Repo sync

.github/workflows/ready-for-doc-review.yml

@@ -50,7 +50,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
         run: |
           echo "Extracting issue numbers from PR description..."
-          ISSUE_NUMS=$(echo "${{ github.event.pull_request.body }}" | grep -oE '(https://github.com/github/docs-content/issues/[0-9]+|github/docs-content#[0-9]+|#[0-9]+)' | grep -oE '[0-9]+$')
+
+          # Clean up PR description to avoid syntax errors in grep command
+          PR_BODY="${{ github.event.pull_request.body }}"
+          echo "PR description to use in the script: $PR_BODY"
+
+          ISSUE_NUMS=$(echo "$PR_BODY" | grep -oE '(https://github.com/github/docs-content/issues/[0-9]+|github/docs-content#[0-9]+|#[0-9]+)' | grep -oE '[0-9]+$')
           echo "Extracted issue numbers: $ISSUE_NUMS"
 
           if [ -n "$ISSUE_NUMS" ]; then
@@ -67,7 +72,7 @@ jobs:
                   echo "DIY_DOCS_LABEL=true" >> $GITHUB_ENV
                   break
                 else
-                  echo "DIY docs label not found for issue #$ISSUE_NUM."
+                  echo "DIY docs label not found for issue $ISSUE_NUM."
                 fi
               else
                 echo "Issue $ISSUE_NUM does not exist in the docs-content repository."

config/moda/configuration/default/env.yaml

@@ -4,6 +4,6 @@ data:
   NODE_OPTIONS: '--max-old-space-size=4096'
   PORT: '4000'
   ENABLED_LANGUAGES: 'en,es,ja,pt,zh,ru,fr,ko,de'
-  RATE_LIMIT_MAX: '21'
+  RATE_LIMIT_MAX: '150'
   # Moda uses a non-default port for sending datadog metrics
   DD_DOGSTATSD_PORT: '28125'

content/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds.md

@@ -177,12 +177,20 @@ When you run your updated workflows, they will build your artifacts and generate
 
 ## Verifying artifact attestations with the {% data variables.product.prodname_cli %}
 
+You can validate artifact attestations for binaries and container images and validate SBOM attestations using the {% data variables.product.prodname_cli %}. For more information, see the [`attestation`](https://cli.github.com/manual/gh_attestation) section of the {% data variables.product.prodname_cli %} manual.
+
+>[!NOTE]These commands assume you are in an online environment. If you are in an offline or air-gapped environment, see [AUTOTITLE](/actions/security-guides/verifying-attestations-offline).
+
+### Verifying an artifact attestation for binaries
+
 To verify artifact attestations for **binaries**, use the following {% data variables.product.prodname_cli %} command.
 
 ```bash copy
 gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY -R ORGANIZATION_NAME/REPOSITORY_NAME
 ```
 
+### Verifying an artifact attestation for container images
+
 To verify artifact attestations for **container images**, you must provide the image's FQDN prefixed with `oci://` instead of the path to a binary. You can use the following {% data variables.product.prodname_cli %} command.
 
 ```bash copy
@@ -191,6 +199,24 @@ docker login ghcr.io
 gh attestation verify oci://ghcr.io/ORGANIZATION_NAME/IMAGE_NAME:test -R ORGANIZATION_NAME/REPOSITORY_NAME
 ```
 
->[!NOTE]These commands assume you are in an online environment. If you are in an offline or air-gapped environment, see [AUTOTITLE](/actions/security-guides/verifying-attestations-offline).
+### Verifying an attestation for SBOMs
+
+To verify SBOM attestations, you have to provide the `--predicate-type` flag to reference a non-default predicate. For more information, see [Vetted predicates](https://github.com/in-toto/attestation/tree/main/spec/predicates#vetted-predicates) in the `in-toto/attestation` repository.
 
-For more information, see the [`attestation`](https://cli.github.com/manual/gh_attestation) section of the {% data variables.product.prodname_cli %} manual.
+For example, the [`attest-sbom` action](https://github.com/actions/attest-sbom) currently supports either SPDX or CycloneDX SBOM predicates. To verify an SBOM attestation in the SPDX format, you can use the following {% data variables.product.prodname_cli %} command.
+
+```bash copy
+gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY \
+  -R ORGANIZATION_NAME/REPOSITORY_NAME \
+  --predicate-type https://spdx.dev/Document/v2.3
+```
+
+To view more information on the attestation, reference the `--format json` flag. This can be especially helpful when reviewing SBOM attestations.
+
+```bash copy
+gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY \
+  -R ORGANIZATION_NAME/REPOSITORY_NAME \
+  --predicate-type https://spdx.dev/Document/v2.3 \
+  --format json \
+  --jq '.[].verificationResult.statement.predicate'
+```

src/shielding/middleware/rate-limit.ts

@@ -14,8 +14,6 @@ if (isNaN(MAX)) {
 }
 
 // We apply this rate limiter to _all_ routes in src/shielding/index.ts except for `/api/*` routes
-// `/api/*` routes are rate limited on a more specific basis in frame/api/index.ts
-// When creating a limiter for `/api/*` routes, we need to pass `true` as the second argument
 export function createRateLimiter(max = MAX, isAPILimiter = false) {
   return rateLimit({
     // 1 minute