Repo sync

content/billing/managing-your-billing/adding-a-sales-tax-certificate.md

@@ -32,11 +32,9 @@ You can upload a sales tax exemption certificate to your organization account if
 {% endif %}
 
 {% data reusables.organizations.billing-settings %}
-1. At the top of the page, click **Payment information**.
-
-   ![Screenshot of the "Billing Summary" section of the settings page. A link, labeled "Payment information," is highlighted with an orange outline.](/assets/images/help/settings/payment-info-link.png)
+1. In the sidebar, under **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**, click **Payment information**.
 1. Review your "Billing information" and update any incorrect data. You must ensure that the address fields are correct and that the "City" and "Postal/Zip code" fields are accepted. If there is any missing information or any errors are reported, the option to upload a sales tax certificate is hidden.
-1. At the bottom of the page, next to "Sales Tax" in the "Additional information" section, click Upload certificate, and select the certificate file you want to upload.
+1. At the bottom of the page in the "Additional information" section next to "Sales Tax", click **Upload certificate**, and select the certificate file you want to upload. If "Sales Tax" is missing, check that your billing information defines your country as "United States of America".
 1. To remove a sales tax certificate, click {% octicon "trash" aria-label="Delete sales tax certificate" %} next to the certificate you want to remove.
 
 {% ifversion ghec or ghes %}
@@ -46,14 +44,10 @@ You can upload a sales tax exemption certificate to your organization account if
 Enterprise owners and billing managers can upload a sales tax exemption certificate to an enterprise account if the account uses the {% data variables.product.company_short %} Customer Agreement.
 
 {% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.billing-tab %}
-1. At the top of the page, click **Payment information**.
-
-   ![Screenshot of the "Billing Summary" section of the settings page. A link, labeled "Payment information," is highlighted with an orange outline.](/assets/images/help/settings/payment-info-link.png)
-
+1. In the sidebar, under **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**, click **Payment information**.
 1. Review your "Billing information" and update any incorrect data. You must ensure that the address fields are correct and that the "City" and "Postal/Zip code" fields are accepted. If there is any missing information or any errors are reported, the option to upload a sales tax certificate is hidden.
-1. At the bottom of the page, in the "Sales Tax" section, click **Upload certificate**, and select the certificate file you want to upload.
+1. At the bottom of the page, next to "Sales Tax", click **Upload certificate**, and select the certificate file you want to upload. If "Sales Tax" is missing, check that your billing information defines your country as "United States of America".
 1. To remove a sales tax certificate, click {% octicon "trash" aria-label="Delete sales tax certificate" %} next to the certificate you want to remove.
 
 {% endif %}

content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md

@@ -17,7 +17,7 @@ topics:
 ## About automatic dependency submission
 
 > [!NOTE]
-> Automatic dependency submission is currently only supported for Maven.
+> Automatic dependency submission does not support all package ecosystems. For the current list of supported ecosystems, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems).
 
 Dependency graph analyzes the manifest and lock files in a repository, in order to help users understand the upstream packages that their software project depends on. However, in some ecosystems, the resolution of transitive dependencies occurs at build-time and {% data variables.product.company_short %} isn't able to automatically discover all dependencies based on the contents of the repository alone.
 
@@ -47,12 +47,13 @@ Organization owners can enable automatic dependency submission for multiple repo
 1. Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select **Enabled**.
 
 Once you've enabled automatic dependency submission for a repository, {% data variables.product.company_short %} will:
-* Monitor for changes to the `pom.xml` file in the root of the repository on all branches of the repository.
-* Perform an automatic dependency submission on each change.
+* Monitor for changes to manifest files in the root of the repository on all branches of the repository.
+* Run the dependency graph build action associated with the package ecosystem of each changed manifest.
+* Perform an automatic dependency submission with the results.
 
 You can view details about the automatic workflows run by viewing the **Actions** tab of your repository.
 
-> [!NOTE] Automatic submission will occur on the first push to the `pom.xml` file after the option is enabled.
+> [!NOTE] After you enable automatic dependency submission, we'll automatically trigger a run of the action. Once enabled, it'll run each time a commit to the default branch updates a manifest.
 
 ## Using self-hosted runners for automatic dependency submission
 
@@ -67,7 +68,7 @@ Once enabled, automatic dependency submission jobs will run on the self-hosted r
 * The self-hosted runners are unavailable.
 * There aren't any runner groups tagged with a `dependency-submission` label.
 
->[!NOTE] When using self-hosted runners, you need to add access to the Maven server settings file to allow the dependency submission workflows to connect to private registries. Dependencies from private registries will be included in the dependency tree in the next `pom.xml` update. For more information about the Maven server settings file, see [Security and Deployment Settings](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#transitive-dependencies) in the Maven documentation.
+>[!NOTE] For Maven or Gradle projects that use self-hosted runners with private Maven registries, you need to modify the Maven server settings file to allow the dependency submission workflows to connect to the registries. For more information about the Maven server settings file, see [Security and Deployment Settings](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#transitive-dependencies) in the Maven documentation.
 
 ## Using {% data variables.product.company_short %}-hosted {% data variables.actions.hosted_runners %} for automatic dependency submission
 
@@ -79,14 +80,22 @@ Once enabled, automatic dependency submission jobs will run on the self-hosted r
 
 ## Troubleshooting automatic dependency submission
 
-Automatic dependency submission is currently only supported for Maven. The feature uses the Maven Dependency Tree Submission action. For more information, see the documentation for the [Maven Dependency Tree Dependency Submission](https://github.com/marketplace/actions/maven-dependency-tree-dependency-submission) action in the {% data variables.product.prodname_marketplace %}. If your project uses a non-standard Maven configuration, it may not properly generate the dependencies and submit them to the dependency graph.
-
 Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables).
 
-If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your `pom.xml` file. The timestamp is visible on the table of alerts in the repository's {% data variables.product.prodname_dependabot_alerts %} tab. Pushing a commit which updates `pom.xml` will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph.
+### Manifest deduplication
 
 {% data reusables.dependency-graph.deduplication %}
 
+### Maven projects
+
+For Maven projects, automatic dependency submission runs an open source fork of the [Maven Dependency Tree Dependency Submission](https://github.com/marketplace/actions/maven-dependency-tree-dependency-submission). The fork allows {% data variables.product.github %} to stay in sync with the upstream repository plus maintain some changes that are only applicable to automatic submission. The fork's source is available at [advanced-security/maven-dependency-submission-action](https://github.com/advanced-security/maven-dependency-submission-action).
+
+If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your `pom.xml` file. The timestamp is visible on the table of alerts in the repository's {% data variables.product.prodname_dependabot_alerts %} tab. Pushing a commit which updates `pom.xml` will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph.
+
+### Gradle projects
+
+For Gradle projects, automatic dependency submission runs a fork of the open source Gradle actions from [gradle/actions](https://github.com/gradle/actions). The fork is available at [actions/gradle-build-tools-actions](https://github.com/actions/gradle-build-tools-actions). You can view the results of the autosubmission action under your repository's **Actions** tab. Each run will be labeled "Automatic Dependency Submission (Gradle)" and its output will contain the JSON payload which the action submitted to the API.
+
 ## Further reading
 
 * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)

content/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems.md

@@ -18,33 +18,27 @@ versions:
 
 ## About the dependency graph
 
-{% data reusables.dependabot.about-the-dependency-graph %} For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
+For an introduction to the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
 
-## Supported package ecosystems
-
-If dependency graph is enabled, it will scan your repository for manifest files used by many commonly-used programming language package ecosystems. When it finds one of the supported manifest files, it will parse the file's contents and build a representation of its contents, including each package's name and version.
+## Building the dependency graph
 
-Some files explicitly define which versions are used for all direct and all indirect dependencies. They lock the package versions to those included in the build and enable Dependabot to find vulnerable versions in both direct and indirect dependencies. If you use these formats, your dependency graph is more accurate, so they're listed under the "Recommended files" column in this table.{% ifversion fpt or ghec %} Indirect dependencies that are inferred from a manifest file (or equivalent) are excluded from the checks for insecure dependencies.{% endif %}
+If dependency graph is enabled, it will scan your repository for manifest files used by programming language package ecosystems. When it finds one of the supported manifest files, it will parse the file and build a representation of its contents, including each package's name and version. This is called "static analysis".
 
-{% data reusables.dependency-graph.supported-package-ecosystems %}
+Some files explicitly define which versions are used for all direct and all indirect dependencies. They lock the package versions to those included in the build and enable {% data variables.product.prodname_dependabot %} to find vulnerable versions in both direct and indirect dependencies. If you use these formats, your dependency graph is more accurate, so they're listed under the "Recommended files" column in the "Supported package ecosystems" table. See [Supported package ecosystems](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). {% ifversion fpt or ghec %} Indirect dependencies that are inferred from a manifest file (or equivalent) are excluded from {% data variables.product.prodname_dependabot %}'s checks for insecure dependencies.{% endif %}
 
 {% ifversion maven-transitive-dependencies %}
-
-For ecosystems that resolve transitive dependencies at build-time, we recommend configuring dependency submission to automatically submit these dependencies to the dependency graph. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).
-
+For ecosystems that resolve transitive dependencies at build-time, static analysis does not provide a comprehensive view of the dependency tree. For these ecosystems, there are two approaches that use {% data variables.product.prodname_actions %}: automatic and manual dependency submission. In both cases, an external action will generate a full dependency tree and upload it to the dependency submission API. You can enable automatic submission for supported ecosystems in your repository's settings page. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).
 {% endif %}
 
 ## Package ecosystems supported via dependency submission actions
 
-In addition to dependency graph's static analysis and auto-submission, you can use the {% data variables.dependency-submission-api.name %} to add build-time dependencies to the dependency graph, or to add dependencies from package managers and ecosystems of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. Dependency information from these submitted dependencies will, in turn, flow into {% data variables.product.prodname_dependabot_updates %} and {% data variables.product.prodname_dependabot_alerts %}.
+In addition to dependency graph's static analysis and auto-submission, you can use the {% data variables.dependency-submission-api.name %} to add build-time dependencies to the dependency graph, or to add dependencies from package managers and ecosystems of your choice to the dependency graph, even if the ecosystem is not in the "Supported package ecosystems" table. Dependency information from these submitted dependencies will, in turn, flow into {% data variables.product.prodname_dependabot_updates %} and {% data variables.product.prodname_dependabot_alerts %}.
 
 {% data reusables.dependency-graph.dependency-submission-API-short %} For more information on the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api).
 
-You typically use the {% data variables.dependency-submission-api.name %} in a {% data variables.product.prodname_actions %} workflow to submit dependencies for your project when your project is built. {% data reusables.dependency-submission.api-premade-actions %} You can find links to the currently available actions in the table below.
-
-{% data reusables.dependency-submission.premade-action-table %}
+## Supported package ecosystems
 
-You can also create your own action. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#creating-your-own-action).
+{% data reusables.dependency-graph.supported-package-ecosystems %}
 
 ## Deduplication of manifests
 

content/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository.md

@@ -39,3 +39,13 @@ If your company provides software to the US federal government per [Executive Or
 ## Exporting a software bill of materials for your repository using the REST API
 
 If you want to use the REST API to export an SBOM for your repository, see [AUTOTITLE](/rest/dependency-graph/sboms#export-a-software-bill-of-materials-sbom-for-a-repository).
+
+## Generating a software bill of materials from {% data variables.product.prodname_actions %}
+
+The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see [AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts).
+
+| Action | Details |
+| ---  | --- |
+[SPDX Dependency Submission Action](https://github.com/marketplace/actions/spdx-dependency-submission-action) | Uses [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool) to create SPDX 2.2 compatible SBOMs with the [supported ecosystems](https://github.com/microsoft/component-detection/blob/main/docs/feature-overview.md) |
+[Anchore SBOM Action](https://github.com/marketplace/actions/anchore-sbom-action) | Uses [Syft](https://github.com/anchore/syft) to create SPDX 2.2 compatible SBOMs with the [supported ecosystems](https://github.com/anchore/syft#supported-ecosystems)  |
+[SBOM Dependency Submission Action](https://github.com/marketplace/actions/sbom-submission-action)| Uploads a CycloneDX SBOM to the {% data variables.dependency-submission-api.name %} |

content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md

@@ -71,7 +71,7 @@ From the repository's {% data variables.product.prodname_dependabot_alerts %} ta
 
 Clicking **Refresh {% data variables.product.prodname_dependabot_alerts %}** will only scan manifest files. If your dependency graph also includes build-time dependency information submitted using the {% data variables.dependency-submission-api.name %}, rerunning the Action or external process which generates and submits the dependency information will also trigger a rebuild of the repository's dependency graph. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api).
 
-If you are using automatic dependency submission for Maven, pushing a commit that updates the repository's `pom.xml` will trigger the automatic submission action to run.
+If you are using automatic dependency submission, pushing a commit that updates the repository's manifest file will trigger the automatic submission action to run.
 
 In all cases, the timestamp at the top of the list of alerts indicates the last time the dependency graph was built.