github
diff --git a/‎.dockerignore
+1-2 b/‎.dockerignore
+1-2
diff --git a/‎.gitignore
-3 b/‎.gitignore
-3
diff --git a/‎Dockerfile
+83-114 b/‎Dockerfile
+83-114
diff --git a/‎content/enterprise-onboarding/feature-enhancements/about-access-permissions-on-github.md
+39 b/‎content/enterprise-onboarding/feature-enhancements/about-access-permissions-on-github.md
+39
diff --git a/‎content/enterprise-onboarding/feature-enhancements/about-code-security-for-your-enterprise.md
+19 b/‎content/enterprise-onboarding/feature-enhancements/about-code-security-for-your-enterprise.md
+19
@@ -8,5 +8,4 @@ node_modules/
 tests/
 # Folder is cloned during the preview + prod workflows, the assets are merged into other locations for use before the build
 docs-early-access/
-# During the preview deploy untrusted user code may be cloned into this directory
-user-code/
+README.md
@@ -27,9 +27,6 @@ broken_links.md
 # still have these files on their disk.
 lib/redirects/.redirects-cache*.json
 
-# During the preview deploy untrusted user code may be cloned into this directory
-# We ignore it from git to keep things deterministic
-user-code/
 
 # Logs from scripts
 */logs/
 
@@ -1,162 +1,131 @@
 # This Dockerfile is used solely for production deployments to Moda
-# For staging deployments, see src/deployments/staging/Dockerfile
 # For building this file locally, see src/deployments/production/README.md
+# Environment variables are set in the Moda configuration:
+#   config/moda/configuration/*/env.yaml
 
-# --------------------------------------------------------------------------------
-# BASE IMAGE
-# --------------------------------------------------------------------------------
+# ---------------------------------------------------------------
+# BASE STAGE: Install linux dependencies and set up the node user
+# ---------------------------------------------------------------
 # To update the sha:
 # https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
 FROM ghcr.io/github/gh-base-image/gh-base-noble:20250131-172559-g0fd5a2edc AS base
 
+# Install curl for Node install and determining the early access branch
 # Install git for cloning docs-early-access & translations repos
-# Install curl for determining the early access branch
-RUN apt-get -qq update && apt-get -qq install --no-install-recommends git curl
-
 # Install Node.js latest LTS
 # https://github.com/nodejs/release#release-schedule
 # Ubuntu's apt-get install nodejs is _very_ outdated
-RUN curl -sL https://deb.nodesource.com/setup_22.x | bash -
-RUN apt-get install -y nodejs
-RUN node --version
-
-# This directory is owned by the node user
-RUN useradd -ms /bin/bash node
-ARG APP_HOME=/home/node/app
-RUN mkdir -p $APP_HOME && chown -R node:node $APP_HOME
+# Must run as root
+RUN apt-get -qq update && apt-get -qq install --no-install-recommends curl git \
+  && curl -sL https://deb.nodesource.com/setup_22.x | bash - \
+  && apt-get install -y nodejs \
+  && node --version
+
+# Create the node user and home directory
+ARG APP_HOME="/home/node/app" # Define in base so all child stages inherit it
+RUN useradd -ms /bin/bash node \
+  && mkdir -p $APP_HOME && chown -R node:node $APP_HOME
+
+# -----------------------------------------------------------------
+# CLONES STAGE: Clone docs-internal, early-access, and translations
+# -----------------------------------------------------------------
+FROM base AS clones
+USER node:node
 WORKDIR $APP_HOME
 
-# Switch to root to ensure we have permissions to copy, chmod, and install
-USER root
-
-# Copy in build scripts
-COPY src/deployments/production/build-scripts/*.sh ./build-scripts/
-
-# Make scripts executable
-RUN chmod +x build-scripts/*.sh
-
 # We need to copy over content that will be merged with early-access
-COPY content ./content
-COPY assets ./assets
-COPY data ./data
+COPY --chown=node:node content content/
+COPY --chown=node:node assets assets/
+COPY --chown=node:node data data/
+
+# Copy in build scripts and make them executable
+COPY --chown=node:node --chmod=+x \
+  src/deployments/production/build-scripts/*.sh build-scripts/
 
 # Use the mounted --secret to:
 # - 1. Fetch the docs-internal repo
 # - 2. Fetch the docs-early-access repo & override docs-internal with early access content
 # - 3. Fetch each translations repo to the repo/translations directory
 # We use --mount-type=secret to avoid the secret being copied into the image layers for security
 # The secret passed via --secret can only be used in this RUN command
-RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY \
+RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY,mode=0444 \
   # We don't cache because Docker can't know if we need to fetch new content from remote repos
   echo "Don't cache this step by printing date: $(date)" && \
   . ./build-scripts/fetch-repos.sh
 
-# Give node user access to the copied content since we cloned as root
-RUN chown -R node:node $APP_HOME/content
-RUN chown -R node:node $APP_HOME/assets
-RUN chown -R node:node $APP_HOME/data
-# Give node user access to translations repos
-RUN chown -R node:node $APP_HOME/translations
-
-# Change back to node to make sure we don't run anything as the root user
-USER node
-
-# ---------------
-# ALL DEPS Image
-# ---------------
-FROM base AS all_deps
-
-ARG APP_HOME=/home/node/app
-USER node
+# -----------------------------------------
+# DEPENDENCIES STAGE: Install node packages
+# -----------------------------------------
+FROM base AS dependencies
+USER node:node
 WORKDIR $APP_HOME
 
 # Copy what is needed to run npm ci
 COPY --chown=node:node package.json package-lock.json ./
 
-RUN npm ci --no-optional --registry https://registry.npmjs.org/
+RUN npm ci --omit=optional --registry https://registry.npmjs.org/
 
-# ---------------
-# BUILDER Image
-# ---------------
-FROM all_deps AS builder
-
-ARG APP_HOME=/home/node/app
-USER node
+# -----------------------------------------
+# BUILD STAGE: Prepare for production stage
+# -----------------------------------------
+FROM base AS build
+USER node:node
 WORKDIR $APP_HOME
 
-# Copy what is needed to:
-# 1. Build the app
-# 2. run warmup-remotejson script
-# 3. run precompute-pageinfo script
-# Dependencies
-COPY --chown=node:node --from=all_deps $APP_HOME/node_modules $APP_HOME/node_modules
-# Content with merged early-access content
-COPY --chown=node:node --from=base $APP_HOME/data ./data
-COPY --chown=node:node --from=base $APP_HOME/assets ./assets
-COPY --chown=node:node --from=base $APP_HOME/content ./content
 # Source code
-COPY --chown=node:node --from=all_deps $APP_HOME/package.json ./
-COPY src ./src
-COPY next.config.js ./
-COPY tsconfig.json ./
-
-# 1. Build
-RUN npm run build
-
-# 2. Warm up the remotejson cache
-RUN npm run warmup-remotejson
-
-# 3. Precompute the pageinfo cache
-RUN npm run precompute-pageinfo -- --max-versions 2
-
-# Prune deps for prod image
-RUN npm prune --production
-
-# --------------------------------------------------------------------------------
-# PRODUCTION IMAGE
-# --------------------------------------------------------------------------------
+COPY --chown=node:node src src/
+COPY --chown=node:node package.json ./
+COPY --chown=node:node next.config.js ./
+COPY --chown=node:node tsconfig.json ./
+
+# From the clones stage
+COPY --chown=node:node --from=clones $APP_HOME/data data/
+COPY --chown=node:node --from=clones $APP_HOME/assets assets/
+COPY --chown=node:node --from=clones $APP_HOME/content content/
+COPY --chown=node:node --from=clones $APP_HOME/translations translations/
+
+# From the dependencies stage
+COPY --chown=node:node --from=dependencies $APP_HOME/node_modules node_modules/
+
+# Generate build files
+RUN npm run build \
+  && npm run warmup-remotejson \
+  && npm run precompute-pageinfo -- --max-versions 2 \
+  && npm prune --production
+
+# -------------------------------------------------
+# PRODUCTION STAGE: What will run on the containers
+# -------------------------------------------------
 FROM base AS production
-
-ARG APP_HOME=/home/node/app
-USER node
+USER node:node
 WORKDIR $APP_HOME
 
-# Copy the content with merged early-access content
-COPY --chown=node:node --from=base $APP_HOME/data ./data
-COPY --chown=node:node --from=base $APP_HOME/assets ./assets
-COPY --chown=node:node --from=base $APP_HOME/content ./content
-
-# Include cloned translations
-COPY --chown=node:node --from=base $APP_HOME/translations ./translations
-
-# Copy prod dependencies
-COPY --chown=node:node --from=builder $APP_HOME/package.json ./
-COPY --chown=node:node --from=builder $APP_HOME/node_modules $APP_HOME/node_modules
-
-# Copy built artifacts needed at runtime for the server
-COPY --chown=node:node --from=builder $APP_HOME/.next $APP_HOME/.next
+# Source code
+COPY --chown=node:node src src/
+COPY --chown=node:node package.json ./
+COPY --chown=node:node next.config.js ./
+COPY --chown=node:node tsconfig.json ./
 
-# Copy cache files generated during build scripts
-COPY --chown=node:node --from=builder $APP_HOME/.remotejson-cache ./.remotejson-cache
-COPY --chown=node:node --from=builder $APP_HOME/.pageinfo-cache.json.br* ./.pageinfo-cache.json.br
+# From clones stage
+COPY --chown=node:node --from=clones $APP_HOME/data data/
+COPY --chown=node:node --from=clones $APP_HOME/assets assets/
+COPY --chown=node:node --from=clones $APP_HOME/content content/
+COPY --chown=node:node --from=clones $APP_HOME/translations translations/
 
-# Copy only what's needed to run the server
-COPY --chown=node:node --from=builder $APP_HOME/src ./src
-COPY --chown=node:node --from=builder $APP_HOME/.remotejson-cache ./.remotejson-cache
-COPY --chown=node:node --from=builder $APP_HOME/.pageinfo-cache.json.br* ./.pageinfo-cache.json.br
-COPY --chown=node:node --from=builder $APP_HOME/next.config.js ./
-COPY --chown=node:node --from=builder $APP_HOME/tsconfig.json ./
+# From dependencies stage (*modified in build stage)
+COPY --chown=node:node --from=build $APP_HOME/node_modules node_modules/
 
-# - - -
-# Environment variables are set in the Moda
-# configuration: config/moda/configuration/*/env.yaml
-# - - -
+# From build stage
+COPY --chown=node:node --from=build $APP_HOME/.next .next/
+COPY --chown=node:node --from=build $APP_HOME/.remotejson-cache ./
+COPY --chown=node:node --from=build $APP_HOME/.pageinfo-cache.json.br* ./
 
 # This makes it possible to set `--build-arg BUILD_SHA=abc123`
 # and it then becomes available as an environment variable in the docker run.
 ARG BUILD_SHA
 ENV BUILD_SHA=$BUILD_SHA
 
 # Entrypoint to start the server
-# Note: Currently we have to use tsx because we have a mix of `.ts` and `.js` files with multiple import patterns
+# Note: Currently we have to use tsx because
+# we have a mix of `.ts` and `.js` files with multiple import patterns
 CMD ["node_modules/.bin/tsx", "src/frame/server.ts"]
@@ -0,0 +1,39 @@
+---
+title: About access permissions on GitHub
+intro: 'Learn about roles, and how you can control who has access to your enterprise''s resources and the level of access each person has.'
+versions:
+  ghec: '*'
+type: overview
+topics:
+  - Enterprise
+shortTitle: Access permissions
+---
+
+## About access permissions on {% data variables.product.github %}
+
+{% data reusables.organizations.about-roles %}
+
+Roles work differently for different types of accounts. For more information about accounts, see [AUTOTITLE](/get-started/learning-about-github/types-of-github-accounts).
+
+## Personal accounts
+
+A repository owned by a personal account has two permission levels: the **repository owner** and **collaborators**. See [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/permission-levels-for-a-personal-account-repository).
+
+## Organization accounts
+
+Organization members can have **owner**, **billing manager**, or **member** roles. Owners have complete administrative access to your organization, while billing managers can manage billing settings. Member is the default role for everyone else. You can manage access permissions for multiple members at a time with teams. For more information, see:
+* [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization)
+* [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)
+* [AUTOTITLE](/organizations/organizing-members-into-teams/about-teams)
+
+## Enterprise accounts
+
+_Enterprise owners_ have ultimate power over the enterprise account and can take every action in the enterprise account. _Billing managers_ can manage your enterprise account's billing settings. Members and outside collaborators of organizations owned by your enterprise account are automatically members of the enterprise account, although they have no access to the enterprise account itself or its settings.
+
+Enterprise owners cannot access organization content or repositories unless they are explicitly granted a role in the organization. However, enterprise owners can manage enterprise settings and policies that impact an organization in the enterprise. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise).
+
+If an enterprise uses {% data variables.product.prodname_emus %}, members are provisioned as new personal accounts on {% data variables.product.github %} and are fully managed by the identity provider. The {% data variables.enterprise.prodname_managed_users %} have read-only access to repositories that are not a part of their enterprise and cannot interact with users that are not also members of the enterprise. Within the organizations owned by the enterprise, the {% data variables.enterprise.prodname_managed_users %} can be granted the same granular access levels available for regular organizations. For more information, see [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users).
+
+## Next steps
+
+Next, learn about how you can use rulesets to manage how people interact with your enterprise's repositories. See [AUTOTITLE](/enterprise-onboarding/feature-enhancements/about-rulesets).
@@ -0,0 +1,19 @@
+---
+title: 'About security for your enterprise'
+shortTitle: 'About enterprise security'
+intro: 'Learn about the security features available to your enterprise.'
+versions:
+  ghec: '*'
+allowTitleToDifferFromFilename: true
+type: overview
+topics:
+  - Enterprise
+  - Set up
+  - Security
+---
+
+{% data variables.product.prodname_dotcom %} has many features that help you improve and maintain the quality of your code. Some of these are included in all plans, such as dependency graph and {% data variables.product.prodname_dependabot_alerts %}. Other security features require a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license to run on repositories apart from public repositories on {% data variables.product.prodname_dotcom_the_website %}.
+
+To learn about the security features available to your enterprise, see [AUTOTITLE](/code-security).
+
+To learn about the extra security features available with a {% data variables.product.prodname_GH_advanced_security %} license, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security).