Merge branch 'main' into patch-1

Author: cmwilson21

.devcontainer/test-custom-devcontainer/devcontainer.json

@@ -1,5 +1,5 @@
 {
-	"name": "test",
+	"name": "Test postCreateCommand",
 	"image": "mcr.microsoft.com/devcontainers/universal:linux",
 
 	"settings": {
@@ -22,6 +22,6 @@
 	"forwardPorts": [5000],
 
 	// Use 'postCreateCommand' to run commands after the container is created.
-	"postCreateCommand": "echo test > aaa-TEST.txt"
+	"postCreateCommand": "echo Added: `date` > aaa-TEST.txt"
 
 }

.github/workflows/azure-preview-env-deploy.yml

@@ -47,9 +47,9 @@ jobs:
     # See https://bit.ly/3qB9nZW > If a job in a workflow is skipped due to a conditional, it will report its status as "Success".
     if: |
       (
-        (github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF) 
+        (github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF)
          && (github.event.number || github.event.inputs.PR_NUMBER || github.run_id)
-       ) 
+       )
        && (github.repository == 'github/docs-internal' || github.repository == 'github/docs')
        &&  github.actor != 'dependabot[bot]'
     timeout-minutes: 15
@@ -213,7 +213,7 @@ jobs:
             dockerRegistryUsername="${{ env.NONPROD_REGISTRY_USERNAME }}"
             dockerRegistryPassword="${{ secrets.NONPROD_REGISTRY_PASSWORD }}"
 
-      - name: Check that it can reached
+      - name: Check that it can be reached
         # This introduces a necessary delay. Because the preview evironment
         # URL is announced to the pull request as soon as all the steps
         # finish, what sometimes happens is that a viewer of the PR clicks
@@ -223,4 +223,8 @@ jobs:
         # process requests.
         # By introducing a slight "delay" here we avoid announcing a
         # preview environment URL that isn't actually working just yet.
-        run: curl --retry-connrefused --retry 5 -I ${{ env.APP_URL }}
+        # Note the use of `--fail`. It which means that if it actually
+        # did connect but the error code was >=400, the command will fail.
+        # The `--fail --retry N` combination means that a 4xx response
+        # code will exit immediately but a 5xx will exhaust the retries.
+        run: curl --fail --retry-connrefused --retry 5 -I ${{ env.APP_URL }}

.github/workflows/code-lint.yml

@@ -0,0 +1,51 @@
+name: Lint code
+
+# **What it does**: Lints our code to ensure the code matches the specified code style.
+# **Why we have it**: We want some level of consistency to our code.
+# **Who does it impact**: Docs engineering, open-source engineering contributors.
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - '**.js'
+      - '**.mjs'
+      - '**.ts'
+      - '**.tsx'
+      - '**.yaml'
+      - '**.yml'
+      - '**.scss'
+      - .eslintrc.cjs
+      # In case something like eslint or tsc or prettier upgrades
+      - 'package-lock.json'
+      # In case one of the script definitions changed
+      - 'package.json'
+      # Ultimately, for debugging this workflow itself
+      - .github/workflows/code-lint.yml
+
+permissions:
+  contents: read
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  lint-code:
+    if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
+    runs-on: ${{ fromJSON('["ubuntu-latest", "ubuntu-20.04-xl"]')[github.repository == 'github/docs-internal'] }}
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+
+      - uses: ./.github/actions/node-npm-setup
+
+      - name: Run linter
+        run: npm run lint
+
+      - name: Run Prettier
+        run: npm run prettier-check
+
+      - name: Run TypeScript
+        run: npm run tsc

.github/workflows/lint-code.yml

@@ -0,0 +1,52 @@
+name: Local development
+
+# **What it does**: Can you start the local server like a writer would do?
+# **Why we have it**: Our CI is often heavily geared on testing in "production"
+#                     that historically we've been known to break local
+#                     development sometimes.
+# **Who does it impact**: Engineers, Contributors.
+
+on:
+  merge_group:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  local-dev:
+    if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
+    runs-on: ${{ fromJSON('["ubuntu-latest", "ubuntu-20.04-xl"]')[github.repository == 'github/docs-internal'] }}
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+
+      - uses: ./.github/actions/node-npm-setup
+
+      # Note that we don't check out docs-early-access, Elasticsearch,
+      # or any remote translations. Nothing fancy here!
+
+      - name: Start server in the background
+        run: npm start > /tmp/stdout.log 2> /tmp/stderr.log &
+
+      - name: View the home page
+        run: |
+          echo "Going to sleep a little to wait for the server to start"
+          sleep 10
+          curl --fail --retry-connrefused --retry 5 http://localhost:4000/
+
+      - name: Edit a page's .md file and expect it to appear
+        run: |
+          # First append anything to the Markdown page
+          echo "Today's date $(date)" >> content/get-started/quickstart/hello-world.md
+
+          # This pipe to grep will fail if it can't find it in the curl output
+          curl -L http://localhost:4000/get-started/quickstart/hello-world | grep "Today's date"
+
+      - if: ${{ failure() }}
+        name: Debug server outputs on errors
+        run: |
+          echo "____STDOUT____"
+          cat /tmp/stdout.log
+          echo "____STDERR____"
+          cat /tmp/stderr.log

.github/workflows/local-dev.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b
+      - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
         with:
           only-labels: needs SME
           remove-stale-when-updated: true

.github/workflows/needs-sme-stale-check.yaml

@@ -36,6 +36,11 @@ jobs:
 
       - name: Checkout repository code
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        with:
+          # In order to fail gracefully when a branch already exists
+          # in the "Create pull request" step, we need to be able
+          # to get all existing branches.
+          fetch-depth: 0
 
         # Check out a nested repository inside of previous checkout
       - name: Checkout rest-api-description repo
@@ -85,7 +90,7 @@ jobs:
           branchname=openapi-update-${{ steps.rest-api-description.outputs.OPENAPI_COMMIT_SHA }}
 
           branchCheckout=$(git checkout -b $branchname)
-          if [[! $? -eq 0 ]]; then
+          if ! [[ $? -eq 0 ]]; then
             echo "Branch $branchname already exists in `github/docs-internal`. Exiting..."
             exit 0
           fi

.github/workflows/openapi-decorate.yml

@@ -64,3 +64,12 @@ jobs:
             --body "Found with the find-orphaned-assets.js script" \
             --repo github/docs-internal \
             --label docs-content-fr
+
+      - name: Send Slack notification if workflow fails
+        uses: someimportantcompany/github-actions-slack-message@1d367080235edfa53df415bd8e0bbab480f29bad
+        if: ${{ failure() && env.FREEZE != 'true' }}
+        with:
+          channel: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          color: failure
+          text: The last "Orphaned assets check" run for ${{github.repository}} failed. See https://github.com/${{github.repository}}/actions/workflows/orphaned-assets-check.yml

.github/workflows/orphaned-assets-check.yml

@@ -17,7 +17,7 @@ jobs:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b
+      - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: 'This issue is stale because there have been no updates in 365 days.'

.github/workflows/stale.yml

@@ -0,0 +1,123 @@
+name: Sync CodeQl CLI
+
+# **What it does**: This workflow is run manually approximately every two weeks.
+#   When run, this workflow syncs the CodeQL CLI automated pipeline with the semmle-code
+#   repository, and creates a pull request if there are updates.
+# **Why we have it**: So we can automate CodeQL CLI documentation.
+# **Who does it impact**: Anyone making CodeQL CLI changes in `github/semmle-code`, and wanting to get them published on the docs site.
+
+on:
+  workflow_dispatch:
+    inputs:
+      SOURCE_BRANCH:
+        description: 'Branch to pull the source files from in the semmle-code repo.'
+        type: string
+        required: true
+        default: 'main'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  generate-codeql-files:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    steps:
+      - if: ${{ env.FREEZE == 'true' }}
+        run: |
+          echo 'The repo is currently frozen! Exiting this workflow.'
+          exit 1 # prevents further steps from running
+
+      - name: Checkout repository code
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+
+        # Check out a nested repository inside of previous checkout
+      - name: Checkout semmle-code repo
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        with:
+          # By default, only the most recent commit of the `main` branch
+          # will be checked out
+          token: ${{ secrets.DOCS_BOT_FR }}
+          repository: github/semmle-code
+          path: semmle-code
+          ref: ${{ github.event.inputs.SOURCE_BRANCH }}
+
+      - uses: ./.github/actions/node-npm-setup
+
+      - name: Get the semmle-code SHA being synced
+        id: semmle-code
+        run: |
+          cd semmle-code
+          OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
+          echo "OPENAPI_COMMIT_SHA=$OPENAPI_COMMIT_SHA" >> $GITHUB_OUTPUT
+          echo "Copied files from github/semmle-code repo. Commit SHA: $OPENAPI_COMMIT_SHA"
+
+      - name: Install pandoc
+        run: |
+          # Remove all previous pandoc versions
+          sudo apt-get purge --auto-remove pandoc
+          # Download pandoc
+          wget https://github.com/jgm/pandoc/releases/download/3.0.1/pandoc-3.0.1-1-amd64.deb
+          # Install pandoc
+          sudo dpkg -i pandoc-3.0.1-1-amd64.deb
+          # Output the pandoc version installed
+          pandoc -v
+          rm pandoc-3.0.1-1-amd64.deb
+
+      - name: Sync the CodeQL CLI data
+        run: |
+          src/codeql-cli/scripts/sync.js
+          git status
+          echo "Deleting the cloned github/semmle-code repo..."
+          rm -rf semmle-code
+
+      - name: Create pull request
+        env:
+          # Needed for gh
+          GITHUB_TOKEN: ${{ secrets.DOCUBOT_REPO_PAT }}
+        run: |
+          # If nothing to commit, exit now. It's fine. No orphans.
+          changes=$(git diff --name-only | wc -l)
+          untracked=$(git status --untracked-files --short | wc -l)
+          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
+            echo "There are no changes to commit after running src/codeql/scripts/sync.js. Exiting..."
+            exit 0
+          fi
+
+          git config --global user.name "docubot"
+          git config --global user.email "67483024+docubot@users.noreply.github.com"
+
+          branchname=codeql-cli-update-${{ steps.semmle-code.outputs.OPENAPI_COMMIT_SHA }}
+
+          branchCheckout=$(git checkout -b $branchname)
+          if [[! $? -eq 0 ]]; then
+            echo "Branch $branchname already exists in `github/docs-internal`. Exiting..."
+            exit 0
+          fi
+          git add .
+          git commit -m "Update CodeQL CLI data"
+          git push origin $branchname
+
+          echo "Creating pull request..."
+          gh pr create \
+            --title "Update CodeQL CLI manual" \
+            --body '👋 humans. This PR updates the CodeQL CLI manual Markdown pages with the latest changes. (Synced from semmle-code@${{ steps.semmle-code.outputs.OPENAPI_COMMIT_SHA }})
+
+            If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
+            --repo github/docs-internal \
+            --label codeql-cli-pipeline
+
+      - name: Send Slack notification if workflow fails
+        uses: someimportantcompany/github-actions-slack-message@1d367080235edfa53df415bd8e0bbab480f29bad
+        if: ${{ failure() && env.FREEZE != 'true' }}
+        with:
+          channel: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+          color: failure
+          text: The last Sync CodeQL CLI run for ${{github.repository}} failed. See https://github.com/${{github.repository}}/actions/workflows/sync-codeql-cli.yml

.github/workflows/sync-codeql-cli.yml

@@ -34,6 +34,10 @@ concurrency:
 env:
   FREEZE: ${{ secrets.FREEZE }}
   ELASTICSEARCH_URL: ${{ secrets.ELASTICSEARCH_URL }}
+  # Since we'll run in NDOE_ENV=production, we need to be explicit that
+  # we don't want Hydro configured.
+  HYDRO_ENDPOINT: ''
+  HYDRO_SECRET: ''
 
 jobs:
   figureOutMatrix: