GitHub Enterprise Server 3.3 release candidate (github#22286)

Co-authored-by: Laura Coursen <[email protected]>
Co-authored-by: Kelly Arwine <[email protected]>
Co-authored-by: vgrl <[email protected]>
Co-authored-by: Elijah Buck <[email protected]>
Co-authored-by: Laura Coursen <[email protected]>
Co-authored-by: Kelly Arwine <[email protected]>
Co-authored-by: github-openapi-bot <[email protected]>
Co-authored-by: Felicity Chapman <[email protected]>
Co-authored-by: Jules Parker <[email protected]>
Co-authored-by: mc <[email protected]>
Co-authored-by: github-openapi-bot <[email protected]>
Co-authored-by: github-openapi-bot <[email protected]>
Co-authored-by: Matt Pollard <[email protected]>

Author: 9 people

assets/images/enterprise/3.2/repository/security-and-analysis-security-alerts-person-or-team-search.png

@@ -108,7 +108,7 @@ To add a `repo:` filter, you must include the owner of the repository in the que
 
 ### Supported `is:` queries
 
-To filter notifications for specific activity on {% data variables.product.product_location %}, you can use the  `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% ifversion not ghae %}, and to only see {% ifversion fpt or ghes or ghec %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts, use `is:repository-vulnerability-alert`.{% endif %}
+To filter notifications for specific activity on {% data variables.product.product_location %}, you can use the  `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% ifversion not ghae %}, and to only see {% data variables.product.prodname_dependabot %} alerts, use `is:repository-vulnerability-alert`{% endif %}.
 
 - `is:check-suite`
 - `is:commit`
@@ -167,7 +167,7 @@ For example, to see notifications from the octo-org organization, use `org:octo-
 {% ifversion fpt or ghes or ghae-issue-4864 or ghec %}
 ## {% data variables.product.prodname_dependabot %} custom filters
 
-{% ifversion fpt or ghec %}
+{% ifversion fpt or ghec or ghes > 3.2 %}
 If you use {% data variables.product.prodname_dependabot %} to keep your dependencies up-to-date, you can use and save these custom filters:
 - `is:repository_vulnerability_alert` to show notifications for {% data variables.product.prodname_dependabot_alerts %}.
 - `reason:security_alert` to show notifications for {% data variables.product.prodname_dependabot_alerts %} and security update pull requests.
@@ -176,9 +176,9 @@ If you use {% data variables.product.prodname_dependabot %} to keep your depende
 For more information about {% data variables.product.prodname_dependabot %}, see "[About managing vulnerable dependencies](/github/managing-security-vulnerabilities/about-managing-vulnerable-dependencies)."
 {% endif %}
 
-{% ifversion ghes or ghae-issue-4864 %}
+{% ifversion ghes < 3.3 or ghae-issue-4864 %}
 
-If you use {% data variables.product.prodname_dependabot %} to keep your dependencies-up-to-date, you can use and save these custom filters to show notifications for {% data variables.product.prodname_dependabot_alerts %}:
+If you use {% data variables.product.prodname_dependabot %} to tell you about vulnerable dependencies, you can use and save these custom filters to show notifications for {% data variables.product.prodname_dependabot_alerts %}:
 - `is:repository_vulnerability_alert` 
 - `reason:security_alert`
 

assets/images/enterprise/3.2/repository/security-and-analysis-security-alerts-save-changes.png

@@ -4,6 +4,7 @@ intro: 'You can control features that secure and analyze the code in your projec
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '>3.2'
 topics:
   - Accounts
 redirect_from:
@@ -17,6 +18,8 @@ shortTitle: Manage security & analysis
 
 You can still manage the security and analysis features for individual repositories. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)."
 
+You can also review the security log for all activity on your user account. For more information, see "[Reviewing your security log](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log)."
+
 {% data reusables.security.some-security-and-analysis-features-are-enabled-by-default %}
 
 {% data reusables.security.security-and-analysis-features-enable-read-only %}
@@ -28,23 +31,23 @@ For an overview of repository-level security, see "[Securing your repository](/c
 {% data reusables.user_settings.access_settings %}
 {% data reusables.user_settings.security-analysis %}
 3. Under "Configure security and analysis features", to the right of the feature, click **Disable all** or **Enable all**.
-  !["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png)
-6. Optionally, enable the feature by default for new repositories in your organization.
-  !["Enable by default" option for new repositories](/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png)
+  {% ifversion ghes > 3.2 %}!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/enterprise/3.3/settings/security-and-analysis-disable-or-enable-all.png){% else %}!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png){% endif %}
+6. Optionally, enable the feature by default for new repositories that you own.
+  {% ifversion ghes > 3.2 %}!["Enable by default" option for new repositories](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-by-default-in-modal.png){% else %}!["Enable by default" option for new repositories](/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png){% endif %}
 7. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories you own.
-  ![Button to disable or enable feature](/assets/images/help/settings/security-and-analysis-enable-dependency-graph.png)
+  {% ifversion ghes > 3.2 %}![Button to disable or enable feature](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-dependency-graph.png){% else %}![Button to disable or enable feature](/assets/images/help/settings/security-and-analysis-enable-dependency-graph.png){% endif %}
 
 {% data reusables.security.displayed-information %}
 
 ## Enabling or disabling features for new repositories
 
 {% data reusables.user_settings.access_settings %}
 {% data reusables.user_settings.security-analysis %}
-3. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories in your organization.
-  ![Checkbox for enabling or disabling a feature for new repositories](/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png)
+3. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories that you own.
+  {% ifversion ghes > 3.2 %}![Checkbox for enabling or disabling a feature for new repositories](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-or-disable-feature-checkbox.png){% else %}![Checkbox for enabling or disabling a feature for new repositories](/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png){% endif %}
 
 ## Further reading
 
 - "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"
 - "[Managing vulnerabilities in your project's dependencies](/github/managing-security-vulnerabilities/managing-vulnerabilities-in-your-projects-dependencies)"
-{% ifversion fpt or ghec %}- "[Keeping your dependencies updated automatically](/github/administering-a-repository/keeping-your-dependencies-updated-automatically)"{% endif %}
+- "[Keeping your dependencies updated automatically](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically)"

assets/images/help/repository/security-and-analysis-security-alerts-username-x-ghe.png renamed to assets/images/enterprise/3.2/repository/security-and-analysis-security-alerts-username-x.png

@@ -290,15 +290,11 @@ GitHub helps you avoid using third-party software that contains known vulnerabil
 |----|----|
 | Dependabot Alerts | You can track your repository's dependencies and receive Dependabot alerts when your enterprise detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)." |
 | Dependency Graph | The dependency graph is a summary of the manifest and lock files stored in a repository. It shows you the ecosystems and packages your codebase depends on (its dependencies) and the repositories and packages that depend on your project (its dependents). For more information, see "[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)." |{% ifversion ghes > 3.1 or ghec %}
-| Dependency Review | If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies. For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" or  "[Reviewing Dependency Changes in a Pull Request](/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." | {% endif %} {% ifversion ghec %}
+| Dependency Review | If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies. For more information, see "[About dependency review](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" or  "[Reviewing Dependency Changes in a Pull Request](/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." | {% endif %} {% ifversion ghec or ghes > 3.2 %}
 | Dependabot Security Updates | Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. For more information, see "[About Dependabot security updates](/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates)." |
 | Dependabot Version Updates | Dependabot can be used to keep the packages you use updated to the latest versions. For more information, see "[About Dependabot version updates](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates)." | {% endif %}
 
-{% note %}
-
-**Note:** Dependabot security updates and version updates are currently only available for {% data variables.product.prodname_ghe_cloud %} and will be available for {% data variables.product.prodname_ghe_server %} as outlined in our [public roadmap](https://github.com/github/roadmap).
-
-{% endnote %}
+{% data reusables.dependabot.beta-security-and-version-updates-onboarding %}
 
 ### Step 8: Establish a remediation process
 

assets/images/enterprise/3.3/dependabot/dependabot-secrets.png

@@ -110,7 +110,7 @@ For example, you can enable any {% data variables.product.prodname_GH_advanced_s
     ```shell
     ghe-config app.secret-scanning.enabled false
     ```
-    - To disable {% data variables.product.prodname_dependabot %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
+    - To disable {% data variables.product.prodname_dependabot_alerts %}, enter the following {% ifversion ghes > 3.1 %}command{% else %}commands{% endif %}.
     {% ifversion ghes > 3.1 %}```shell
     ghe-config app.dependency-graph.enabled false
     ```

assets/images/enterprise/3.3/dependabot/dependabot-version-update-error.png

@@ -103,6 +103,8 @@ Before enabling {% data variables.product.prodname_dependabot_alerts %} for your
 
    {% endtip %}
 
+When you enable {% data variables.product.prodname_dependabot_alerts %}, you should consider also setting up {% data variables.product.prodname_actions %} for {% data variables.product.prodname_dependabot_security_updates %}. This feature allows developers to fix vulnerabilities in their dependencies. For more information, see "[Setting up {% data variables.product.prodname_dependabot %} security and version updates on your enterprise](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/setting-up-dependabot-updates)."
+
 ## Viewing vulnerable dependencies on {% data variables.product.product_location %}
 
 You can view all vulnerabilities in {% data variables.product.product_location %} and manually sync vulnerability data from {% data variables.product.prodname_dotcom_the_website %} to update the list.

assets/images/enterprise/3.3/organizations/security-and-analysis-disable-or-enable-all-ghas.png

@@ -0,0 +1,21 @@
+---
+title: About repository caching
+intro: "You can increase the performance of Git read operations for distributed teams and CI farms with repository caching."
+versions:
+  ghes: '>=3.3'
+type: overview
+topics:
+  - Enterprise
+---
+
+{% data reusables.enterprise.repository-caching-release-phase %}
+
+If you have teams and CI farms located around the world, you may experience reduced performance on your primary {% data variables.product.prodname_ghe_server %} instance. While active geo-replicas can improve the performance of read requests, this comes at the cost of limiting write throughput. To reduce load on your primary instance and improve write throughput performance, you can configure a repository cache, an asynchronous read-only mirror of repositories located near these geographically-distributed clients. 
+
+A repository cache eliminates the need for {% data variables.product.product_name %} to transmit the same Git data over a long-haul network link multiple times to serve multiple clients, by serving your repository data close to CI farms and distributed teams. For instance, if your primary instance is in North America and you also have a large presence in Asia, you will benefit from setting up the repository cache in Asia for use by CI runners there.
+
+The repository cache listens to the primary instance, whether that's a single instance or a geo-replicated set of instances, for changes to Git data. CI farms and other read-heavy consumers clone and fetch from the repository cache instead of the primary instance. Changes are propagated across the network, at periodic intervals, once per cache instance rather than once per client. Git data will typically be visible on the repository cache within several minutes after the data is pushed to the primary instance.
+
+You have fine-grained control over which repositories are allowed to sync to the repository cache.
+
+{% data reusables.enterprise.repository-caching-config-summary %} For more information, see "[Configuring a repository cache](/admin/enterprise-management/caching-repositories/configuring-a-repository-cache)."

assets/images/enterprise/3.3/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png

@@ -0,0 +1,90 @@
+---
+title: Configuring a repository cache
+intro: "You can configure a repository cache by creating a new appliance, connecting the repository cache to your primary appliance, and configuring replication of repository networks to the repository cache."
+versions:
+  ghes: '>=3.3'
+type: how_to
+topics:
+  - Enterprise
+---
+
+{% data reusables.enterprise.repository-caching-release-phase %}
+
+## About configuration for repository caching
+
+{% data reusables.enterprise.repository-caching-config-summary %} Then, you can set data location policies that govern which repository networks are replicated to the repository cache.
+
+Repository caching is not supported with clustering.
+
+## DNS for repository caches
+
+The primary instance and repository cache should have different DNS names. For example, if your primary instance is at `github.example.com`, you might decide to name a cache `europe-ci.github.example.com` or `github.asia.example.com`.
+
+To have your CI machines fetch from the repository cache instead of the primary instance, you can use Git's `url.<base>.insteadOf` configuration setting. For more information, see [`git-config`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf) in the Git documentation. 
+
+For example, the global `.gitconfig` for the CI machine would include these lines.
+
+```
+[url "https://europe-ci.github.example.com/"]
+	insteadOf = https://github.example.com/
+```
+
+Then, when told to fetch `https://github.example.com/myorg/myrepo`, Git will instead fetch from `https://europe-ci.github.example.com/myorg/myrepo`.
+
+## Configuring a repository cache
+
+1. During the beta, you must enable the feature flag for repository caching on your primary {% data variables.product.prodname_ghe_server %} appliance.
+   
+   ```
+   $ ghe-config cluster.cache-enabled true
+   ```
+
+1. Set up a new {% data variables.product.prodname_ghe_server %} appliance on your desired platform. This appliance will be your repository cache. For more information, see "[Setting up a {% data variables.product.prodname_ghe_server %} instance](/admin/guides/installation/setting-up-a-github-enterprise-server-instance)."
+{% data reusables.enterprise_installation.replica-steps %}
+1. Connect to the repository cache's IP address using SSH.
+
+   ```shell
+   $ ssh -p 122 admin@<em>REPLICA IP</em>
+   ```
+
+{% data reusables.enterprise_installation.generate-replication-key-pair %}
+{% data reusables.enterprise_installation.add-ssh-key-to-primary %}
+1. To verify the connection to the primary and enable replica mode for the repository cache, run `ghe-repl-setup` again.
+
+   ```shell
+   $ ghe-repl-setup <em>PRIMARY IP</em>
+   ```
+
+1. Set a `cache_location` for the repository cache, replacing *CACHE-LOCATION* with an alphanumeric identifier, such as the region where the cache is deployed.
+
+   ```shell
+   $ ghe-repl-node --cache <em>CACHE-LOCATION</em>
+   ```
+
+{% data reusables.enterprise_installation.replication-command %}
+{% data reusables.enterprise_installation.verify-replication-channel %}
+1. To enable replication of repository networks to the repository cache, set a data location policy. For more information, see "[Data location policies](#data-location-policies)."
+
+## Data location policies
+
+You can control data locality by configuring data location policies for your repositories with the `spokesctl cache-policy` command. Data location policies determine which repository networks are replicated on which repository caches. By default, no repository networks will be replicated on any repository caches until a data location policy is configured.
+
+You can configure a policy to replicate all networks with the `--default` flag. For example, this command will create a policy to replicate a single copy of every repository network to the set of repository caches whose `cache_location` is "kansas".
+
+ ```
+ $ ghe-spokesctl cache-policy set --default 1 kansas
+ ```
+
+To configure replication for a repository network, specify the repository that is the root of the network. A repository network includes a repository and all of the repository's forks. You cannot replicate part of a network without replicating the whole network.
+
+```
+$ ghe-spokesctl cache-policy set <owner/repository> 1 kansas
+```
+
+You can override a policy that replicates all networks and exclude specific networks by specifying a replica count of zero for the network. For example, this command specifies that any repository cache in location "kansas" cannot contain any copies of that network.
+
+```
+$ ghe-spokesctl cache-policy set <owner/repository> 0 kansas
+```
+
+Replica counts greater than one in a given cache location are not supported.

assets/images/enterprise/3.3/repository/repo-tabs-pull-requests.png

@@ -0,0 +1,13 @@
+---
+title: Caching repositories
+intro: "You can improve performance for your geographically-distributed team with repository caching, which provides read-only mirrors close to your users and CI clients."
+versions:
+  ghes: '>=3.3'
+topics:
+  - Enterprise
+children:
+  - /about-repository-caching
+  - /configuring-a-repository-cache
+---
+
+{% data reusables.enterprise.repository-caching-release-phase %}