Merge pull request #41646 from github/repo-sync

Repo sync

.github/workflows/sync-secret-scanning.yml

@@ -53,7 +53,7 @@ jobs:
           git config --global user.name "docs-bot"
           git config --global user.email "77750099+docs-bot@users.noreply.github.com"
 
-          branchname=sync-secret-scanning-${{ steps.secret-scanning-sync.outputs.sha }}
+          branchname=sync-secret-scanning-`date +%Y%m%d%H%M%S`
 
           remotesha=$(git ls-remote --heads origin $branchname)
           if [ -n "$remotesha" ]; then

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/managing-support-entitlements-for-your-enterprise.md

@@ -18,7 +18,7 @@ People with support entitlements for your enterprise account can use the support
 
 Enterprise owners and billing managers automatically have a support entitlement. Enterprise owners can add support entitlements to a limited number of enterprise members.
 * **{% data variables.product.premium_support_plan %}, {% data variables.product.standard_support_plan %}:** Up to 20 members
-* **{% data variables.product.premium_plus_support_plan %}:** Up to 40 members
+* **{% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %}:** Up to 40 members
 
 > [!NOTE] The level of support that members of your enterprise receive when submitting a ticket is determined by their support entitlement status:
 > * If your enterprise has a Premium or Premium Plus plan and the user has a support entitlement, their ticket will receive Premium Support, which includes expedited response times and prioritized handling.

content/billing/concepts/cost-centers.md

@@ -21,7 +21,7 @@ Cost centers allow you to attribute usage and spending to business units, improv
 
 When you create a cost center, you define which resources it contains from users, repositories, and organizations. If your account is billed through Azure, you can also add an Azure subscription to bill usage to a different Azure subscription than the enterprise default.
 
-To get started with cost centers, see [AUTOTITLE](/billing/tutorials/use-cost-centers).
+To get started with cost centers, see [AUTOTITLE](/billing/tutorials/control-costs-at-scale).
 
 ## Cost center allocation
 

content/billing/get-started/introduction-to-billing.md

@@ -61,4 +61,4 @@ For more information, see [AUTOTITLE](/enterprise-cloud@latest/billing/managing-
 
 * [AUTOTITLE](/billing/how-tos/products/view-product-use)
 * [AUTOTITLE](/billing/tutorials/set-up-budgets)
-* [AUTOTITLE](/billing/tutorials/use-cost-centers)
+* [AUTOTITLE](/billing/tutorials/control-costs-at-scale)

content/billing/how-tos/manage-for-client/create-as-csp-partner.md

@@ -35,7 +35,7 @@ As a Microsoft CSP partner, you can get started with {% data variables.product.p
 1. Select **Get started with {% data variables.product.prodname_enterprise %}**.
 1. Choose an enterprise type. To help you decide which choice is best for the enterprise, see [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud).
 1. Complete the form with your client's information.
-1. Click **Create your enterprise**.
+{% data reusables.billing.enterprise-create-button %}
 
 ## Step 2: Purchase {% data variables.product.prodname_enterprise %}
 
@@ -45,7 +45,7 @@ At any time during the trial, you can purchase {% data variables.product.prodnam
 1. At the top of the page, in the blue banner, click **Activate Enterprise**.
 1. Click **Add Azure subscription**.
 1. To sign in to your Microsoft account, follow the prompts.
-1. Review the "Permissions requested" prompt. If you agree with the terms, click **Accept**.
+{% data reusables.billing.azure-accept-permissions %}
 
    If you don't see a "Permissions requested" prompt, and instead see a message indicating that you need admin approval, see [AUTOTITLE](/billing/how-tos/troubleshooting/azure-sub-connection).
 

content/billing/how-tos/manage-for-client/create-client-enterprise.md

@@ -43,7 +43,7 @@ If you already have a personal account on {% data variables.product.prodname_dot
 1. Complete the form with your client's information.
 
    If you chose Enterprise managed users, define your data hosting requirements [AUTOTITLE](/admin/data-residency/about-github-enterprise-cloud-with-data-residency).
-1. Click **Create your enterprise**.
+{% data reusables.billing.enterprise-create-button %}
 
 ## Step 3: Upgrade the enterprise to a yearly paid subscription
 
@@ -51,7 +51,7 @@ If you already have a personal account on {% data variables.product.prodname_dot
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.billing-tab %}
 1. At the top of the page, click **Buy Enterprise**.
-1. Under "How often do you want to be billed?", select **Pay yearly**.
+{% data reusables.billing.client-billing-yearly %}
 1. Under "How many seats do you want to include?", type the number of seats your client wants.
 1. Under "Payment method", input your payment details.
 1. Click **Complete {% data variables.product.prodname_enterprise %} purchase**.

content/billing/how-tos/manage-for-client/create-client-org.md

@@ -61,7 +61,7 @@ If you already have a personal account on {% data variables.product.prodname_dot
 {% data reusables.profile.org_settings %}
 {% data reusables.organizations.billing_plans_or_licensing %}
 {% data reusables.dotcom_billing.upgrade_org %}
-1. Under "How often do you want to be billed?", select **Pay yearly** to pay for the organization yearly.
+{% data reusables.billing.client-billing-yearly %}
 1. Under "How many seats do you want to include?", define the number of seats you require.
 {% data reusables.dotcom_billing.enter-payment-info %}
 1. Review the information, then click **Save** to confirm the changes.

content/billing/how-tos/manage-plan-and-licenses/manage-user-licenses.md

@@ -28,7 +28,7 @@ If you're the **owner** or **billing manager** of an organization on a {% data v
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}
 {% data reusables.billing.org-billing-menu %}
-1. Click **Licensing**.
+{% data reusables.billing.click-licensing %}
 1. In the {% data variables.product.prodname_team %} banner, click **Edit** and select **Add seats** or **Remove seats**.
 1. Define the number of new seats you require. The details of the prorated cost for the remainder of the billing cycle and the total for your next bill are updated automatically.
 1. Click **Add seats** or **Remove seats**.
@@ -55,8 +55,8 @@ To add or remove licenses from your enterprise account:
 
 Enterprise **owners** or **billing managers** can add or remove user licenses.
 
-1. Navigate to your enterprise account.
+{% data reusables.billing.nav-to-ent %}
 {% data reusables.billing.enterprise-billing-menu %}
-1. In the left sidebar, click {% octicon "law" aria-hidden="true" aria-label="law" %} **Licensing**.
+{% data reusables.billing.click-licensing %}
 1. Next to "Enterprise Cloud", click **{% octicon "kebab-horizontal" aria-hidden="true" aria-label="kebab-horizontal" %}**, then click **Manage licenses**.
 1. Choose your number of licenses, then click **Confirm licenses**.

content/billing/how-tos/pay-third-parties/cancel-sponsorship.md

@@ -28,7 +28,7 @@ Organizations that pay for {% data variables.product.prodname_sponsors %} by inv
 
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}
-1. In the "Access" section of the sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**.
+{% data reusables.billing.access-billing-sidebar %}
 1. Under "{% data variables.product.prodname_sponsors %}", in the yellow banner with the start date, click **Undo**.
 1. Review the alert about undoing the activation of the sponsorship, then click **OK**.
 

content/billing/how-tos/pay-third-parties/downgrade-marketplace-app.md

@@ -55,9 +55,7 @@ contentType: how-tos
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.billing-tab %}
-1. In the "Marketplace apps" tab, find the app you want to downgrade.
-1. Next to the organization where you want to downgrade the app, select **{% octicon "kebab-horizontal" aria-label="More" %}** and then click **Change plan**.
-1. Select the **Edit your plan** dropdown and click an account's plan to edit.
+{% data reusables.billing.marketplace-find-app-downgrade %}
 {% data reusables.marketplace.choose-new-plan %}
 {% data reusables.marketplace.choose-new-quantity %}
 {% data reusables.marketplace.issue-plan-changes %}

content/billing/how-tos/pay-third-parties/upgrade-marketplace-app.md

@@ -53,9 +53,7 @@ contentType: how-tos
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.billing-tab %}
-1. In the "Marketplace apps" tab, find the app you want to upgrade.
-1. Next to the organization where you want to upgrade the app, select **{% octicon "kebab-horizontal" aria-label="More" %}** and then click **Change plan**.
-1. Select the **Edit your plan** dropdown and click an account's plan to edit.
+{% data reusables.billing.marketplace-find-app-upgrade %}
 {% data reusables.marketplace.choose-new-plan %}
 {% data reusables.marketplace.choose-new-quantity %}
 {% data reusables.marketplace.issue-plan-changes %}

content/billing/how-tos/products/buy-advanced-security.md

@@ -22,15 +22,8 @@ contentType: how-tos
 
 You must use a {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} plan before you can enable {% data variables.product.prodname_GH_cs_or_sp %} on private repositories.
 
-1. In the upper-right corner of any page on {% data variables.product.github %}, click your profile picture.
-
-1. Select the account you want to view and then access the "Billing & Licensing" pages:
-
-   * **Organizations**: Click **Your organizations**, then next to the organization, click **Settings**. In the organization sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing**.
-
-   * **Enterprises**: Click **Your enterprises**, then click the enterprise name. Click the **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** tab at the top of the page.
-
-1. From the list of "Billing & licensing" pages, click {% octicon "law" aria-hidden="true" aria-label="law" %} **Licensing** to display the licensing page.
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.click-licensing %}
 
 Your current plan is shown with any options to upgrade to a different plan.
 
@@ -44,15 +37,8 @@ The most effective way to control and enable these features is using security co
 
 If you use volume/subscription billing, then you will need to purchase licenses before you can start using {% data variables.product.prodname_GH_cs_or_sp %} on private or internal repositories.
 
-1. In the upper-right corner of any page on {% data variables.product.github %}, click your profile picture.
-
-1. Select the account you want to view and then access the "Billing & Licensing" pages:
-
-   * **Organizations**: Click **Your organizations**, then next to the organization, click **Settings**. In the organization sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing**.
-
-   * **Enterprises**: Click **Your enterprises**, then click the enterprise name. Click the **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** tab at the top of the page.
-
-1. From the list of "Billing & licensing" pages, click {% octicon "law" aria-hidden="true" aria-label="law" %} **Licensing** to display the licensing page.
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.click-licensing %}
 
 1. To the right of "{% data variables.product.prodname_GHAS %}", click **Buy {% data variables.product.prodname_AS %}**.
 

content/billing/how-tos/products/download-license-use.md

@@ -23,15 +23,8 @@ For more detailed reports on usage of all paid products, see [AUTOTITLE](/billin
 
 ## On {% data variables.product.prodname_ghe_cloud %}
 
-1. In the upper-right corner of any page on {% data variables.product.github %}, click your profile picture.
-
-1. Select the account you want to view and then access the "Billing & Licensing" pages:
-
-   * **Organizations**: Click **Your organizations**, then next to the organization, click **Settings**. In the organization sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing**.
-
-   * **Enterprises**: Click **Your enterprises**, then click the enterprise name. Click the **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** tab at the top of the page.
-
-1. From the list of "Billing & licensing" pages, click {% octicon "law" aria-hidden="true" aria-label="law" %} **Licensing** to display the licensing page.
+{% data reusables.billing.nav-to-ent %}
+{% data reusables.billing.click-licensing %}
 
 1. In the license area of interest, click **Download CSV report**. If offered a choice, choose your preferred report.
 

content/billing/how-tos/products/index.md

@@ -26,8 +26,8 @@ children:
   - /view-productlicense-use
   - /download-license-use
   - /buy-advanced-security
+  - /use-cost-centers
   - /manage-ghas-licenses
   - /view-ghas-committers
 contentType: how-tos
 ---
-

content/billing/how-tos/products/manage-ghas-licenses.md

@@ -23,15 +23,8 @@ For information about using policies to control use of licenses in your enterpri
 
 ## Changing the size of your license
 
-1. In the upper-right corner of any page on {% data variables.product.github %}, click your profile picture.
-
-1. Select the account you want to view and then access the "Billing & Licensing" pages:
-
-   * **Organizations**: Click **Your organizations**, then next to the organization, click **Settings**. In the organization sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing**.
-
-   * **Enterprises**: Click **Your enterprises**, then click the enterprise name. Click the **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** tab at the top of the page.
-
-1. From the list of "Billing & licensing" pages, click {% octicon "law" aria-hidden="true" aria-label="law" %} **Licensing** to display the licensing page.
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.click-licensing %}
 
    ![Screenshot of the {% data variables.product.prodname_AS %} licensing screen. The "Manage licenses" button is outlined in orange.](/assets/images/help/enterprises/ghas-licenses-dropdown.png)
 
@@ -44,7 +37,7 @@ For information about using policies to control use of licenses in your enterpri
 
 ## Canceling your {% data variables.product.prodname_AS %} subscription
 
-1. Navigate to the "Billing & licensing" pages for your enterprise or organization.
-1. Click {% octicon "law" aria-hidden="true" aria-label="law" %} **Licensing** to display the licensing page.
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.click-licensing %}
 1. To the right of "{% data variables.product.prodname_AS %}", select {% octicon "kebab-horizontal" aria-label="Open menu" %}, then click **Cancel subscription**.
 1. To confirm your cancellation, click **I understand, cancel {% data variables.product.prodname_AS %}**.

content/billing/how-tos/products/use-cost-centers.md

@@ -8,12 +8,13 @@ redirect_from:
   - /billing/using-the-enhanced-billing-platform-for-enterprises/charging-business-units
   - /billing/using-the-new-billing-platform/charging-business-units
   - /billing/managing-your-billing/charging-business-units
+  - /billing/tutorials/use-cost-centers
 topics:
   - Billing
   - Enterprise
 product: '{% data variables.product.prodname_ghe_cloud %}'
 shortTitle: Use cost centers
-contentType: tutorials
+contentType: how-tos
 ---
 
 >[!NOTE] Before you create or update a cost center, if you're unsure of how spending will be allocated to the cost center, see [AUTOTITLE](/billing/reference/cost-center-allocation).
@@ -29,15 +30,14 @@ When you create a cost center, you can add **organizations**, **repositories**,
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.billing.enterprise-billing-menu %}
-1. Click **Cost centers**.
-1. Click **New cost center** in the upper-right corner.
+{% data reusables.billing.cost-center-click-new %}
 1. In the text box under "Name", enter a name for your cost center.
 1. If your account is billed to Azure, you have the option to add an Azure ID. Your credentials will be verified against Azure to ensure the Azure IDs associated to your account are available.
 1. Under **Resources**, select the organizations, repositories, and/or users that will be a part of the cost center.
 
    >[!NOTE] A resource (organization, repository, or user) can only be assigned to one cost center at a time. If you add a resource that belongs to a different cost center, it will be moved to the new cost center and you will be notified.
 
-1. Click **Create cost center**.
+{% data reusables.billing.cost-center-create-button %}
 
 ## Adding a budget to a cost center
 
@@ -59,4 +59,5 @@ You can view, edit, and delete cost centers to manage your business units effect
 
 ## Further reading
 
+* [AUTOTITLE](/billing/tutorials/control-costs-at-scale)
 * [AUTOTITLE](/rest/enterprise-admin/billing)

content/billing/how-tos/products/view-ghas-committers.md

@@ -28,8 +28,7 @@ For more information about billing for {% data variables.product.prodname_AS %},
 
 ## Viewing committer information
 
-1. In the upper-right corner of any page, click {% octicon "rocket" aria-label="Site admin" %} to display the "Site admin" pages.
-1. In the left sidebar, click **Advanced Security Committers**. If this option is not displayed, at the top of the page, click {% octicon "rocket" aria-hidden="true" aria-label="Site admin" %} **Site admin** to show the top-level "Site admin" page.
+{% data reusables.billing.ghas-site-admin-committers %}
 
 The page shows the number of licenses currently being used and the number of licenses you would use if you enabled {% data variables.product.prodname_AS %} for all repositories.
 
@@ -37,8 +36,7 @@ The page shows the number of licenses currently being used and the number of lic
 
 Under "Calculate Additional Advanced Licenses", you can calculate how many more new or additional licenses will be used if you enable {% data variables.product.prodname_cs_or_sp %} for specific organizations and repositories.
 
-1. In the upper-right corner of any page, click {% octicon "rocket" aria-label="Site admin" %} to display the "Site admin" pages.
-1. In the left sidebar, click **Advanced Security Committers**. If this option is not displayed, at the top of the page, click {% octicon "rocket" aria-hidden="true" aria-label="Site admin" %} **Site admin** to show the top-level "Site admin" page.
+{% data reusables.billing.ghas-site-admin-committers %}
 1. Under "Organizations and Repositories", enter or paste a list of organizations and repositories, with one organization or repository per line. For example:
 
    ```text

content/billing/how-tos/products/view-productlicense-use.md

@@ -66,13 +66,8 @@ The options available to you vary according to your role and {% data variables.p
 
 ### Organization and enterprise accounts
 
-1. Display the settings for the organization or enterprise account you want to view data for. For example, using the context switcher shown on all personal and organization account settings pages.
-
-   ![Screenshot of the "Public profile" settings for The Octocat. Next to "Your personal profile," a "Switch settings context" link is outlined in orange.](/assets/images/help/settings/context-switcher-button.png)
-
-1. Click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** to display the billing and licensing overview for the account:
-   * **Organization** accounts: under "Access" in the sidebar for settings.
-   * **Enterprise** accounts: a separate tab at the top of the page.
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.access-org-or-ent-page %}
 
 ## Exploring usage data in more detail
 

content/billing/how-tos/set-up-payment/add-sales-tax-certificate.md

@@ -24,14 +24,8 @@ If you're a {% data variables.product.github %} customer in the United States, y
 
 Enterprise owners, organization owners, and billing managers can upload a sales tax exemption certificate to an enterprise account if the account uses the {% data variables.product.company_short %} Customer Agreement.
 
-1. In the upper-right corner of any page on {% data variables.product.github %}, click your profile picture.
-
-1. Select the account you want to view and then access the "Billing & Licensing" pages:
-
-   * **Organizations**: Click **Your organizations**, then next to the organization, click **Settings**. In the organization sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing**.
-   * For **enterprises**, click **Your enterprises**, then click the enterprise name. Click the **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** tab at the top of the page.
-
-1. From the list of "Billing & licensing" pages, click **Payment information**.
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.click-payment-info %}
 1. Review your "Billing information" and update any incorrect data. You must ensure that the address fields are correct and that the "City" and "Postal/Zip code" fields are accepted. If there is any missing information or any errors are reported, the option to upload a sales tax certificate is hidden.
 1. At the bottom of the page in the "Sales Tax" section, click **Upload certificate**, and select the certificate file you want to upload. If "Sales Tax" is missing, check that your billing information defines your country as "United States of America."
 

content/billing/how-tos/set-up-payment/connect-azure-sub.md

@@ -31,37 +31,19 @@ You can pay for metered usage of {% data variables.product.github %} features th
 
 * You must be logged into Azure as a user who is able to provide tenant-wide admin consent or arrange to work with an Azure AD global administrator to configure an admin consent workflow. See [AUTOTITLE](/billing/concepts/azure-subscriptions).
 
-## Connecting your Azure subscription to your organization account
+## Connecting your Azure subscription to an organization or enterprise account
 
-{% data reusables.profile.access_org %}
-{% data reusables.profile.org_settings %}
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.access-org-or-ent-page %}
+{% data reusables.billing.click-payment-info %}
 
-1. In the "Access" section of the sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**.
-1. Under "Payment Information", to the right of "Metered billing via Azure", click **Add Azure Subscription**.
+1. Scroll to the bottom of the page, to the right of "Metered billing via Azure", click **Add Azure Subscription**.
 1. Sign in to your Microsoft account.
-1. Review the "Permissions requested" prompt. If you agree with the terms, click **Accept**.
+{% data reusables.billing.azure-accept-permissions %}
 
    {% data reusables.enterprise-accounts.azure-admin-approval-required-message %}
 
-1. Under "Select a subscription", select the Azure Subscription ID that you want to connect to your organization.
-   {% data reusables.enterprise-accounts.connect-azure %}
-
-   {% data reusables.enterprise-accounts.tenant-app-permissions %}
-
-## Connecting your Azure subscription to your enterprise account
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.billing.enterprise-billing-menu %}
-{% data reusables.enterprise-accounts.payment-information-tab-both-platforms %}
-
-1. Under "Payment Information", click **Add Azure Subscription**.
-1. To sign in to your Microsoft account, follow the prompts.
-1. Review the "Permissions requested" prompt. If you agree with the terms, click **Accept**.
-
-   {% data reusables.enterprise-accounts.azure-admin-approval-required-message %}
-
-1. Under "Select a subscription", select the Azure subscription ID that you want to connect to your enterprise.
-
+{% data reusables.billing.azure-select-subscription %}
    {% data reusables.enterprise-accounts.connect-azure %}
 
    {% data reusables.enterprise-accounts.tenant-app-permissions %}
@@ -70,7 +52,7 @@ You can pay for metered usage of {% data variables.product.github %} features th
 
 If you disconnect your Azure subscription from your account, your usage can no longer exceed the amounts included with your plan.
 
-1. Under "Billing Management", then under "Metered billing via Azure", to the right of the subscription ID you want change.
+1. On the "Payment information" page, to the right of the subscription ID you want change.
 
    * **Edit the subscription**: Click {% octicon "pencil" aria-label="Edit Azure Subscription" %} to edit your subscription.
    * **Disconnect the subscription** Click {% octicon "trash" aria-label="Delete Azure Subscription" %} to remove the connection.
@@ -79,7 +61,7 @@ If you disconnect your Azure subscription from your account, your usage can no l
 
 To connect an Azure subscription, you'll need appropriate access permissions on both {% data variables.product.github %} and the Azure billing portal. This may require coordination between two different people.
 
-To see a demo of the process from beginning to end, see [Billing GitHub consumption through an Azure subscription](https://www.youtube.com/watch?v=Y-f7JKJ4_8Y) on {% data variables.product.company_short %}'s YouTube channel. This video demonstrates the process for an enterprise account. If you're connecting a subscription to an organization account, see [Connecting your Azure subscription to your organization account](/free-pro-team@latest/billing/managing-the-plan-for-your-github-account/connecting-an-azure-subscription#connecting-your-azure-subscription-to-your-organization-account).
+To see a demo of the process from beginning to end, see [Billing GitHub consumption through an Azure subscription](https://www.youtube.com/watch?v=Y-f7JKJ4_8Y) on {% data variables.product.company_short %}'s YouTube channel. This video demonstrates the process for an enterprise account.
 
 ## Further reading
 

content/billing/reference/billing-reports.md

@@ -30,7 +30,6 @@ The following report types are available.
    * **Detailed usage report**: A detailed usage report for all paid products for a maximum period of 31 days.
 * Premium request analytics page:
    * **Premium requests usage report**: A detailed per-user breakdown of premium requests consumed for a maximum period of 31 days.
-   * **Legacy premium request usage report**: A detailed, user-based report of premium request usage for the last 45 days.
 
 ### Summarized usage report
 
@@ -50,12 +49,6 @@ This report includes additional detail about premium request usage. The report s
 
 This report contains usage beginning October 01, 2025 00:00 UTC.
 
-### Legacy premium request usage report
-
-This report includes each recorded use of a premium request and includes the following fields: `Timestamp`,`User`,`Model`,`Requests Used`,`Exceeds Monthly Quota`, and `Total Monthly Quota`. The time period of the report is the most recent 45 days.
-
-This report will be closing down on December 1, 2025, at which point all premium request usage activity will be available via the Premium requests usage report.
-
 ## Usage report fields
 
 The usage reports contain the following fields.

content/billing/reference/cost-center-allocation.md

@@ -12,7 +12,7 @@ contentType: reference
 product: '{% data variables.product.prodname_ghe_cloud %}'
 ---
 
-This article contains reference information for how spending is assigned to cost centers. To create and manage cost centers, see [AUTOTITLE](/billing/tutorials/use-cost-centers).
+This article contains reference information for how spending is assigned to cost centers. To create and manage cost centers, see [AUTOTITLE](/billing/how-tos/products/use-cost-centers).
 
 ## Overview
 

content/billing/tutorials/control-costs-at-scale.md

@@ -47,14 +47,13 @@ Follow these steps to plan your cost centers:
 
 Now you'll create your first cost center using the user interface (UI) to familiarize yourself with how cost centers work. Choose one of the cost centers you've identified as an example—it's best to start with a small financial entity.
 
-1. Navigate to your enterprise. For example, from [https://github.com/settings/enterprises](https://github.com/settings/enterprises?ref_product=ghec&ref_type=engagement&ref_style=text).
+{% data reusables.billing.nav-to-ent %}
 {% data reusables.billing.enterprise-billing-menu %}
-1. Click **Cost centers**.
-1. Click **New cost center** in the upper-right corner.
+{% data reusables.billing.cost-center-click-new %}
 1. In the text box under "Name", enter the name of the financial entity you want to track costs for.
 1. Optionally, if this financial entity has a separate Azure subscription, you can add the Azure subscription to the cost center to charge usage directly to it. The credentials will be verified against Azure to ensure the Azure ID associated with the account is available.
 1. Under **Resources**, select the users, organizations, and repositories to track as part of this cost center.
-1. Click **Create cost center**.
+{% data reusables.billing.cost-center-create-button %}
 
 Your new cost center is now active and usage will begin to attribute to the cost center immediately. Future billing reports will include this cost center with an entry in the `cost_center_name` column for usage allocated to it. You'll also be able to filter usage charts by this cost center.
 
@@ -98,7 +97,7 @@ Create one budget for each product, SKU, or group of SKUs that you want to contr
 
    Under "Alert Recipients", select any additional recipients to receive the alerts.
 
-1. Click **Create budget**.
+{% data reusables.billing.budget-create-button %}
 
 ### Review existing budgets for conflicts
 

content/billing/tutorials/gather-insights.md

@@ -29,7 +29,7 @@ The new billing platform provides you with the tools to:
 You can view the usage of your personal account and download the usage data for further analysis.
 
 {% data reusables.user-settings.access_settings %}
-1. In the "Access" section of the sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing**.
+{% data reusables.billing.access-billing-sidebar %}
 1. Click **Usage**.
 1. To search or filter the graph, click the search bar. Then click the filter you want to use.
 1. To further filter the graph, use the dropdown menus.
@@ -114,7 +114,7 @@ You can also view your active {% data variables.product.prodname_enterprise %} i
 
 {% endif %}
 
-1. Click **Licensing**.
+{% data reusables.billing.click-licensing %}
 1. To download a CSV report of the license usage, click {% octicon "kebab-horizontal" aria-label="Licensing dropdown" %} to the right of the usage you want to download, then click **{% octicon "download" aria-hidden="true" aria-label="download" %} CSV report**.
 
 ## Further reading

content/billing/tutorials/index.md

@@ -12,8 +12,8 @@ children:
   - /automate-usage-reporting
   - /set-up-budgets
   - /control-costs-at-scale
-  - /use-cost-centers
   - /estimate-spending
   - /gather-insights
 contentType: tutorials
 ---
+

content/billing/tutorials/set-up-budgets.md

@@ -64,14 +64,14 @@ You can set budgets and receive alerts when your usage of a product reaches 75%,
    >[!IMPORTANT] If you do not select **Stop usage when budget limit is reached**, you will be notified by email if you exceed your budget, but usage **will not** be stopped.
 
 1. To receive an alert if your budget has reached 75%, 90% and 100% thresholds, select **Receive budget threshold alerts** under "Alerts". When the budget has reached the specific threshold, you will be notified via email and a banner on {% data variables.product.github %}. You may opt out at any time.
-1. Click **Create budget**.
+{% data reusables.billing.budget-create-button %}
 
 To edit or delete a budget, on the "Budget and alerts" page, click **Edit** or **Delete** next to the budget you want to edit or delete. Follow the prompts.
 
 ## Managing budgets for your organization or enterprise
 
 > [!IMPORTANT]
-> * {% data reusables.billing.pru-sku-split-notice %} 
+> * {% data reusables.billing.pru-sku-split-notice %}
 > * Existing {% data variables.product.prodname_copilot_short %} premium request budgets will automatically migrate to a **bundled premium requests budget** on November 1, 2025. This ensures that your budget continues to account for all of your premium request usage.
 
 You can set budgets and receive alerts when your usage of a product or license type reaches 75%, 90%, or 100% of a defined budget. For budgets that control metered use of a product, you can also block further use when the budget is exhausted. Each budget has a scope.
@@ -85,13 +85,8 @@ You can set budgets and receive alerts when your usage of a product or license t
 
 If you are an organization owner, enterprise owner, or billing manager, any account-level budget is listed at the top of the "Budgets and alerts" page, followed by budgets for smaller scopes.
 
-1. Display the settings for the organization or enterprise account you want to view data for. For example, using the context switcher shown on all personal and organization account settings pages.
-
-   ![Screenshot of the "Public profile" settings for The Octocat. Next to "Your personal profile," a "Switch settings context" link is outlined in orange.](/assets/images/help/settings/context-switcher-button.png)
-
-1. Click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** to display the billing and licensing overview for the account:
-   * **Organization** accounts: under "Access" in the sidebar for settings.
-   * **Enterprise** accounts: a separate tab at the top of the page.
+{% data reusables.billing.nav-to-org-or-ent %}
+{% data reusables.billing.access-org-or-ent-page %}
 
 1. Click **Budgets and alerts**.
 1. Optionally, in the enterprise view only, to filter by scope, select **Scope**, then choose a scope.
@@ -117,7 +112,7 @@ To limit spending on premium requests across all features, enable "Bundled premi
 
    Under "Alert Recipients", select the people who will receive the alerts.
 
-1. Click **Create budget**.
+{% data reusables.billing.budget-create-button %}
 
 ### Editing or deleting a budget
 

content/code-security/dependabot/working-with-dependabot/configuring-multi-ecosystem-updates.md

@@ -7,6 +7,7 @@ type: how_to
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - Dependabot
   - Version updates
@@ -18,7 +19,7 @@ shortTitle: Multi-ecosystem updates
 
 ## About multi-ecosystem updates
 
-Multi-ecosystem updates allow you to create groups that span multiple package ecosystems and get a single {% data variables.product.prodname_dependabot %} pull request with updates across all supported ecosystems.  This approach helps reduce the number of {% data variables.product.prodname_dependabot %} pull requests you receive and streamlines your dependency update workflow.  
+Multi-ecosystem updates allow you to create groups that span multiple package ecosystems and get a single {% data variables.product.prodname_dependabot %} pull request with updates across all supported ecosystems.  This approach helps reduce the number of {% data variables.product.prodname_dependabot %} pull requests you receive and streamlines your dependency update workflow.
 
 Multi-ecosystem updates are particularly useful for:
 
@@ -28,9 +29,9 @@ Multi-ecosystem updates are particularly useful for:
 
 ## Getting Started
 
-You should follow these instructions to set up your first multi-ecosystem group.  
+You should follow these instructions to set up your first multi-ecosystem group.
 
-### 1. Add `multi-ecosystem-groups` to your `.github/dependabot.yml` file  
+### 1. Add `multi-ecosystem-groups` to your `.github/dependabot.yml` file
 
 Start by defining a group with a schedule in the top-level `multi-ecosystem-groups` section:
 
@@ -46,7 +47,7 @@ updates:
   # Your existing package ecosystems will go here
 ```
 
-### 2. Assign ecosystems to groups with patterns  
+### 2. Assign ecosystems to groups with patterns
 
 1. Add the `multi-ecosystem-group` key.
 1. Add `patterns` to your package ecosystem configurations.
@@ -64,7 +65,7 @@ updates:
     directory: "/"
     patterns: ["nginx", "redis", "postgres"]
     multi-ecosystem-group: "infrastructure"
-  
+
   - package-ecosystem: "terraform"
     directory: "/"
     patterns: ["aws", "terraform-*"]
@@ -72,18 +73,18 @@ updates:
 ```
 
 > [!IMPORTANT]
-> The `patterns` key is required when using `multi-ecosystem-group`. You can specify dependency patterns to include only certain dependencies in the group, or use `["*"]` to include all dependencies.  
+> The `patterns` key is required when using `multi-ecosystem-group`. You can specify dependency patterns to include only certain dependencies in the group, or use `["*"]` to include all dependencies.
 
-### 3. Commit and watch for consolidated pull requests  
+### 3. Commit and watch for consolidated pull requests
 
-Once you commit the changes to your `dependabot.yml` file, {% data variables.product.prodname_dependabot %} will:  
+Once you commit the changes to your `dependabot.yml` file, {% data variables.product.prodname_dependabot %} will:
 
 * Check for updates according to the group's schedule
 * Check for updates according to the group's schedule.
 * Create a single pull request containing updates for all the ecosystems specified in the group.
 * Use the group identifier in the branch name and the pull request title.
 
-### 4. Customize with additional keys (optional)  
+### 4. Customize with additional keys (optional)
 
 Add [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--), [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--), and other settings to your groups:
 
@@ -100,7 +101,7 @@ updates:
     directory: "/"
     patterns: ["nginx", "redis", "postgres"]
     multi-ecosystem-group: "infrastructure"
-  
+
   - package-ecosystem: "terraform"
     directory: "/"
     patterns: ["aws", "terraform-*"]
@@ -111,8 +112,8 @@ updates:
 
 Multi-ecosystem updates use a two-level configuration structure to provide flexibility and control over how updates are grouped and managed:
 
-* **Group-level** (`multi-ecosystem-groups`): This is where you define the overall group behavior, scheduling, and shared settings that apply to all package ecosystems in the group.  
-* **Ecosystem-level** (`updates`): Configure individual package managers within the group, including which dependencies to include and ecosystem-specific settings.  
+* **Group-level** (`multi-ecosystem-groups`): This is where you define the overall group behavior, scheduling, and shared settings that apply to all package ecosystems in the group.
+* **Ecosystem-level** (`updates`): Configure individual package managers within the group, including which dependencies to include and ecosystem-specific settings.
 
 This structure allows you to set consistent policies at the group level while maintaining fine-grained control over individual package ecosystems.
 
@@ -151,7 +152,7 @@ The following table shows the configuration keys available at the group level, a
 | [`commit-message`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message--) |{% octicon "x" aria-label="Not required" %} |Group-only |
 | [`pull-request-branch-name`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#pull-request-branch-nameseparator--) |{% octicon "x" aria-label="Not required" %} |Group-only |
 
-### Ecosystem-level (`updates`)  
+### Ecosystem-level (`updates`)
 
 The following table shows the configuration keys available at the ecosystem level, along with their behavior types. For more information, see [Configuration behavior](#configuration-behavior).
 
@@ -262,9 +263,9 @@ updates:
     multi-ecosystem-group: "infrastructure"
 ```
 
-**Result**: One weekly pull request containing updates for Docker images, Terraform providers, and Python dependencies used in infrastructure automation.  
+**Result**: One weekly pull request containing updates for Docker images, Terraform providers, and Python dependencies used in infrastructure automation.
 
-### Full-stack applications  
+### Full-stack applications
 
 **Scenario**: You have a web application with a React frontend and Rails backend. You want frontend and backend dependencies updated together to ensure compatibility and streamline testing.
 
@@ -289,7 +290,7 @@ updates:
 
 **Result**: Daily PRs containing both frontend JavaScript/TypeScript updates and backend Ruby gem updates, allowing you to test the complete application together.
 
-### Cross-platform libraries  
+### Cross-platform libraries
 
 **Scenario**: You're building a library or service that uses the same protocols across different languages (like gRPC and Protocol Buffers). You want to keep the library versions synchronized across all implementations.
 
@@ -331,7 +332,7 @@ multi-ecosystem-groups:
     commit-message:
       prefix: "infra"
       include: "scope"
-  
+
   # Application code updates - daily, with development team
   full-stack:
     schedule:
@@ -347,20 +348,20 @@ updates:
     assignees: ["@docker-admin"]            # adds to @platform-team (additive)
     labels: ["docker"]                      # adds to infrastructure, dependencies (additive)
     multi-ecosystem-group: "infrastructure"
-  
+
   # Terraform - infrastructure group with terraform specialists
   - package-ecosystem: "terraform"
     directory: "/"
     patterns: ["aws", "terraform-*"]
     multi-ecosystem-group: "infrastructure"
-    
+
   # Frontend - full-stack group with frontend focus
   - package-ecosystem: "npm"
     directory: "/frontend"
     patterns: ["react", "lodash", "@types/*"]
     labels: ["frontend"]                    # adds to full-stack (additive)
     multi-ecosystem-group: "full-stack"
-    
+
   # Backend - full-stack group with backend specialist
   - package-ecosystem: "bundler"
     directory: "/backend"
@@ -394,11 +395,11 @@ updates:
 
 This approach ensures that the right people are involved for each type of update while maintaining consistent policies across related technologies.
 
-## Best practices  
+## Best practices
 
-* **Group related dependencies**: Only group ecosystems that logically belong together.  
-* **Use descriptive identifiers**: Choose group names that clearly indicate the group's purpose.  
+* **Group related dependencies**: Only group ecosystems that logically belong together.
+* **Use descriptive identifiers**: Choose group names that clearly indicate the group's purpose.
 
-### Further reading  
+### Further reading
 
 * [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference)

content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md

@@ -205,6 +205,9 @@ The table below shows the package managers for which SemVer is supported.
 
 | Package manager        | SemVer supported |
 |-----------------------|------------------|
+| {% ifversion dependabot-bazel-support %} |
+| Bazel               | {% octicon "x" aria-label="Not supported" %}              |
+| {% endif %} |
 | Bundler               | {% octicon "check" aria-label="Supported" %}              |
 | Bun                   | {% octicon "check" aria-label="Supported" %}              |
 | Cargo                 | {% octicon "check" aria-label="Supported" %}              |
@@ -475,6 +478,9 @@ When `open-pull-requests-limit` is defined:
 
 Package manager | YAML value      | Supported versions |
 ---------------|------------------|:------------------:|
+| {% ifversion dependabot-bazel-support %} |
+| Bazel         | `bazel`          | v7, v8, v9               |
+| {% endif %} |
 | {% ifversion dependabot-bun-support %} |
 | Bun | `bun`         | >=v1.2.5              |
 | {% endif %} |

content/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program.md

@@ -103,6 +103,8 @@ The list of valid values for `source` are:
 * Commit_comment
 * Gist_content
 * Gist_comment
+* Wiki_content
+* Wiki_commit
 * Npm
 * Unknown
 

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/about-your-exposure-to-vulnerable-dependencies.md

@@ -65,8 +65,8 @@ Focus on vulnerabilities that present the highest risk to your organization.
 
 * Prioritize alerts with high or critical severity. For {% data variables.product.prodname_dependabot_alerts %}, also prioritize high EPSS scores, and available patches.
 * Use the repository breakdown information to direct remediation efforts to the most at-risk projects.{% ifversion fpt or ghec %}
-* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties and using production context. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code).{% endif %}
-* Create security campaigns to encourage and track the remediation of high priority {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns).
+* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties and using production context. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/alerts-in-production-code).{% endif %}{% ifversion security-campaigns %}
+* Create security campaigns to encourage and track the remediation of high priority {% data variables.product.prodname_code_scanning %} alerts. See [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-managing-security-campaigns).{% endif %}
 
 ### 4. Communicate risk and progress
 

content/contributing/style-guide-and-content-model/style-guide.md

@@ -151,34 +151,28 @@ A CTA is an explicit direction to the user to take an immediate action, such as
 
 For example, the CTA on [AUTOTITLE](/enterprise-cloud@latest/admin/overview/setting-up-a-trial-of-github-enterprise-cloud) links to [an enterprise sales page](https://github.com/account/enterprises/new?ref_product=ghec&ref_type=trial&ref_style=text&ref_plan=enterprise) on {% data variables.product.prodname_dotcom_the_website %}.
 
-### Required CTA parameters
+### Building CTAs
 
-* `ref_product`:
-  * **Purpose**: The GitHub product the CTA leads users to.
-  * **Allowed values**: `copilot`, `ghec`, `desktop`, `code-quality`
-  * **Example**: `ref_product=copilot`
-* `ref_type`:
-  * **Purpose**: The type of action the CTA encourages users to take.
-  * **Allowed values**: `trial`, `purchase`, `engagement`
-  * **Example**: `ref_type=purchase`
-* `ref_style`:
-  * **Purpose**: The way we are formatting the CTA in the docs.
-  * **Allowed values**: `button` or `text`
-  * **Example**: `ref_style=button`
-* `ref_plan` (_optional_):
-  * **Purpose**: For links to sign up for or trial a plan, the specific plan we link to.
-  * **Allowed values**: `enterprise`, `business`, `pro`, `free`
-  * **Example**: `ref_plan=business`
+To build a valid CTA URL with the correct parameters, use the CTA builder script in your docs repository checkout:
 
-Replace the placeholders with the relevant information for your CTA, where `DESTINATION/URL` is the URL that the button should navigate to:
-
-```html
-{% raw %}<a href="https://github.com/DESTINATION/URL?ref_product=PRODUCT&ref_type=TYPE&ref_style=STYLE&ref_plan=PLAN" target="_blank" class="btn btn-primary mt-3 mr-3 no-underline"><span>Try PRODUCT NAME</span> {% octicon "link-external" height:16 %}</a>{% endraw %}
+```shell
+npm run cta-builder
 ```
 
-### Getting help with CTAs
+The script will guide you through an interactive process to:
+* Select the appropriate {% data variables.product.company_short %} product (`ref_product`)
+  * Use `github` as the default when the link is not specific to a particular feature or product
+* Choose the type of action (`ref_type`)
+* Specify the formatting style (`ref_style`)
+* Optionally select a specific plan (`ref_plan`)
 
-For help building a valid CTA URL, you can enter the command `npm run cta-builder` in your docs repo checkout. Answer each question and at the end you'll see your valid CTA.
+The script provides all available options for each parameter and generates a complete, valid CTA URL at the end. Use this tool to ensure you're using current, approved values for CTA parameters.
+
+For example, the script might generate a URL like:
+
+```
+https://github.com/account/enterprises/new?ref_product=ghec&ref_type=trial&ref_style=button&ref_plan=enterprise
+```
 
 ## Code
 

content/copilot/concepts/agents/coding-agent/about-coding-agent.md

@@ -153,7 +153,7 @@ Users can include hidden messages in issues assigned to {% data variables.copilo
 ### Limitations in {% data variables.copilot.copilot_coding_agent %}'s compatibility with other features
 
 * **{% data variables.product.prodname_copilot_short %} isn't able to comply with certain rules that may be configured for your repository**. If you have configured a ruleset or branch protection rule that isn't compatible with {% data variables.copilot.copilot_coding_agent %} (for example the "Require signed commits" rule), access to the agent will be blocked. If the rule is configured using rulesets, you can add {% data variables.product.prodname_copilot_short %} as a bypass actor to enable access. See [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#granting-bypass-permissions-for-your-branch-or-tag-ruleset).
-* **{% data variables.copilot.copilot_coding_agent %} does not work in personal repositories owned by {% data variables.enterprise.prodname_managed_users %}**. This is because {% data variables.copilot.copilot_coding_agent %} requires {% data variables.product.company_short %}-hosted runners, which are not available to repositories owned by {% data variables.enterprise.prodname_managed_users %}. See [AUTOTITLE](/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners).
+* **{% data variables.copilot.copilot_coding_agent %} does not work in personal repositories owned by {% data variables.enterprise.prodname_managed_users %}**. This is because {% data variables.copilot.copilot_coding_agent %} requires {% data variables.product.company_short %}-hosted runners, which are not available to personal repositories owned by {% data variables.enterprise.prodname_managed_users %}. See [AUTOTITLE](/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners).
 * **{% data variables.copilot.copilot_coding_agent %} doesn't account for content exclusions**. Content exclusions allow administrators to configure {% data variables.product.prodname_copilot_short %} to ignore certain files. When using {% data variables.copilot.copilot_coding_agent %}, {% data variables.product.prodname_copilot_short %} will not ignore these files, and will be able to see and update them. See [AUTOTITLE](/copilot/managing-copilot/configuring-and-auditing-content-exclusion/excluding-content-from-github-copilot).
 * **{% data variables.copilot.copilot_coding_agent %} only works with repositories hosted on {% data variables.product.github %}**. If your repository is stored using a different code hosting platform, {% data variables.product.prodname_copilot_short %} won't be able to work on it.
 * **You cannot select the AI model used by {% data variables.copilot.copilot_coding_agent %}**. A model picker is not available to switch between models, and {% data variables.product.company_short %} reserves the right to change models at any time.

content/copilot/concepts/context/spaces.md

@@ -1,7 +1,7 @@
 ---
 title: About GitHub Copilot Spaces
 shortTitle: Spaces
-intro: Understand how organizing and sharing context with {% data variables.copilot.copilot_spaces %} can improve your {% data variables.copilot.copilot_chat_dotcom_short %} results and help your teammates.
+intro: Understand how organizing and sharing context with {% data variables.copilot.copilot_spaces %} can improve your {% data variables.copilot.copilot_chat_dotcom_short %} results and help your collaborators.
 permissions: Anyone with a {% data variables.product.prodname_copilot_short %} license can use {% data variables.copilot.copilot_spaces_short %}.
 versions:
   feature: copilot
@@ -19,7 +19,7 @@ category:
   - Learn about Copilot
 ---
 
-{% data variables.copilot.copilot_spaces %} let you organize the context that {% data variables.product.prodname_copilot_short %} uses to answer your questions. {% data variables.copilot.copilot_spaces_short %} can include repositories, code, pull requests, issues, free-text content like transcripts or notes, images, and file uploads. You can ask {% data variables.product.prodname_copilot_short %} questions grounded in that context, or share the space with your team to support collaboration and knowledge sharing.
+{% data variables.copilot.copilot_spaces %} let you organize the context that {% data variables.product.prodname_copilot_short %} uses to answer your questions. {% data variables.copilot.copilot_spaces_short %} can include repositories, code, pull requests, issues, free-text content like transcripts or notes, images, and file uploads. You can ask {% data variables.product.prodname_copilot_short %} questions grounded in that context, or share the space with your team, or share publicly, to support collaboration and knowledge sharing.
 
 ## Why use {% data variables.copilot.copilot_spaces %}?
 
@@ -38,7 +38,25 @@ Your spaces stay in sync as your project evolves. {% data variables.product.gith
 
 Anyone with a {% data variables.product.prodname_copilot_short %} license, including {% data variables.copilot.copilot_free_short %}, can create and use {% data variables.copilot.copilot_spaces_short %}.
 
-{% data variables.copilot.copilot_spaces_short %} can belong to a personal account or to an organization. Spaces owned by an organization can be shared with other organization members or kept private to the person who created the space.
+## Who can I share {% data variables.copilot.copilot_spaces_short %} with?
+
+{% data variables.copilot.copilot_spaces_short %} can belong to a personal account or to an organization, and the sharing options differ depending on who the space belongs to.
+
+### Organization-owned spaces
+
+Organization-owned spaces can be shared with other organization members, and you decide which level of access you want to grant other members (admin, editor, viewer).
+
+Alternatively, you can choose to grant "No access" to organization members, and keep the space hidden.
+
+### Individual-owned spaces
+
+Spaces belonging to a personal account can be shared publicly, shared with specific {% data variables.product.github %} users, or kept private to the person who created the space.
+
+Publicly shared spaces are view-only by default.
+
+Viewers can only see sources that they have access to.
+
+Eligibility to create or use {% data variables.copilot.copilot_spaces_short %} is user-based and depends on the organization that grants the user a {% data variables.product.prodname_copilot_short %} seat. Currently, the system does not block the creation of a space under an organization that has not configured {% data variables.copilot.copilot_spaces_short %}, or has {% data variables.copilot.copilot_spaces_short %} disabled. This means users can create spaces in such organizations if their {% data variables.product.prodname_copilot_short %} seat comes from another organization where {% data variables.copilot.copilot_spaces_short %} are enabled.
 
 ## Where can I use {% data variables.copilot.copilot_spaces_short %}?
 

content/copilot/concepts/prompting/response-customization.md

@@ -200,33 +200,89 @@ For information on how to enable, create, and use prompt files, see [AUTOTITLE](
 
 {% visualstudio %}
 
-> [!NOTE] This version of this article is about custom instructions in {% data variables.product.prodname_vs %}. Click the tabs above for other environments. <!-- markdownlint-disable-line MD027 -->
+> [!NOTE] This version of this article is about custom instructions and prompt files in {% data variables.product.prodname_vs %}. Click the tabs above for other environments. <!-- markdownlint-disable-line MD027 -->
 
 ## About customizing {% data variables.product.prodname_copilot_short %} responses
 
-{% data variables.product.prodname_copilot %} can provide responses that are tailored to the way your team works, the tools you use, or the specifics of your project, if you provide it with enough context to do so. Instead of repeatedly adding this contextual detail to your prompts, you can create a custom instructions file in your repository that automatically adds this information for you. The additional information is not displayed in the chat input box, but is available to {% data variables.product.prodname_copilot_short %} to allow it to generate higher quality responses.
+{% data variables.product.prodname_copilot %} can provide responses that are tailored to the way your team works, the tools you use, or the specifics of your project, if you provide it with enough context to do so. Instead of repeatedly adding this contextual detail to your prompts, you can create files in your repository that automatically add this information for you.
+
+There are two types of files you can use to provide context and instructions to {% data variables.product.prodname_copilot_short %} in {% data variables.product.prodname_vs %}:
+
+* **Repository custom instructions** allow you to specify instructions and preferences that {% data variables.product.prodname_copilot_short %} will consider when working in the context of the repository.
+* **Prompt files** allow you to save common prompt instructions and relevant context in Markdown files (`*.prompt.md`) that you can then reuse in your chat prompts. {% data reusables.copilot.prompt-files-available-in-editors %}
+
+While custom instructions help to add codebase-wide context to each AI workflow, prompt files let you add instructions to a specific chat interaction.
 
 {% data reusables.copilot.custom-insts-nondeterministic %}
 
 ## About repository custom instructions
 
-In {% data variables.product.prodname_vs %}, repository custom instructions consist of a single file, `.github/copilot-instructions.md`, that you create in a repository. The instructions you add to the file should be short, self-contained statements that add context or relevant information to supplement a {% data variables.product.prodname_copilot_short %} prompt.
+You can use two types of repository custom instructions in {% data variables.product.prodname_vs %}:
+
+* **Repository-wide custom instructions**, which apply to all requests made in the context of a repository.
+
+  These are specified in a `copilot-instructions.md` file in the `.github` directory of the repository.
+
+* **Path-specific custom instructions**, which apply to requests made in the context of files that match a specified path.
+
+  These are specified in one or more `NAME.instructions.md` files within the `.github/instructions` directory in the repository.
+
+  By using path-specific instructions you can avoid overloading your repository-wide instructions with information that only applies to files of certain types, or in certain directories.
+
+See the table below for details of support for each of these types of repository custom instructions across different {% data variables.product.prodname_copilot_short %} features.
+
+For a curated collection of examples, see [AUTOTITLE](/copilot/tutorials/customization-library/custom-instructions).
 
 {% data reusables.copilot.repository-custom-instructions-support %}
 
-### Use cases for custom instructions
+## About prompt files
 
-Common use cases for repository custom instructions include:
+Prompt files let you build and share reusable prompt instructions with additional context. A prompt file is a Markdown file, stored in your workspace, that mimics the existing format of writing prompts in {% data variables.copilot.copilot_chat_short %} (for example, `Rewrite #file:x.ts`). This allows blending natural language instructions, additional context, and even linking to other prompt files as dependencies.
 
-* **Test generation.** Create instructions for test generation, such as specifying the use of a certain test framework.
-* **Code review.** Specify instructions for reviewing code, such as telling a reviewer to look for a specific error in the code.
-* **Commit message generation.** Write instructions for generating commit messages, such as format or the type of information to include.
+Common use cases include:
 
-### Example
+* **Code generation**. Create reusable prompts for components, tests, or migrations (for example, React forms, or API mocks).
+* **Domain expertise**. Share specialized knowledge through prompts, such as security practices, or compliance checks.
+* **Team collaboration**. Document patterns and guidelines with references to specs and documentation.
+* **Onboarding**. Create step-by-step guides for complex processes or project-specific patterns.
 
-{% data reusables.copilot.repository-custom-instructions-example %}
+You can have multiple prompt files in your workspace, each of which defines a prompt for a different purpose.
 
-For a curated collection of examples, see [AUTOTITLE](/copilot/tutorials/customization-library/custom-instructions).
+### Examples
+
+The following examples demonstrate how to use prompt files.
+
+* `New React form.prompt.md` - contains instructions for a reusable task to generate a form using React.
+
+  ```markdown
+  Your goal is to generate a new React form component.
+
+  Ask for the form name and fields if not provided.
+
+  Requirements for the form:
+  - Use form design system components: [design-system/Form.md](../docs/design-system/Form.md)
+  - Use `react-hook-form` for form state management:
+    - Always define TypeScript types for your form data
+    - Prefer *uncontrolled* components using register
+    - Use `defaultValues` to prevent unnecessary rerenders
+  - Use `yup` for validation:
+    - Create reusable validation schemas in separate files
+    - Use TypeScript types to ensure type safety
+    - Customize UX-friendly validation rules
+  ```
+
+* `API security review.prompt.md` - contains reusable information about security practices for REST APIs, which can be used to do security reviews of REST APIs.
+
+  ```markdown
+  Secure REST API review:
+  - Ensure all endpoints are protected by authentication and authorization
+  - Validate all user inputs and sanitize data
+  - Implement rate limiting and throttling
+  - Implement logging and monitoring for security events
+  …
+  ```
+
+For information on how to create and use prompt files, see [AUTOTITLE](/copilot/how-tos/configure-custom-instructions/add-repository-instructions?tool=visualstudio#using-prompt-files).
 
 {% data reusables.copilot.custom-instructions-effective %}
 

content/copilot/how-tos/configure-custom-instructions/add-repository-instructions.md

@@ -39,7 +39,7 @@ This version of this article is for using repository custom instructions and pro
 
 {% visualstudio %}
 
-This version of this article is for using repository custom instructions in {% data variables.product.prodname_vs %}. Click the tabs above for instructions on using custom instructions in other environments.
+This version of this article is for using repository custom instructions and prompt files in {% data variables.product.prodname_vs %}. Click the tabs above for instructions on using custom instructions in other environments.
 
 {% data reusables.copilot.repository-custom-instructions-about %}
 
@@ -282,7 +282,19 @@ Once saved, these instructions will apply to the current project in Eclipse that
 
 {% visualstudio %}
 
-{% data variables.product.prodname_vs %} supports a single `.github/copilot-instructions.md` custom instructions file stored in the repository.
+{% data variables.product.prodname_vs %} supports two types of custom instructions. For details of which {% data variables.product.prodname_copilot %} features support these types of instructions, see [AUTOTITLE](/copilot/concepts/prompting/response-customization?tool=visualstudio#support-for-repository-custom-instructions-2).
+
+* **Repository-wide custom instructions**, which apply to all requests made in the context of a repository.
+
+  These are specified in a `copilot-instructions.md` file in the `.github` directory of the repository. See [Creating repository-wide custom instructions](#creating-repository-wide-custom-instructions-2).
+
+* **Path-specific custom instructions**, which apply to requests made in the context of files that match a specified path.
+
+  These are specified in one or more `NAME.instructions.md` files within the `.github/instructions` directory in the repository. See [Creating path-specific custom instructions](#creating-path-specific-custom-instructions-2).
+
+  If the path you specify matches a file that {% data variables.product.prodname_copilot_short %} is working on, and a repository-wide custom instructions file also exists, then the instructions from both files are used.
+
+## Creating repository-wide custom instructions
 
 1. In the root of your repository, create a file named `.github/copilot-instructions.md`.
 
@@ -292,6 +304,10 @@ Once saved, these instructions will apply to the current project in Eclipse that
 
    Whitespace between instructions is ignored, so the instructions can be written as a single paragraph, each on a new line, or separated by blank lines for legibility.
 
+## Creating path-specific custom instructions
+
+{% data reusables.copilot.custom-instructions-path %}
+
 {% endvisualstudio %}
 
 {% webui %}
@@ -533,9 +549,24 @@ Custom instructions are enabled for {% data variables.copilot.copilot_code-revie
 
 {% data reusables.copilot.custom-instructions-enabling-for-ccr %}
 
+## Using prompt files
+
+{% data reusables.copilot.prompt-files-preview-note %}
+
+Prompt files let you build and share reusable prompt instructions with additional context. A prompt file is a Markdown file, stored in your workspace, that mimics the existing format of writing prompts in {% data variables.copilot.copilot_chat_short %} (for example, `Rewrite #file:x.ts`). You can have multiple prompt files in your workspace, each of which defines a prompt for a different purpose.
+
+### Creating prompt files
+
+1. Add a prompt file, including the `.prompt.md` file name extension inside the `.github/prompts` folder in the root of the repository. The name can contain alphanumeric characters and spaces and should describe the purpose of the prompt information the file will contain.
+1. Write the prompt instructions, using Markdown formatting.
+
+   You can reference other files in the workspace by using Markdown links—for example, `[index](../../web/index.ts)`—or by using the `#file:'../../web/index.ts'` syntax. Paths are relative to the prompt file. Referencing other files allows you to provide additional context, such as API specifications or product documentation.
+
+For more information about prompt files, see [Use prompt files in {% data variables.product.prodname_vs %}](https://learn.microsoft.com/en-us/visualstudio/ide/copilot-chat-context?view=vs-2022#use-prompt-files) in the {% data variables.product.prodname_vs %} documentation.
+
 ## Further reading
 
-* [AUTOTITLE](/copilot/tutorials/customization-library/custom-instructions)—a curated collection of examples
+* [AUTOTITLE](/copilot/tutorials/customization-library)—a curated collection of examples
 
 {% endvisualstudio %}
 

content/copilot/how-tos/manage-and-track-spending/manage-company-spending.md

@@ -51,7 +51,7 @@ You can create cost centers to map spending to individual business units or grou
 
 For example, if you were running a pilot program for {% data variables.copilot.copilot_enterprise %} for a group of employees, you might want to create a cost center to track their spending and set a budget independently of the rest of the company.
 
-For more information, see [AUTOTITLE](/billing/tutorials/use-cost-centers).
+For more information, see [AUTOTITLE](/billing/tutorials/control-costs-at-scale).
 
 ## Preventing overspending
 

content/copilot/how-tos/provide-context/use-copilot-spaces/collaborate-with-others.md

@@ -1,7 +1,7 @@
 ---
-title: Collaborating with your team using GitHub Copilot Spaces
-shortTitle: Collaborate with your team
-intro: 'Learn how to share {% data variables.copilot.copilot_spaces %} with your team to support collaboration and knowledge sharing.'
+title: Collaborating with others using GitHub Copilot Spaces
+shortTitle: Collaborate with others
+intro: 'Learn how to share {% data variables.copilot.copilot_spaces %} to support collaboration and knowledge sharing.'
 permissions: 'Anyone with a {% data variables.product.prodname_copilot_short %} license can use {% data variables.copilot.copilot_spaces_short %}.'
 versions:
   feature: copilot
@@ -12,21 +12,22 @@ redirect_from:
   - /copilot/how-tos/context/copilot-spaces/collaborating-with-your-team-using-copilot-spaces
   - /copilot/how-tos/context/copilot-spaces/collaborate-with-your-team
   - /copilot/how-tos/context/use-copilot-spaces/collaborate-with-your-team
+  - /copilot/how-tos/provide-context/use-copilot-spaces/collaborate-with-your-team
 contentType: how-tos
 category: 
   - Author and optimize with Copilot
 ---
 
-{% data variables.copilot.copilot_spaces %} let you organize the context that {% data variables.product.prodname_copilot_short %} uses to answer your questions. Sharing {% data variables.copilot.copilot_spaces %} helps your team:
+{% data variables.copilot.copilot_spaces %} let you organize the context that {% data variables.product.prodname_copilot_short %} uses to answer your questions. Sharing {% data variables.copilot.copilot_spaces %} helps others:
 
 * Avoid repeated explanations and handoffs.
 * Stay aligned on how a system works or what’s expected.
 * Learn from past work, documentation, and examples.
-* Get better help from {% data variables.product.prodname_copilot_short %} with grounded, team-curated context.
+* Get better help from {% data variables.product.prodname_copilot_short %} with grounded, curated context.
 
-## Use cases for team collaboration
+## Use cases for collaboration
 
-* **Onboarding**: Share a space with code, documentation, diagrams, and checklists to help new developers get started faster. Make other members of your team editors so anyone can update the included resources.
+* **Onboarding**: Share a space with code, documentation, diagrams, and checklists to help new developers get started faster. Make other people editors so anyone can update the included resources.
 * **System knowledge**: Create a space for a complex system or workflow (like authentication or CI pipelines) that other people can reference.
 * **Style guides or review checklists**: Document standards and examples in a space that {% data variables.product.prodname_copilot_short %} can reference when suggesting changes.
 
@@ -34,14 +35,15 @@ For example, a subject matter expert creates a space called “Accessibility Rev
 
 ## Sharing {% data variables.copilot.copilot_spaces_short %}
 
-When you create a space, you can choose whether it’s owned by you or by one of your organizations. If you choose an organization:
+{% data variables.copilot.copilot_spaces_short %} can belong to a personal account or to an organization, and the sharing options differ depending on who the space belongs to.
 
-* You can share the space with the organization, giving viewer, editor, or admin access to all organization members.
-* You can give access to specific users or teams in the organization. For example, make everyone on your team an editor, or give admin access to a specific person so they can update the space's settings.
+### Organization-owned spaces
 
-If you choose to create a personal space, **you can't share it with others**.
+Organization-owned spaces can be shared with other organization members, and you decide which level of access you want to grant other members (admin, editor, viewer).
 
-To share a space with others:
+Alternatively, you can choose to grant "No access" to organization members, and keep the space hidden.
+
+To share a organization-owned space with others:
 
 1. In the top right corner of the space, click **{% octicon "share" aria-hidden="true" aria-label="share" %}**.
 1. To add specific users or teams, search for them with the search bar, then choose a role for the people you added.
@@ -50,9 +52,22 @@ To share a space with others:
    * **Viewers** can use the space to ask questions and view the included attachments and instructions.
    * **Editors** can update the space's attachments, description, name, and instructions, in addition to having all the permissions of viewers. However, editors can't update sharing settings or delete the space.
    * **Admins** can update sharing settings or delete the space, in addition to having all the permissions of viewers and editors.
+   * **No access** means the space will be hidden from other organization members.
 
 1. Optionally, click **{% octicon "link" aria-label="the link" %} Copy link** to copy the link to the space and share it with others.
 
+### Individual-owned spaces
+
+Spaces belonging to a personal account can be shared publicly, shared with specific {% data variables.product.github %} users, or kept private to the person who created the space.
+
+To share an individual-owned space with others:
+
+1. In the top right corner of the space, click **{% octicon "share" aria-hidden="true" aria-label="share" %}**.
+1. To add specific {% data variables.product.github %} users, search for them with the search bar, then choose a role for the people you added.
+1. Optionally, to make the space public, under "General access", select **Anyone with link**. Then, copy the link to the space and share it with others.
+
+   > [!NOTE] Publicly shared spaces are view-only by default, and viewers can only see sources that they have access to.
+
 ## Accessing shared {% data variables.copilot.copilot_spaces_short %}
 
 If you’re part of an organization that has shared spaces, you can access them in the **Organizations** tab on [https://github.com/copilot/spaces](https://github.com/copilot/spaces?ref_product=copilot&ref_type=engagement&ref_style=text).

content/copilot/how-tos/provide-context/use-copilot-spaces/create-copilot-spaces.md

@@ -49,6 +49,16 @@ You can add two types of context to your space:
   * **{% octicon "upload" aria-hidden="true" aria-label="upload" %} Upload a file**: You can upload files directly from your local machine. This includes images, text files, rich documents, and spreadsheets.
   * **{% octicon "paste" aria-hidden="true" aria-label="paste" %} Add text content**: You can type or paste free-text content, such as transcripts, notes, or any other relevant information that can help {% data variables.product.prodname_copilot_short %} understand the context of your space.
 
+## Adding context as you're working
+
+You can add files to a space directly from the code view on {% data variables.product.github %}, so you don't need to break your flow when building context for your space.
+
+1. At the top of any file in the code view, click **{% octicon "space" aria-label="Add to space" %}**.
+
+   ![Screenshot of a file in the code view. The "Add to space" icon is highlighted in orange.](/assets/images/help/copilot/add-to-copilot-space.png)
+
+1. From the dropdown, select the space you want to add the file to, or create a new space.
+
 ## Next steps
 
 * To learn more about using {% data variables.copilot.copilot_spaces_short %} in {% data variables.product.github %} and your IDE, see [AUTOTITLE](/copilot/how-tos/provide-context/use-copilot-spaces/use-copilot-spaces).

content/copilot/how-tos/provide-context/use-copilot-spaces/index.md

@@ -9,7 +9,7 @@ topics:
 children:
   - /create-copilot-spaces
   - /use-copilot-spaces
-  - /collaborate-with-your-team
+  - /collaborate-with-others
 redirect_from:
   - /copilot/using-github-copilot/copilot-spaces
   - /copilot/how-tos/context/copilot-spaces

content/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment.md

@@ -144,22 +144,7 @@ jobs:
 
 ## Using self-hosted {% data variables.product.prodname_actions %} runners with ARC
 
-You can use self-hosted {% data variables.product.prodname_actions %} runners to support {% data variables.copilot.copilot_coding_agent %} using ARC (Actions Runner Controller). This allows you to run {% data variables.product.prodname_copilot_short %}'s development environment on your own infrastructure.
-
-Before {% data variables.product.prodname_copilot_short %} can use self-hosted runners, you must first set up ARC-managed scale sets in your environment. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller).
-
-To use self-hosted runners with ARC, update the `runs-on` attribute in your `copilot-setup-steps` job to target your ARC-managed scale set:
-
-```yaml
-# ...
-
-jobs:
-  copilot-setup-steps:
-    runs-on: arc-scale-set-name
-    # ...
-```
-
-Replace `arc-scale-set-name` with the name of your ARC-managed scale set.
+You can use ARC (Actions Runner Controller) to run {% data variables.copilot.copilot_coding_agent %} on self-hosted runners. You must first set up ARC-managed scale sets in your environment. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller).
 
 > [!WARNING]
 > Persistent runners are not recommended for autoscaling scenarios with {% data variables.copilot.copilot_coding_agent %}.
@@ -169,14 +154,21 @@ Replace `arc-scale-set-name` with the name of your ARC-managed scale set.
 > * {% data variables.copilot.copilot_coding_agent %} is only compatible with Ubuntu x64 Linux runners. Runners with Windows, macOS or other operating systems are not supported.
 > * For more information about ARC, see [AUTOTITLE](/actions/concepts/runners/actions-runner-controller).
 
-### Repository firewall requirements
+1. In your `copilot-setup-steps.yml` file, set the `runs-on` attribute to your ARC-managed scale set name:
 
-To enable communication between {% data variables.copilot.copilot_coding_agent %} and your self-hosted runners, you must disable the repository firewall in the coding agent's repository settings. Without this change, runners will not be able to connect to {% data variables.product.prodname_copilot_short %}.
+   ```yaml
+   # ...
 
-For more information about disabling the firewall, see [AUTOTITLE](/copilot/customizing-copilot/customizing-or-disabling-the-firewall-for-copilot-coding-agent).
+   jobs:
+     copilot-setup-steps:
+       runs-on: arc-scale-set-name
+       # ...
+   ```
 
-> [!WARNING]
-> Disabling the firewall reduces isolation between {% data variables.product.prodname_copilot_short %} and your self-hosted environment. You must implement alternative network security controls to protect your environment.
+1. Disable {% data variables.copilot.copilot_coding_agent %}'s integrated firewall in your repository settings, as it is not compatible with self-hosted runners. Without disabling the firewall, runners will not be able to connect to {% data variables.product.prodname_copilot_short %}. You must configure your own network security controls before disabling the built-in firewall. For more information, see [AUTOTITLE](/copilot/customizing-copilot/customizing-or-disabling-the-firewall-for-copilot-coding-agent).
+    
+    > [!WARNING]
+    > Disabling the firewall reduces isolation between {% data variables.product.prodname_copilot_short %} and your self-hosted environment. You must implement alternative network security controls to protect your environment.
 
 ### Security considerations for self-hosted runners
 
@@ -186,6 +178,8 @@ When using self-hosted runners, especially with the firewall disabled, ensure yo
 * `uploads.github.com`
 * `user-images.githubusercontent.com`
 
+For a comprehensive list of other hosts that must also be allowlisted for {% data variables.product.prodname_actions %} self-hosted runners, see [AUTOTITLE](/actions/reference/runners/self-hosted-runners#accessible-domains-by-function).
+
 ## Enabling Git Large File Storage (LFS)
 
 If you use Git Large File Storage (LFS) to store large files in your repository, you will need to customize {% data variables.product.prodname_copilot_short %}'s environment to install Git LFS and fetch LFS objects.

content/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-firewall.md

@@ -41,7 +41,7 @@ The agent firewall has important limitations that affect its security coverage.
 
 These limitations mean that the firewall provides a layer of protection for common scenarios, but should not be considered a comprehensive security solution.
 
-## Managing the recommended firewall allowlist
+## Understanding the recommended firewall allowlist
 
 The recommended allowlist, enabled by default, allows access to:
 
@@ -51,7 +51,11 @@ The recommended allowlist, enabled by default, allows access to:
 * Common certificate authorities (to allow SSL certificates to be validated).
 * Hosts used to download web browsers for the Playwright MCP server.
 
-You can choose to turn off the recommended allowlist.
+For the complete list of hosts included in the recommended allowlist, see [AUTOTITLE](/copilot/reference/copilot-allowlist-reference#copilot-coding-agent-recommended-allowlist).
+
+## Disabling the recommended allowlist
+
+You can choose to turn off the recommended allowlist. Disabling the recommended allowlist is likely to increase the risk of unauthorized access to external resources.
 
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}

content/copilot/reference/copilot-allowlist-reference.md

@@ -42,6 +42,352 @@ Depending on the security policies and editors your organization uses, you may n
 
 Every user of the proxy server or firewall also needs to configure their own environment to connect to {% data variables.product.prodname_copilot_short %}. See [AUTOTITLE](/copilot/configuring-github-copilot/configuring-network-settings-for-github-copilot).
 
+## {% data variables.copilot.copilot_coding_agent %} recommended allowlist
+
+The {% data variables.copilot.copilot_coding_agent %} includes a built-in firewall with a recommended allowlist that is enabled by default. The recommended allowlist allows access to:
+
+* Common operating system package repositories (for example, Debian, Ubuntu, Red Hat).
+* Common container registries (for example, Docker Hub, Azure Container Registry, AWS Elastic Container Registry).
+* Packages registries used by popular programming languages (C#, Dart, Go, Haskell, Java, JavaScript, Perl, PHP, Python, Ruby, Rust, Swift).
+* Common certificate authorities (to allow SSL certificates to be validated).
+* Hosts used to download web browsers for the Playwright MCP server.
+
+For more information about configuring the {% data variables.copilot.copilot_coding_agent %} firewall, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-firewall).
+
+The allowlist allows access to the following hosts:
+
+### Azure Infrastructure: Metadata Service
+
+* `168.63.129.16`
+
+### Certificate Authorities: DigiCert
+
+* `crl3.digicert.com`
+* `crl4.digicert.com`
+* `ocsp.digicert.com`
+
+### Certificate Authorities: Symantec
+
+* `ts-crl.ws.symantec.com`
+* `ts-ocsp.ws.symantec.com`
+* `s.symcb.com`
+* `s.symcd.com`
+
+### Certificate Authorities: GeoTrust
+
+* `crl.geotrust.com`
+* `ocsp.geotrust.com`
+
+### Certificate Authorities: Thawte
+
+* `crl.thawte.com`
+* `ocsp.thawte.com`
+
+### Certificate Authorities: VeriSign
+
+* `crl.verisign.com`
+* `ocsp.verisign.com`
+
+### Certificate Authorities: GlobalSign
+
+* `crl.globalsign.com`
+* `ocsp.globalsign.com`
+
+### Certificate Authorities: SSL.com
+
+* `crls.ssl.com`
+* `ocsp.ssl.com`
+
+### Certificate Authorities: IdenTrust
+
+* `crl.identrust.com`
+* `ocsp.identrust.com`
+
+### Certificate Authorities: Sectigo
+
+* `crl.sectigo.com`
+* `ocsp.sectigo.com`
+
+### Certificate Authorities: UserTrust
+
+* `crl.usertrust.com`
+* `ocsp.usertrust.com`
+
+### Container Registries: Docker
+
+* `172.18.0.1`
+* `ghcr.io`
+* `registry.hub.docker.com`
+* `*.docker.io`
+* `*.docker.com`
+* `production.cloudflare.docker.com`
+* `auth.docker.io`
+* `quay.io`
+* `mcr.microsoft.com`
+* `gcr.io`
+* `public.ecr.aws`
+
+### GitHub: Content & API
+
+* `*.githubusercontent.com`
+* `raw.githubusercontent.com`
+* `objects.githubusercontent.com`
+* `lfs.github.com`
+* `github-cloud.githubusercontent.com`
+* `github-cloud.s3.amazonaws.com`
+* `codeload.github.com`
+* `scanning-api.github.com`
+* `api.mcp.github.com`
+* `uploads.github.com/copilot/chat/attachments/`
+
+### GitHub: Actions Artifact Storage
+
+* `productionresultssa0.blob.core.windows.net`
+* `productionresultssa1.blob.core.windows.net`
+* `productionresultssa2.blob.core.windows.net`
+* `productionresultssa3.blob.core.windows.net`
+* `productionresultssa4.blob.core.windows.net`
+* `productionresultssa5.blob.core.windows.net`
+* `productionresultssa6.blob.core.windows.net`
+* `productionresultssa7.blob.core.windows.net`
+* `productionresultssa8.blob.core.windows.net`
+* `productionresultssa9.blob.core.windows.net`
+* `productionresultssa10.blob.core.windows.net`
+* `productionresultssa11.blob.core.windows.net`
+* `productionresultssa12.blob.core.windows.net`
+* `productionresultssa13.blob.core.windows.net`
+* `productionresultssa14.blob.core.windows.net`
+* `productionresultssa15.blob.core.windows.net`
+* `productionresultssa16.blob.core.windows.net`
+* `productionresultssa17.blob.core.windows.net`
+* `productionresultssa18.blob.core.windows.net`
+* `productionresultssa19.blob.core.windows.net`
+
+### Programming Languages & Package Managers: C# / .NET
+
+* `nuget.org`
+* `dist.nuget.org`
+* `api.nuget.org`
+* `nuget.pkg.github.com`
+* `dotnet.microsoft.com`
+* `pkgs.dev.azure.com`
+* `builds.dotnet.microsoft.com`
+* `dotnetcli.blob.core.windows.net`
+* `nugetregistryv2prod.blob.core.windows.net`
+* `azuresearch-usnc.nuget.org`
+* `azuresearch-ussc.nuget.org`
+* `dc.services.visualstudio.com`
+* `dot.net`
+* `download.visualstudio.microsoft.com`
+* `dotnetcli.azureedge.net`
+* `ci.dot.net`
+* `www.microsoft.com`
+* `oneocsp.microsoft.com`
+* `www.microsoft.com/pkiops/crl/`
+
+### Programming Languages & Package Managers: Dart
+
+* `pub.dev`
+* `pub.dartlang.org`
+* `storage.googleapis.com/pub-packages/`
+* `storage.googleapis.com/dart-archive/`
+
+### Programming Languages & Package Managers: Go
+
+* `go.dev`
+* `golang.org`
+* `proxy.golang.org`
+* `sum.golang.org`
+* `pkg.go.dev`
+* `goproxy.io`
+* `storage.googleapis.com/proxy-golang-org-prod/`
+
+### Programming Languages & Package Managers: Haskell
+
+* `haskell.org`
+* `*.hackage.haskell.org`
+* `get-ghcup.haskell.org`
+* `downloads.haskell.org`
+
+### Programming Languages & Package Managers: Java
+
+* `www.java.com`
+* `jdk.java.net`
+* `api.adoptium.net`
+* `adoptium.net`
+* `search.maven.org`
+* `maven.apache.org`
+* `repo.maven.apache.org`
+* `repo1.maven.org`
+* `maven.pkg.github.com`
+* `maven-central.storage-download.googleapis.com`
+* `maven.google.com`
+* `maven.oracle.com`
+* `jcenter.bintray.com`
+* `oss.sonatype.org`
+* `repo.spring.io`
+* `gradle.org`
+* `services.gradle.org`
+* `plugins.gradle.org`
+* `plugins-artifacts.gradle.org`
+* `repo.grails.org`
+* `download.eclipse.org`
+* `download.oracle.com`
+
+### Programming Languages & Package Managers: Node.js / JavaScript
+
+* `npmjs.org`
+* `npmjs.com`
+* `registry.npmjs.com`
+* `registry.npmjs.org`
+* `skimdb.npmjs.com`
+* `npm.pkg.github.com`
+* `api.npms.io`
+* `nodejs.org`
+* `yarnpkg.com`
+* `registry.yarnpkg.com`
+* `repo.yarnpkg.com`
+* `deb.nodesource.com`
+* `get.pnpm.io`
+* `bun.sh`
+* `deno.land`
+* `registry.bower.io`
+* `binaries.prisma.sh`
+
+### Programming Languages & Package Managers: Perl
+
+* `cpan.org`
+* `www.cpan.org`
+* `metacpan.org`
+* `cpan.metacpan.org`
+
+### Programming Languages & Package Managers: PHP
+
+* `repo.packagist.org`
+* `packagist.org`
+* `getcomposer.org`
+
+### Programming Languages & Package Managers: Python
+
+* `pypi.python.org`
+* `pypi.org`
+* `pip.pypa.io`
+* `*.pythonhosted.org`
+* `files.pythonhosted.org`
+* `bootstrap.pypa.io`
+* `conda.binstar.org`
+* `conda.anaconda.org`
+* `binstar.org`
+* `anaconda.org`
+* `download.pytorch.org`
+* `repo.continuum.io`
+* `repo.anaconda.com`
+
+### Programming Languages & Package Managers: Ruby
+
+* `rubygems.org`
+* `api.rubygems.org`
+* `rubygems.pkg.github.com`
+* `bundler.rubygems.org`
+* `gems.rubyforge.org`
+* `gems.rubyonrails.org`
+* `index.rubygems.org`
+* `cache.ruby-lang.org`
+* `*.rvm.io`
+
+### Programming Languages & Package Managers: Rust
+
+* `crates.io`
+* `index.crates.io`
+* `static.crates.io`
+* `sh.rustup.rs`
+* `static.rust-lang.org`
+
+### Programming Languages & Package Managers: Swift
+
+* `download.swift.org`
+* `swift.org`
+* `cocoapods.org`
+* `cdn.cocoapods.org`
+
+### Infrastructure & Tools: HashiCorp
+
+* `releases.hashicorp.com`
+* `apt.releases.hashicorp.com`
+* `yum.releases.hashicorp.com`
+* `registry.terraform.io`
+
+### Infrastructure & Tools: JSON Schema
+
+* `json-schema.org`
+* `json.schemastore.org`
+
+### Infrastructure & Tools: Playwright
+
+* `playwright.download.prss.microsoft.com`
+* `cdn.playwright.dev`
+* `playwright.azureedge.net`
+* `playwright-akamai.azureedge.net`
+* `playwright-verizon.azureedge.net`
+
+### Linux Package Managers: Ubuntu
+
+* `archive.ubuntu.com`
+* `security.ubuntu.com`
+* `ppa.launchpad.net`
+* `keyserver.ubuntu.com`
+* `azure.archive.ubuntu.com`
+* `api.snapcraft.io`
+
+### Linux Package Managers: Debian
+
+* `deb.debian.org`
+* `security.debian.org`
+* `keyring.debian.org`
+* `packages.debian.org`
+* `debian.map.fastlydns.net`
+* `apt.llvm.org`
+
+### Linux Package Managers: Fedora
+
+* `dl.fedoraproject.org`
+* `mirrors.fedoraproject.org`
+* `download.fedoraproject.org`
+
+### Linux Package Managers: CentOS
+
+* `mirror.centos.org`
+* `vault.centos.org`
+
+### Linux Package Managers: Alpine
+
+* `dl-cdn.alpinelinux.org`
+* `pkg.alpinelinux.org`
+
+### Linux Package Managers: Arch
+
+* `mirror.archlinux.org`
+* `archlinux.org`
+
+### Linux Package Managers: SUSE
+
+* `download.opensuse.org`
+
+### Linux Package Managers: Red Hat
+
+* `cdn.redhat.com`
+
+### Linux Package Managers: Common Package Sources
+
+* `packagecloud.io`
+* `packages.cloud.google.com`
+* `packages.microsoft.com`
+
+### Other
+
+* `dl.k8s.io`
+* `pkgs.k8s.io`
+
 ## Further reading
 
 * [Network Connections in {% data variables.product.prodname_vscode %}](https://code.visualstudio.com/docs/setup/network) in the {% data variables.product.prodname_vs %} documentation

content/enterprise-onboarding/support-for-your-enterprise/managing-support-entitlements.md

@@ -18,7 +18,7 @@ People with support entitlements for your enterprise account can use the support
 
 Enterprise owners and billing managers automatically have a support entitlement. Enterprise owners can add support entitlements to a limited number of enterprise members.
 * **{% data variables.product.premium_support_plan %}:** Up to 20 members
-* **{% data variables.product.premium_plus_support_plan %}:** Up to 40 members
+* **{% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %}:** Up to 40 members
 
 ## Adding support entitlements
 

content/rest/code-scanning/alert-dismissal-requests.md

@@ -1,9 +1,15 @@
 ---
-title: REST API endpoints for {% data variables.product.prodname_code_scanning %} alert dismissal requests
+title: >-
+  REST API endpoints for {% data variables.product.prodname_code_scanning %}
+  alert dismissal requests
 shortTitle: Alert dismissal requests
-intro: Use the REST API to interact with {% data variables.product.prodname_code_scanning %} alert dismissal requests from a repository.
+intro: >-
+  Use the REST API to interact with {% data
+  variables.product.prodname_code_scanning %} alert dismissal requests from a
+  repository.
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/enterprise-admin/bypass-requests.md

@@ -4,6 +4,7 @@ shortTitle: Bypass requests
 intro: Use the REST API to manage enterprise push rule bypass requests.
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/enterprise-admin/organization-installations.md

@@ -1,9 +1,13 @@
 ---
 title: REST API for managing organization GitHub App installations
 shortTitle: GitHub App installations
-intro: Use the REST API to manage which {% data variables.product.prodname_github_apps %} are installed in your enterprise's organizations.
+intro: >-
+  Use the REST API to manage which {% data
+  variables.product.prodname_github_apps %} are installed in your enterprise's
+  organizations.
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/enterprise-admin/rules.md

@@ -1,9 +1,12 @@
 ---
 title: REST API endpoints for rules
 shortTitle: Rules
-intro: Use the REST API to manage rulesets for an enterprise. Rulesets control how people can interact with repositories and code.
+intro: >-
+  Use the REST API to manage rulesets for an enterprise. Rulesets control how
+  people can interact with repositories and code.
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/issues/issue-dependencies.md

@@ -5,6 +5,7 @@ intro: Use the REST API to view, add, and remove issue dependencies.
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/projects/fields.md

@@ -5,6 +5,7 @@ intro: Use the REST API to manage Project fields
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/projects/index.md

@@ -12,5 +12,6 @@ children:
 versions:
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.19'
 ---
 

content/rest/projects/items.md

@@ -5,6 +5,7 @@ intro: Use the REST API to manage Project items
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/projects/projects.md

@@ -5,6 +5,7 @@ intro: Use the REST API to manage Projects
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/rest/secret-scanning/push-protection.md

@@ -5,6 +5,7 @@ intro: Use the REST API to manage secret scanning push protection.
 versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
   fpt: '*'
   ghec: '*'
+  ghes: '>=3.19'
 topics:
   - API
 autogenerated: rest

content/support/learning-about-github-support/about-github-premium-support.md

@@ -32,11 +32,11 @@ topics:
 
 ## {% data variables.contact.premium_support %} plans
 
-There are two {% data variables.contact.premium_support %} plans: Premium and Premium Plus / {% data variables.product.microsoft_premium_plus_support_plan %}.
+There are two {% data variables.contact.premium_support %} plans: Premium and {% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %}.
 
 {% rowheaders %}
 
-| | {% data variables.product.premium_support_plan %} | {% data variables.product.premium_plus_support_plan %} |
+| | {% data variables.product.premium_support_plan %} | {% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %} |
 |---|---|------|
 | Hours of operation | 24 x 7 | 24 x 7 |
 | Initial response time | <ul><li>30 minutes for {% data variables.product.support_ticket_priority_urgent %} (including initial troubleshooting)</li><li>4 hours for {% data variables.product.support_ticket_priority_high %}</li><li>48 hours for {% data variables.product.support_ticket_priority_normal %}</li><li>48 hours for {% data variables.product.support_ticket_priority_low %}</li></ul> | <ul><li>30 minutes for {% data variables.product.support_ticket_priority_urgent %} (including initial troubleshooting)</li><li>4 hours for {% data variables.product.support_ticket_priority_high %}</li><li>24 hours for {% data variables.product.support_ticket_priority_normal %}</li><li>48 hours for {% data variables.product.support_ticket_priority_low %}</li></ul> |
@@ -65,7 +65,7 @@ How you are charged for {% data variables.contact.premium_support %} will depend
 
 * If you are a **licensed billing** customer, the support fee percentage is applied to the cost of licenses for the current year.
 
-* If you are a **metered billing** customer, the support fee percentage for **{% data variables.product.premium_support_plan %}**, **Premium Plus plan**, and **{% data variables.product.microsoft_premium_plus_support_plan %}** is calculated as either a percentage of your estimated metered spending or a set minimum annual fee—whichever amount is higher. For {% data variables.product.microsoft_premium_plus_support_plan %} customers, this is in addition to the Unified Support contract fee.
+* If you are a **metered billing** customer, the support fee percentage for **{% data variables.product.premium_support_plan %}**, **{% data variables.product.premium_plus_support_plan %}**, and **{% data variables.product.microsoft_premium_plus_support_plan %}** is calculated as either a percentage of your estimated metered spending or a set minimum annual fee—whichever amount is higher. For {% data variables.product.microsoft_premium_plus_support_plan %} customers, this is in addition to the Unified Support contract fee.
 
   The support fee for metered billing is estimated from the previous 12 months' spending. If you have less than 12 months of spending history, {% data variables.product.github %} will take a 12-month run rate based on your spending history. If your last 3 to 6 months spending is vastly different to the last 6 to 9 months, the last 3 to 6 month period will be used.
 
@@ -73,7 +73,7 @@ How you are charged for {% data variables.contact.premium_support %} will depend
 
 * If you are both a licensed and metered billing customer (hybrid), your charge will be calculated from the support fee percentage applied to the current year's license purchases **plus** the support fee percentage applied to your estimated metered billing spend.
 
-New {% data variables.product.github %} customers who are only planning to use metered products will be required to pay the annual minimum for {% data variables.product.premium_support_plan %} or {% data variables.product.premium_plus_support_plan %}.
+New {% data variables.product.github %} customers who are only planning to use metered products will be required to pay the annual minimum for {% data variables.product.premium_support_plan %} or {% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %}.
 
 If you would like a quote for {% data variables.contact.premium_support %}, contact [{% data variables.product.github %}'s Sales team](https://github.com/enterprise/contact?scid=&utm_campaign=2023q3-site-ww-PremiumSupport&utm_content=Premium+Support&utm_medium=referral&utm_source=github).
 
@@ -101,7 +101,7 @@ For tickets you submit, support is available 24 hours a day, 7 days per week. Th
 
 | | Urgent Response Time | High Response Time | Normal Response Time | Low Response Time |
 | --- | ---| --- | --- | --- |
-| {% data variables.product.premium_plus_support_plan %} | 30 minutes | 4 hours | 24 hours | 48 hours |
+| {% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %} | 30 minutes | 4 hours | 24 hours | 48 hours |
 | {% data variables.product.premium_support_plan %} | 30 minutes | 4 hours | 48 hours | 48 hours |
 
 {% endrowheaders %}

content/support/learning-about-github-support/about-github-support.md

@@ -131,7 +131,7 @@ For pricing, licensing, renewals, quotes, payments, and other related questions,
 To learn more about training options, including customized trainings, see [{% data variables.product.company_short %}'s training site](https://services.github.com/).
 
 > [!NOTE]
-> Training is included in the {% data variables.product.premium_plus_support_plan %}. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-premium-support).
+> Training is included in the {% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %}. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-premium-support).
 
 {% endif %}
 

data/features/copilot-enterprise.yml

@@ -1,2 +0,0 @@
-versions:
-  ghec: '*'

data/features/dependabot-bazel-support.yml

@@ -0,0 +1,6 @@
+# Reference: #16918
+# Bazel support for Dependabot
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '> 3.19'

data/release-notes/enterprise-server/3-14/20.yml

@@ -0,0 +1,62 @@
+date: '2025-12-02'
+sections:
+  security_fixes:
+    - |
+      **HIGH:** A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability has been assigned [CVE-2025-11578](https://nvd.nist.gov/vuln/detail/CVE-2025-11578) and was reported through the GitHub Bug Bounty program.
+    - |
+      Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. To mitigate this issue, a Server-Side Request Forgery (SSRF) vulnerability has been fixed by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      Administrators may have experienced delays with configuration runs after a reboot if `ghe-reconfigure.service` was still activating, impacting run performance and stability.
+    - |
+      On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instance's proxy.
+    - |
+      <!-- markdownlint-disable-line GHD046 --> New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation.
+    - |
+      An "Invite member" button intended only for GitHub.com was displayed on the enterprise "People" tab.
+    - |
+      Audit log searches could temporarily miss recent events or show incomplete results right after new index creation at the start of a month. Administrators now experience reduced lag between the creation of monthly audit log search indexes and their availability for searches and write operations.
+    - |
+      When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
+  changes:
+    - |
+      <!-- markdownlint-disable-line GHD046 --> A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed.
+    - |
+      Administrators can add security key-backed (SK) SSH certificate authorities.
+    - |
+      Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+  known_issues:
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      In the header bar displayed to site administrators, some icons are not available.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the Actions workflow of a repository does not have any suggested workflows.
+    - |
+      Unexpected elements may appear in the UI on the repository overview page for locked repositories.

data/release-notes/enterprise-server/3-15/14.yml

@@ -26,7 +26,7 @@ sections:
       On instances where GitHub Actions workflows require approval to run on pull requests from forked repositories, workflows remained queued indefinitely after users clicked "Approve and run".
   changes:
     - |
-      Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
+      <!-- markdownlint-disable-line GHD046 --> Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-15/15.yml

@@ -0,0 +1,72 @@
+date: '2025-12-02'
+sections:
+  security_fixes:
+    - |
+      **HIGH:** A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability has been assigned [CVE-2025-11578](https://nvd.nist.gov/vuln/detail/CVE-2025-11578) and was reported through the GitHub Bug Bounty program.
+    - |
+      Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. To mitigate this issue, this fixes a Server-Side Request Forgery (SSRF) vulnerability by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      Administrators may have experienced delays with configuration runs after a reboot if `ghe-reconfigure.service` was still activating, impacting run performance and stability.
+    - |
+      On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
+    - |
+      <!-- markdownlint-disable-line GHD046 --> New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation.
+    - |
+      Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
+    - |
+      An "Invite member" button intended only for GitHub.com was displayed on the enterprise "People" tab.
+    - |
+      Link previews did not appear in Slack conversations when messages were delivered through socket mode, affecting the visibility of linked GitHub content.
+    - |
+      Audit log searches could temporarily miss recent events or show incomplete results right after new index creation at the start of a month. Administrators now experience reduced lag between the creation of monthly audit log search indexes and their availability for searches and write operations.
+    - |
+      When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
+  changes:
+    - |
+      <!-- markdownlint-disable-line GHD046 --> A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed.
+    - |
+      Administrators can add security key-backed (SK) SSH certificate authorities.
+    - |
+      Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      In the header bar displayed to site administrators, some icons are not available.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the Actions workflow of a repository does not have any suggested workflows.
+    - |
+      Unexpected elements may appear in the UI on the repository overview page for locked repositories.

data/release-notes/enterprise-server/3-16/10.yml

@@ -38,7 +38,7 @@ sections:
       The GitHub system user was not always properly set on startup, occasionally surfacing in authentication errors or failed secret scanning jobs in logs.
   changes:
     - |
-      Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
+      <!-- markdownlint-disable-line GHD046 --> Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
     - |
       Logging of configuration runs is improved with streamlined logging for different configuration phases. Phase-specific logs are written to both the main log file (`ghe-config.log`) and the console for better visibility.
   known_issues:

data/release-notes/enterprise-server/3-16/11.yml

@@ -0,0 +1,76 @@
+date: '2025-12-02'
+sections:
+  security_fixes:
+    - |
+      **HIGH:** A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability has been assigned [CVE-2025-11578](https://nvd.nist.gov/vuln/detail/CVE-2025-11578) and was reported through the GitHub Bug Bounty program.
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      Administrators may have experienced delays with configuration runs after a reboot if `ghe-reconfigure.service` was still activating, impacting run performance and stability.
+    - |
+      On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
+    - |
+      <!-- markdownlint-disable-line GHD046 --> New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation.
+    - |
+      Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
+    - |
+      An "Invite member" button intended only for GitHub.com was displayed on the enterprise "People" tab.
+    - |
+      When a pull request was closed and reopened, the `merge` ref was not recreated.
+    - |
+      Administrators who had upgraded to the previous patch release may have observed a significant increase in executions of the `SecurityOverviewAnalytics::UpdateFeatureStatusSummaryJob` job, causing background job queue saturation, service delays, reduced stability, and lower performance for environments using security overview analytics.
+    - |
+      Link previews did not appear in Slack conversations when messages were delivered through socket mode, affecting the visibility of linked GitHub content.
+    - |
+      Users who accessed GitHub Enterprise Server with Chromium-based browsers experienced slow logout performance.
+    - |
+      Audit log searches could temporarily miss recent events or show incomplete results right after new index creation at the start of a month. Administrators now experience reduced lag between the creation of monthly audit log search indexes and their availability for searches and write operations.
+    - |
+      When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
+  changes:
+    - |
+      <!-- markdownlint-disable-line GHD046 --> A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed.
+    - |
+      Administrators can add security key-backed (SK) SSH certificate authorities.
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      In a cluster, the host running restore requires access the storage nodes via their private IPs.
+    - |
+      On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the Actions workflow of a repository does not have any suggested workflows.
+    - |
+      Unexpected elements may appear in the UI on the repository overview page for locked repositories.

data/release-notes/enterprise-server/3-17/7.yml

@@ -46,7 +46,7 @@ sections:
       In rare cases, inconsistent data could lead to a panic in the code scanning service, causing it to restart and become unavailable for a few seconds. This could cause HTTP 500 errors when interacting with the code scanning API or in parts of the UI.
   changes:
     - |
-      Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
+      <!-- markdownlint-disable-line GHD046 --> Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
     - |
       Logging of configuration runs is improved with streamlined logging for different configuration phases. Phase-specific logs are written to both the main log file (`ghe-config.log`) and the console for better visibility.
   known_issues:

data/release-notes/enterprise-server/3-17/8.yml

@@ -0,0 +1,84 @@
+date: '2025-12-02'
+sections:
+  security_fixes:
+    - |
+      **HIGH:** A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability has been assigned [CVE-2025-11578](https://nvd.nist.gov/vuln/detail/CVE-2025-11578) and was reported through the GitHub Bug Bounty program.
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      Administrators may have experienced delays with configuration runs after a reboot if `ghe-reconfigure.service` was still activating, impacting run performance and stability.
+    - |
+      On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
+    - |
+      <!-- markdownlint-disable-line GHD046 --> New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation.
+    - |
+      Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
+    - |
+      Teams granted all-repository organization roles could not be requested as reviewers in pull requests.
+    - |
+      GraphQL queries using fine-grained tokens returned empty fields for organization members' public email addresses, while classic tokens provided expected results. All queries now receive that information, resolving inconsistency for integrations and reporting workflows that depend on member email data.
+    - |
+      Organization creation would fail with a 500 error when the system attempted to verify CAPTCHA responses even when no CAPTCHA challenge was presented to the user.
+    - |
+      An "Invite member" button intended only for GitHub.com was displayed on the enterprise "People" tab.
+    - |
+      Administrators who had upgraded to the previous patch release may have observed a significant increase in executions of the `SecurityOverviewAnalytics::UpdateFeatureStatusSummaryJob` job, causing background job queue saturation, service delays, reduced stability, and lower performance for environments using security overview analytics.
+    - |
+      Link previews did not appear in Slack conversations when messages were delivered through socket mode, affecting the visibility of linked GitHub content.
+    - |
+      Users who accessed GitHub Enterprise Server with Chromium-based browsers experienced slow logout performance.
+    - |
+      Audit log searches could temporarily miss recent events or show incomplete results right after new index creation at the start of a month. Administrators now experience reduced lag between the creation of monthly audit log search indexes and their availability for searches and write operations.
+    - |
+      When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
+  changes:
+    - |
+      <!-- markdownlint-disable-line GHD046 --> A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed.
+    - |
+      Administrators can add security key-backed (SK) SSH certificate authorities.
+    - |
+      Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      In a cluster, the host running restore requires access the storage nodes via their private IPs.
+    - |
+      On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the Actions workflow of a repository does not have any suggested workflows.
+    - |
+      Unexpected elements may appear in the UI on the repo overview page for locked repositories.
+    - |
+      When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.

data/release-notes/enterprise-server/3-18/1.yml

@@ -44,7 +44,7 @@ sections:
       The GitHub system user was not always properly set on startup, occasionally surfacing in authentication errors or failed secret scanning jobs in logs.
   changes:
     - |
-      Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
+      <!-- markdownlint-disable-line GHD046 --> Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
     - |
       Logging of configuration runs is improved with streamlined logging for different configuration phases. Phase-specific logs are written to both the main log file (`ghe-config.log`) and the console for better visibility.
     - |

data/release-notes/enterprise-server/3-18/2.yml

@@ -0,0 +1,92 @@
+date: '2025-12-02'
+sections:
+  security_fixes:
+    - |
+      **HIGH:** A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability has been assigned [CVE-2025-11578](https://nvd.nist.gov/vuln/detail/CVE-2025-11578) and was reported through the GitHub Bug Bounty program.
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      Administrators may have experienced delays with configuration runs after a reboot if `ghe-reconfigure.service` was still activating, impacting run performance and stability.
+    - |
+      After an administrator clicked the "Clear Dependencies" button in the dependency graph section of the site admin dashboard, dependencies were not deleted as expected.
+    - |
+      On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
+    - |
+      <!-- markdownlint-disable-line GHD046 --> New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation.
+    - |
+      Administrators running the `ghe-repl-decommission` script received an error.
+    - |
+      Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
+    - |
+      Some instances were blocked from upgrading to GitHub Enterprise Server 3.18.1 because of an issue with concurrent execution of certain database migrations.
+    - |
+      Teams granted all-repository organization roles could not be requested as reviewers in pull requests.
+    - |
+      An "Invite member" button intended only for GitHub.com was displayed on the enterprise "People" tab.
+    - |
+      Administrators who had upgraded to the previous patch release may have observed a significant increase in executions of the `SecurityOverviewAnalytics::UpdateFeatureStatusSummaryJob`, causing background job queue saturation, service delays, reduced stability, and lower performance for environments using security overview analytics.
+    - |
+      Link previews did not appear in Slack conversations when messages were delivered through socket mode, affecting the visibility of linked GitHub content.
+    - |
+      Users who accessed GitHub Enterprise Server with Chromium-based browsers experienced slow logout performance.
+    - |
+      Audit log searches could temporarily miss recent events or show incomplete results right after new index creation at the start of a month. Administrators now experience reduced lag between the creation of monthly audit log search indexes and their availability for searches and write operations.
+    - |
+      When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
+  changes:
+    - |
+      Site administrators can monitor NUMA (Non-Uniform Memory Access) performance metrics using newly enabled collectors in `node_exporter` and dedicated Grafana dashboard panels.
+    - |
+      Site administrators configuring server monitoring using OpenTelemetry metrics will see improvements and adjustments to the metrics and monitoring options. The changes focus on better security, enhanced observability, and improved configuration consistency in multi-node deployments. In addition, it is easier to export Grafana dashboards and import them into your own environments.
+    - |
+      Administrators can add security key-backed (SK) SSH certificate authorities.
+    - |
+      Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. See "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      In a cluster, the host running restore requires access the storage nodes via their private IPs.
+    - |
+      On an instance hosted on Azure, commenting on an issue via email means the comment is not added to the issue.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the Actions workflow of a repository does not have any suggested workflows.
+    - |
+      Unexpected elements may appear in the UI on the repository overview page for locked repositories.
+    - |
+      When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.
+    - |
+      The setting to define private registries at the organization level for code scanning is only available if Dependabot is also enabled for the instance.
+    - |
+      Custom Network Time Protocol (NTP) settings are removed during the upgrade process.

data/release-notes/enterprise-server/3-19/0-rc1.yml

@@ -0,0 +1,254 @@
+date: '2025-12-02'
+release_candidate: true
+deprecated: false
+intro: |
+  > [!NOTE] Release candidate (RC) builds are intended solely for use in a test environment. Do not install an RC in a production environment.
+  >
+  > Do not upgrade to an RC from a supported, earlier version.
+  >
+  > If {% data variables.location.product_location %} is running an RC, you cannot upgrade to the general availability (GA) release. You also cannot upgrade with a hotpatch.
+
+  For upgrade instructions, see [AUTOTITLE](/admin/upgrading-your-instance/preparing-to-upgrade/overview-of-the-upgrade-process).
+sections:
+  # Remove section heading if the section contains no notes.
+
+  features:
+    # Remove a sub-section heading if the heading contains no notes. If sections
+    # that regularly recur are missing, add placeholders to this template.
+
+    - heading: Instance services
+      notes:
+        #
+        - |
+          You can configure which SSH and TLS ciphers are used on your instance. You can view the default ciphers and select preferred ones, providing you flexibility and ability to exclude weak ciphers.
+        # https://github.com/github/releases/issues/6908
+        - |
+          Starting 3.19, new installations of GHES will have OpenTelemetry metrics enabled and Collectd metrics disabled by default. You have the option to toggle between the two. Upgraded instances will retain their current settings. In about two to three releases, OpenTelemetry metrics will become the only supported metrics. To learn about OTel metrics, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics).
+
+    - heading: Migrations
+      notes:
+        # https://github.com/github/releases/issues/6385
+        - |
+          Administrators must update network allowlists with the new IP address ranges for GitHub Enterprise Importer migrations. Without this configuration, migration operations will fail due to blocked connectivity between environments.
+
+    - heading: APIs
+      notes:
+        # https://github.com/github/releases/issues/4653
+        - |
+          You can install GitHub Apps on the enterprise account and use them to manage your enterprise. Enterprise-installed GitHub Apps have access to a new set of permissions:
+
+          * Managing GitHub App installations across the enterprise
+          * SCIM provisioning and SSO management
+          * Custom repository properties
+          * Custom organization roles owned by the enterprise
+          * Enterprise people management
+
+          Managing GitHub Apps across the enterprise allows you to programmatically audit, install, and uninstall GitHub Apps for all of the organizations in your enterprise using a single token. This high-powered permission enables better organization management at scale.
+        # https://github.com/github/releases/issues/6053
+        - |
+          Users can be made application managers of GitHub Apps owned by the enterprise. App Managers can update the application registration but do not have the ability to manage application installations.
+
+          The app manager feature has also been updated to use the roles platform, which means that organization teams can be made app managers of individual organization-owned apps, and a new Organization App Manager role can be assigned to teams and users to give them access to _all_ of the apps owned by an organization. For more information, see [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).
+
+    - heading: GitHub Advanced Security
+      notes:
+        # https://github.com/github/releases/issues/5007
+        - |
+          Administrators can delegate code scanning alert dismissal to repository users. This enables responsible users to manage security findings and streamline remediation directly from the repository. The delegated alert dismissal feature is now generally available. For more information, see [the changelog](https://github.blog/changelog/2025-07-01-delegated-alert-dismissal-for-code-scanning-is-now-generally-available/)
+        # https://github.com/github/releases/issues/5327
+        - |
+          Administrators and security teams can now choose between default and advanced CodeQL setups for code scanning. The advanced setup allows for custom queries and more granular configuration, while the default setup offers a simplified workflow for standard security analysis. For more information, see [the changelog](https://github.blog/changelog/2025-07-15-security-configurations-support-for-running-codeql-in-either-default-or-advanced-setup/)
+        # https://github.com/github/releases/issues/6181
+        - |
+          The REST API for secret scanning now returns `first_location_detected` and `has_more_locations` fields in its responses.
+        # https://github.com/github/releases/issues/5332
+        - |
+          Administrators can specify which secret scanning patterns are included in push protection to enhance control over exposure prevention workflows. This update allows finer-tuning of push protected secrets.
+        # https://github.com/github/releases/issues/6436
+        - |
+         Organization and security admins can now run a free scan to understand how their repositories are affected by secret leaks and exposures. These secret risk assessments can be run at the organization level from the `Security` tab.
+        # https://github.com/github/releases/issues/6232
+        - |
+          When uploading analysis results for code scanning using SARIF files, each run in a multi-run SARIF file is now processed as a separate scan. Previously, multiple runs in one SARIF file were combined into a single scan, which could cause confusion in results and reporting. For more information, see [the changelog](https://github.blog/changelog/2025-07-21-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file/).
+        # https://github.com/github/releases/issues/6435
+        - |
+          GitHub secret scanning now detects and alerts you on secrets found in GitHub wikis, in addition to previously supported locations, including GitHub issues, pull requests, and discussions.
+
+          Secrets, like API keys, passwords, and tokens, can hide in many places. If these leaks aren't managed correctly, each one of them could pose a substantial risk. To help protect you from leaked secrets, anywhere within your GitHub perimeter, GitHub provides visibility across all major surfaces for hundreds of supported token formats.
+        - |
+          This release comes installed with version 2.22.4 of the CodeQL CLI, used in the CodeQL action for code scanning. Significant updates since the default version installed on GitHub Enterprise Server 3.18 include:
+            * Users can analyze Go codebases more comprehensively, as CodeQL 2.22.0 improves coverage for Go. The release extends support for Go's generics and enhances the precision of dataflow analysis, enabling identification of vulnerabilities and defects in a wider variety of Go code patterns.
+            * Users working with Swift can analyze projects using Swift 6.1.2, with CodeQL now supporting this version. This enhancement enables security and quality analyses for organizations adopting the latest Swift updates.
+            * Users can now analyze Rust projects using CodeQL, with Rust support available in public preview. Organizations developing in Rust can begin early adoption of vulnerability detection and quality analyses in this language. Rust support is subject to change as feedback is gathered during the preview period.
+            * Users analyzing Go codebases can scan projects built with Go 1.25, as CodeQL adds support for this new Go release.
+            * View more in the changelogs for versions [CodeQL 2.22.0](https://github.blog/changelog/2025-06-12-codeql-2-22-0-improves-coverage-for-go-and-adds-support-for-swift-6-1-2/), [CodeQL 2.22.1](https://github.blog/changelog/2025-07-03-codeql-2-22-1-bring-rust-support-to-public-preview/), and [CodeQL 2.22.4](https://github.blog/changelog/2025-09-03-codeql-2-22-4-adds-support-for-go-1-25-and-accuracy-improvements/).
+
+
+    - heading: Dependabot
+      notes:
+        # https://github.com/github/releases/issues/5745
+        - |
+          Administrators and security teams can prioritize security fixes using the new Dependabot metrics page. The page provides insights on open vulnerable dependencies and other metrics to inform vulnerability management. This feature is now generally available for GitHub Advanced Security customers.
+        # https://github.com/github/releases/issues/5979
+        - |
+          Administrators and security teams can use the new Dependabot metrics page to prioritize remediation efforts. The page displays summary metrics and detailed insights to help track code security status over time.
+        # https://github.com/github/releases/issues/6156
+        - |
+          Dependabot now supports Gradle lockfiles in GHES, enabling users to keep dependencies up to date and improve supply chain security by automatically creating pull requests when newer versions are detected. This helps maintainers ensure project stability and security when managing Gradle projects.
+        # https://github.com/github/releases/issues/5454
+        - |
+          Administrators can optionally configure Dependabot to wait for a package to reach a specified minimum age before updating dependencies in their `dependabot.yml` files.
+        # https://github.com/github/releases/issues/6149
+        - |
+          Administrators can configure Dependabot in the dependabot.yml file to create a single pull request that updates dependencies across multiple package ecosystems within a repository.
+        # https://github.com/github/releases/issues/5747
+        - |
+          Administrators can centrally manage configurations for private registries used by Dependabot. This allows for streamlined setup and maintenance of registry credentials, improving the workflow for managing dependencies securely across the organization.
+        # https://github.com/github/releases/issues/6400
+        - |
+          Users can keep vcpkg dependencies up to date with Dependabot version updates. For more information, see the [changelog](https://github.blog/changelog/2025-08-12-dependabot-version-updates-now-support-vcpkg/).
+        # https://github.com/github/releases/issues/6401
+        - |
+          Administrators and users can automate version updates for Rust toolchain dependencies using Dependabot. This enhancement streamlines the process of keeping Rust environments up to date and secure, reducing manual overhead for dependency management. For details, see the [changelog](https://github.blog/changelog/2025-08-19-dependabot-now-supports-rust-toolchain-updates/).
+        # https://github.com/github/releases/issues/6480
+        - |
+          Administrators and repository maintainers can now configure Dependabot to exclude automatic pull requests for dependency manifests located in selected subdirectories. This update helps users manage updates more flexibly and avoid unnecessary PRs for specific project paths. For more information, see the [changelog](https://github.blog/changelog/2025-08-26-dependabot-can-now-exclude-automatic-pull-requests-for-manifests-in-selected-subdirectories/).
+        # https://github.com/github/releases/issues/6264
+        - |
+          You can now choose a "Not set" option for GitHub Code Security features in your organization's security configurations. Previously, you could only enable or disable features like code scanning and Dependabot at the organization level. With the new "Not set" option, you can enforce some security settings (such as secret scanning) while letting repository administrators decide whether to enable GitHub Code Security features on their repositories.
+
+          This update gives organizations more flexibility in managing security requirements and helps repository administrators tailor their security setup to their specific needs.
+
+          To learn more about configuring security settings at the organization level, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
+        # https://github.com/github/releases/issues/6381
+        - |
+          Administrators can configure expanded cooldown windows for Dependabot alerts, allowing more flexible alert suppression during periods of high activity. Additionally, Dependabot now supports additional package managers, simplifying workflows for enterprises using diverse ecosystems. For the full list, see [AUTOTITLE](/enterprise-server@3.19/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories).
+        # https://github.com/github/releases/issues/6351
+        - |
+          Administrators and repository owners can manage Dependabot alerts using batched updates for dependencies. This feature reduces alert noise by grouping related alerts and allowing simultaneous remediation, streamlining workflow and improving oversight for security and maintenance.
+
+    - heading: GitHub Actions
+      notes:
+        # Required Actions Runner version
+        - |
+          {% data reusables.actions.actions-runner-release-note %}
+        # https://github.com/github/releases/issues/4277
+        - |
+          Enterprise administrators can assign fine-grained permissions for GitHub Actions through custom repository roles. This update enables precise control over workflow access, improving security and flexibility for automation management in repositories.
+        #
+        - |
+          Administrators can enforce policies to block specific actions and require SHA-based pinning when workflows use actions from public repositories. These policies help improve security for workflows by ensuring only approved actions are used and referenced by immutable SHAs.
+
+    - heading: Community experience
+      notes:
+        # https://github.com/github/releases/issues/6393
+        - |
+          Users can view a repository's contributing guidelines directly from both the repository's main tab and the sidebar. This feature makes it easier for contributors to find and follow project-specific contribution instructions, supporting a more accessible and collaborative workflow.
+
+    - heading: Organizations
+      notes:
+        # https://github.com/github/releases/issues/6098
+        - |
+          Enterprise administrators can create custom organization roles that are available in every organization in the enterprise, setting a standard set of roles for your organization owners to assign. These roles cannot be edited by organization owners.
+
+          As part of this update, the number of custom roles that can be created in enterprises and organizations has been raised to 20 per role type and owner. This means that an organization owner can have up to 40 custom roles to pick from.
+
+    - heading: Repositories
+      notes:
+        # https://github.com/github/releases/issues/5128
+        - |
+          Enterprise administrators can manage rules more efficiently with the general availability of ruleset history, import, and export. Ruleset history allows tracking and rolling back changes, while import and export simplify sharing and reusing rulesets, including [GitHub's ruleset-recipes](https://github.com/github/ruleset-recipes).
+
+    - heading: Issues
+      notes:
+        # https://github.com/github/releases/issues/6233
+        - |
+          Users can duplicate issues to any repository with a Duplicate issue action in the sidebar. The new form prepopulates title, description, assignees, labels, type, projects, and milestone, helping reuse formats, split large tasks, and create variants across repositories. Edit details before creation to tailor scope.
+        # https://github.com/github/releases/issues/6290
+        - |
+          Users can attach a wider range of code, data, document, image, audio, and log files in issues, pull requests, discussions, and comments: .py .yaml .yml .css .xml .html .htm .js .sql .java .c .cpp .sh .php .ts .tsx .cs .ipynb .pdb .xlsm .tsv .drawio .bin .rtf .doc .debug .msg .eml .copilotmd .bmp .tif .tiff .mp3 and .wav.
+
+    - heading: Commits
+      notes:
+        # https://github.com/github/releases/issues/4321
+        - |
+          Users benefit from a refreshed commit details page that enhances code review and navigation. The improved experience displays comment counts directly in the file tree, enables seamless switching between unified and split views, and introduces settings for line height and minimizing comments shown in diffs.
+
+    - heading: Pull requests
+      notes:
+        # https://github.com/github/releases/issues/6195
+        - |
+          The improved "Files changed" experience for pull requests introduces a streamlined interface with enhanced navigation and filtering options, making it easier to review and manage changes. This feature is in public preview and subject to change.
+        # https://github.com/github/releases/issues/6257
+        - |
+          Pull request search in the web interface and via GraphQL and REST APIs now uses Elasticsearch as its dedicated backend, matching the existing issues search infrastructure. This update improves reliability and helps prevent timeouts when searching for pull requests in large repositories.
+
+    - heading: Accessibility
+      notes:
+        # https://github.com/github/releases/issues/6281
+        - |
+          Improved accessibility for pull request reviewer status indicators. Users with assistive technologies can more easily identify reviewer status, supporting a more inclusive code review experience across pull requests. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews#about-pull-request-reviews).
+
+  changes:
+        # https://github.com/github/releases/issues/6326
+        - |
+          The code viewer and editor consistently respect each user's defined tab width preference across files and sessions. Previously, tab width settings could be inconsistently applied, causing code to display with unexpected indentation. This update ensures a uniform code viewing experience.
+        # https://github.com/github/releases/issues/6398
+        - |
+          The default tab size for code rendering is now set to 4 spaces instead of 8. This change provides a more consistent and readable display for code across the platform, aligning with common coding standards and improving the experience for developers who view or review code.
+        # https://github.com/github/releases/issues/6420
+        - |
+          Email notifications for issues and pull requests include additional headers to improve filtering and organization in email clients. These new custom headers give users and administrators more options for managing and sorting notification emails.
+        # https://github.com/github/releases/issues/6385
+        - |
+          Enterprises using IP allowlists should verify and update their network settings to include the newly required IP ranges for importer migrations. Failure to allow these addresses prevents successful migrations.
+
+  known_issues:
+    # INCLUDE NOTES FOR RELEASE FROM "GHES Release Note Tracking" PROJECT'S "Known Issues" TAB
+    - |
+      **Note:** This list is not complete. Any new known issues that are identified for the 3.19 release will be added between now and the general availability release.
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      In a cluster, the host running restore requires access the storage nodes via their private IPs.
+    - |
+      On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
+    - |
+      After a restore, existing outside collaborators are unable to be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
+    - |
+      When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.
+    - |
+      Users may see a mismatch between repository-level Dependabot alerts and the overall Security Risk dashboard metrics. This can be resolved by reloading the page.
+    - |
+      The setting to define private registries at the organization level for code scanning is only available if dependabot is also enabled for the instance.
+
+  closing_down:
+    # https://github.com/github/releases/issues/7007
+    - |
+      As announced in [this previous blog post](https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/), GitHub will stop supporting basic authentication to APIs using a username and password in the coming versions of GHES. Instead of using password authentication, [create a {% data variables.product.pat_generic %}]((/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) in limited situations like testing. You should authenticate apps in production by using the web applications flow. For more information, see [AUTOTITLE](/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps)
+    # https://github.com/github/releases/issues/5771
+    - |
+      The "reviewers" configuration option for Dependabot pull requests is retired. Reviewers are now determined by repository CODEOWNERS files. If your workflow depended on the "reviewers" option, update your automation to use CODEOWNERS for assigning pull request reviewers.
+    # https://github.com/github/releases/issues/6651
+    - |
+      Starting 3.21, networking-related syscalls will be disabled by default in the pre-receive hook environment. For enhanced security, hook environments will be placed in dedicated network namespaces. You will be able to override the default setting by setting pre-receive-hook-networking to enabled. As an alternative to many pre-receive hooks, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#push-rulesets).

data/reusables/billing/access-billing-sidebar.md

@@ -0,0 +1 @@
+1. In the "Access" section of the sidebar, click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing and licensing**.

data/reusables/billing/access-org-or-ent-page.md

@@ -0,0 +1,3 @@
+1. Click **{% octicon "credit-card" aria-hidden="true" aria-label="credit-card" %} Billing & Licensing** to display the billing and licensing overview for the account:
+   * **Organization** accounts: under "Access" in the sidebar for settings.
+   * **Enterprise** accounts: a separate tab at the top of the page.

data/reusables/billing/azure-accept-permissions.md

@@ -0,0 +1 @@
+1. Review the "Permissions requested" prompt. If you agree with the terms, click **Accept**.

data/reusables/billing/azure-select-subscription.md

@@ -0,0 +1 @@
+1. Under "Select a subscription", select the Azure Subscription ID that you want to connect to your account.

data/reusables/billing/budget-create-button.md

@@ -0,0 +1 @@
+1. Click **Create budget**.

data/reusables/billing/click-licensing.md

@@ -0,0 +1 @@
+1. From the list of "Billing & licensing" pages, click **Licensing**.

data/reusables/billing/click-payment-info.md

@@ -0,0 +1 @@
+1. From the list of "Billing & licensing" pages, click **Payment information**.

data/reusables/billing/client-billing-yearly.md

@@ -0,0 +1 @@
+1. Under "How often do you want to be billed?", select **Pay yearly**.

data/reusables/billing/cost-center-click-new.md

@@ -0,0 +1,2 @@
+1. Click **Cost centers**.
+1. Click **New cost center** in the upper-right corner.

data/reusables/billing/cost-center-create-button.md

@@ -0,0 +1 @@
+1. Click **Create cost center**.

data/reusables/billing/enterprise-create-button.md

@@ -0,0 +1 @@
+1. Click **Create your enterprise**.

data/reusables/billing/ghas-site-admin-committers.md

@@ -0,0 +1,2 @@
+1. In the upper-right corner of any page, click {% octicon "rocket" aria-label="Site admin" %} to display the "Site admin" pages.
+1. In the left sidebar, click **Advanced Security Committers**. If this option is not displayed, at the top of the page, click {% octicon "rocket" aria-hidden="true" aria-label="Site admin" %} **Site admin** to show the top-level "Site admin" page.

data/reusables/billing/marketplace-find-app-downgrade.md

@@ -0,0 +1,3 @@
+1. In the "Marketplace apps" tab, find the app you want to downgrade.
+1. Next to the organization where you want to downgrade the app, select **{% octicon "kebab-horizontal" aria-label="More" %}** and then click **Change plan**.
+1. Select the **Edit your plan** dropdown and click an account's plan to edit.

data/reusables/billing/marketplace-find-app-upgrade.md

@@ -0,0 +1,3 @@
+1. In the "Marketplace apps" tab, find the app you want to upgrade.
+1. Next to the organization where you want to upgrade the app, select **{% octicon "kebab-horizontal" aria-label="More" %}** and then click **Change plan**.
+1. Select the **Edit your plan** dropdown and click an account's plan to edit.

data/reusables/billing/nav-to-ent.md

@@ -0,0 +1 @@
+1. Navigate to your enterprise. For example, from [https://github.com/settings/enterprises](https://github.com/settings/enterprises?ref_product=ghec&ref_type=engagement&ref_style=text).

data/reusables/billing/nav-to-org-or-ent.md

@@ -0,0 +1 @@
+1. Navigate to your organization or enterprise. For example, from [https://github.com/settings/organizations](https://github.com/settings/organizations?ref_product=github&ref_type=engagement&ref_style=text) or [https://github.com/settings/enterprises](https://github.com/settings/enterprises?ref_product=ghec&ref_type=engagement&ref_style=text).

data/reusables/copilot/coding-agent-emu-limitation.md

@@ -1,3 +1,3 @@
-{% data variables.copilot.copilot_coding_agent %} is not available in personal repositories owned by {% data variables.enterprise.prodname_managed_users %}. This is because {% data variables.copilot.copilot_coding_agent %} runs on {% data variables.product.company_short %}-hosted runners, which are not available to repositories owned by {% data variables.enterprise.prodname_managed_users %}. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners).
+{% data variables.copilot.copilot_coding_agent %} is not available in personal repositories owned by {% data variables.enterprise.prodname_managed_users %}. This is because {% data variables.copilot.copilot_coding_agent %} runs on {% data variables.product.company_short %}-hosted runners, which are not available to personal repositories owned by {% data variables.enterprise.prodname_managed_users %}. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners).
 
 <!--If you update this text, you may also need to update "Limitations in Copilot's compatibility with other features" in https://docs.github.com/en/copilot/using-github-copilot/coding-agent/about-assigning-tasks-to-copilot  -->

data/reusables/copilot/prompt-files-available-in-editors.md

@@ -1 +1 @@
-Prompt files are only available in {% data variables.product.prodname_vscode_shortname %} and JetBrains IDEs.
+Prompt files are only available in {% data variables.product.prodname_vscode_shortname %}, {% data variables.product.prodname_vs %}, and JetBrains IDEs.

data/reusables/copilot/prompt-files-preview-note.md

@@ -1,3 +1,3 @@
 > [!NOTE]
-> * {% data variables.product.prodname_copilot_short %} prompt files are in {% data variables.release-phases.public_preview %} and subject to change. {% data reusables.copilot.prompt-files-available-in-editors %} See [AUTOTITLE](/copilot/concepts/prompting/response-customization?tool=vscode#about-prompt-files).
+> * {% data variables.product.prodname_copilot_short %} prompt files are in {% data variables.release-phases.public_preview %} and subject to change. {% data reusables.copilot.prompt-files-available-in-editors %} See [AUTOTITLE](/copilot/concepts/prompting/response-customization#about-prompt-files).
 > * For community-contributed examples of prompt files for specific languages and scenarios, see the [Awesome GitHub Copilot Customizations](https://github.com/github/awesome-copilot/blob/main/docs/README.prompts.md) repository.

data/reusables/copilot/repository-custom-instructions-support.md

@@ -6,7 +6,7 @@ The following table shows which {% data variables.product.prodname_copilot_short
 
 | | Eclipse | JetBrains IDEs | {% data variables.product.prodname_vs %} | {% data variables.product.prodname_vscode_shortname %} | {% data variables.product.prodname_dotcom_the_website %} | Xcode |
 | --- | --- | --- | --- | --- | --- | --- |
-| {% data variables.copilot.copilot_chat_short %} | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>3</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> |
+| {% data variables.copilot.copilot_chat_short %} | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>2</sup> | {% octicon "check" aria-label="Included" %} <sup>3</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> |
 | {% data variables.copilot.copilot_coding_agent %} | N/A | N/A | N/A | {% octicon "check" aria-label="Included" %} <sup>4</sup> | {% octicon "check" aria-label="Included" %} <sup>4</sup> | N/A |
 | {% data variables.copilot.copilot_code-review_short %} | N/A | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>1</sup> | {% octicon "check" aria-label="Included" %} <sup>2</sup> | {% octicon "x" aria-label="Not included" %} |
 

data/reusables/dependabot/supported-package-managers.md

@@ -2,6 +2,9 @@
 
 Package manager | YAML value      | Supported versions | Version updates | Security updates | Private repositories | Private registries | Vendoring |
 ---------------|------------------|------------------|:---:|:---:|:---:|:---:|:---:|
+| {% ifversion dependabot-bazel-support %} |
+Bazel | `bazel`         | v7, v8, v9              | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
+| {% endif %} |
 | {% ifversion dependabot-bun-support %} |
 [Bun](#bun) | `bun`         | >=v1.1.39               | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
 | {% endif %} |

data/reusables/dependency-graph/supported-package-ecosystems.md

@@ -1,5 +1,8 @@
 | Package manager | Languages | Static transitive dependencies | Automatic dependency submission | Recommended files | Additional files |
 | --- | --- | --- | --- | --- | ---|
+| {% ifversion dependabot-bazel-support %} |
+| Bazel | Starlark | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `MODULE.bazel`, `WORKSPACE` | `MODULE.bazel.lock`, `maven_install.json`, `*.MODULE.bazel` |
+| {% endif %} |
 | Cargo | Rust | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `Cargo.lock` | `Cargo.toml` |
 | Composer             | PHP           | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `composer.lock` | `composer.json` |
 | NuGet | .NET languages (C#, F#, VB), C++  | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `packages.config` |

data/reusables/repositories/request-changes-tips.md

@@ -2,8 +2,8 @@
 > * The **Request changes** option is purely informational and will not prevent merging unless a ruleset or classic branch protection rule is configured with the "require a pull request" option. If configured and a collaborator with `admin`, `owner`, or `write` access to the repository submits a review requesting changes, the pull request cannot be merged until the same collaborator submits another review approving the changes in the pull request.
 > * Repository owners and administrators can merge a pull request even if it hasn't received an approving review, or if a reviewer who requested changes has left the organization or is unavailable.
 > * If both required reviews and stale review dismissal are enabled and a code-modifying commit is pushed to the branch of an approved pull request, the approval is dismissed. The pull request must be reviewed and approved again before it can be merged.
-> * When several open pull requests each have a head branch pointing to the same commit, you won’t be able to merge them if one or both have a pending or rejected review.
+> * When several open pull requests each have a head branch pointing to the same commit, you won’t be able to merge them if one or both have a pending or rejected review. {% ifversion fpt or ghec or ghes > 3.18 %}
 > * If your repository requires approving reviews from people with write or admin permissions, the reviewers sidebar groups approvals by permission level. Approvals can appear in two sections:
 >     * The **top section** mostly contains approvals from people with write or admin permissions that count toward merge requirements. Approvals by {% data variables.product.prodname_copilot %} also appear in this section even though {% data variables.product.prodname_copilot %} reviews do not count toward those requirements.
->     * The **collapsible section (if present)** shows approvals from reviewers whose reviews do not affect whether the pull request can be merged.
+>     * The **collapsible section (if present)** shows approvals from reviewers whose reviews do not affect whether the pull request can be merged. {% endif %}
 > * Pull request authors cannot approve their own pull requests.{% ifversion copilot %} You will also not be able to approve a pull request that was raised by {% data variables.product.prodname_copilot %} if it was you who assigned {% data variables.product.prodname_copilot_short %} to the issue to which the pull request relates.{% endif %}

data/reusables/support/premium-support-features.md

@@ -8,7 +8,7 @@ In addition to all of the benefits of {% data variables.contact.enterprise_suppo
 * Access to premium content
 * Health checks
 {%- ifversion ghes %}
-* Crisis prevention: Guided incident simulations that help you prepare for—and experience—an incident without risk. ({% data variables.product.premium_plus_support_plan %} only)
+* Crisis prevention: Guided incident simulations that help you prepare for—and experience—an incident without risk. ({% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %} only)
 {%- endif %}
-* Application upgrade assistance: Before your upgrade, we review your upgrade plans, playbooks, and other documentation and answer questions specific to your environment ({% data variables.product.premium_plus_support_plan %} only)
-* Technical advisory hours ({% data variables.product.premium_plus_support_plan %} only)
+* Application upgrade assistance: Before your upgrade, we review your upgrade plans, playbooks, and other documentation and answer questions specific to your environment ({% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %} only)
+* Technical advisory hours ({% data variables.product.premium_plus_support_plan %} / {% data variables.product.microsoft_premium_plus_support_plan %} only)

data/reusables/support/submit-a-ticket.md

@@ -9,7 +9,7 @@
 1. Select the **Select personal account, enterprise account or organization** dropdown menu and click the name of the account your support ticket is regarding.
 
    > [!NOTE]
-   > * For Premium, Premium Plus, or Engineering Direct support, you need to choose an enterprise account with a {% data variables.contact.premium_support %} plan. If you don't see an Enterprises section in the dropdown menu, you're not entitled to open support tickets on behalf of an enterprise account. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-support#about-support-entitlement)
+   > * For {% data variables.product.premium_support_plan %}, {% data variables.product.premium_plus_support_plan %}, or {% data variables.product.microsoft_premium_plus_support_plan %} support, you need to choose an enterprise account with a {% data variables.contact.premium_support %} plan. If you don't see an Enterprises section in the dropdown menu, you're not entitled to open support tickets on behalf of an enterprise account. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-support#about-support-entitlement)
    > * To see a list of your enterprise accounts with a {% data variables.contact.premium_support %} plan, you must be signed into the {% data variables.contact.enterprise_portal %}. For more information, see [AUTOTITLE](/support/contacting-github-support/getting-your-enterprise-started-with-the-github-support-portal).
 
 {% endif %}

data/variables/product.yml

@@ -96,7 +96,7 @@ prodname_codeql_cli: 'CodeQL CLI'
 # CodeQL usually bumps its minor version for each minor version of GHES.
 # Update this whenever a new enterprise version of CodeQL is being prepared.
 codeql_cli_ghes_recommended_version: >-
-  {% ifversion ghes < 3.15 %}2.17.6{% elsif ghes < 3.16 %}2.18.4{% elsif ghes < 3.17 %}2.20.3{% elsif ghes < 3.18 %}2.20.7{% elsif ghes < 3.19 %}2.21.4{% endif %}
+  {% ifversion ghes < 3.15 %}2.17.6{% elsif ghes < 3.16 %}2.18.4{% elsif ghes < 3.17 %}2.20.3{% elsif ghes < 3.18 %}2.20.7{% elsif ghes < 3.19 %}2.21.4{% elsif ghes < 3.20 %}2.22.4{% endif %}
 codeql_cli_version_min_version_create_bundle: '2.17.6'
 # Projects v2
 prodname_projects_v2: 'Projects'
@@ -149,7 +149,7 @@ prodname_unfurls: 'Content Attachments'
 prodname_actions: 'GitHub Actions'
 prodname_actions_runner_controller: 'Actions Runner Controller'
 runner_required_version: >-
-  {% ifversion ghes < 3.15 %}2.317.0{% elsif ghes < 3.16 %}2.319.1{% elsif ghes < 3.17 %}2.321.0{% elsif ghes < 3.18 %}2.322.0{% elsif ghes < 3.19 %}2.324.0{% endif %}
+  {% ifversion ghes < 3.15 %}2.317.0{% elsif ghes < 3.16 %}2.319.1{% elsif ghes < 3.17 %}2.321.0{% elsif ghes < 3.18 %}2.322.0{% elsif ghes < 3.19 %}2.324.0{% elsif ghes < 3.20 %}2.328.0{% endif %}
 
 # GitHub Debug
 prodname_debug: 'GitHub Debug'
@@ -248,8 +248,8 @@ prodname_roadmap_link: 'https://github.com/github/roadmap#github-public-roadmap'
 # GitHub Support plans
 standard_support_plan: 'Standard plan'
 premium_support_plan: 'Premium plan'
-premium_plus_support_plan: 'Premium Plus plan / GitHub Engineering Direct'
-microsoft_premium_plus_support_plan: 'GitHub Engineering Direct'
+premium_plus_support_plan: 'Premium Plus plan'
+microsoft_premium_plus_support_plan: 'Mission Critical Services for GitHub plan'
 support_ticket_priority_urgent: 'Urgent'
 support_ticket_priority_high: 'High'
 support_ticket_priority_normal: 'Normal'

package-lock.json

@@ -38,7 +38,7 @@
         "dereference-json-schema": "^0.2.1",
         "dotenv": "^17.0.1",
         "escape-string-regexp": "5.0.0",
-        "express": "^5.1.0",
+        "express": "^5.2.0",
         "fastest-levenshtein": "1.0.16",
         "file-type": "21.0.0",
         "flat": "^6.0.1",
@@ -65,7 +65,7 @@
         "lowlight": "^3.3.0",
         "markdownlint-rule-helpers": "^0.25.0",
         "mdast-util-from-markdown": "^2.0.2",
-        "mdast-util-to-hast": "^13.2.0",
+        "mdast-util-to-hast": "^13.2.1",
         "mdast-util-to-markdown": "2.1.2",
         "mdast-util-to-string": "^4.0.0",
         "next": "^16.0.1",
@@ -107,7 +107,7 @@
         "@axe-core/playwright": "^4.10.1",
         "@eslint/js": "^9.33.0",
         "@github/markdownlint-github": "^0.6.3",
-        "@graphql-inspector/core": "^6.1.0",
+        "@graphql-inspector/core": "^7.0.3",
         "@graphql-tools/load": "^8.0.19",
         "@octokit/rest": "22.0.0",
         "@playwright/test": "^1.56",
@@ -241,6 +241,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.0.tgz",
       "integrity": "sha512-1LFfa/qnMQvEOAdzlQymH0ulepxbxnCYAKJZfMci/5XJyIHWgEYnDmgnKakbTh7CH2tFQ5O60oYDvns4i9RAIg==",
       "dev": true,
+      "peer": true,
       "dependencies": {
         "@octokit/auth-token": "^4.0.0",
         "@octokit/graphql": "^7.1.0",
@@ -401,7 +402,6 @@
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
       "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
-      "peer": true,
       "dependencies": {
         "@jridgewell/gen-mapping": "^0.3.5",
         "@jridgewell/trace-mapping": "^0.3.24"
@@ -587,7 +587,6 @@
       "version": "7.23.3",
       "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.23.3.tgz",
       "integrity": "sha512-BmR4bWbDIoFJmJ9z2cZ8Gmm2MXgEDgjdWgpKmKWUt54UGFJdlj31ECtbaDvCG/qVdG3AQ1SfpZEs01lUFbzLOQ==",
-      "peer": true,
       "engines": {
         "node": ">=6.9.0"
       }
@@ -625,14 +624,12 @@
     "node_modules/@babel/core/node_modules/convert-source-map": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
-      "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==",
-      "peer": true
+      "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg=="
     },
     "node_modules/@babel/core/node_modules/semver": {
       "version": "6.3.1",
       "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
       "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-      "peer": true,
       "bin": {
         "semver": "bin/semver.js"
       }
@@ -666,7 +663,6 @@
       "version": "7.22.15",
       "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.22.15.tgz",
       "integrity": "sha512-y6EEzULok0Qvz8yyLkCvVX+02ic+By2UdOhylwUOvOn9dvYc9mKICJuuU1n1XBI02YWsNsnrY1kc6DVbjcXbtw==",
-      "peer": true,
       "dependencies": {
         "@babel/compat-data": "^7.22.9",
         "@babel/helper-validator-option": "^7.22.15",
@@ -682,7 +678,6 @@
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
       "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==",
-      "peer": true,
       "dependencies": {
         "yallist": "^3.0.2"
       }
@@ -691,7 +686,6 @@
       "version": "6.3.1",
       "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
       "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-      "peer": true,
       "bin": {
         "semver": "bin/semver.js"
       }
@@ -699,8 +693,7 @@
     "node_modules/@babel/helper-compilation-targets/node_modules/yallist": {
       "version": "3.1.1",
       "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
-      "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==",
-      "peer": true
+      "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="
     },
     "node_modules/@babel/helper-environment-visitor": {
       "version": "7.22.20",
@@ -748,7 +741,6 @@
       "version": "7.23.3",
       "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.23.3.tgz",
       "integrity": "sha512-7bBs4ED9OmswdfDzpz4MpWgSrV7FXlc3zIagvLFjS5H+Mk7Snr21vQ6QwrsoCGMfNC4e4LQPdoULEt4ykz0SRQ==",
-      "peer": true,
       "dependencies": {
         "@babel/helper-environment-visitor": "^7.22.20",
         "@babel/helper-module-imports": "^7.22.15",
@@ -775,7 +767,6 @@
       "version": "7.22.5",
       "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.22.5.tgz",
       "integrity": "sha512-n0H99E/K+Bika3++WNL17POvo4rKWZ7lZEp1Q+fStVbUi8nxPQEBOlTmCOxW/0JsS56SKKQ+ojAe2pHKJHN35w==",
-      "peer": true,
       "dependencies": {
         "@babel/types": "^7.22.5"
       },
@@ -814,7 +805,6 @@
       "version": "7.22.15",
       "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.22.15.tgz",
       "integrity": "sha512-bMn7RmyFjY/mdECUbgn9eoSY4vqvacUnS9i9vGAGttgFWesO6B4CYWA7XlpbWgBt71iv/hfbPlynohStqnu5hA==",
-      "peer": true,
       "engines": {
         "node": ">=6.9.0"
       }
@@ -823,7 +813,6 @@
       "version": "7.26.10",
       "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.26.10.tgz",
       "integrity": "sha512-UPYc3SauzZ3JGgj87GgZ89JVdC5dj0AoetR5Bw6wj4niittNyFh6+eOGonYvJ1ao6B8lEa3Q3klS7ADZ53bc5g==",
-      "peer": true,
       "dependencies": {
         "@babel/template": "^7.26.9",
         "@babel/types": "^7.26.10"
@@ -1744,13 +1733,14 @@
       }
     },
     "node_modules/@graphql-inspector/core": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/@graphql-inspector/core/-/core-6.1.0.tgz",
-      "integrity": "sha512-5/kqD5330duUsfMBfhMc0iVld76JwSKTkKi7aOr1x9MvSnP8p1anQo7BCNZ5VY9+EvWn4njHbkNfdS/lrqsi+A==",
+      "version": "7.0.3",
+      "resolved": "https://registry.npmjs.org/@graphql-inspector/core/-/core-7.0.3.tgz",
+      "integrity": "sha512-85WkFZkC2GjGLTf+PB6L347zJhQLZ7FH5OoMz6EXoacFjd6iQ5Xf/Qdz3Vu1tjLY70ZKj7jddI4GEPompNSkJg==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
         "dependency-graph": "1.0.0",
-        "object-inspect": "1.13.1",
+        "object-inspect": "1.13.2",
         "tslib": "2.6.2"
       },
       "engines": {
@@ -2711,6 +2701,7 @@
       "version": "7.0.2",
       "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.2.tgz",
       "integrity": "sha512-ODsoD39Lq6vR6aBgvjTnA3nZGliknKboc9Gtxr7E4WDNqY24MxANKcuDQSF0jzapvGb3KWOEDrKfve4HoWGK+g==",
+      "peer": true,
       "dependencies": {
         "@octokit/auth-token": "^6.0.0",
         "@octokit/graphql": "^9.0.1",
@@ -3349,6 +3340,7 @@
       "integrity": "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg==",
       "devOptional": true,
       "license": "Apache-2.0",
+      "peer": true,
       "dependencies": {
         "playwright": "1.56.1"
       },
@@ -4160,6 +4152,7 @@
       "integrity": "sha512-wGA0NX93b19/dZC1J18tKWVIYWyyF2ZjT9vin/NRu0qzzvfVzWjs04iq2rQ3H65vCTQYlRqs3YHfY7zjdV+9Kw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@types/body-parser": "*",
         "@types/express-serve-static-core": "^5.0.0",
@@ -4321,6 +4314,7 @@
       "resolved": "https://registry.npmjs.org/@types/react/-/react-18.3.20.tgz",
       "integrity": "sha512-IPaCZN7PShZK/3t6Q87pfTkRm6oLTd4vztyoj+cbHUF1g3FfVb2tFIL79uCRKEfv16AhqDMBywP2VW3KIZUvcg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@types/prop-types": "*",
         "csstype": "^3.0.2"
@@ -4332,6 +4326,7 @@
       "integrity": "sha512-nf22//wEbKXusP6E9pfOCDwFdHAX4u172eaJI4YkDRQEZiorm6KfYnSC2SWLDMVWUOWPERmJnN0ujeAfTBLvrw==",
       "devOptional": true,
       "license": "MIT",
+      "peer": true,
       "peerDependencies": {
         "@types/react": "^18.0.0"
       }
@@ -4502,6 +4497,7 @@
       "integrity": "sha512-pUXGCuHnnKw6PyYq93lLRiZm3vjuslIy7tus1lIQTYVK9bL8XBgJnCWm8a0KcTtHC84Yya1Q6rtll+duSMj0dg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.39.1",
         "@typescript-eslint/types": "8.39.1",
@@ -5147,6 +5143,7 @@
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -5176,6 +5173,7 @@
       "version": "8.17.1",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
       "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
+      "peer": true,
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
         "fast-uri": "^3.0.1",
@@ -5556,25 +5554,52 @@
       "license": "MIT"
     },
     "node_modules/body-parser": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz",
-      "integrity": "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.1.tgz",
+      "integrity": "sha512-nfDwkulwiZYQIGwxdy0RUmowMhKcFVcYXUU7m4QlKYim1rUtg83xm2yjZ40QjDuc291AJjjeSc9b++AWHSgSHw==",
       "license": "MIT",
       "dependencies": {
         "bytes": "^3.1.2",
         "content-type": "^1.0.5",
-        "debug": "^4.4.0",
+        "debug": "^4.4.3",
         "http-errors": "^2.0.0",
-        "iconv-lite": "^0.6.3",
+        "iconv-lite": "^0.7.0",
         "on-finished": "^2.4.1",
         "qs": "^6.14.0",
-        "raw-body": "^3.0.0",
-        "type-is": "^2.0.0"
+        "raw-body": "^3.0.1",
+        "type-is": "^2.0.1"
       },
       "engines": {
         "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/body-parser/node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/body-parser/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
     "node_modules/body-parser/node_modules/on-finished": {
       "version": "2.4.1",
       "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
@@ -5676,6 +5701,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001733",
         "electron-to-chromium": "^1.5.199",
@@ -5926,6 +5952,7 @@
       "resolved": "https://registry.npmjs.org/cheerio/-/cheerio-1.0.0-rc.12.tgz",
       "integrity": "sha512-VqR8m68vM46BNnuZ5NtnGBKIE/DfN0cRIzg9n40EIq9NOv90ayxLBXA8fXC5gquFRGJSTRqBq25Jt2ECLR431Q==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "cheerio-select": "^2.1.0",
         "dom-serializer": "^2.0.0",
@@ -7165,6 +7192,7 @@
       "integrity": "sha512-TS9bTNIryDzStCpJN93aC5VRSW3uTx9sClUn4B87pwiCaJh220otoI0X8mJKr+VcPtniMdN8GKjlwgWGUv5ZKA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -7226,6 +7254,7 @@
       "integrity": "sha512-82GZUjRS0p/jganf6q1rEO25VSoHH0hKPCTrgillPjdI/3bgBhAE1QzHrHTizjpRvy6pGAvKjDJtk2pF9NDq8w==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "eslint-config-prettier": "bin/cli.js"
       },
@@ -7484,6 +7513,7 @@
       "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@rtsao/scc": "^1.1.0",
         "array-includes": "^3.1.9",
@@ -8173,18 +8203,19 @@
       }
     },
     "node_modules/express": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/express/-/express-5.1.0.tgz",
-      "integrity": "sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==",
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/express/-/express-5.2.0.tgz",
+      "integrity": "sha512-XdpJDLxfztVY59X0zPI6sibRiGcxhTPXRD3IhJmjKf2jwMvkRGV1j7loB8U+heeamoU3XvihAaGRTR4aXXUN3A==",
       "license": "MIT",
       "dependencies": {
         "accepts": "^2.0.0",
-        "body-parser": "^2.2.0",
+        "body-parser": "^2.2.1",
         "content-disposition": "^1.0.0",
         "content-type": "^1.0.5",
         "cookie": "^0.7.1",
         "cookie-signature": "^1.2.1",
         "debug": "^4.4.0",
+        "depd": "^2.0.0",
         "encodeurl": "^2.0.0",
         "escape-html": "^1.0.3",
         "etag": "^1.8.1",
@@ -8655,7 +8686,6 @@
     "node_modules/gensync": {
       "version": "1.0.0-beta.2",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=6.9.0"
       }
@@ -8862,6 +8892,7 @@
       "resolved": "https://registry.npmjs.org/graphql/-/graphql-16.9.0.tgz",
       "integrity": "sha512-GGTKBX4SD7Wdb8mqeDLni2oaRGYQWjWHGKPQ24ZMnUtKfcsVoiv4uX8+LJr1K6U5VW2Lu1BwJnj7uiori0YtRw==",
       "dev": true,
+      "peer": true,
       "engines": {
         "node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
       }
@@ -9344,28 +9375,23 @@
       "license": "BSD-2-Clause"
     },
     "node_modules/http-errors": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
-      "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
       "license": "MIT",
       "dependencies": {
-        "depd": "2.0.0",
-        "inherits": "2.0.4",
-        "setprototypeof": "1.2.0",
-        "statuses": "2.0.1",
-        "toidentifier": "1.0.1"
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
       },
       "engines": {
         "node": ">= 0.8"
-      }
-    },
-    "node_modules/http-errors/node_modules/statuses": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz",
-      "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
       }
     },
     "node_modules/http-proxy": {
@@ -9495,15 +9521,19 @@
       }
     },
     "node_modules/iconv-lite": {
-      "version": "0.6.3",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
-      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.0.tgz",
+      "integrity": "sha512-cf6L2Ds3h57VVmkZe+Pn+5APsT7FpqJtEhhieDCvrE2MK5Qk9MyffgQyuxQTm6BChfeZNtcOLHp9IcWRVcIcBQ==",
       "license": "MIT",
       "dependencies": {
         "safer-buffer": ">= 2.1.2 < 3.0.0"
       },
       "engines": {
         "node": ">=0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
       }
     },
     "node_modules/ieee754": {
@@ -10234,6 +10264,7 @@
       "resolved": "https://registry.npmjs.org/jiti/-/jiti-2.6.1.tgz",
       "integrity": "sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ==",
       "dev": true,
+      "peer": true,
       "bin": {
         "jiti": "lib/jiti-cli.mjs"
       }
@@ -10352,7 +10383,6 @@
     "node_modules/json5": {
       "version": "2.2.3",
       "license": "MIT",
-      "peer": true,
       "bin": {
         "json5": "lib/cli.js"
       },
@@ -11262,9 +11292,10 @@
       }
     },
     "node_modules/mdast-util-to-hast": {
-      "version": "13.2.0",
-      "resolved": "https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz",
-      "integrity": "sha512-QGYKEuUsYT9ykKBCMOEDLsU5JRObWQusAolFMeko/tYPufNkRffBAQjIE+99jbA87xv6FgmjLtwjh9wBWajwAA==",
+      "version": "13.2.1",
+      "resolved": "https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.1.tgz",
+      "integrity": "sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==",
+      "license": "MIT",
       "dependencies": {
         "@types/hast": "^3.0.0",
         "@types/mdast": "^4.0.0",
@@ -12693,10 +12724,14 @@
       }
     },
     "node_modules/object-inspect": {
-      "version": "1.13.1",
-      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.1.tgz",
-      "integrity": "sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ==",
+      "version": "1.13.2",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.2.tgz",
+      "integrity": "sha512-IRZSRuzJiynemAXPYtPe5BoI/RESNYR7TYm50MC5Mqbd3Jmw5y790sErYw3V6SryFJD64b74qQQs9wn5Bg/k3g==",
       "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
       }
@@ -13305,6 +13340,7 @@
       "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==",
       "devOptional": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "playwright-core": "cli.js"
       },
@@ -13368,6 +13404,7 @@
       "integrity": "sha512-QQtaxnoDJeAkDvDKWCLiwIXkTgRhwYDEQCghU9Z6q03iyek/rxRh/2lC3HB7P8sWT2xC/y5JDctPLBIGzHKbhw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "prettier": "bin/prettier.cjs"
       },
@@ -13519,24 +13556,25 @@
       }
     },
     "node_modules/raw-body": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.0.tgz",
-      "integrity": "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g==",
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz",
+      "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==",
       "license": "MIT",
       "dependencies": {
-        "bytes": "3.1.2",
-        "http-errors": "2.0.0",
-        "iconv-lite": "0.6.3",
-        "unpipe": "1.0.0"
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.7.0",
+        "unpipe": "~1.0.0"
       },
       "engines": {
-        "node": ">= 0.8"
+        "node": ">= 0.10"
       }
     },
     "node_modules/react": {
       "version": "18.3.1",
       "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
       "integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==",
+      "peer": true,
       "dependencies": {
         "loose-envify": "^1.1.0"
       },
@@ -13557,6 +13595,7 @@
       "version": "18.3.1",
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz",
       "integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==",
+      "peer": true,
       "dependencies": {
         "loose-envify": "^1.1.0",
         "scheduler": "^0.23.2"
@@ -14224,6 +14263,7 @@
       "integrity": "sha512-d0NoFH4v6SjEK7BoX810Jsrhj7IQSYHAHLi/iSpgqKc7LaIDshFRlSg5LOymf9FqQhxEHs2W5ZQXlvy0KD45Uw==",
       "devOptional": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "chokidar": "^4.0.0",
         "immutable": "^5.0.2",
@@ -15150,6 +15190,7 @@
       "resolved": "https://registry.npmjs.org/styled-components/-/styled-components-5.3.11.tgz",
       "integrity": "sha512-uuzIIfnVkagcVHv9nE0VPlHPSCmXIUGKfJ42LNjxCCTDTL5sgnJ8Z7GZBq0EnLYGln77tPpEpExt2+qa+cZqSw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/helper-module-imports": "^7.0.0",
         "@babel/traverse": "^7.4.5",
@@ -15396,6 +15437,7 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -15721,6 +15763,7 @@
       "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -16068,6 +16111,7 @@
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "napi-postinstall": "^0.2.2"
       },
@@ -16270,6 +16314,7 @@
       "integrity": "sha512-ZWyE8YXEXqJrrSLvYgrRP7p62OziLW7xI5HYGWFzOvupfAlrLvURSzv/FyGyy0eidogEM3ujU+kUG1zuHgb6Ug==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.5.0",
@@ -16378,6 +16423,7 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },

package.json

@@ -183,7 +183,7 @@
     "dereference-json-schema": "^0.2.1",
     "dotenv": "^17.0.1",
     "escape-string-regexp": "5.0.0",
-    "express": "^5.1.0",
+    "express": "^5.2.0",
     "fastest-levenshtein": "1.0.16",
     "file-type": "21.0.0",
     "flat": "^6.0.1",
@@ -210,7 +210,7 @@
     "lowlight": "^3.3.0",
     "markdownlint-rule-helpers": "^0.25.0",
     "mdast-util-from-markdown": "^2.0.2",
-    "mdast-util-to-hast": "^13.2.0",
+    "mdast-util-to-hast": "^13.2.1",
     "mdast-util-to-markdown": "2.1.2",
     "mdast-util-to-string": "^4.0.0",
     "next": "^16.0.1",
@@ -252,7 +252,7 @@
     "@axe-core/playwright": "^4.10.1",
     "@eslint/js": "^9.33.0",
     "@github/markdownlint-github": "^0.6.3",
-    "@graphql-inspector/core": "^6.1.0",
+    "@graphql-inspector/core": "^7.0.3",
     "@graphql-tools/load": "^8.0.19",
     "@octokit/rest": "22.0.0",
     "@playwright/test": "^1.56",

src/audit-logs/data/fpt/organization.json

@@ -1340,7 +1340,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.knowledge_base_deleted",
@@ -1364,7 +1364,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.knowledge_base_updated",
@@ -1388,7 +1388,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.plan_changed",
@@ -15158,6 +15158,29 @@
     ],
     "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
   },
+  {
+    "action": "secret_scanning_alert.delete",
+    "description": "A secret scanning alert was deleted by GitHub.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "created_at",
+      "reason"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
   {
     "action": "secret_scanning_alert.public_leak",
     "description": "A secret scanning alert was leaked in a public repo.",

src/audit-logs/data/ghec/enterprise.json

@@ -4272,7 +4272,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.knowledge_base_deleted",
@@ -4296,7 +4296,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.knowledge_base_updated",
@@ -4320,7 +4320,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.plan_changed",
@@ -18575,6 +18575,29 @@
     ],
     "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
   },
+  {
+    "action": "secret_scanning_alert.delete",
+    "description": "A secret scanning alert was deleted by GitHub.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "created_at",
+      "reason"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
   {
     "action": "secret_scanning_alert.public_leak",
     "description": "A secret scanning alert was leaked in a public repo.",

src/audit-logs/data/ghec/organization.json

@@ -1340,7 +1340,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.knowledge_base_deleted",
@@ -1364,7 +1364,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.knowledge_base_updated",
@@ -1388,7 +1388,7 @@
       "actor_is_bot",
       "request_access_security_header"
     ],
-    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+    "docs_reference_titles": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases"
   },
   {
     "action": "copilot.plan_changed",
@@ -15158,6 +15158,29 @@
     ],
     "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
   },
+  {
+    "action": "secret_scanning_alert.delete",
+    "description": "A secret scanning alert was deleted by GitHub.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "created_at",
+      "reason"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
   {
     "action": "secret_scanning_alert.public_leak",
     "description": "A secret scanning alert was leaked in a public repo.",