "Ecosystem Toggles", for each package type, select **Enabled**, **Read-Only**, or **Disabled**.
+  ![Ecosystem toggles](/assets/images/enterprise/site-admin-settings/ecosystem-toggles.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% if currentVersion == "enterprise-server@3.0" or currentVersion ver_gt "enterprise-server@3.0" %}
+### Connecting to the official NPM registry
+
+If you've enabled npm packages on your enterprise and want to allow access to the official NPM registry as well as the {% data variables.product.prodname_registry %} npm registry, then you must perform some additional configuration.
+
+{% data variables.product.prodname_registry %} uses a transparent proxy for network traffic that connects to the official NPM registry at `registry.npmjs.com`. The proxy is enabled by default and cannot be disabled.
+
+To allow network connections to the NPM registry, you will need to configure network ACLs that allow {% data variables.product.prodname_ghe_server %} to send HTTPS traffic to `registry.npmjs.com`  over port 443:
+
+| Source | Destination | Port | Type |
+|---|---|---|---|
+| {% data variables.product.prodname_ghe_server %} | `registry.npmjs.com` | TCP/443 | HTTPS |
+
+Note that connections to `registry.npmjs.com` traverse through the Cloudflare network, and subsequently do not connect to a single static IP address; instead, a connection is made to an IP address within the CIDR ranges listed here: https://www.cloudflare.com/ips/.
+
+{% endif %}
+
+### Next steps
+
+As a next step, we recommend you check if you need to update or upload a TLS certificate for your packages host URL. For more information, see "[Getting started with GitHub Packages for your enterprise](/admin/packages/getting-started-with-github-packages-for-your-enterprise)."

content/admin/packages/configuring-packages-support-for-your-enterprise.md

@@ -1,21 +0,0 @@
----
-title: Configuring packages support for your enterprise
-intro: 'You can configure {% data variables.product.prodname_registry %} for your enterprise by enabling or disabling each package ecosystem.'
-redirect_from:
-  - /enterprise/admin/packages/configuring-packages-support-for-your-enterprise
-versions:
-  enterprise-server: '>=2.22'
----
-
-{% data reusables.package_registry.packages-ghes-release-stage %}
-
-You can enable or disable each package ecosystem for your instance. You can set an ecosystem you previously enabled to **Read-Only** to prevent new packages from being uploaded, while allowing existing packages to be downloaded.
-
-To use {% data variables.product.prodname_registry %} with Docker, you must have subdomain isolation enabled for your instance. For more information, see "[Enabling subdomain isolation](/enterprise/admin/configuration/enabling-subdomain-isolation)."
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_site_admin_settings.packages-tab %}
-1. Under "Ecosystem Toggles", for each package type, select **Enabled**, **Read-Only**, or **Disabled**.
-  ![Ecosystem toggles](/assets/images/enterprise/site-admin-settings/ecosystem-toggles.png)
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/packages/configuring-third-party-storage-for-packages.md

@@ -1,53 +0,0 @@
----
-title: Configuring third-party storage for packages
-intro: 'You can configure the third-party service that {% data variables.product.prodname_registry %} uses to store your enterprise''s packages.'
-redirect_from:
-  - /enterprise/admin/packages/configuring-third-party-storage-for-packages
-versions:
-  enterprise-server: '>=2.22'
----
-
-{% data reusables.package_registry.packages-ghes-release-stage %}
-
-### About third-party storage for {% data variables.product.prodname_registry %}
-
-{% data variables.product.prodname_registry %} on {% data variables.product.prodname_ghe_server %} uses external blob storage to store your packages. The amount of storage required depends on your usage of {% data variables.product.prodname_registry %}.
-
-At this time, {% data variables.product.prodname_registry %} supports blob storage with Amazon Web Services (AWS) S3. MinIO is also supported, but configuration is not currently implemented in the {% data variables.product.product_name %} interface. You can use MinIO for storage by following the instructions for AWS S3, entering the analogous information for your MinIO configuration. Before configuring third-party storage for {% data variables.product.prodname_registry %} on {% data variables.product.prodname_dotcom %}, you must set up a bucket with your third-party storage provider. For more information on installing and running a MinIO bucket to use with {% data variables.product.prodname_registry %}, see the "[Quickstart for configuring MinIO storage](/admin/packages/quickstart-for-configuring-minio-storage)."
-
-For the best experience, we recommend using a dedicated bucket for {% data variables.product.prodname_registry %}, separate from the bucket you use for {% data variables.product.prodname_actions %} storage.
-
-### Configuring AWS S3 as storage for {% data variables.product.prodname_registry %}
-
-{% warning %}
-
-**Warnings:**
-- It's critical you set the restrictive access policies you want for your storage bucket because {% data variables.product.company_short %} does not apply specific object permissions or additional access control lists (ACLs) to your storage bucket configuration. For example, if you make your bucket public, data in the bucket will be accessible on the public internet. For more information, see [Setting bucket and object access permissions](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-permissions.html) in the AWS Documentation.
-- We recommend using a dedicated bucket for {% data variables.product.prodname_registry %}, separate from the bucket you use for {% data variables.product.prodname_actions %} storage.
-- Make sure to configure the bucket you'll want to use in the future. We do not recommend changing your storage after you start using {% data variables.product.prodname_registry %}.
-
-{% endwarning %}
-
-Before you configure AWS as storage for {% data variables.product.prodname_registry %}, make sure your AWS access key ID and secret have the following permissions:
-  - `s3:PutObject`
-  - `s3:GetObject`
-  - `s3:ListBucketMultipartUploads`
-  - `s3:ListMultipartUploadParts`
-  - `s3:AbortMultipartUpload`
-  - `s3:DeleteObject`
-  - `s3:ListBucket`
-
-{% data reusables.enterprise_site_admin_settings.access-settings %}
-{% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_site_admin_settings.packages-tab %}
-1. Under "AWS Service URL", type the S3 endpoint URL for your bucket's region.
-  ![AWS Service URL field](/assets/images/enterprise/site-admin-settings/storage-service-url.png)
-1. Under "AWS S3 Bucket", type the name of the S3 bucket you want to use to store package artifacts.
-  ![AWS S3 Bucket field](/assets/images/enterprise/site-admin-settings/aws-s3-bucket.png)
-1. Under "AWS S3 Access Key", type your access key for S3.
-  ![AWS S3 Access Key field](/assets/images/enterprise/site-admin-settings/aws-s3-access-key.png)
-1. Under "AWS S3 Secret Key", type your secret key for S3.
-  ![AWS S3 Secret Key field](/assets/images/enterprise/site-admin-settings/aws-s3-secret-key.png)
-1. Under "AWS S3 Region", type your region for S3.
-  ![AWS S3 Region field](/assets/images/enterprise/site-admin-settings/aws-s3-region.png)
-{% data reusables.enterprise_management_console.save-settings %}

content/admin/packages/enabling-github-packages-for-your-enterprise.md

@@ -1,17 +0,0 @@
----
-title: Enabling GitHub Packages for your enterprise
-intro: 'You can start using {% data variables.product.prodname_registry %} on your instance by enabling the feature, configuring third-party storage, configuring the ecosystems you want to support, and updating your TLS certificate.'
-redirect_from:
-  - /enterprise/admin/packages/enabling-github-packages-for-your-enterprise
-versions:
-  enterprise-server: '>=2.22'
----
-
-{% data reusables.package_registry.packages-ghes-release-stage %}
-
-1. After you've been invited to join the beta, to enable {% data variables.product.prodname_registry %} for your instance, follow the instructions from your account representative.
-1. Configure third-party storage for your enterprise's packages. For more information, see "[Configuring third-party storage for packages](/enterprise/admin/packages/configuring-third-party-storage-for-packages)."
-1. Enable or disable each package ecosystem for your enterprise. For more information, see "[Configuring packages support for your enterprise](/enterprise/admin/packages/configuring-packages-support-for-your-enterprise)."
-1. If subdomain isolation is enabled for your instance, which is required to use {% data variables.product.prodname_registry %} with Docker, create and upload a TLS certificate that allows the package host URL for each ecosystem you want to use, such as `npm.HOSTNAME`. Make sure each package host URL includes `https://`.
-
-    You can create the certificate manually or using Let's Encrypt. If you already use Let's Encrypt, you must request a new TLS certificate after enabling {% data variables.product.prodname_registry %}. For more information about package host URLs, see "[Enabling subdomain isolation](/enterprise/admin/configuration/enabling-subdomain-isolation)." For more information about uploading TLS certificates to {% data variables.product.product_name %}, see "[Configuring TLS](/enterprise/admin/configuration/configuring-tls)."

content/admin/packages/enabling-github-packages-with-aws.md

@@ -0,0 +1,65 @@
+---
+title: Enabling GitHub Packages with AWS
+intro: 'Set up {% data variables.product.prodname_registry %} with AWS as your external storage.'
+versions:
+  enterprise-server: '>=2.22'
+---
+
+{% warning %}
+
+**Warnings:**
+- It is critical that you configure any restrictive access policies you need for your storage bucket, because {% data variables.product.company_short %} does not apply specific object permissions or additional access control lists (ACLs) to your storage bucket configuration. For example, if you make your bucket public, data in the bucket will be accessible to the public internet. For more information, see "[Setting bucket and object access permissions](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-permissions.html)" in the AWS Documentation.
+- We recommend using a dedicated bucket for {% data variables.product.prodname_registry %}, separate from the bucket you use for {% data variables.product.prodname_actions %} storage.
+- Make sure to configure the bucket you'll want to use in the future. We do not recommend changing your storage after you start using {% data variables.product.prodname_registry %}.
+
+{% endwarning %}
+
+### Prerequisites
+
+Before you can enable and configure {% data variables.product.prodname_registry %} on {% data variables.product.product_location_enterprise %}, you need to prepare your AWS storage bucket. To prepare your AWS storage bucket, we recommend consulting the official AWS docs at [AWS Documentation](https://docs.aws.amazon.com/index.html).
+
+Ensure your AWS access key ID and secret have the following permissions:
+  - `s3:PutObject`
+  - `s3:GetObject`
+  - `s3:ListBucketMultipartUploads`
+  - `s3:ListMultipartUploadParts`
+  - `s3:AbortMultipartUpload`
+  - `s3:DeleteObject`
+  - `s3:ListBucket`
+
+### Enabling {% data variables.product.prodname_registry %} with AWS external storage
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_site_admin_settings.packages-tab %}
+{% data reusables.package_registry.enable-enterprise-github-packages %}
+{% if currentVersion == "enterprise-server@2.22" %}
+1. Under "AWS Service URL", type the S3 endpoint URL for your bucket's region.
+  ![AWS Service URL field](/assets/images/enterprise/site-admin-settings/storage-service-url.png)
+1. Under "AWS S3 Bucket", type the name of the S3 bucket you want to use to store package artifacts.
+  ![AWS S3 Bucket field](/assets/images/enterprise/site-admin-settings/aws-s3-bucket.png)
+1. Under "AWS S3 Access Key", type your access key for S3.
+  ![AWS S3 Access Key field](/assets/images/enterprise/site-admin-settings/aws-s3-access-key.png)
+1. Under "AWS S3 Secret Key", type your secret key for S3.
+  ![AWS S3 Secret Key field](/assets/images/enterprise/site-admin-settings/aws-s3-secret-key.png)
+1. Under "AWS S3 Region", type your region for S3.
+  ![AWS S3 Region field](/assets/images/enterprise/site-admin-settings/aws-s3-region.png)
+{% endif %}
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+1. Under "Packages Storage", select **Amazon S3** and enter your storage bucket's details:
+    - **AWS Service URL:** The service URL for your bucket. For example, if your S3 bucket was created in the `us-west-2 region`, this value should be `https://s3.us-west-2.amazonaws.com`.
+
+      For more information, see "[AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html)" in the AWS documentation.
+
+    - **AWS S3 Bucket:** The name of your S3 bucket dedicated to {% data variables.product.prodname_registry %}.
+    - **AWS S3 Access Key** and **AWS S3 Secret Key**: The AWS access key ID and secret key to access your bucket.
+
+      For more information on managing AWS access keys, see the "[AWS Identity and Access Management Documentation](https://docs.aws.amazon.com/iam/index.html)."
+
+    ![Entry boxes for your S3 AWS bucket's details](/assets/images/help/package-registry/s3-aws-storage-bucket-details.png)
+{% endif %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Next steps
+
+{% data reusables.package_registry.next-steps-for-packages-enterprise-setup %}

content/admin/packages/enabling-github-packages-with-azure-blob-storage.md

@@ -0,0 +1,34 @@
+---
+title: Enabling GitHub Packages with Azure Blob Storage
+intro: 'Set up {% data variables.product.prodname_registry %} with Azure Blob Storage as your external storage.'
+versions:
+  enterprise-server: '>=3.0'
+---
+
+{% warning %}
+
+**Warnings:**
+- It is critical that you set the restrictive access policies you need for your storage bucket, because {% data variables.product.company_short %} does not apply specific object permissions or additional access control lists (ACLs) to your storage bucket configuration. For example, if you make your bucket public, data in the bucket will be accessible on the public internet.
+- We recommend using a dedicated bucket for {% data variables.product.prodname_registry %}, separate from the bucket you use for {% data variables.product.prodname_actions %} storage.
+- Make sure to configure the bucket you'll want to use in the future. We do not recommend changing your storage after you start using {% data variables.product.prodname_registry %}.
+
+{% endwarning %}
+
+### Prerequisites
+
+Before you can enable and configure {% data variables.product.prodname_registry %} on {% data variables.product.product_location_enterprise %}, you need to prepare your Azure Blob storage bucket. To prepare your Azure Blob storage bucket, we recommend consulting the official Azure Blob storage docs at the official [Azure Blob Storage documentation site](https://docs.microsoft.com/en-us/azure/storage/blobs/).
+
+### Enabling {% data variables.product.prodname_registry %} with Azure Blob Storage
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_site_admin_settings.packages-tab %}
+{% data reusables.package_registry.enable-enterprise-github-packages %}
+1. Under "Packages Storage", select **Azure Blob Storage** and enter your Azure container name for your packages storage bucket and connection string.
+  ![Azure Blob storage container name and connection string boxes](/assets/images/help/package-registry/azure-blob-storage-settings.png)
+
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Next steps
+
+{% data reusables.package_registry.next-steps-for-packages-enterprise-setup %}

content/admin/packages/enabling-github-packages-with-minio.md

@@ -0,0 +1,61 @@
+---
+title: Enabling GitHub Packages with MinIO
+intro: 'Set up {% data variables.product.prodname_registry %} with MinIO as your external storage.'
+versions:
+  enterprise-server: '>=2.22'
+---
+
+{% warning %}
+
+**Warnings:**
+- It is critical that you set the restrictive access policies you need for your storage bucket, because {% data variables.product.company_short %} does not apply specific object permissions or additional access control lists (ACLs) to your storage bucket configuration. For example, if you make your bucket public, data in the bucket will be accessible on the public internet.
+- We recommend using a dedicated bucket for {% data variables.product.prodname_registry %}, separate from the bucket you use for {% data variables.product.prodname_actions %} storage.
+- Make sure to configure the bucket you'll want to use in the future. We do not recommend changing your storage after you start using {% data variables.product.prodname_registry %}.
+
+{% endwarning %}
+### Prerequisites
+Before you can enable and configure {% data variables.product.prodname_registry %} on {% data variables.product.product_location_enterprise %}, you need to prepare your MinIO storage bucket. To help you quickly set up a MinIO bucket and navigate MinIO's customization options, see the "[Quickstart for configuring your MinIO storage bucket for {% data variables.product.prodname_registry %}](/admin/packages/quickstart-for-configuring-your-minio-storage-bucket-for-github-packages)."
+
+Ensure your MinIO external storage access key ID and secret have these permissions:
+  - `s3:PutObject`
+  - `s3:GetObject`
+  - `s3:ListBucketMultipartUploads`
+  - `s3:ListMultipartUploadParts`
+  - `s3:AbortMultipartUpload`
+  - `s3:DeleteObject`
+  - `s3:ListBucket`
+
+### Enabling {% data variables.product.prodname_registry %} with MinIO external storage
+
+Although MinIO does not currently appear in the user interface under "Package Storage", MinIO is still {% if currentVersion == "enterprise-server@2.22" %} officially{% endif %} supported by {% data variables.product.prodname_registry %} on {% data variables.product.prodname_enterprise %}. Also, note that MinIO's object storage is compatible with the S3 API and you can enter MinIO's bucket details in place of AWS S3 details.
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_site_admin_settings.packages-tab %}
+{% data reusables.package_registry.enable-enterprise-github-packages %}
+{% if currentVersion == "enterprise-server@2.22" %}
+1. Under "AWS Service URL", type the MinIO URL for your bucket's region.
+  ![AWS Service URL field](/assets/images/enterprise/site-admin-settings/storage-service-url.png)
+1. Under "AWS S3 Bucket", type the name of the MinIO bucket you want to use to store package artifacts.
+  ![AWS S3 Bucket field](/assets/images/enterprise/site-admin-settings/aws-s3-bucket.png)
+1. Under "AWS S3 Access Key", type your access key for MinIO.
+  ![AWS S3 Access Key field](/assets/images/enterprise/site-admin-settings/aws-s3-access-key.png)
+1. Under "AWS S3 Secret Key", type your secret key for MinIO.
+  ![AWS S3 Secret Key field](/assets/images/enterprise/site-admin-settings/aws-s3-secret-key.png)
+1. Under "AWS S3 Region", type your region for MinIO.
+  ![AWS S3 Region field](/assets/images/enterprise/site-admin-settings/aws-s3-region.png)
+{% endif %}
+{% if currentVersion ver_gt "enterprise-server@2.22" %}
+1. Under "Packages Storage", select **Amazon S3**.
+1. Enter your MinIO storage bucket's details in the AWS storage settings.
+    - **AWS Service URL:** The hosting URL for your MinIO bucket.
+    - **AWS S3 Bucket:** The name of your S3-compatible MinIO bucket dedicated to {% data variables.product.prodname_registry %}.
+    - **AWS S3 Access Key** and **AWS S3 Secret Key**: Enter the MinIO access key ID and secret key to access your bucket.
+
+    ![Entry boxes for your S3 AWS bucket's details](/assets/images/help/package-registry/s3-aws-storage-bucket-details.png)
+{% endif %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+### Next steps
+
+{% data reusables.package_registry.next-steps-for-packages-enterprise-setup %}

content/admin/packages/getting-started-with-github-packages-for-your-enterprise.md

@@ -0,0 +1,49 @@
+---
+title: Getting started with GitHub Packages for your enterprise
+intro: 'You can start using {% data variables.product.prodname_registry %} on {% data variables.product.product_location %} by enabling the feature, configuring third-party storage, configuring the ecosystems you want to support, and updating your TLS certificate.'
+redirect_from:
+  - /enterprise/admin/packages/enabling-github-packages-for-your-enterprise
+  - /admin/packages/enabling-github-packages-for-your-enterprise
+versions:
+  enterprise-server: '>=2.22'
+---
+
+{% if currentVersion == "enterprise-server@2.22" %}
+
+{% data reusables.package_registry.packages-ghes-release-stage %}
+
+{% note %}
+
+**Note:** After you've been invited to join the beta, follow the instructions from your account representative to enable {% data variables.product.prodname_registry %} for {% data variables.product.product_location %}.
+
+{% endnote %}
+
+{% endif %}
+
+{% data reusables.package_registry.packages-cluster-support %}
+
+### Step 1: Enable {% data variables.product.prodname_registry %} and configure external storage
+
+{% data variables.product.prodname_registry %} on {% data variables.product.prodname_ghe_server %} uses external blob storage to store your packages.
+
+After enabling {% data variables.product.prodname_registry %} for {% data variables.product.product_location %}, you'll need to prepare your third-party storage bucket. The amount of storage required depends on your usage of {% data variables.product.prodname_registry %}, and the setup guidelines can vary by storage provider.
+
+Supported external storage providers
+- Amazon Web Services (AWS) S3 {% if currentVersion ver_gt "enterprise-server@2.22" %}
+- Azure Blob Storage {% endif %}
+- MinIO
+
+To enable {% data variables.product.prodname_registry %} and configure third-party storage, see:
+  - "[Enabling GitHub Packages with AWS](/admin/packages/enabling-github-packages-with-aws)"{% if currentVersion ver_gt "enterprise-server@2.22" %}
+  - "[Enabling GitHub Packages with Azure Blob Storage](/admin/packages/enabling-github-packages-with-azure-blob-storage)"{% endif %}
+  - "[Enabling GitHub Packages with MinIO](/admin/packages/enabling-github-packages-with-minio)"
+
+### Step 2: Specify the package ecosystems to support on your instance
+
+Choose which package ecosystems you'd like to enable, disable, or set to read-only on your {% data variables.product.product_location %}. Available options are Docker, RubyGems, npm, Apache Maven, Gradle, or NuGet.  For more information, see "[Configuring package ecosystem support for your enterprise](/enterprise/admin/packages/configuring-package-ecosystem-support-for-your-enterprise)."
+
+### Step 3: Ensure you have a TLS certificate for your package host URL, if needed
+
+If subdomain isolation is enabled for {% data variables.product.product_location %}{% if currentVersion == "enterprise-server@2.22" %}, which is required to use {% data variables.product.prodname_registry %} with Docker{% endif %}, you will need to create and upload a TLS certificate that allows the package host URL for each ecosystem you want to use, such as `npm.HOSTNAME`. Make sure each package host URL includes `https://`.
+
+  You can create the certificate manually, or you can use _Let's Encrypt_. If you already use _Let's Encrypt_, you must request a new TLS certificate after enabling {% data variables.product.prodname_registry %}. For more information about package host URLs, see "[Enabling subdomain isolation](/enterprise/admin/configuration/enabling-subdomain-isolation)." For more information about uploading TLS certificates to {% data variables.product.product_name %}, see "[Configuring TLS](/enterprise/admin/configuration/configuring-tls)."

content/admin/packages/index.md

@@ -9,7 +9,11 @@ versions:
 
 {% data reusables.package_registry.packages-ghes-release-stage %}
 
-{% link_with_intro /enabling-github-packages-for-your-enterprise %}
-{% link_with_intro /quickstart-for-configuring-minio-storage %}
-{% link_with_intro /configuring-packages-support-for-your-enterprise %}
-{% link_with_intro /configuring-third-party-storage-for-packages %}
+{% link_with_intro /getting-started-with-github-packages-for-your-enterprise %}
+
+  {% link_in_list /enabling-github-packages-with-aws %}{% if currentVersion ver_gt "enterprise-server@2.22" %}
+  {% link_in_list /enabling-github-packages-with-azure-blob-storage %}{% endif %}
+  {% link_in_list /enabling-github-packages-with-minio %}
+  {% link_in_list /quickstart-for-configuring-your-minio-storage-bucket-for-github-packages %}
+
+{% link_with_intro /configuring-package-ecosystem-support-for-your-enterprise %}

content/admin/packages/quickstart-for-configuring-your-minio-storage-bucket-for-github-packages.md

@@ -1,6 +1,6 @@
 ---
-title: Quickstart for configuring MinIO storage
-intro: 'Set up MinIO as a storage provider for using {% data variables.product.prodname_registry %} on your enterprise.'
+title: Quickstart for configuring your MinIO storage bucket for GitHub Packages
+intro: 'Configure your custom MinIO storage bucket for use with {% data variables.product.prodname_registry %}.'
 versions:
   enterprise-server: '>=2.22'
 ---
@@ -13,11 +13,11 @@ MinIO offers object storage with support for the S3 API and {% data variables.pr
 
 This quickstart shows you how to set up MinIO using Docker for use with {% data variables.product.prodname_registry %} but you have other options for managing MinIO besides Docker. For more information about MinIO, see the official [MinIO docs](https://docs.min.io/).
 
-### 1. Choose a MinIO mode for your needs 
+### 1. Choose a MinIO mode for your needs
 
-| MinIO mode | Optimized for | Storage infrastructure required | 
+| MinIO mode | Optimized for | Storage infrastructure required |
 |----|----|----|
-| Standalone MinIO (on a single host) | Fast setup |  N/A | 
+| Standalone MinIO (on a single host) | Fast setup |  N/A |
 | MinIO as a NAS gateway |  NAS (Network-attached storage)| NAS devices |
 | Clustered MinIO (also called Distributed MinIO)|  Data security | Storage servers running in a cluster |
 
@@ -58,7 +58,7 @@ For more information about your options, see the official [MinIO docs](https://d
     ```
     {% endmac %}
 
-    You can access your MinIO keys using the environment variables: 
+    You can access your MinIO keys using the environment variables:
 
     ```shell
     $ echo $MINIO_ACCESS_KEY
@@ -78,9 +78,9 @@ For more information about your options, see the official [MinIO docs](https://d
      ```
 
      For more information, see "[MinIO Docker Quickstart guide](https://docs.min.io/docs/minio-docker-quickstart-guide.html)."
- 
+
    * Run MinIO using Docker as a NAS gateway:
- 
+
      This setup is useful for deployments where there is already a NAS you want to use as the backup storage for {% data variables.product.prodname_registry %}.
 
      ```shell
@@ -92,7 +92,7 @@ For more information about your options, see the official [MinIO docs](https://d
      ```
 
      For more information, see "[MinIO Gateway for NAS](https://docs.min.io/docs/minio-gateway-for-nas.html)."
- 
+
    * Run MinIO using Docker as a cluster. This MinIO deployment uses several hosts and MinIO's erasure coding for the strongest data protection. To run MinIO in a cluster mode, see the "[Distributed MinIO Quickstart Guide](https://docs.min.io/docs/distributed-minio-quickstart-guide.html).
 
 ### 3. Create your MinIO bucket for {% data variables.product.prodname_registry %}
@@ -121,7 +121,6 @@ For more information about your options, see the official [MinIO docs](https://d
      $ docker run minio/mc mb packages
      ```
 
-
 ### Next steps
 
 To finish configuring storage for {% data variables.product.prodname_registry %}, you'll need to copy the MinIO storage URL:
@@ -130,4 +129,4 @@ To finish configuring storage for {% data variables.product.prodname_registry %}
   echo "http://${MINIO_ACCESS_KEY}:${MINIO_SECRET_KEY}@minioclustername.example.com:9000"
   ```
 
-For the next steps, see "[Configuring third-party storage for packages](/admin/packages/configuring-third-party-storage-for-packages)."
+For the next steps, see "[Enabling {% data variables.product.prodname_registry %} with  MinIO](/admin/packages/enabling-github-packages-with-minio)."

content/admin/user-management/audited-actions.md

@@ -116,8 +116,11 @@ Name                          | Description
 Name                              | Description
 ---------------------------------:| -------------------------------------------
 `team.create`                     | A user account or repository was added to a team.
-`team.delete`                     | A user account or repository was removed from a team.
-`team.destroy`                    | A team was deleted.
+`team.delete`                     | A user account or repository was removed from a team.{% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
+`team.demote_maintainer`          | A user was demoted from a team maintainer to a team member.{% endif %}
+`team.destroy`                    | A team was deleted.{% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
+`team.promote_maintainer`         | A user was promoted from a team member to a team maintainer.{% endif %}
+
 
 #### Users
 
@@ -132,7 +135,8 @@ Name                              | Description
 `user.destroy`                    | A user deleted his or her account, triggering `user.async_delete`.{% if enterpriseServerVersions contains currentVersion %}
 `user.failed_login`               | A user tried to sign in with an incorrect username, password, or two-factor authentication code.
 `user.forgot_password`            | A user requested a password reset via the sign-in page.{% endif %}
-`user.login`                      | A user signed in.
+`user.login`                      | A user signed in.{% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
+`user.mandatory_message_viewed`   | A user views a mandatory message (see "[Customizing user messages](/admin/user-management/customizing-user-messages-for-your-enterprise)" for details) | {% endif %}
 `user.promote`                    | An ordinary user account was promoted to a site admin.
 `user.remove_email`               | An email address was removed from a user account.
 `user.rename`                     | A username was changed.

content/admin/user-management/customizing-user-messages-for-your-enterprise.md

@@ -4,13 +4,18 @@ redirect_from:
   - /enterprise/admin/user-management/creating-a-custom-sign-in-message/
   - /enterprise/admin/user-management/customizing-user-messages-on-your-instance
   - /admin/user-management/customizing-user-messages-on-your-instance
-intro: 'You can create custom messages that users will see on the{% if enterpriseServerVersions contains currentVersion %} sign in and sign out pages{% else %} sign out page{% endif %}{% if currentVersion ver_gt "enterprise-server@2.21" or currentVersion == "github-ae@latest" %} or in an announcement banner at the top of every page{% endif %}.'
+intro: 'You can create custom messages that users will see on {% data variables.product.product_location %}.'
 versions:
   enterprise-server: '*'
   github-ae: '*'
 ---
 
-You can use Markdown to format your message. For more information, see "[About writing and formatting on {% data variables.product.prodname_dotcom %}](/articles/about-writing-and-formatting-on-github/)."
+### About user messages
+
+There are several types of user messages.
+- Messages that appear on the {% if enterpriseServerVersions contains currentVersion %}sign in or {% endif %}sign out page{% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
+- Mandatory messages, which appear once in a pop-up window that must be dismissed{% endif %}{% if currentVersion ver_gt "enterprise-server@2.21" or currentVersion == "github-ae@latest" %}
+- Announcement banners, which appear at the top of every page{% endif %}
 
 {% if enterpriseServerVersions contains currentVersion %}
 {% note %}
@@ -19,20 +24,23 @@ You can use Markdown to format your message. For more information, see "[About w
 
 {% endnote %}
 
+You can use Markdown to format your message. For more information, see "[About writing and formatting on {% data variables.product.prodname_dotcom %}](/articles/about-writing-and-formatting-on-github/)."
+
 ### Creating a custom sign in message
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.messages-tab %}
-5. Under "Sign in page", click **Add message** or **Edit message**.
-![Edit message button](/assets/images/enterprise/site-admin-settings/edit-message.png)
+5. {% if currentVersion ver_gt "enterprise-server@2.22" %}To the right of{% else %}Under{% endif %} "Sign in page", click **Add message** or **Edit message**.
+![{% if currentVersion ver_gt "enterprise-server@2.22" %}Add{% else %}Edit{% endif %} message button](/assets/images/enterprise/site-admin-settings/edit-message.png)
 6. Under **Sign in message**, type the message you'd like users to see.
-![Sign in message](/assets/images/enterprise/site-admin-settings/sign-in-message.png)
+![Sign in message](/assets/images/enterprise/site-admin-settings/sign-in-message.png){% if currentVersion ver_gt "enterprise-server@2.22" %}
+{% data reusables.enterprise_site_admin_settings.message-preview-save %}{% else %}
 {% data reusables.enterprise_site_admin_settings.click-preview %}
   ![Preview button](/assets/images/enterprise/site-admin-settings/sign-in-message-preview-button.png)
 8. Review the rendered message.
 ![Sign in message rendered](/assets/images/enterprise/site-admin-settings/sign-in-message-rendered.png)
-{% data reusables.enterprise_site_admin_settings.save-changes %}
+{% data reusables.enterprise_site_admin_settings.save-changes %}{% endif %}
 {% endif %}
 
 ### Creating a custom sign out message
@@ -40,15 +48,40 @@ You can use Markdown to format your message. For more information, see "[About w
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.messages-tab %}
-5. Under "Sign out page", click **Add message** or **Edit message**.
+5. {% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}To the right of{% else %}Under{% endif %} "Sign out page", click **Add message** or **Edit message**.
 ![Add message button](/assets/images/enterprise/site-admin-settings/sign-out-add-message-button.png)
 6. Under **Sign out message**, type the message you'd like users to see.
-![Sign two_factor_auth_header message](/assets/images/enterprise/site-admin-settings/sign-out-message.png)
+![Sign two_factor_auth_header message](/assets/images/enterprise/site-admin-settings/sign-out-message.png){% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
+{% data reusables.enterprise_site_admin_settings.message-preview-save %}{% else %}
 {% data reusables.enterprise_site_admin_settings.click-preview %}
   ![Preview button](/assets/images/enterprise/site-admin-settings/sign-out-message-preview-button.png)
 8. Review the rendered message.
 ![Sign out message rendered](/assets/images/enterprise/site-admin-settings/sign-out-message-rendered.png)
-{% data reusables.enterprise_site_admin_settings.save-changes %}
+{% data reusables.enterprise_site_admin_settings.save-changes %}{% endif %}
+
+{% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
+### Creating a mandatory message
+
+You can create a mandatory message that {% data variables.product.product_name %} will show to all users the first time they sign in after you save the message. The message appears in a pop-up window that the user must dismiss before the user can use {% data variables.product.product_location %}. Mandatory messages have a variety of uses.
+
+- Providing onboarding information for new employees
+- Telling users how to get help with {% data variables.product.product_location %}
+- Ensuring that all users read your terms of service for using {% data variables.product.product_location %}
+
+If you include Markdown checkboxes in the message, all checkboxes must be selected before the user can dismiss the message. For example, if you include your terms of service in the mandatory message, you can require that each user selects a checkbox to confirm the user has read the terms.
+
+Each time a user sees a mandatory message, an audit log event is created. The event includes the version of the message that the user saw. For more information see "[Audited actions](/admin/user-management/audited-actions)."
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.messages-tab %}
+1. To the right of "Mandatory message", click **Add message**.
+  ![Add message button](/assets/images/enterprise/site-admin-settings/add-mandatory-message-button.png)
+1. Under "Mandatory message", in the text box, type your message.
+  ![Add message button](/assets/images/enterprise/site-admin-settings/mandatory-message-text-box.png)
+{% data reusables.enterprise_site_admin_settings.message-preview-save %}
+
+{% endif %}
 
 {% if currentVersion ver_gt "enterprise-server@2.21" or currentVersion == "github-ae@latest" %}
 ### Creating a global announcement banner
@@ -56,9 +89,7 @@ You can use Markdown to format your message. For more information, see "[About w
 You can set a global announcement banner to be displayed to all users at the top of every page.
 
 {% if currentVersion == "github-ae@latest" or currentVersion ver_gt "enterprise-server@2.22" %}
-
 You can also set an announcement banner{% if enterpriseServerVersions contains currentVersion %} in the administrative shell using a command line utility or{% endif %} using the API. For more information, see {% if enterpriseServerVersions contains currentVersion %}"[Command-line utilities](/enterprise/admin/configuration/command-line-utilities#ghe-announce)" and {% endif %}"[{% data variables.product.prodname_enterprise %} administration](/rest/reference/enterprise-admin#announcements)."
-
 {% else %}
 
 You can also set an announcement banner in the administrative shell using a command line utility. For more information, see "[Command-line utilities](/enterprise/admin/configuration/command-line-utilities#ghe-announce)."
@@ -68,14 +99,11 @@ You can also set an announcement banner in the administrative shell using a comm
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.messages-tab %}
-1. Under "Announcement", click **Add announcement**.
+1. {% if currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}To the right of{% else %}Under{% endif %} "Announcement", click **Add announcement**.
   ![Add announcement button](/assets/images/enterprise/site-admin-settings/add-announcement-button.png)
 1. Under "Announcement", in the text field, type the announcement you want displayed in a banner.
   ![Text field to enter announcement](/assets/images/enterprise/site-admin-settings/announcement-text-field.png)
-1. Optionally, under "Expires on", use the calendar drop-down menu, and select an expiration date.
+1. Optionally, under "Expires on", select the calendar drop-down menu and click an expiration date.
   ![Calendar drop-down menu to choose expiration date](/assets/images/enterprise/site-admin-settings/expiration-drop-down.png)
-1. Optionally, to see what the banner will look like, click **Preview**.
-  ![Preview button](/assets/images/enterprise/site-admin-settings/preview-announcement-button.png)
-1. Click **Save changes**.
-  ![Save changes button](/assets/images/enterprise/site-admin-settings/save-announcement-button.png)
+{% data reusables.enterprise_site_admin_settings.message-preview-save %}
 {% endif %}

content/github/administering-a-repository/about-releases.md

@@ -25,7 +25,7 @@ You can receive notifications when new releases are published in a repository wi
 
 Anyone with read access to a repository can view and compare releases, but only people with write permissions to a repository can manage releases. For more information, see "[Managing releases in a repository](/github/administering-a-repository/managing-releases-in-a-repository)."
 
-{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" or currentVersion == "github-ae@latest" %}
 People with admin permissions to a repository can choose whether {% data variables.large_files.product_name_long %} ({% data variables.large_files.product_name_short %}) objects are included in the ZIP files and tarballs that {% data variables.product.product_name %} creates for each release. For more information, see "[Managing {% data variables.large_files.product_name_short %} objects in archives of your repository](/github/administering-a-repository/managing-git-lfs-objects-in-archives-of-your-repository)."
 {% endif %}
 

content/github/administering-a-repository/about-secret-scanning.md

@@ -8,116 +8,57 @@ redirect_from:
   - /articles/about-token-scanning-for-private-repositories
 versions:
   free-pro-team: '*'
+  enterprise-server: '>=3.0'
 ---
 
+{% data reusables.secret-scanning.beta %}
+{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
+
 If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
 
-If someone checks a secret from a {% data variables.product.company_short %} partner into a public or private repository, {% data variables.product.prodname_secret_scanning %} can detect the secret and help you mitigate the impact of the leak.
+Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Secret scanning](/developers/overview/secret-scanning)."
+{% endif %}
 
-Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. For more information, see "[Secret scanning](/partnerships/secret-scanning)."
+{% data reusables.secret-scanning.about-secret-scanning %}
 
+{% if currentVersion == "free-pro-team@latest" %}
 ### About {% data variables.product.prodname_secret_scanning %} for public repositories
 
- {% data variables.product.prodname_secret_scanning_caps %} is automatically enabled on public repositories, where it scans code for secrets, to check for known secret formats. When a match of your secret format is found in a public repository, {% data variables.product.company_short %} doesn't publicly disclose the information as an alert, but instead sends a payload to an HTTP endpoint of your choice. For an overview of how secret scanning works on public repositories, see "[Secret scanning](/developers/overview/secret-scanning)."
+{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled on public repositories. When you push to a public repository, {% data variables.product.product_name %} scans the content of the commits for secrets. If you switch a private repository to public, {% data variables.product.product_name %} scans the entire repository for secrets.
 
-When you push to a public repository, {% data variables.product.product_name %} scans the content of the commits for secrets. If you switch a private repository to public, {% data variables.product.product_name %} scans the entire repository for secrets.
-
-When {% data variables.product.prodname_secret_scanning %} detects a set of credentials, we notify the service provider who issued the secret. The service provider validates the credential and then decides whether they should revoke the secret, issue a new secret, or reach out to you directly, which will depend on the associated risks to you or the service provider.
+When {% data variables.product.prodname_secret_scanning %} detects a set of credentials, we notify the service provider who issued the secret. The service provider validates the credential and then decides whether they should revoke the secret, issue a new secret, or reach out to you directly, which will depend on the associated risks to you or the service provider. For an overview of how we work with token-issuing partners, see "[Secret scanning](/developers/overview/secret-scanning)."
 
 {% data variables.product.product_name %} currently scans public repositories for secrets issued by the following service providers.
 
-- Adafruit
-- Alibaba Cloud
-- Amazon Web Services (AWS)
-- Atlassian
-- Azure
-- Clojars
-- CloudBees CodeShip
-- Databricks
-- Datadog
-- Discord
-- Doppler
-- Dropbox
-- Dynatrace
-- Finicity
-- Frame.io
-- GitHub
-- GoCardless
-- Google Cloud
-- Hashicorp Terraform
-- Hubspot
-- Mailchimp
-- Mailgun
-- MessageBird
-- npm
-- NuGet
-- Palantir
-- Plivo
-- Postman
-- Proctorio
-- Pulumi
-- Samsara
-- Shopify
-- Slack
-- SSLMate
-- Stripe
-- Tencent Cloud
-- Twilio
+{% data reusables.secret-scanning.partner-secret-list-public-repo %}
 
 ### About {% data variables.product.prodname_secret_scanning %} for private repositories
+{% endif %}
 
-{% data reusables.secret-scanning.beta %}
+{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.22" %}
+### About {% data variables.product.prodname_secret_scanning %} on {% data variables.product.product_name %}
 
-If you're a repository administrator or an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for private repositories that are owned by organizations. You can enable  {% data variables.product.prodname_secret_scanning %} for all your repositories, or for all new repositories within your organization. {% data variables.product.prodname_secret_scanning_caps %} is not available for user account-owned private repositories. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)" and "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization)."
+{% data variables.product.prodname_secret_scanning_caps %} is available on all organization-owned repositories as part of {% data variables.product.prodname_GH_advanced_security %}. It is not available on user-owned repositories.
+{% endif %}
 
-When you push commits to a private repository with {% data variables.product.prodname_secret_scanning %} enabled, {% data variables.product.product_name %} scans the contents of the commits for secrets.
+If you're a repository administrator or an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for {% if currentVersion == "free-pro-team@latest" %} private{% endif %} repositories that are owned by organizations. You can enable  {% data variables.product.prodname_secret_scanning %} for all your repositories, or for all new repositories within your organization.{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_secret_scanning_caps %} is not available for user-owned private repositories.{% endif %} For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)" and "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization)."
 
-When {% data variables.product.prodname_secret_scanning %} detects a secret in a private repository, {% data variables.product.prodname_dotcom %} sends alerts.
+When you push commits to a{% if currentVersion == "free-pro-team@latest" %} private{% endif %} repository with {% data variables.product.prodname_secret_scanning %} enabled, {% data variables.product.prodname_dotcom %} scans the contents of the commits for secrets.
+
+When {% data variables.product.prodname_secret_scanning %} detects a secret in a{% if currentVersion == "free-pro-team@latest" %} private{% endif %} repository, {% data variables.product.prodname_dotcom %} sends alerts.
 
 - {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners.
 
 - {% data variables.product.prodname_dotcom %} displays an alert in the repository. For more information, see "[Managing alerts from {% data variables.product.prodname_secret_scanning %}](/github/administering-a-repository/managing-alerts-from-secret-scanning)."
 
-Repository administrators and organization owners can grant users and team access to {% data variables.product.prodname_secret_scanning %} alerts. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
+Repository administrators and organization owners can grant users and teams access to {% data variables.product.prodname_secret_scanning %} alerts. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
 
-To monitor results from {% data variables.product.prodname_secret_scanning %} across your private repositories or your organization, you can use the {% data variables.product.prodname_secret_scanning %} API. For more information about API endpoints, see "[{% data variables.product.prodname_secret_scanning_caps %}](/rest/reference/secret-scanning)."
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" %}
+To monitor results from {% data variables.product.prodname_secret_scanning %} across your private repositories or your organization, you can use the {% data variables.product.prodname_secret_scanning %} API. For more information about API endpoints, see "[{% data variables.product.prodname_secret_scanning_caps %}](/rest/reference/secret-scanning)."{% endif %}
 
-{% data variables.product.product_name %} currently scans private repositories for secrets issued by the following service providers.
+{% data variables.product.prodname_dotcom %}  currently scans{% if currentVersion == "free-pro-team@latest" %} private{% endif %} repositories for secrets issued by the following service providers.
 
-- Adafruit
-- Alibaba Cloud
-- Amazon Web Services (AWS)
-- Atlassian
-- Azure
-- Clojars
-- CloudBees CodeShip
-- Databricks
-- Discord
-- Doppler
-- Dropbox
-- Dynatrace
-- Finicity
-- Frame.io
-- GitHub
-- GoCardless
-- Google Cloud
-- Hashicorp Terraform
-- Hubspot
-- Mailchimp
-- Mailgun
-- npm
-- NuGet
-- Palantir
-- Postman
-- Proctorio
-- Pulumi
-- Samsara
-- Shopify
-- Slack
-- SSLMate
-- Stripe
-- Tencent Cloud
-- Twilio
+{% data reusables.secret-scanning.partner-secret-list-private-repo %}
 
 {% note %}
 

content/github/administering-a-repository/about-securing-your-repository.md

@@ -3,6 +3,7 @@ title: About securing your repository
 intro: '{% data variables.product.product_name %} provides a number of ways that you can help keep your repository secure.'
 versions:
   free-pro-team: '*'
+  enterprise-server: '>=3.0'  
 ---
 
 ### Setting up your repository securely
@@ -13,6 +14,7 @@ The first step to securing a repository is to set up who can see and modify your
 
 {% data variables.product.prodname_dotcom %} has a growing set of security features that help you keep your code secure. You can find these on the **Security** tab for your repository. 
 
+{% if currentVersion == "free-pro-team@latest" %}
 - **Security policy**
   
   Make it easy for people to confidentially report security vulnerabilities they've found in your repository. For more information, see "[Adding a security policy to your repository](/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)."
@@ -25,10 +27,21 @@ The first step to securing a repository is to set up who can see and modify your
 
   View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
   and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
+ {% endif %}
 
+{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.22" %}
+- **{% data variables.product.prodname_dependabot_alerts %}**
+
+  View alerts about dependencies that are known to contain security vulnerabilities, and manage these alerts. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
+  {% endif %}
+
+{% if currentVersion == "free-pro-team@latest" %}
 - **{% data variables.product.prodname_dependabot %} version updates**
 
   Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)."
+  {% endif %}
+
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}
 
 - **{% data variables.product.prodname_code_scanning_capc %} alerts** 
 
@@ -37,6 +50,7 @@ The first step to securing a repository is to set up who can see and modify your
 - **Detected secrets**
 
   View any secrets that {% data variables.product.prodname_dotcom %} has found in your code. You should treat tokens or credentials that have been checked into the repository as compromised. For more information, see "[About secret scanning](/github/administering-a-repository/about-secret-scanning)."
+  {% endif %}
 
 ### Exploring dependencies 
 {% data variables.product.prodname_dotcom %}'s dependency graph allows you to explore: