GitHub Enterprise Server 3.7 release candidate (#31313)

Author: mattpollard

README.md

@@ -1,5 +1,5 @@
 # GitHub Docs <!-- omit in toc --> 
-
+ 
 This repository contains the documentation website code and Markdown source files for [docs.github.com](https://docs.github.com).
 
 GitHub's Docs team works on pre-production content in a private repo that regularly syncs with this public repo.

assets/images/enterprise/management-console/actions-google-cloud-storage.png

@@ -32,7 +32,12 @@ When subdomain isolation is enabled, {% data variables.product.prodname_ghe_serv
 | `http(s)://HOSTNAME/media/`       | `http(s)://media.HOSTNAME/`       |
 | `http(s)://HOSTNAME/pages/`       | `http(s)://pages.HOSTNAME/`       |
 | `http(s)://HOSTNAME/raw/`         | `http(s)://raw.HOSTNAME/`         |
+{%- ifversion viewscreen-and-notebooks %}
+| `http(s)://HOSTNAME/viewscreen/`  | `http(s)://viewscreen.HOSTNAME/`  |
+| `http(s)://HOSTNAME/notebooks/`   | `http(s)://notebooks.HOSTNAME/`   |
+{%- else %}
 | `http(s)://HOSTNAME/render/`      | `http(s)://render.HOSTNAME/`      |
+{%- endif %}
 | `http(s)://HOSTNAME/reply/`       | `http(s)://reply.HOSTNAME/`       |
 | `http(s)://HOSTNAME/uploads/`     | `http(s)://uploads.HOSTNAME/`     | {% ifversion ghes %}
 | `https://HOSTNAME/` | `http(s)://docker.HOSTNAME/`{% endif %}{% ifversion ghes %}

assets/images/enterprise/management-console/login-attempt-rate-limiting.png

@@ -23,14 +23,15 @@ shortTitle: Access the management console
 
 Use the {% data variables.enterprise.management_console %} for basic administrative activities:
 - **Initial setup**: Walk through the initial setup process when first launching {% data variables.location.product_location %} by visiting {% data variables.location.product_location %}'s IP address in your browser.
+- **Configuring authentication policies for the {% data variables.enterprise.management_console %}**: Set rate limits for login attempts, and the lockout duration if someone exceeds the rate limit. 
 - **Configuring basic settings for your instance**: Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page.
 - **Scheduling maintenance windows**: Take {% data variables.location.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell.
 - **Troubleshooting**: Generate a support bundle or view high level diagnostic information.
 - **License management**: View or update your {% data variables.product.prodname_enterprise %} license.
 
 You can always reach the {% data variables.enterprise.management_console %} using {% data variables.location.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration.
 
-To access the {% data variables.enterprise.management_console %}, you must use the administrator password established during initial setup of {% data variables.location.product_location %}. You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations.
+To access the {% data variables.enterprise.management_console %}, you must use the administrator password established during initial setup of {% data variables.location.product_location %}. You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations. 
 
 The {% data variables.enterprise.management_console %} password hash is stored in `/data/user/common/secrets.conf`, and that file is automatically synced from the primary appliance to any high-availability replicas. Any change to the primary's password will automatically be replicated to high-availability replicas. For more information about high availability, see "[About high availability configuration](/admin/enterprise-management/configuring-high-availability/about-high-availability-configuration)."
 
@@ -52,9 +53,9 @@ The first time that you access the {% data variables.enterprise.management_conso
 
 ## Unlocking the {% data variables.enterprise.management_console %} after failed login attempts
 
-The {% data variables.enterprise.management_console %} locks after ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.
+The {% data variables.enterprise.management_console %} locks after {% ifversion enterprise-authentication-rate-limits %}the number of failed login attempts configured by your authentication policies. For more information, see "[Configuring authentication policy rate limits](/admin/configuration/configuring-your-enterprise/configuring-rate-limits#configuring-authentication-policy-rate-limits)".{% else %}ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.{% endif %}
 
-To immediately unlock the {% data variables.enterprise.management_console %}, use the `ghe-reactivate-admin-login` command via the administrative shell. For more information, see "[Command line utilities](/enterprise/admin/guides/installation/command-line-utilities#ghe-reactivate-admin-login)" and "[Accessing the administrative shell (SSH)](/enterprise/admin/guides/installation/accessing-the-administrative-shell-ssh/)."
+{% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
 
 ## Troubleshooting failed connections to the {% data variables.enterprise.management_console %}
 

assets/images/enterprise/site-admin-settings/mandatory-message-text-box.png

@@ -282,7 +282,7 @@ ghe-org-admin-promote -a
 
 ### ghe-reactivate-admin-login
 
-Use this command to immediately unlock the {% data variables.enterprise.management_console %} after 10 failed login attempts in the span of 10 minutes.
+Use this command to immediately unlock the {% data variables.enterprise.management_console %} after {% ifversion enterprise-authentication-rate-limits %}an account lockout. To configure authentication policies for {% data variables.location.product_location %}, see "[Configuring authentication policy rate limits](/admin/configuration/configuring-your-enterprise/configuring-rate-limits#configuring-authentication-policy-rate-limits)".{% else %}10 failed login attempts in the span of 10 minutes.{% endif %}
 
 ```shell
 $ ghe-reactivate-admin-login
@@ -314,6 +314,60 @@ This utility lists all of the services that have been started or stopped (are ru
 
 ```shell
 $ ghe-service-list
+{% ifversion viewscreen-and-notebooks %}
+active
+  - alambic
+  - alive
+  - aqueduct-lite
+  - authzd
+  - babeld
+  - codeload
+  - consul, process 17114
+  - consul-template, process 19493
+  - driftwood
+  - elasticsearch
+  - enterprise-manage-unicorn, process 9359
+  - ghe-user-disk, process 2545
+  - git-daemon
+  - github-env
+  - github-gitauth
+  - github-resqued
+  - github-stream-processors
+  - github-timerd
+  - github-unicorn
+  - gitrpcd
+  - governor
+  - gpgverify
+  - grafana-server, process 19314
+  - graphite-web, process 20189
+  - hookshot-go
+  - kafka-lite
+  - kredz
+  - lfs-server
+  - mail-replies
+  - memcached
+  - minio
+  - mysql
+  - nginx
+  - nomad, process 19562
+  - pages
+  - postfix
+  - redis
+  - spokesd
+  - spokes-sweeper
+  - svnbridge
+  - token-scanning-api
+  - token-scanning-backfill-worker
+  - token-scanning-hydro-consumer
+  - token-scanning-incremental-worker
+  - token-scanning-udp-backfill-worker
+  - treelights
+  - turboscan
+  - viewscreen
+
+inactive
+  - wireguard
+{% else %}
 start/running
   - github-resqued, process 12711
   - github-unicorn, process 12726
@@ -330,9 +384,9 @@ start/running
   - ghe-storage, process 2012
   - enterprise-manage-unicorn, process 2024
   - enterprise-manage-resque, process 2053
-
 stop/waiting
   - ghe-replica-mode
+  {% endif %}
 ```
 
 ### ghe-set-password

assets/images/enterprise/site-admin-settings/push-mandatory-message-checkbox.png

@@ -34,6 +34,19 @@ You can exempt a list of users from API rate limits using the `ghe-config` utili
 3. Type limits for authenticated and unauthenticated requests for each API, or accept the pre-filled default limits.
 {% data reusables.enterprise_management_console.save-settings %}
 
+{% ifversion enterprise-authentication-rate-limits %}
+## Configuring rate limits for authentication to the {% data variables.enterprise.management_console %}
+
+You can configure the lockout time and login attempt limits for the {% data variables.enterprise.management_console %}. If a user exceeds the login attempt limit, the {% data variables.enterprise.management_console %} will remain locked for the duration set by the lockout time. {% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
+
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. Under "Login attempt rate limiting", configure the lockout time and login attempt rate limit or accept the pre-filled default settings.
+![Fields for configuring lockout time and login attempt rate limit](/assets/images/enterprise/management-console/login-attempt-rate-limiting.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% endif %}
 ## Enabling secondary rate limits
 
 Setting secondary rate limits protects the overall level of service on {% data variables.location.product_location %}.

content/admin/configuration/configuring-network-settings/enabling-subdomain-isolation.md

@@ -26,8 +26,6 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
 
 ## Enabling {% data variables.product.prodname_actions %} with Amazon S3 storage
 
-{% data reusables.enterprise_installation.ssh-into-instance %}
-{% data reusables.actions.perform-blob-storage-precheck %}
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.actions %}
@@ -41,6 +39,7 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
    * **AWS S3 Access Key** and **AWS S3 Secret Key**: The AWS access key ID and secret key for your bucket. For more information on managing AWS access keys, see the "[AWS Identity and Access Management Documentation](https://docs.aws.amazon.com/iam/index.html)."
 
    ![Radio button for selecting Amazon S3 Storage and fields for S3 configuration](/assets/images/enterprise/management-console/actions-aws-s3-storage.png)
+{% data reusables.enterprise_management_console.test-storage-button %}
 {% data reusables.enterprise_management_console.save-settings %}
 
 {% data reusables.actions.enterprise-postinstall-nextsteps %}

content/admin/configuration/configuring-your-enterprise/accessing-the-management-console.md

@@ -33,14 +33,14 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
 
 ## Enabling {% data variables.product.prodname_actions %} with Azure Blob storage
 
-{% data reusables.enterprise_installation.ssh-into-instance %}
-{% data reusables.actions.perform-blob-storage-precheck %}
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.actions %}
 {% data reusables.actions.enterprise-enable-checkbox %}
 1. Under "Artifact & Log Storage", select **Azure Blob Storage**, and enter your Azure storage account's connection string. For more information on getting the connection string for your storage account, see the [Azure documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#view-account-access-keys).
-  ![Radio button for selecting Azure Blob Storage and the Connection string field](/assets/images/enterprise/management-console/actions-azure-storage.png)
+
+   ![Radio button for selecting Azure Blob Storage and the Connection string field](/assets/images/enterprise/management-console/actions-azure-storage.png)
+{% data reusables.enterprise_management_console.test-storage-button %}
 {% data reusables.enterprise_management_console.save-settings %}
 
 {% data reusables.actions.enterprise-postinstall-nextsteps %}

content/admin/configuration/configuring-your-enterprise/command-line-utilities.md

@@ -0,0 +1,58 @@
+---
+title: Enabling GitHub Actions with Google Cloud Storage
+intro: 'You can enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} and use Google Cloud Storage to store data generated by workflow runs.'
+permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
+versions:
+  feature: 'actions-ghes-gcp-storage'
+type: how_to
+topics:
+  - Actions
+  - Enterprise
+  - Infrastructure
+  - Storage
+shortTitle: Google Cloud Storage
+---
+
+{% note %}
+
+**Note:** {% data variables.product.prodname_actions %} support for Google Cloud Storage is currently in beta and subject to change.
+
+{% endnote %}
+
+## Prerequisites
+
+Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:
+
+* Create your Google Cloud Storage bucket for storing data generated by workflow runs.
+* Create a Google Cloud service account that can access the bucket, and create a Hash-based Message Authentication Code (HMAC) key for the service account. For more information, see "[Manage HMAC keys for service accounts](https://cloud.google.com/storage/docs/authentication/managing-hmackeys)" in the Google Cloud documentation.
+
+  The service account must have the following [Identity and Access Management (IAM) permissions](https://cloud.google.com/storage/docs/access-control/iam-permissions) for the bucket:
+
+  * `storage.objects.create`
+  * `storage.objects.get`
+  * `storage.objects.list`
+  * `storage.objects.update`
+  * `storage.objects.delete`
+  * `storage.multipartUploads.create`
+  * `storage.multipartUploads.abort`
+  * `storage.multipartUploads.listParts`
+  * `storage.multipartUploads.list`
+{% data reusables.actions.enterprise-common-prereqs %}
+
+## Enabling {% data variables.product.prodname_actions %} with Google Cloud Storage
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.actions %}
+{% data reusables.actions.enterprise-enable-checkbox %}
+1. Under "Artifact & Log Storage", select **Google Cloud Storage**, and enter your bucket's details:
+
+   * **Service URL**: The service URL for your bucket. This is usually `https://storage.googleapis.com`.
+   * **Bucket Name**: The name of your bucket.
+   * **HMAC Access Id** and **HMAC Secret**: The Google Cloud access ID and secret for your storage account. For more information, see "[Manage HMAC keys for service accounts](https://cloud.google.com/storage/docs/authentication/managing-hmackeys)" in the Google Cloud documentation.
+
+   ![Radio button for selecting Google Cloud Storage and fields for configuration](/assets/images/enterprise/management-console/actions-google-cloud-storage.png)
+{% data reusables.enterprise_management_console.test-storage-button %}
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% data reusables.actions.enterprise-postinstall-nextsteps %}

content/admin/configuration/configuring-your-enterprise/configuring-rate-limits.md

@@ -28,8 +28,6 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
 
 ## Enabling {% data variables.product.prodname_actions %} with MinIO Gateway for NAS storage
 
-{% data reusables.enterprise_installation.ssh-into-instance %}
-{% data reusables.actions.perform-blob-storage-precheck %}
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.actions %}
@@ -42,7 +40,9 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
 
    ![Radio button for selecting Amazon S3 Storage and fields for MinIO configuration](/assets/images/enterprise/management-console/actions-minio-s3-storage.png)
 1. Under "Artifact & Log Storage", select **Force path style**.
+
    ![Checkbox to Force path style](/assets/images/enterprise/management-console/actions-minio-force-path-style.png)
+{% data reusables.enterprise_management_console.test-storage-button %}
 {% data reusables.enterprise_management_console.save-settings %}
 
 {% data reusables.actions.enterprise-postinstall-nextsteps %}

content/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-amazon-s3-storage.md

@@ -8,6 +8,7 @@ topics:
 children:
   - /enabling-github-actions-with-azure-blob-storage
   - /enabling-github-actions-with-amazon-s3-storage
+  - /enabling-github-actions-with-google-cloud-storage
   - /enabling-github-actions-with-minio-gateway-for-nas-storage
   - /managing-self-hosted-runners-for-dependabot-updates
 shortTitle: Enable GitHub Actions

content/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-azure-blob-storage.md

@@ -135,6 +135,9 @@ To enable {% data variables.product.prodname_actions %} on {% data variables.pro
 
 * Azure Blob storage
 * Amazon S3
+{%- ifversion actions-ghes-gcp-storage %}
+* Google Cloud Storage
+{%- endif %}
 * S3-compatible MinIO Gateway for NAS
 
 {% note %}
@@ -145,8 +148,6 @@ To enable {% data variables.product.prodname_actions %} on {% data variables.pro
 
 {% data reusables.actions.minio-gateways-removal %}
 
-Before you enable {% data variables.product.prodname_actions %}, you can test your storage configuration from the administrative shell with the `ghe-actions-precheck` utility. For more information, see "[Command-line utilities](/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-actions-check)" and "[Accessing the administrative shell (SSH)](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh)."
-
 ## Networking considerations
 
 {% data reusables.actions.proxy-considerations %} For more information about using a proxy with {% data variables.product.prodname_ghe_server %}, see "[Configuring an outbound web proxy server](/admin/configuration/configuring-network-settings/configuring-an-outbound-web-proxy-server)."
@@ -157,9 +158,12 @@ Before you enable {% data variables.product.prodname_actions %}, you can test yo
 
 Follow one of the procedures below to enable {% data variables.product.prodname_actions %} with your chosen storage provider:
 
-* [Enabling GitHub Actions with Azure Blob storage](/admin/github-actions/enabling-github-actions-with-azure-blob-storage)
-* [Enabling GitHub Actions with Amazon S3 storage](/admin/github-actions/enabling-github-actions-with-amazon-s3-storage)
-* [Enabling GitHub Actions with MinIO Gateway for NAS storage](/admin/github-actions/enabling-github-actions-with-minio-gateway-for-nas-storage)
+* [Enabling GitHub Actions with Azure Blob storage](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-azure-blob-storage)
+* [Enabling GitHub Actions with Amazon S3 storage](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-amazon-s3-storage)
+{%- ifversion actions-ghes-gcp-storage %}
+* [Enabling GitHub Actions with Google Cloud Storage](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-google-cloud-storage)
+{%- endif %}
+* [Enabling GitHub Actions with MinIO Gateway for NAS storage](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-minio-gateway-for-nas-storage)
 
 ## Managing access permissions for {% data variables.product.prodname_actions %} in your enterprise