Merge pull request #41904 from github/repo-sync

Repo sync

content/account-and-profile/how-tos/organization-membership/index.md

@@ -19,6 +19,7 @@ children:
   - /requesting-organization-approval-for-oauth-apps
   - /publicizing-or-hiding-organization-membership
   - /removing-yourself-from-an-organization
+  - /removing-yourself-from-an-enterprise
 shortTitle: Organization membership
 contentType: how-tos
 ---

content/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-enterprise.md

@@ -0,0 +1,35 @@
+---
+title: Removing yourself from an enterprise
+intro: You can leave an enterprise after removing yourself from every organization in the enterprise.
+versions:
+  fpt: '*'
+  ghec: '*'
+topics:
+  - Accounts
+shortTitle: Leave an enterprise
+contentType: how-tos
+---
+
+If your personal {% data variables.product.github %} account is a member of an enterprise, you can leave the enterprise at any time.
+
+After leaving an enterprise, you will no longer be a member of any organization in the enterprise, and you will lose {% data variables.product.prodname_copilot %} licenses and other privileges granted through the enterprise.
+
+>[!NOTE] If you use a {% data variables.enterprise.prodname_managed_user %} provided by your enterprise, only administrators can remove you from the enterprise. You're using a {% data variables.enterprise.prodname_managed_user %} if all usernames in your enterprise end with a pattern like `_CODE`, or if you access the enterprise at a domain like `{% data variables.enterprise.data_residency_example_domain %}`.
+
+## Leaving an enterprise
+
+To leave an enterprise, you must remove yourself from every organization in the enterprise, then leave the enterprise itself.
+
+1. Leave every organization in the enterprise.
+   1. Go to the [Enterprises](https://github.com/settings/enterprises) page in your settings.
+   1. Click the enterprise you want to leave, then click the **Organizations** tab.
+   1. Use the **Your role** dropdown to see the organizations that you're a member of.
+   1. Leave each organization by following the instructions in [AUTOTITLE](/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-organization).
+1. Go back to the [Enterprises](https://github.com/settings/enterprises) page and check if the enterprise is still listed. If it is **not** listed, you have left the enterprise.
+1. If the enterprise **is** still listed, check your role for the enterprise and take the appropriate action to leave:
+
+   * If you're an **unaffiliated member**, next to the enterprise name, click **Leave**.
+   * If you're an **owner**, you must go to the enterprise settings and remove yourself. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#removing-an-enterprise-administrator-from-your-enterprise-account).
+   * If you're a **billing manager**, you must ask an enterprise owner to remove you using the instructions in [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#removing-an-enterprise-administrator-from-your-enterprise-account).
+
+   ![Screenshot of the enterprises page. Next to "unaffilated member", the "Leave" button is highlighted with an orange outline.](/assets/images/help/enterprises/enterprise-self-removal.png)

content/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-organization.md

@@ -30,3 +30,9 @@ contentType: how-tos
 {% data reusables.user-settings.access_settings %}
 {% data reusables.user-settings.organizations %}
 1. Under "Organizations", next to the organization you'd like to remove yourself from, click **Leave**.
+
+{% ifversion fpt or ghec %}
+
+If you remove yourself from every organization in an enterprise, you may also be automatically removed from the enterprise account. If you haven't been removed and want to leave an enterprise, see [AUTOTITLE](/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-enterprise).
+
+{% endif %}

content/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles.md

@@ -124,12 +124,17 @@ If a user is a member or owner of any organization, they are listed as an **orga
 
 ### Unaffiliated users
 
-If a user is not a member of any organization, they are listed as an **unaffiliated user**. These users:
+If a user is not a member of any organization, and doesn't have the enterprise owner or billing manager role, the user is listed as an unaffiliated user.
 
-* Do not consume a {% data variables.product.prodname_enterprise %} license.
+Unaffiliated users:
+
+* Do not consume a {% data variables.product.prodname_enterprise %} license, unless they meet another criterion listed in [AUTOTITLE](/billing/reference/github-license-users#organizations-on-github-enterprise-cloud).
 * Cannot access private or internal repositories.
 * Can be added as members of enterprise teams.
-* Can receive a {% data variables.product.prodname_copilot_short %} license directly from your enterprise.
+* Can receive a {% data variables.product.prodname_copilot_short %} license or custom role directly from your enterprise.
+* Can remove themselves from the enterprise at any time, unless you use {% data variables.product.prodname_emus %}.
+
+If you have an enterprise with personal accounts, you can disable this role. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/control-offboarding).
 
 {% endif %}
 

content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-access/disable-for-organizations.md

@@ -16,10 +16,12 @@ redirect_from:
   - /copilot/how-tos/administer/enterprises/manage-access/disable-for-organizations
   - /copilot/how-tos/administer/manage-for-enterprise/manage-access/disable-for-organizations
 contentType: how-tos
-category: 
+category:
   - Manage Copilot for a team
 ---
 
+When you disable {% data variables.product.prodname_copilot %} for organizations, organization owners cannot assign {% data variables.product.prodname_copilot %} licenses to members of their organization. Enterprise owners will still be able to assign {% data variables.copilot.copilot_business_short %} licenses to users and teams in the enterprise settings.
+
 {% data reusables.enterprise-accounts.copilot-licensing %}
 1. Next to "Organization access", choose whether to disable {% data variables.product.prodname_copilot_short %} for all organizations or allow for specific organizations.
 
@@ -33,6 +35,8 @@ category:
        * If your enterprise has a {% data variables.copilot.copilot_business_short %} plan, click **Disabled**.
        * If your enterprise has a {% data variables.copilot.copilot_enterprise_short %} plan, click **Remove access**.
 
+Once {% data variables.product.prodname_copilot_short %} is disabled, licenses that are currently granted through the organization will be revoked at the end of the billing period. You will **not** be double-billed if a user also receives a license from your enterprise during this period.
+
 ## Further reading
 
 * [AUTOTITLE](/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot)

content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-access/grant-access.md

@@ -17,7 +17,7 @@ redirect_from:
   - /copilot/how-tos/administer/manage-for-enterprise/manage-access/enable-for-organizations
   - /copilot/how-tos/administer-copilot/manage-for-enterprise/manage-access/enable-for-organizations
 contentType: how-tos
-category: 
+category:
   - Manage Copilot for a team
 ---
 
@@ -47,6 +47,7 @@ When you assign licenses to an enterprise team, users receive or lose access to
 1. Click the **All members** or **Enterprise Teams** tab.
 1. Click **Assign licenses**.
 1. Search for users or teams, then click **Add licenses**.
+1. Optionally, disable {% data variables.product.prodname_copilot_short %} for organizations to prevent organization owners from assigning licenses. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-access/disable-for-organizations).
 
 ## Enabling {% data variables.product.prodname_copilot_short %} for organizations
 

data/release-notes/enterprise-server/3-14/20.yml

@@ -27,6 +27,8 @@ sections:
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

data/release-notes/enterprise-server/3-15/15.yml

@@ -13,7 +13,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
     - |
@@ -26,11 +26,13 @@ sections:
       When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
   changes:
     - |
-      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 --> 
+      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-16/11.yml

@@ -11,7 +11,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
     - |
@@ -30,9 +30,11 @@ sections:
       When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
   changes:
     - |
-      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 --> 
+      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators can add security key-backed (SK) SSH certificate authorities.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-17/8.yml

@@ -11,7 +11,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
     - |
@@ -34,11 +34,13 @@ sections:
       When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
   changes:
     - |
-      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 --> 
+      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-18/2.yml

@@ -13,7 +13,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators running the `ghe-repl-decommission` script received an error.
     - |
@@ -43,6 +43,8 @@ sections:
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-19/0.yml

@@ -18,6 +18,9 @@ sections:
         # https://github.com/github/releases/issues/6908
         - |
           Starting 3.19, new installations of GHES will have OpenTelemetry metrics enabled and Collectd metrics disabled by default. You have the option to toggle between the two. Upgraded instances will retain their current settings. In about two to three releases, OpenTelemetry metrics will become the only supported metrics. To learn about OTel metrics, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics).
+        # https://github.com/github/releases/issues/6922
+        - |
+          `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
 
     - heading: Migrations
       notes:
@@ -199,14 +202,12 @@ sections:
         # https://github.com/github/releases/issues/6385
         - |
           Enterprises using IP allowlists should verify and update their network settings to include the newly required IP ranges for importer migrations. Failure to allow these addresses prevents successful migrations.
-        # https://github.com/github/releases/issues/6019  
+        # https://github.com/github/releases/issues/6019
         - |
           Projects now support up to 50,000 active items and 10,000 archived items. The previous limit was 1,200 items total. There is no option to opt out of this increased limit.
 
   known_issues:
     # INCLUDE NOTES FOR RELEASE FROM "GHES Release Note Tracking" PROJECT'S "Known Issues" TAB
-    - |
-      **Note:** This list is not complete. Any new known issues that are identified for the 3.19 release will be added between now and the general availability release.
     - |
       Custom firewall rules are removed during the upgrade process.
     - |
@@ -253,4 +254,4 @@ sections:
     - |
       Starting 3.21, networking-related syscalls will be disabled by default in the pre-receive hook environment. For enhanced security, hook environments will be placed in dedicated network namespaces. You will be able to override the default setting by setting pre-receive-hook-networking to enabled. As an alternative to many pre-receive hooks, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#push-rulesets).
     - |
-      In 3.20, we will be retiring `Telegraf`. For context, this was a dark-shipped service running in the background and not part of any customer workflows. If you have discovered it and notice it is missing in a future release, we want to you to know we have intentionally removed it. 
+      In 3.20, we will be retiring `Telegraf`. For context, this was a dark-shipped service running in the background and not part of any customer workflows. If you have discovered it and notice it is missing in a future release, we want to you to know we have intentionally removed it.