chore: Revert updates to honor maintenance mode (#85)

Author: chriswblake

.github/steps/-step.txt

@@ -0,0 +1 @@
+0

.github/steps/0-welcome.md

@@ -0,0 +1 @@
+<!-- readme -->

.github/steps/1-dependency-graph.md

@@ -1,5 +1,7 @@
 ## Step 1: Review and add dependencies using dependency graph
 
+_Welcome to "Secure your repository's supply chain"! :wave:_
+
 **What's the big deal about securing your repository's supply chain?**: With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.
 
 GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are:
@@ -20,32 +22,28 @@ GitHub offers a range of features to help you understand the dependencies in you
 
 **We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.**
 
->[!NOTE]
-> Dependency graph is enabled by default for all new public repositories.
+Dependency graph is enabled by default for all new public repositories. If you're working in a public repository, you can go straight to "Activity 1.2: Add a new dependency and view your dependency graph." For private or internal repositories, you'll need to enable Dependency graph.
 
 1. Navigate to the **Settings** tab.
-1. Click **Advanced Security**.
-1. Verify **Dependency Graph** is **Enabled**
+1. Click **Code security and analysis**.
+1. **Enable** "Dependency graph." 
 
 ### :keyboard: Activity 1.2: Add a new dependency and view your dependency graph
 
 1. Navigate to the **Code** tab and locate the `code/src/AttendeeSite` folder.
-1. Commit the following content on the `main` branch to the `package-lock.json` file as the last item on the `dependencies` map _(after the third to last bracket `}` and before the last two brackets)_
-
-    > 🪧 **Note:** You can edit and commit the file on github.com directly or hit the `.` key to open the lightweight editor to edit and commit changes.
-
-    ```json
-    ,
+1. Add the following content to the `package-lock.json` file after the third to last bracket `}` and before the last two brackets.
+   ```
+   ,
     "follow-redirects": {
       "version": "1.14.1",
       "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
       "integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
     }
-    ```
-
+   ```
 1. Navigate to the **Insights** tab.
 1. Select **Dependency graph** from the side navigation bar.
 1. Review all the dependencies on the **Dependencies** tab.
 1. Search for `follow-redirects` and review the new dependency you just added.
    ![Screen Shot showing the "follow-redirects" dependency.](https://user-images.githubusercontent.com/6351798/196288729-734e3319-c5d7-4f35-a19c-676c12f0e27d.png)
-1. With the new dependency added, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
+
+Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.

.github/steps/2-dependabot-alerts.md

@@ -4,9 +4,7 @@ _Nice work! :tada: You added and viewed a dependency using Dependency graph!_
 
 Given how many dependencies our repository uses, maintaining them needs to become an automated task. Keeping our code secure is a top priority, so the first thing we need to do is set up a way to be notified when a dependency we are using is vulnerable or malware. We can do this by enabling Dependabot alerts.
 
-**What are Dependabot alerts?**
-
-Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**.
+**What are Dependabot alerts?**: Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**.
 
 If your code depends on a package that has a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative.
 
@@ -26,7 +24,7 @@ Let's enable Dependabot alerts on our repository!
 ### :keyboard: Activity 2.2: Enable Dependabot alerts
 
 1. Navigate to the **Settings** tab.
-1. Display the settings for **Advanced Security**.
+1. Display the settings for **Code security and analysis**.
 1. **Enable** Dependabot alerts.
 1. **Wait about 60 seconds for Dependabot to check for alerts.**
 1. Navigate to the **Security** tab.
@@ -44,4 +42,5 @@ Let's see how this would work by using Dependabot to create a pull request for o
 1. Click the **Review security update** button to display the pull request.
    - You can view the pull request and **Files changed** tab to review the update.
 1. Navigate back to the **Conversation** tab and merge the pull request.
-1. With the pull request merged, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
+
+Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.

.github/steps/3-dependabot-security.md

@@ -4,17 +4,15 @@ _Nice work enabling, viewing, and creating Dependabot alerts :sparkles:_
 
 Enabling Dependabot alerts on our repository was a great step toward improving our code security, but we still had to manually select an alert and then manually select the option to create the pull request. It would be nice to further improve the automation and maintenance of our dependencies! Well, with Dependabot security updates, we can do just that.
 
-**What are Dependabot security updates?**
-
-When this feature is enabled, Dependabot detects *and* fixes vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts.
+**What are Dependabot security updates?**: When this feature is enabled, Dependabot detects *and* fixes vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts.
 
 We manually created a pull request to fix the "Prototype Pollution in minimist" alert, but let's enable Dependabot security updates to automate this process for future alerts!
 
 ### :keyboard: Activity 3.1: Enable and trigger Dependabot security updates
 
-1. Navigate to the **Settings** tab and select **Advanced Security**.
-1. Enable **Dependabot security updates**. You may need to wait 30-60 seconds before you see any new pull requests.
-1. Navigate to the **Pull requests** repository tab to view the what Dependabot has found.
-1. Find the new pull request that requests to patch the **axios** dependency.
+1. Navigate to the **Settings** tab and select **Code security and analysis**.
+1. Enable Dependabot security updates. You may need to wait 30-60 seconds before you see any new pull requests.
+1. Navigate to the **Pull requests** repository tab and select the newly created pull request that updates axios from version 0.21.1 to a patched version.
 1. Review and merge the pull request.
-1. With the pull request merged, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
+
+Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update this page to display the next step.

.github/steps/4-dependabot-versions.md

@@ -4,11 +4,6 @@ _Nicely done!_ :partying_face:
 
 You now have automated the process for Dependabot to alert you to vulnerabilities with your dependencies and to create pull requests to update them to secure versions! At this point, you only need to review the pull request and then merge it to stay on top of security problems with Dependencies.
 
-> [!NOTE]  
-> Did you notice that there were several pull requests suggested by Dependabot? You only merged the one related to the **axios** dependency, but the others disappeared from the **Pull requests** panel. That's because the upgrade of the axios dependency triggered changes of other transitive dependencies, that might be either removed or updated to other versions. Whenever there is a change in your dependency graph, Dependabot will automatically review the existing pull requests and close the ones that are no longer relevant. So don't merge everything at once, let Dependabot do the job for you! 
-<img width="955" alt="Screenshot showing that the axios PR was merged and that the 2 others were closed" src="https://github.com/user-attachments/assets/6c97f90b-c6e2-4865-b1eb-dd7053383f07" />
-
-
 The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can also automate pull request generation for updated versions of dependencies using the Dependabot version updates feature.
 
 **What are Dependabot version updates?**: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Similar to security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency.
@@ -17,11 +12,16 @@ Let's see how this works!
 
 ### :keyboard: Activity 4.1: Enable and trigger Dependabot version updates
 
-1. Navigate to the **Settings** tab and select **Advanced Security**.
-1. Locate **Dependabot version updates** and click **Configure** to open a new file editor with pre-poplulated contents. The file is called `dependabot.yml`.
+1. Navigate to the **Settings** tab and select **Code security and analysis**.
+1. Locate "Dependabot version updates" and click **Configure** to open a new file editor with pre-poplulated contents. The file is called `dependabot.yml`.
 1. Notice that the file is prepopulated to update the GitHub actions in the repository, the `github-actions` package ecosystem.
-1. Edit your `dependabot.yml` configuration file to include another entry. It should look like:
-
+1. Copy the lines that define the GitHub actions updates and append them to the file.
+1. Edit your copy of the content:
+   - Change the `package-ecosystem` to `nuget`.
+   - Change the `directory` to `/code/`.
+   - Change the `interval` to `weekly`.
+   
+   The `dependabot.yml` file should now look like this.
    ```yaml
    version: 2
    updates:
@@ -33,14 +33,11 @@ Let's see how this works!
        directory: "/code/"
        schedule:
          interval: "weekly"
-   ```
-  
-   > 💡 **Tip:** While, you can edit and commit a file directly on github.com, you can also press the period key `.` to open a lightweight VS Code editor directly in browser.
-
+    ```
 1. Commit your changes directly to the `main` branch.
-1. With the configuration file updated, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
 
 You have now configured Dependabot version updates to run and check for updates as follows:
-
 - Check once a month for updates to GitHub Actions and create pull requests to update any that are out of date.
 - Check once a week for updates to .NET packages and create pull requests to update any that are out of date. By default, this check runs on a Monday, to run the check on a different day, see [schedule.day](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday).
+
+Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.

.github/steps/x-review.md renamed to .github/steps/X-finish.md

@@ -1,8 +1,9 @@
-## Review
+## Finish
 
-_Congratulations, you've completed this exercise and learned a lot securing your supply chain!_
+_Congratulations friend, you've completed this course!_
+
+<img src="https://octodex.github.com/images/welcometocat.png" alt=celebrate width=300 align=right>
 
-<img src="https://octodex.github.com/images/jetpacktocat.png" alt="celebrate" width=200 align=right>
 Here's a recap of all the tasks you've accomplished in your repository:
 
 - You've learned how to view and use dependency graph.
@@ -21,6 +22,7 @@ Here's a recap of all the tasks you've accomplished in your repository:
 ### What's next?
 
 - Learn more about securing your supply chain by reading: [Securing your supply chain](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security).
-- Check out other security focused [GitHub Skills exercises](https://skills.github.com/#code-security-and-analysis).
+- [We'd love to hear what you thought of this course](https://github.com/skills/.github/discussions).
+- [Learn another GitHub skill](https://github.com/skills).
 - [Read the Get started with GitHub docs](https://docs.github.com/en/get-started).
 - To find projects to contribute to, check out [GitHub Explore](https://github.com/explore).

.github/workflows/0-start-exercise.yml

@@ -0,0 +1,63 @@
+name: Step 0, Welcome
+
+# This step triggers after the learner creates a new repository from the template.
+# This workflow updates from step 0 to step 1.
+
+# This will run every time we create push a commit to `main`.
+# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+permissions:
+  # Need `contents: read` to checkout the repository.
+  # Need `contents: write` to update the step metadata.
+  contents: write
+
+jobs:
+  # Get the current step to only run the main job when the learner is on the same step.
+  get_current_step:
+    name: Check current step number
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: get_step
+        run: |
+          echo "current_step=$(cat ./.github/steps/-step.txt)" >> $GITHUB_OUTPUT
+    outputs:
+      current_step: ${{ steps.get_step.outputs.current_step }}
+
+  on_start:
+    name: On start
+    needs: get_current_step
+
+    # We will only run this action when:
+    # 1. This repository isn't the template repository.
+    # 2. The step is currently 0.
+    # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts
+    # Reference: https://docs.github.com/en/actions/learn-github-actions/expressions
+    if: >-
+      ${{ !github.event.repository.is_template
+          && needs.get_current_step.outputs.current_step == 0 }}
+
+    # We'll run Ubuntu for performance instead of Mac or Windows.
+    runs-on: ubuntu-latest
+
+    steps:
+      # We'll need to check out the repository so that we can edit the README.
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Let's get all the branches.
+
+      # In README.md, switch step 0 for step 1.
+      - name: Update to step 1
+        uses: skills/action-update-step@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          from_step: 0
+          to_step: 1