[14-11-2022]: Allow admins to require approval on fork PR in private repos - [GA] (#32442)

Co-authored-by: github-actions <[email protected]>
Co-authored-by: Belinda Vennam <[email protected]>
Co-authored-by: Steve Guntrip <[email protected]>

Author: 4 people

assets/images/help/settings/actions-fork-pull-request-workflows-require-approval.png

@@ -0,0 +1,16 @@
+---
+title: Approving workflow runs from private forks
+intro: 'When someone without write access submits a pull request to a private repository, a maintainer may need to approve any workflow runs.'
+permissions: 'Maintainers with write access to a repository can approve workflow runs.'
+versions:
+  feature: actions-private-fork-workflow-approvals
+shortTitle: Approve private fork runs
+---
+
+## About workflow runs from private forks
+
+{% data reusables.actions.private-repository-forks-overview %} For more information, see "[Enforcing a policy for fork pull requests in private repositories](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories)."
+
+## Approving workflow runs on a pull request from a private fork
+
+{% data reusables.actions.workflows.approve-workflow-runs %}

content/actions/managing-workflow-runs/approving-workflow-runs-from-private-forks.md

@@ -17,12 +17,4 @@ Workflow runs that have been awaiting approval for more than 30 days are automat
 
 ## Approving workflow runs on a pull request from a public fork
 
-Maintainers with write access to a repository can use the following procedure to review and run workflows on pull requests from contributors that require approval.
-
-{% data reusables.repositories.sidebar-pr %}
-{% data reusables.repositories.choose-pr-review %}
-{% data reusables.repositories.changed-files %}
-1. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files.
-1. If you are comfortable with running workflows on the pull request branch, return to the {% octicon "comment-discussion" aria-label="The discussion icon" %} **Conversation** tab, and under "Workflow(s) awaiting approval", click **Approve and run**.
-
-   ![Approve and run workflows](/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png)
+{% data reusables.actions.workflows.approve-workflow-runs %}

content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md

@@ -18,6 +18,7 @@ children:
   - /re-running-workflows-and-jobs
   - /canceling-a-workflow
   - /approving-workflow-runs-from-public-forks
+  - /approving-workflow-runs-from-private-forks
   - /reviewing-deployments
   - /disabling-and-enabling-a-workflow
   - /skipping-workflow-runs

content/actions/managing-workflow-runs/index.md

@@ -0,0 +1,7 @@
+# Reference: #8433
+# Allow admins to require approval on fork PR in private repos
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>= 3.8'
+  ghae: '>= 3.8'

data/features/actions-private-fork-workflow-approvals.yml

@@ -1,3 +1,7 @@
 1. Under **Fork pull request workflows**, select your options. For example:
-  ![Enable, disable, or limits actions for this repository](/assets/images/help/settings/actions-fork-pull-request-workflows.png)
+  {% ifversion actions-private-fork-workflow-approvals %}
+   ![Enable, disable, or limits actions for this repository](/assets/images/help/settings/actions-fork-pull-request-workflows-require-approval.png){% else %}
+
+   ![Enable, disable, or limits actions for this repository](/assets/images/help/settings/actions-fork-pull-request-workflows.png){% endif %}
+
 1. Click **Save** to apply the settings.

data/reusables/actions/private-repository-forks-configure.md

@@ -1,3 +1,4 @@
 - **Run workflows from fork pull requests** - Allows users to run workflows from fork pull requests, using a `GITHUB_TOKEN` with read-only permission, and with no access to secrets.
 - **Send write tokens to workflows from pull requests** - Allows pull requests from forks to use a `GITHUB_TOKEN` with write permission.
-- **Send secrets to workflows from pull requests** - Makes all secrets available to the pull request.
+- **Send secrets to workflows from pull requests** - Makes all secrets available to the pull request.{% ifversion actions-private-fork-workflow-approvals %}
+- **Require approval for fork pull request workflows** - Workflow runs on pull requests from collaborators without write permission will require approval from someone with write permission before they will run.{% endif %}

data/reusables/actions/private-repository-forks-options.md

@@ -0,0 +1,9 @@
+Maintainers with write access to a repository can use the following procedure to review and run workflows on pull requests from contributors that require approval.
+
+{% data reusables.repositories.sidebar-pr %}
+{% data reusables.repositories.choose-pr-review %}
+{% data reusables.repositories.changed-files %}
+1. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files.
+1. If you are comfortable with running workflows on the pull request branch, return to the {% octicon "comment-discussion" aria-label="The discussion icon" %} **Conversation** tab, and under "Workflow(s) awaiting approval", click **Approve and run**.
+
+   ![Approve and run workflows](/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png)