Merged
Expand Up @@ -40,7 +40,7 @@ GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %
There are some limits on {% data variables.product.prodname_actions %} usage when using {% data variables.product.prodname_dotcom %}-hosted runners. These limits are subject to change.

> [!NOTE]
> For self-hosted runners, different usage limits apply. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits).
> For self-hosted runners, different usage limits apply. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners).

* **Job execution time** - Each job in a workflow can run for up to 6 hours of execution time. If a job reaches this limit, the job is terminated and fails to complete.
{% data reusables.actions.usage-workflow-run-time %}
Expand Down Expand Up @@ -72,7 +72,7 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe
{% data reusables.actions.usage-workflow-queue-limits %}

{% else %}
Usage limits apply to self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits).
Usage limits apply to self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners).
{% endif %}

{% ifversion fpt or ghec %}
Expand Up @@ -101,7 +101,8 @@ You can find the definition of ARC's runner image in [this Dockerfile](https://g

You can create your own runner image that meets your requirements. Your runner image must fulfill the following conditions.

* Use a base image that can run the self-hosted runner application. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).
* Use a base image that can run the self-hosted runner application. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners).

* The [runner binary](https://github.com/actions/runner/releases) must be placed under `/home/runner/` and launched using `/home/runner/run.sh`.
* If you use Kubernetes mode, the [runner container hooks](https://github.com/actions/runner-container-hooks/releases) must be placed under `/home/runner/k8s`.

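Review bot: the blank line inserted after the first bullet (the `+1` in `@@ -101,7 +101,8 @@`) splits the three conditions into a loose list; drop it so the bullets render as one tight list as before. Separately, the retargeted link now lands on the `managing-self-hosted-runners` category index, but the condition is specifically about which base images can run the runner application, so the `supported-architectures-and-operating-systems-for-self-hosted-runners` page added in this same PR is the more precise target.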
Expand Up @@ -19,12 +19,10 @@ You can add a self-hosted runner to a repository, an organization, or an enterpr

If you are an organization or enterprise administrator, you might want to add your self-hosted runners at the organization or enterprise level. This approach makes the runner available to multiple repositories in your organization or enterprise, and also lets you to manage your runners in one place.

For information on supported operating systems for self-hosted runners, or using self-hosted runners with a proxy server, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).

> [!WARNING]
> {% data reusables.actions.self-hosted-runner-security %}
>
> For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories).
> For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions).

You can set up automation to scale the number of self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners).

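Review bot: the removed paragraph was this page's only pointer to supported operating systems and proxy usage; both topics now have their own pages in this PR (`supported-architectures-and-operating-systems-for-self-hosted-runners` and `using-a-proxy-server-with-self-hosted-runners`, the latter linked from the new communication page's "Further reading"), so retarget the sentence to them rather than deleting it. The warning's link also lost its section anchor; if the hardening page has a self-hosted runner section, anchor to it so the reader lands on the relevant paragraph instead of the top of a long page.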
Expand Down Expand Up @@ -105,6 +103,7 @@ For more information on changing runner group access settings, see [AUTOTITLE](/

## Further reading

* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)
* [AUTOTITLE](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise)

{% endif %}
@@ -0,0 +1,81 @@
---
title: Communicating with self-hosted runners
shortTitle: Self-hosted runner communication
intro: 'Your self-hosted runners can communicate with {% ifversion fpt or ghec %}{% data variables.product.github %}{% else %}{% data variables.location.product_location_enterprise %} and {% data variables.product.prodname_dotcom_the_website %}{% endif %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: overview
---

A self-hosted runner connects to {% ifversion fpt or ghec %}{% data variables.product.github %}{% else %}{% data variables.location.product_location_enterprise %}{% endif %} to receive job assignments and to download new versions of the runner application. The self-hosted runner uses an {% ifversion ghes %}HTTP(S){% else %}HTTPS{% endif %} long poll that opens a connection to {% data variables.product.github %} for 50 seconds, and if no response is received, it then times out and creates a new long poll. The application must be running on the machine to accept and run {% data variables.product.prodname_actions %} jobs.

{% data reusables.actions.runner-app-open-source %} {% ifversion fpt or ghec %} When a new version is released, the runner application automatically updates itself when a job is assigned to the runner, or within a week of release if the runner hasn't been assigned any jobs. {% else ifversion ghes %} When a new version is released, the runner application will automatically update within 24 hours. {% endif %}
{% ifversion ghes %}

> [!NOTE]
> {% data reusables.actions.upgrade-runners-before-upgrade-ghes %}

{% endif %}

{% data reusables.actions.self-hosted-runner-auto-removal %}

{% data reusables.actions.self-hosted-runner-ports-protocols %}

{% ifversion fpt or ghec %}
Since the self-hosted runner opens a connection to {% data variables.product.github %}, you do not need to allow {% data variables.product.prodname_dotcom %} to make inbound connections to your self-hosted runner.
{% elsif ghes %}
Only an outbound connection from the runner to {% data variables.product.prodname_ghe_server %} is required. There is no need for an inbound connection from {% data variables.product.prodname_ghe_server %} to the runner.
For caching to work, the runner must be able to communicate with the blob storage and directly download content from it.
{%- endif %}

{% ifversion ghes %}

{% data variables.product.prodname_ghe_server %} must accept inbound connections from your runners over HTTP(S) at {% data variables.location.product_location %}'s hostname and API subdomain, and your runners must allow outbound connections over HTTP(S) to {% data variables.location.product_location %}'s hostname and API subdomain.

{% endif %}

{% ifversion fpt or ghec %}

You must ensure that the machine has the appropriate network access with at least 70 kilobits per second upload and download speed to communicate with the {% data variables.product.prodname_dotcom %} hosts listed below. Some hosts are required for essential runner operations, while other hosts are only required for certain functionality.

You can use the REST API to get meta information about {% data variables.product.company_short %}, including the IP addresses of {% data variables.product.company_short %} services. See [AUTOTITLE](/rest/meta/meta).

{% data reusables.actions.domain-name-cname-recursive-firewall-rules %}

{% data reusables.actions.runner-essential-communications %}

In addition, your workflow may require access to other network resources.

If you use an IP address allow list for your {% data variables.product.prodname_dotcom %} organization or enterprise account, you must add your self-hosted runner's IP address to the allow list. See [Managing allowed IP addresses for your organization](/{% ifversion fpt %}enterprise-cloud@latest/{% endif %}/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list) or [Enforcing policies for security settings in your enterprise](/{% ifversion fpt %}enterprise-cloud@latest/{% endif %}admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise){% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %}

{% else %}

{% ifversion ghes %}Self-hosted runners do not require any external internet access in order to function. As a result, you can use network routing to direct communication between the self-hosted runner and {% data variables.product.prodname_ghe_server %}. For example, you can assign a private IP address to your self-hosted runner and configure routing to send traffic to {% data variables.product.prodname_ghe_server %}, with no need for traffic to traverse a public network.{% endif %}

{% endif %}

{% ifversion ghes %}

## Communication between self-hosted runners and {% data variables.product.prodname_dotcom_the_website %}

Self-hosted runners do not need to connect to {% data variables.product.prodname_dotcom_the_website %} unless you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions for {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise).

If you have enabled automatic access to {% data variables.product.prodname_dotcom_the_website %} actions, then the self-hosted runner will connect directly to {% data variables.product.prodname_dotcom_the_website %} to download actions. You must ensure that the machine has the appropriate network access to communicate with the {% data variables.product.prodname_dotcom %} URLs listed below.

```shell copy
github.com
api.github.com
codeload.github.com
pkg.actions.githubusercontent.com
```

{% data reusables.actions.domain-name-cname-recursive-firewall-rules %}

{% endif %}

## Further reading

* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners)
* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#troubleshooting-network-connectivity)
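Review bot: the first link in the IP allow list paragraph has a stray slash: `/{% ifversion fpt %}enterprise-cloud@latest/{% endif %}/organizations/...` renders as `/enterprise-cloud@latest//organizations/...` for fpt and `//organizations/...` for ghec, whereas the second link in the same sentence is built correctly; drop the `/` before `organizations`. Two smaller points: `{% else ifversion ghes %}` in the auto-update paragraph should be `{% elsif ghes %}`, matching the `{% elsif ghes %}` used further down in this file (as written it relies on `else` ignoring its argument), and the hostname list under "Communication between self-hosted runners and GitHub.com" is not shell, so a `text` fence is more accurate than `shell copy`.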
Expand Up @@ -8,6 +8,9 @@ versions:
ghec: '*'
children:
- /about-self-hosted-runners
- /communicating-with-self-hosted-runners
- /supported-architectures-and-operating-systems-for-self-hosted-runners
- /usage-limits-for-self-hosted-runners
- /adding-self-hosted-runners
- /autoscaling-with-self-hosted-runners
- /running-scripts-before-or-after-a-job
Expand Up @@ -71,7 +71,7 @@ config.cmd --check --url https://github.com/YOUR-ORG/YOUR-REPO --pat GHP_ABCD123

The script tests each service, and outputs either a `PASS` or `FAIL` for each one. If you have any failing checks, you can see more details on the problem in the log file for the check. The log files are located in the `_diag` directory where you installed the runner application, and the path of the log file for each check is shown in the console output of the script.

If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-requirements).
If you have any failing checks, you should also verify that your self-hosted runner machine meets all the communication requirements. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners).

### Disabling TLS certificate verification

@@ -0,0 +1,40 @@
---
title: Supported architectures and operating systems for self-hosted runners
shortTitle: Supported platforms
intro: 'The following processor architectures and operating systems are supported for the self-hosted runner application.'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: overview
---

## Linux

* Red Hat Enterprise Linux 8 or later
* CentOS 8 or later
* Oracle Linux 8 or later
* Fedora 29 or later
* Debian 10 or later
* Ubuntu 20.04 or later
* Linux Mint 20 or later
* openSUSE 15.2 or later
* SUSE Enterprise Linux (SLES) 15 SP2 or later

## Windows

* Windows 10 64-bit
* Windows 11 64-bit
* Windows Server 2016 64-bit
* Windows Server 2019 64-bit
* Windows Server 2022 64-bit

## macOS

* macOS 11.0 (Big Sur) or later

## Supported processor architectures

* `x64` - Linux, macOS, Windows.
* `ARM64` - Linux, macOS{% ifversion actions-windows-arm %}, Windows (currently in {% data variables.release-phases.public_preview %}){% endif %}.
* `ARM32` - Linux.
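Review bot: every Windows entry is labelled "64-bit", which reads as x64 only, while the architectures section says ARM64 Windows is in public preview when `actions-windows-arm` is enabled; state which Windows versions the ARM64 preview covers (or note that the 64-bit entries apply to both x64 and ARM64) so the two lists do not contradict each other.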
@@ -0,0 +1,18 @@
---
title: Usage limits for self-hosted runners
shortTitle: Usage limits
intro: 'There are some limits on {% data variables.product.prodname_actions %} usage when using self-hosted runners. These limits are subject to change.'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: overview
---

{% ifversion fpt or ghec or ghes > 3.12 %}- **Job execution time** - Each job in a workflow can run for up to 5 days of execution time. If a job reaches this limit, the job is terminated and fails to complete.{% endif %}
{% data reusables.actions.usage-workflow-run-time %}
* **Job queue time** - Each job for self-hosted runners that has been queued for at least 24 hours will be canceled. The actual time in queue can reach up to 48 hours before cancellation occurs. If a self-hosted runner does not start executing the job within this limit, the job is terminated and fails to complete.
{% data reusables.actions.usage-api-requests %}
* **Job matrix** - {% data reusables.actions.usage-matrix-limits %}
{% data reusables.actions.usage-workflow-queue-limits %}
* **Registering self-hosted runners** - You can have a maximum of 10,000 self-hosted runners in one runner group. If this limit is reached, adding a new runner will not be possible.
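Review bot: the list mixes markers: the first item, inside `{% ifversion fpt or ghec or ghes > 3.12 %}`, uses `-` while the remaining items use `*`; use `*` throughout. Because the whole bullet sits inside the `ifversion`, versions where the condition is false start the list with an empty line before the `{% data reusables.actions.usage-workflow-run-time %}` reusable; putting the `{% ifversion %}` and `{% endif %}` tags on their own lines avoids the stray blank line.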
Expand Up @@ -107,3 +107,7 @@ When routing a job to a self-hosted runner, {% data variables.product.prodname_d
* If the runner doesn't pick up the assigned job within 60 seconds, the job is re-queued so that a new runner can accept it.
* If {% data variables.product.prodname_dotcom %} doesn't find an online and idle runner that matches the job's `runs-on` labels and groups, then the job will remain queued until a runner comes online.
* If the job remains queued for more than 24 hours, the job will fail.

## Workflow run continuity

{% data reusables.actions.runner-workflow-continuity %}
Expand Up @@ -340,7 +340,7 @@ For third-party images, such as the images for ARM-powered runners, you can find

{% ifversion fpt or ghec %}**Self-hosted**{% elsif ghes %}Self-hosted{% endif %} runners for {% data variables.product.github %} do not have guarantees around running in ephemeral clean virtual machines, and can be persistently compromised by untrusted code in a workflow.

{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security) on {% data variables.product.github %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which, depending on its settings, can grant write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner.
{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) on {% data variables.product.github %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which, depending on its settings, can grant write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner.

{% data reusables.actions.disable-selfhosted-runners-crossrefs %}

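Review bot: if this hunk is in `security-hardening-for-github-actions.md` (the surrounding "do not have guarantees around running in ephemeral clean virtual machines" text suggests it is), the retargeted link now points at the page it lives on, so "never be used for public repositories" links to itself; either drop the link markup or point it at a page that actually states the public-repository guidance.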