github
diff --git a/‎.github/prompts/code-review.prompt.md‎
Lines changed: 0 additions & 145 deletions b/‎.github/prompts/code-review.prompt.md‎
Lines changed: 0 additions & 145 deletions
diff --git a/‎.github/workflows/changelog-agent.yml‎
Lines changed: 14 additions & 42 deletions b/‎.github/workflows/changelog-agent.yml‎
Lines changed: 14 additions & 42 deletions
diff --git a/‎.github/workflows/local-dev.yml‎
Lines changed: 11 additions & 1 deletion b/‎.github/workflows/local-dev.yml‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎config/kubernetes/default/deployments/webapp.yaml‎
Lines changed: 15 additions & 10 deletions b/‎config/kubernetes/default/deployments/webapp.yaml‎
Lines changed: 15 additions & 10 deletions
diff --git a/‎config/kubernetes/production/deployments/webapp.yaml‎
Lines changed: 15 additions & 11 deletions b/‎config/kubernetes/production/deployments/webapp.yaml‎
Lines changed: 15 additions & 11 deletions
diff --git a/‎content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md‎
Lines changed: 11 additions & 0 deletions b/‎content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md‎
Lines changed: 2 additions & 0 deletions b/‎content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md‎
Lines changed: 2 additions & 0 deletions b/‎content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md‎
Lines changed: 2 additions & 0 deletions
@@ -321,12 +321,6 @@ jobs:
 
             core.setOutput('examples', examples.join('\n'));
 
-      - name: Set up Node.js
-        if: steps.check_parent.outputs.has_parent == 'true' && steps.check_existing.outputs.exists == 'false'
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
-        with:
-          node-version-file: 'package.json'
-
       - name: Prepare prompts for LLM
         if: steps.check_parent.outputs.has_parent == 'true' && steps.check_existing.outputs.exists == 'false'
         id: prepare_prompts
@@ -724,39 +718,17 @@ jobs:
               body: `<!-- changelog-agent-handled -->\n🤖 A changelog draft PR has been automatically created in docs-content: ${changelogPrUrl}`,
             });
 
-      - name: Send Slack failure alert
-        if: failure()
-        env:
-          SLACK_CHANNEL_ID: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
-          SLACK_TOKEN: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
-          WORKFLOW_NAME: ${{ github.workflow }}
-          REPOSITORY: ${{ github.repository }}
-          RUN_ID: ${{ github.run_id }}
-          SERVER_URL: ${{ github.server_url }}
-        run: |
-          curl -sS -X POST https://slack.com/api/chat.postMessage \
-            -H "Authorization: Bearer ${SLACK_TOKEN}" \
-            -H "Content-Type: application/json; charset=utf-8" \
-            --data "$(cat <<EOF
-          {
-            "channel": "${SLACK_CHANNEL_ID}",
-            "text": ":warning: Workflow failure in ${REPOSITORY}",
-            "blocks": [
-              {
-                "type": "section",
-                "text": {
-                  "type": "mrkdwn",
-                  "text": ":warning: *${WORKFLOW_NAME}* failed in *${REPOSITORY}*"
-                }
-              },
-              {
-                "type": "section",
-                "text": {
-                  "type": "mrkdwn",
-                  "text": "<${SERVER_URL}/${REPOSITORY}/actions/runs/${RUN_ID}|View workflow run>"
-                }
-              }
-            ]
-          }
-          EOF
-          )"
+      # Local composite actions below require the repository to be checked out.
+      - name: Check out repo
+        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - uses: ./.github/actions/slack-alert
+        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
+        with:
+          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+
+      - uses: ./.github/actions/create-workflow-failure-issue
+        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
+        with:
+          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
@@ -21,10 +21,20 @@ jobs:
 
       - uses: ./.github/actions/node-npm-setup
 
+      - name: Generate GitHub App token
+        if: ${{ github.repository == 'github/docs-internal' }}
+        id: app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
+          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
+          owner: github
+          repositories: docs-early-access
+
       - uses: ./.github/actions/get-docs-early-access
         if: ${{ github.repository == 'github/docs-internal' }}
         with:
-          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Disable Next.js telemetry
         run: npx next telemetry disable
 
@@ -26,19 +26,24 @@ spec:
       containers:
         - name: webapp
           image: docs-internal
+          # Retune using 2 weeks of data
+          # https://app.datadoghq.com/dashboard/6vx-iun-ghs/moda-resource-recommendations?tpl_var_kube_namespace%5B0%5D=docs-internal-staging-balsam&tpl_var_kube_namespace%5B1%5D=docs-internal-staging-boxwood&tpl_var_kube_namespace%5B2%5D=docs-internal-staging-cedar&tpl_var_kube_namespace%5B3%5D=docs-internal-staging-cypress&tpl_var_kube_namespace%5B4%5D=docs-internal-staging-fir&tpl_var_kube_namespace%5B5%5D=docs-internal-staging-hemlock&tpl_var_kube_namespace%5B6%5D=docs-internal-staging-hinoki&tpl_var_kube_namespace%5B7%5D=docs-internal-staging-holly&tpl_var_kube_namespace%5B8%5D=docs-internal-staging-juniper&tpl_var_kube_namespace%5B9%5D=docs-internal-staging-laurel&tpl_var_kube_namespace%5B10%5D=docs-internal-staging-pine&tpl_var_kube_namespace%5B11%5D=docs-internal-staging-redwood&tpl_var_kube_namespace%5B12%5D=docs-internal-staging-sequoia&tpl_var_kube_namespace%5B13%5D=docs-internal-staging-spruce&tpl_var_kube_namespace%5B14%5D=docs-internal-staging-yew&from_ts=0&to_ts=1209600000&live=true
+          # Staging is not budget checked
           resources:
             requests:
-              cpu: 1000m
-              # Absolute minimum to start app is 1000m
-              # Node is single-threaded but we want more CPUs
-              # for OS and image resizing, and other binary executions
-              # Better to increase replicas or memory than CPU
-              memory: 8.0Gi
-              # Absolute minimum to start app is 4500Mi
-              # Would increase with more pages, versions, or languages supported
+              # requests.cpu: 150m idle schedule floor
+              # staging idles near zero
+              cpu: 150m
+              # requests.memory: highest-peak pod p99 (1882Mi) * 1.1
+              # for working-set padding
+              memory: 2070Mi
             limits:
-              cpu: 8000m
-              memory: 8.0Gi
+              # limits.cpu: highest-peak pod max [warmup peak] (1.82 cores) * 3
+              # for start up insurance; compressible
+              cpu: 5460m
+              # limits.memory: highest-peak pod max (1882Mi) * 2
+              # over-limit means OOMkill; non-compressible
+              memory: 3764Mi
           ports:
             - name: http
               containerPort: 4000
 
@@ -38,20 +38,24 @@ spec:
       containers:
         - name: webapp
           image: docs-internal
+          # Retune using 2 weeks of data
+          # https://app.datadoghq.com/dashboard/6vx-iun-ghs/moda-resource-recommendations?tpl_var_kube_namespace%5B0%5D=docs-internal-production&from_ts=0&to_ts=1209600000&live=true
+          # Moda budget is requests * replicas * clusters
           resources:
             requests:
-              cpu: 1500m
-              # Absolute minimum to start app is 1000m
-              # Node is single-threaded but we want more CPUs
-              # for OS and image resizing, and other binary executions
-              # Better to increase replicas or memory than CPU
-              memory: 5000Mi
-              # Absolute minimum to start app is 4500Mi
-              # Would increase with more pages, versions, or languages supported
-              # The additional memory helps during traffic surges
+              # requests.cpu: median pod p99 (0.32 cores) * 2
+              # for failover headroom
+              cpu: 640m
+              # requests.memory: highest-peak pod p99 (4740Mi) * 1.1
+              # for working-set padding
+              memory: 5214Mi
             limits:
-              cpu: 8000m
-              memory: 14.0Gi
+              # limits.cpu: highest-peak pod max [warmup peak] (2.42 cores) * 3
+              # for start up insurance; compressible; does not count towards budget
+              cpu: 7260m
+              # limits.memory: highest-peak pod max (4813Mi) * 2
+              # over-limit means OOMkill; non-compressible
+              memory: 9626Mi
           ports:
             - name: http
               containerPort: 4000
 
@@ -70,6 +70,17 @@ Edit the trust policy, adding the `sub` field to the validation conditions. For
 }
 ```
 
+For repositories created after July 15, 2026, or that have opted in to immutable subject claims, the `sub` claim includes immutable owner and repository IDs (not available on {% data variables.product.prodname_ghe_server %}). Make sure your trust policy matches the format your repository uses. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#immutable-subject-claims).
+
+```json copy
+"Condition": {
+  "StringEquals": {
+    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+    "token.actions.githubusercontent.com:sub": "repo:octo-org@123456/octo-repo@456789:ref:refs/heads/octo-branch"
+  }
+}
+```
+
 If you use a workflow with an environment, the `sub` field must reference the environment name: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME`. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#filtering-for-a-specific-environment).
 
 {% data reusables.actions.oidc-deployment-protection-rules %}
 
@@ -32,6 +32,8 @@ This guide gives an overview of how to configure Azure to trust {% data variable
 
 {% data reusables.actions.oidc-on-ghecom %}
 
+For repositories created after July 15, 2026, and repository renames or transfers after that date, use an immutable default OIDC `sub` claim that includes owner and repository IDs (not available on {% data variables.product.prodname_ghe_server %}). Existing repositories keep the previous format unless they opt in. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#immutable-subject-claims).
+
 {% ifversion ghes %}
 {% data reusables.actions.oidc-endpoints %}
   <!-- This note is indented to align with the above reusable. -->
 
@@ -31,6 +31,8 @@ This guide gives an overview of how to configure GCP to trust {% data variables.
 
 {% data reusables.actions.oidc-on-ghecom %}
 
+For repositories created after July 15, 2026, and repository renames or transfers after that date, use an immutable default OIDC `sub` claim that includes owner and repository IDs (not available on {% data variables.product.prodname_ghe_server %}). Existing repositories keep the previous format unless they opt in. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#immutable-subject-claims).
+
 {% ifversion ghes %}
 {% data reusables.actions.oidc-endpoints %}
   <!-- This note is indented to align with the above reusable. -->