Merge branch 'main' into gha-hardening-pull-request-target

Author: Sharra-writes

Dockerfile

@@ -54,19 +54,28 @@ RUN --mount=type=secret,id=DOCS_BOT_PAT_BASE,mode=0444 \
   . ./build-scripts/fetch-repos.sh
 
 # -----------------------------------------
-# DEPENDENCIES STAGE: Install node packages
+# PROD_DEPS STAGE: Install production dependencies
 # -----------------------------------------
-FROM base AS dependencies
+FROM base AS prod_deps
 USER node:node
 WORKDIR $APP_HOME
 
 # Copy what is needed to run npm ci
 COPY --chown=node:node package.json package-lock.json ./
 
-RUN npm ci --omit=optional --registry https://registry.npmjs.org/
+# Install only production dependencies (skip scripts to avoid husky)
+RUN npm ci --omit=dev --ignore-scripts --registry https://registry.npmjs.org/
 
 # -----------------------------------------
-# BUILD STAGE: Prepare for production stage
+# ALL_DEPS STAGE: Install all dependencies on top of prod deps
+# -----------------------------------------
+FROM prod_deps AS all_deps
+
+# Install dev dependencies on top of production ones
+RUN npm ci --registry https://registry.npmjs.org/
+
+# -----------------------------------------
+# BUILD STAGE: Build the application
 # -----------------------------------------
 FROM base AS build
 USER node:node
@@ -84,14 +93,27 @@ COPY --chown=node:node --from=clones $APP_HOME/assets assets/
 COPY --chown=node:node --from=clones $APP_HOME/content content/
 COPY --chown=node:node --from=clones $APP_HOME/translations translations/
 
-# From the dependencies stage
-COPY --chown=node:node --from=dependencies $APP_HOME/node_modules node_modules/
+# From the all_deps stage (need dev deps for build)
+COPY --chown=node:node --from=all_deps $APP_HOME/node_modules node_modules/
+
+# Build the application
+RUN npm run build
+
+# -----------------------------------------
+# WARMUP_CACHE STAGE: Warm up remote JSON cache
+# -----------------------------------------
+FROM build AS warmup_cache
+
+# Generate remote JSON cache
+RUN npm run warmup-remotejson
 
-# Generate build files
-RUN npm run build \
-  && npm run warmup-remotejson \
-  && npm run precompute-pageinfo -- --max-versions 2 \
-  && npm prune --production
+# -----------------------------------------
+# PRECOMPUTE STAGE: Precompute page info
+# -----------------------------------------
+FROM build AS precompute_stage
+
+# Generate precomputed page info
+RUN npm run precompute-pageinfo -- --max-versions 2
 
 # -------------------------------------------------
 # PRODUCTION STAGE: What will run on the containers
@@ -112,13 +134,17 @@ COPY --chown=node:node --from=clones $APP_HOME/assets assets/
 COPY --chown=node:node --from=clones $APP_HOME/content content/
 COPY --chown=node:node --from=clones $APP_HOME/translations translations/
 
-# From dependencies stage (*modified in build stage)
-COPY --chown=node:node --from=build $APP_HOME/node_modules node_modules/
+# From prod_deps stage (production-only node_modules)
+COPY --chown=node:node --from=prod_deps $APP_HOME/node_modules node_modules/
 
 # From build stage
 COPY --chown=node:node --from=build $APP_HOME/.next .next/
-COPY --chown=node:node --from=build $APP_HOME/.remotejson-cache ./
-COPY --chown=node:node --from=build $APP_HOME/.pageinfo-cache.json.br* ./
+
+# From warmup_cache stage
+COPY --chown=node:node --from=warmup_cache $APP_HOME/.remotejson-cache ./
+
+# From precompute_stage
+COPY --chown=node:node --from=precompute_stage $APP_HOME/.pageinfo-cache.json.br* ./
 
 # This makes it possible to set `--build-arg BUILD_SHA=abc123`
 # and it then becomes available as an environment variable in the docker run.

assets/images/help/copilot/coding-agent/agents-page-input.png

@@ -8,7 +8,6 @@ versions:
   ghec: '*'
 children:
   - /viewing-github-actions-metrics
-  - /sharing-workflows-secrets-and-runners-with-your-organization
   - /making-retired-namespaces-available-on-ghecom
 redirect_from:
   - /actions/administering-github-actions

assets/images/help/copilot/coding-agent/agents-page.png

@@ -12,6 +12,7 @@ redirect_from:
   - /actions/security-guides/encrypted-secrets
   - /actions/security-guides/using-secrets-in-github-actions
   - /actions/security-for-github-actions/security-guides/using-secrets-in-github-actions
+  - /actions/how-tos/administering-github-actions/sharing-workflows-secrets-and-runners-with-your-organization
 versions:
   fpt: '*'
   ghes: '*'

assets/images/social-cards/copilot.png

@@ -11,6 +11,7 @@ children:
   - /using-artifact-attestations-and-reusable-workflows-to-achieve-slsa-v1-build-level-3
   - /enforcing-artifact-attestations-with-a-kubernetes-admission-controller
   - /verifying-attestations-offline
+  - /managing-the-lifecycle-of-artifact-attestations
 redirect_from:
   - /actions/security-for-github-actions/using-artifact-attestations
 ---

content/actions/how-tos/administering-github-actions/index.md

@@ -0,0 +1,44 @@
+---
+title: Managing the lifecycle of artifact attestations
+shortTitle: Manage attestations
+intro: Search for and delete attestations that you no longer need.
+versions:
+  fpt: '*'
+  ghec: '*'
+---
+
+{% data reusables.actions.lifecycle-of-attestations %}
+
+## Finding attestations
+
+1. Navigate to the repository where the attestation was produced.
+{% data reusables.repositories.actions-tab %}
+1. In the left sidebar, under "Management," click **{% octicon "verified" aria-hidden="true" aria-label="verified" %} Attestations**.
+1. The attestations are sorted by creation date, newest first. Use the "Search or filter" bar to search for an attestation or filter the results.
+
+### Searching and filtering
+
+Enter **free text** to search by subject name. This returns all attestations with subject names that partially match your search string. Multiple attestations can have the same subject name.
+
+Use the `created` filter to filter by creation date. To enter a custom date range, click today's date then edit the default query.
+
+* For example: `created:<2025-04-03`.
+* Supported operators: `> <`.
+
+Use the `predicate` filter to filter by the kind of attestation. A predicate is the type of claim that an attestation makes about an artifact, such as "this artifact was built during a particular workflow run and originates from this repository."
+
+* Provenance attestations were created with the `attest-build-provenance` action.
+* SBOM attestations were created with the `attest-sbom` action.
+* Custom predicate type patterns are **not** supported in the search field, but are supported by the API.
+
+## Deleting attestations
+
+Before deleting an attestation, we recommend downloading a copy of it. Once the attestation is deleted, consumers with a verification process in place will **no longer be able to use the associated artifact**, and you will no longer be able to find the attestation on {% data variables.product.github %}.
+
+1. In the list of attestations, select the checkbox next to the attestations you want to delete. You can select multiple attestations at a time.
+1. Click **{% octicon "trash" aria-hidden="true" aria-label="trash" %} Delete**.
+1. Read the message, then confirm by clicking **Delete attestations**.
+
+## Managing attestations with the API
+
+To manage attestations in bulk with the REST API, see [AUTOTITLE](/rest/users/attestations).

content/actions/how-tos/administering-github-actions/sharing-workflows-secrets-and-runners-with-your-organization.md

@@ -221,3 +221,9 @@ gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY \
   --format json \
   --jq '.[].verificationResult.statement.predicate'
 ```
+
+## Managing the lifecycle of attestations
+
+{% data reusables.actions.lifecycle-of-attestations %}
+
+To find and delete attestations, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/using-artifact-attestations/managing-the-lifecycle-of-artifact-attestations).