From 27b28afd98287c4779dc8479ea08129f8c8d386f Mon Sep 17 00:00:00 2001
From: Aakash Shah <aashah@github.com>
Date: Mon, 10 Oct 2022 10:58:51 -0600
Subject: [PATCH 1/2] Clarify how example payload signatures were derived
 (#31462)

Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
---
 .../secret-scanning-partner-program.md        | 60 +++++++++++++------
 1 file changed, 41 insertions(+), 19 deletions(-)

diff --git a/content/developers/overview/secret-scanning-partner-program.md b/content/developers/overview/secret-scanning-partner-program.md
index c6591020ba2d..6f888275c8eb 100644
--- a/content/developers/overview/secret-scanning-partner-program.md
+++ b/content/developers/overview/secret-scanning-partner-program.md
@@ -59,26 +59,25 @@ Send this information to <a href="mailto:secret-scanning@github.com">secret-scan
 
 Create a public, internet accessible HTTP endpoint at the URL you provided to us. When a match of your regular expression is found in a public repository, {% data variables.product.prodname_dotcom %} will send an HTTP `POST` message to your endpoint.
 
-#### Example POST sent to your endpoint
+#### Example request body
 
-```http
-POST / HTTP/2
-Host: HOST
-Accept: */*
-Content-Type: application/json
-GITHUB-PUBLIC-KEY-IDENTIFIER: f9525bf080f75b3506ca1ead061add62b8633a346606dc5fe544e29231c6ee0d
-GITHUB-PUBLIC-KEY-SIGNATURE: MEUCIQDfLvT8/zM8F1aB3cM0ZwyeWF1m5YR6IhcUIv1OKQYL0wIgBZ5lVXB3gHK+dT8+xt0WgRVLqvsTPFiDO9QP/7eJ4yE=
-Content-Length: 187
-
-[{"token":"NMIfyYncKcRALEXAMPLE","type":"mycompany_api_token","url":"https://github.com/octocat/Hello-World/blob/12345600b9cbe38a219f39a9941c9319b600c002/foo/bar.txt","source":"content"}]
+```json
+[
+  {
+    "token":"NMIfyYncKcRALEXAMPLE",
+    "type":"mycompany_api_token",
+    "url":"https://github.com/octocat/Hello-World/blob/12345600b9cbe38a219f39a9941c9319b600c002/foo/bar.txt",
+    "source":"content"
+  }
+]
 ```
 
-The message body is a JSON array that contains one or more objects with the following contents. When multiple matches are found, {% data variables.product.prodname_dotcom %}  may send a single message with more than one secret match. Your endpoint should be able to handle requests with a large number of matches without timing out.
+The message body is a JSON array that contains one or more objects, with each object representing a single secret match. Your endpoint should be able to handle requests with a large number of matches without timing out. The keys for each secret match are:
 
 * **token**: The value of the secret match.
 * **type**: The unique name you provided to identify your regular expression.
 * **url**: The public URL where the match was found (may be empty)
-* **source**: Where the token was found on GitHub.
+* **source**: Where the token was found on {% data variables.product.prodname_dotcom %}.
 
 The list of valid values for `source` are:
 
@@ -97,9 +96,17 @@ The list of valid values for `source` are:
 
 ### Implement signature verification in your secret alert service
 
-We strongly recommend you implement signature validation in your secret alert service to ensure that the messages you receive are genuinely from {% data variables.product.prodname_dotcom %} and not malicious.
+The HTTP request to your service will also contain headers that we strongly recommend using
+to validate the messages you receive are genuinely from {% data variables.product.prodname_dotcom %}, and are not malicious.
+
+The two HTTP headers to look for are:
+
+* `GITHUB-PUBLIC-KEY-IDENTIFIER`: Which `key_identifier` to use from our API
+* `GITHUB-PUBLIC-KEY-SIGNATURE`: Signature of the payload
 
-You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm.
+You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm. The endpoint
+will provide several `key_identifier` and public keys. You can determine which public
+key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`.
 
 {% note %}
 
@@ -107,16 +114,14 @@ You can retrieve the {% data variables.product.prodname_dotcom %} secret scannin
 
 {% endnote %}
 
-Assuming you receive the following message, the code snippets below demonstrate how you could perform signature validation.
-The code snippets assume you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated PAT (https://github.com/settings/tokens) to avoid hitting rate limits. The PAT does not need any scopes/permissions.
-
 {% note %}
 
 **Note**: The signature was generated using the raw message body. So it's important you also use the raw message body for signature validation, instead of parsing and stringifying the JSON, to avoid rearranging the message or changing spacing.
 
 {% endnote %}
 
-**Sample message sent to verify endpoint**
+**Sample HTTP POST sent to verify endpoint**
+
 ```http
 POST / HTTP/2
 Host: HOST
@@ -129,6 +134,23 @@ Content-Length: 83
 [{"token":"some_token","type":"some_type","url":"some_url","source":"some_source"}]
 ```
 
+{% note %}
+
+**Note**: The key id and signature from the example payload is derived from a test key.
+The public key for them is:
+
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz9ugWDj5jK5ELBK42ynytbo38gP
+HzZFI03Exwz8Lh/tCfL3YxwMdLjB+bMznsanlhK0RwcGP3IDb34kQDIo3Q==
+-----END PUBLIC KEY-----
+```
+
+{% endnote %}
+
+The following code snippets demonstrate how you could perform signature validation.
+The code examples assume you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated [personal access token](https://github.com/settings/tokens) (PAT) to avoid hitting rate limits. The PAT does not need any scopes/permissions.
+
 **Validation sample in Go**
 ```golang
 package main

From 0d6e19dd263ff04e047a4af8df8376b1a99fec7a Mon Sep 17 00:00:00 2001
From: Peter Bengtsson <peterbe@github.com>
Date: Mon, 10 Oct 2022 19:17:10 +0200
Subject: [PATCH 2/2] Guide pages have no data-search="article-body" (#31433)

---
 components/guides/ProductGuides.tsx | 40 +++++++++++++++--------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/components/guides/ProductGuides.tsx b/components/guides/ProductGuides.tsx
index 56d60569ec79..b4ef7b3011b4 100644
--- a/components/guides/ProductGuides.tsx
+++ b/components/guides/ProductGuides.tsx
@@ -17,26 +17,28 @@ export const ProductGuides = () => {
         <GuidesHero />
       </LandingSection>
 
-      {learningTracks && learningTracks.length > 0 && (
-        <LandingSection
-          title={`${title} learning paths`}
-          className="border-top py-6"
-          sectionLink="learning-paths"
-          description={t('learning_paths_desc')}
-        >
-          <LearningTracks />
-        </LandingSection>
-      )}
+      <div data-search="article-body">
+        {learningTracks && learningTracks.length > 0 && (
+          <LandingSection
+            title={`${title} learning paths`}
+            className="border-top py-6"
+            sectionLink="learning-paths"
+            description={t('learning_paths_desc')}
+          >
+            <LearningTracks />
+          </LandingSection>
+        )}
 
-      {includeGuides && (
-        <LandingSection
-          title={`All ${title} guides`}
-          className="border-top py-6 color-border-default"
-          sectionLink="all-guides"
-        >
-          <ArticleCards />
-        </LandingSection>
-      )}
+        {includeGuides && (
+          <LandingSection
+            title={`All ${title} guides`}
+            className="border-top py-6 color-border-default"
+            sectionLink="all-guides"
+          >
+            <ArticleCards />
+          </LandingSection>
+        )}
+      </div>
     </DefaultLayout>
   )
 }