Merge branch 'main' into dependabot/npm_and_yarn/npm-security-bec2176354

Author: KittyChiu

.github/workflows/deploy-merged-pr.yml

@@ -11,6 +11,38 @@ permissions:
   actions: read
 
 jobs:
+  check-file-changes:
+    if: github.event.review.state == 'approved'
+    runs-on: ubuntu-latest
+    env:
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      SOURCE_REPO: ${{ github.repository }}
+    outputs:
+      should_sync: ${{ steps.filter.outputs.should_sync }}
+    steps:
+      - name: Check Changed File Paths
+        id: filter
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          EXCLUDED_PATHS=(
+            ".github/workflows/"
+          )
+
+          CHANGED_FILES=$(gh pr view $PR_NUMBER --json files --repo $SOURCE_REPO --jq '[.files[].path]')
+
+          EXCLUDE_FILTER=$(printf '"%s",' "${EXCLUDED_PATHS[@]}")
+          EXCLUDE_FILTER="[${EXCLUDE_FILTER%,}]"
+
+          NON_WORKFLOW_CHANGES=$(echo "$CHANGED_FILES" | jq --argjson exclude "$EXCLUDE_FILTER" '[.[] | select(. as $f | $exclude | any(. as $p | $f | startswith($p)) | not)] | length')
+          if [ "$NON_WORKFLOW_CHANGES" -gt 0 ]; then
+            echo "PR contains changes outside filtered paths — proceeding."
+            echo "should_sync=true" >> $GITHUB_OUTPUT
+          else
+            echo "All changes are under filtered paths — skipping workflow."
+            echo "should_sync=false" >> $GITHUB_OUTPUT
+          fi
+
   check-merge-state:
     if: github.event.review.state == 'approved'
     runs-on: ubuntu-latest
@@ -95,8 +127,8 @@ jobs:
           echo "Auto-merge enabled successfully!"
 
   dispatch-to-internal:
-    needs: check-merge-state
-    if: needs.check-merge-state.outputs.checks_passed == 'true' && github.event.review.state == 'approved'
+    needs: [check-file-changes, check-merge-state]
+    if: needs.check-merge-state.outputs.checks_passed == 'true' && needs.check-file-changes.outputs.should_sync == 'true' && github.event.review.state == 'approved'
     runs-on: ubuntu-latest
     env:
       SOURCE_REPO: github/github-well-architected

.github/workflows/pr-check.yml

@@ -15,6 +15,7 @@ env:
   CI: development
   SITE_DIR: public
   HUGO_VERSION: 0.151.0
+  DART_SASS_VERSION: 1.99.0
 
 jobs:
   lint:
@@ -67,7 +68,7 @@ jobs:
           fetch-depth: 0
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@v5
         with:
           config-file: >-
             ./.github/dependency-review-config.yml
@@ -77,13 +78,16 @@ jobs:
           wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb
           sudo dpkg -i ${{ runner.temp }}/hugo.deb
           hugo version
-      - name: Install Dart Sass
-        run: sudo snap install dart-sass
 
       - uses: actions/setup-node@v6
         with:
           node-version: lts/*
 
+      - name: Install Dart Sass
+        run: |
+          npm install -g sass@${DART_SASS_VERSION}
+          sass --version
+
       - name: Install test dependencies
         run: |
           # Clean install of the node modules
@@ -129,7 +133,7 @@ jobs:
           done
 
       - name: Upload Pages artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@v5
         with:
           path: './${{ env.SITE_DIR }}'
           retention-days: '7'

CONTRIBUTING.md

@@ -411,7 +411,7 @@ See [Framework Overview] for details on each pillar.
 - Keep sentences **short and clear**
 - Avoid unnecessary jargon
 - Include practical examples
-- Prefer GitHub Docs links to **Enterprise Cloud**: `https://docs.github.com/en/enterprise-cloud@latest` (unless the guidance is specific to GitHub Enterprise Server)
+- Prefer GitHub Docs links to **Enterprise Cloud**: `https://docs.github.com/enterprise-cloud@latest` (unless the guidance is specific to GitHub Enterprise Server)
 - Use Hugo shortcodes to keep articles consistent (see `archetypes/default.md`):
   - Further assistance: `{{% seeking-further-assistance-details %}}`
   - Related links: `{{% related-links-github-docs %}}`

content/library/application-security/recommendations/securing-developer-workspace.md

@@ -142,7 +142,7 @@ In addition to the development container best practices above, Codespaces enviro
 
 Third-party dependencies can introduce vulnerabilities into the development environment and the software supply chain. In fact, they are a leading cause of security incidents. It is essential to manage these dependencies carefully to minimize risk. This means reviewing and securing dependencies coming from package managers (like npm, PyPI, Maven, and NuGet), registries (which provide OCI images, Helm charts, and dev container features), OS-level packages (like apt, yum, and apk), and other sources.
 
-- **Keep dependencies up to date**. Regularly update third-party libraries and packages to incorporate security patches and improvements. Use dependency management tools, such as [Dependabot](https://docs.github.com/en/enterprise-cloud@latest/dependabot), to automatically check for updates and vulnerabilities. When a new version is released, review the changelog for security-related fixes before updating. Prefer manual updates over automatic updates to ensure that changes are reviewed. Avoid mutable references.
+- **Keep dependencies up to date**. Regularly update third-party libraries and packages to incorporate security patches and improvements. Use dependency management tools, such as [Dependabot](https://docs.github.com/en/enterprise-cloud@latest/code-security/getting-started/dependabot-quickstart-guide), to automatically check for updates and vulnerabilities. When a new version is released, review the changelog for security-related fixes before updating. Prefer manual updates over automatic updates to ensure that changes are reviewed. Avoid mutable references.
 - **Eliminate insecure packages**. Remove or replace packages that are no longer maintained or have known security issues. Vulnerabilities on developer machines can provide access to corporate networks, source code, and other sensitive resources. Use tools like Dependabot to identify and remediate vulnerable and outdated dependencies. Remember that multiple low- and medium-severity vulnerabilities will create a larger attack surface, creating new high- and critical-severity vulnerabilities; avoid accumulating these over time.
 - **Review all dependencies**. Before adding a new dependency, review its source code, documentation, and community reputation. Look for signs of active maintenance. Avoid packages with excessive permissions or those that execute code during installation without explicit user consent. Continuously review existing dependencies for security risks and remove any that are unnecessary.
 - **Restrict automatic code execution during package installation**. Configure package managers to block or prompt for confirmation before executing scripts during dependency installation. This prevents malicious code from running without developer awareness. For example, configure `ignore-scripts=true` in an `.npmrc` file to prevent `npm` from running lifecycle scripts by default. Placing this configuration in the project ensures that this setting applies to everyone that works with the code. In addition, creating this file at the user level (`$HOME/.npmrc` or `%USERPROFILE%\.npmrc`) ensures that you do not automatically run scripts when you restore a project that lacks this configuration. An easy way to apply user-level personalization is to use a [dotfiles](https://dotfiles.github.io/) repository to configure your development machine, [local dev containers](https://code.visualstudio.com/docs/devcontainers/containers#_personalizing-with-dotfile-repositories), or [Codespaces](https://docs.github.com/en/codespaces/setting-your-user-preferences/personalizing-github-codespaces-for-your-account#dotfiles). This ensures that your preferred settings are automatically and consistently applied to each development environment.

content/library/governance/recommendations/managing-repositories-at-scale/rulesets-best-practices.md

@@ -109,7 +109,7 @@ Enterprises need consistent, enforceable guardrails for how code enters, evolves
    - Grant bypass only to roles/teams with clear break-glass standard operating procedures.
    - Monitor bypass exceptions via the audit log, [REST API](https://docs.github.com/enterprise-cloud@latest/rest/repos/bypass-requests), webhooks, or the native [rule insights](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#viewing-insights-for-rulesets) dashboard; look for patterns indicating a need to adjust rules.
 6. Change management & versioning
-   - [Rulesest history](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history) is retained for 180 days; you can view all the changes to a ruleset and revert back to a specific iteration.
+   - [Rulesets history](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#using-ruleset-history) is retained for 180 days; you can view all the changes to a ruleset and revert back to a specific iteration.
 7. Measurement & feedback
    - Metrics: % repos covered per tier, # blocked events by rule, mean time to remediate violation patterns, bypass frequency.
    - Use rule insights to adjust high-friction rules.

content/library/productivity/quick-links.md

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: MIT
 title: Quick Links
 weight: 1
-prev: library/productivity/introduction
+prev: library/productivity
 next: library/productivity/design-principles
 ---
 

content/library/scenarios/nist-ssdf-implementation.md

@@ -845,7 +845,7 @@ jobs:
 1. **Security alerts**: Review and triage alerts in the Security tab
 2. **Dependabot security updates**: Automatically generate PRs for dependency updates
 3. **Repository custom properties**: Use [custom properties](https://docs.github.com/enterprise-cloud@latest/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) to classify repositories by business criticality, enabling risk-based prioritization of alerts
-4. **Security campaigns**: Use [security campaigns](https://docs.github.com/enterprise-cloud@latest/code-security/securing-your-organization/tracking-security-work-across-your-organization/about-security-campaigns) to prioritize and coordinate remediation of specific alert types across repositories
+4. **Security campaigns**: Use [security campaigns](https://docs.github.com/enterprise-cloud@latest/code-security/securing-your-organization/fixing-security-alerts-at-scale) to prioritize and coordinate remediation of specific alert types across repositories
 5. **Copilot Autofix**: Use [Copilot Autofix](https://docs.github.com/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning) to automatically generate fix suggestions for vulnerabilities identified by CodeQL
 
 {{< callout type="info" >}}