October 28-29: GitHub Universe 2025 docs-internal megabranch (#57869)
Signed-off-by: Meredith Lancaster <malancas@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: AlonaHlobina <54394529+AlonaHlobina@users.noreply.github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com> Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com> Co-authored-by: Kelly Arwine <kellyarwine@github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Jon Janego <jonjanego@github.com> Co-authored-by: Jules Porter <jules-p@users.noreply.github.com> Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: Laurenzo <lsto@github.com> Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Co-authored-by: Vanessa <vgrl@github.com> Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com> Co-authored-by: Claire W <78226508+crwaters16@users.noreply.github.com> Co-authored-by: Felix Guntrip <guntrip@github.com> Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> Co-authored-by: Tim Rogers <timrogers@github.com> Co-authored-by: docs-bot <77750099+docs-bot@users.noreply.github.com> Co-authored-by: Guillaume Perrot <guperrot@github.com> Co-authored-by: Mark Tareshawty <tarebyte@github.com> Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com> Co-authored-by: Emily Gould <4822039+emilyistoofunky@users.noreply.github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> Co-authored-by: PJ Quirk <pjquirk@github.com> Co-authored-by: Steve Ward 
<steveward@github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> Co-authored-by: Kevin Heis <heiskr@users.noreply.github.com> Co-authored-by: SiaraMist <siaramist@github.com> Co-authored-by: Tomoko Tanaka <28242405+tallzeebaa@users.noreply.github.com> Co-authored-by: a1exmozz <187176404+a1exmozz@users.noreply.github.com> Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com> Co-authored-by: Sarah Schneider <sarahs@users.noreply.github.com> Co-authored-by: Andy Barnes <kurgol@github.com> Co-authored-by: Sheena Ganju <sheenyg@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sydney Wilson <86739163+swilson15@users.noreply.github.com> Co-authored-by: Robert Sese <734194+rsese@users.noreply.github.com> Co-authored-by: Vimala Moger <166641453+VimalaMoger@users.noreply.github.com> Co-authored-by: Sharra-writes <sharra-writes@github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Jenni C <97056108+dihydroJenoxide@users.noreply.github.com> Co-authored-by: Greg Mondello <72952982+gmondello@users.noreply.github.com> Co-authored-by: Mia Arts <107727642+its-mia@users.noreply.github.com> Co-authored-by: sunbrye <sunbrye@github.com> Co-authored-by: Lorenz Vanthillo <lorenz.vanthillo@gmail.com> Co-authored-by: Eboni <32157169+EboniLM@users.noreply.github.com> Co-authored-by: Junko Suzuki <pnsk@github.com> Co-authored-by: Alex Nguyen <150945400+nguyenalex836@users.noreply.github.com> Co-authored-by: heiskr <1221423+heiskr@users.noreply.github.com> Co-authored-by: Patrick Knight <patrick-knight@github.com> Co-authored-by: T. 
Greg Doucette <58960990+LawDevNull@users.noreply.github.com> Co-authored-by: Evan Bonsignori <ebonsignori@github.com> Co-authored-by: Robert Justin Monzingo <robertjmonzingo@gmail.com> Co-authored-by: John Coleman <thenewcoke@gmail.com> Co-authored-by: Brendan Scott-Smith <117171930+bss-mc@users.noreply.github.com> Co-authored-by: Chad Bentz <1760475+felickz@users.noreply.github.com> Co-authored-by: Justin Alex <1155821+jusuchin85@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: azenMatt <7584089+azenMatt@users.noreply.github.com> Co-authored-by: Felix Guntrip <stevecat@github.com> Co-authored-by: timrogers <116134+timrogers@users.noreply.github.com> Co-authored-by: John Clement <70238417+jclement136@users.noreply.github.com> Co-authored-by: vaindil <vaindil@github.com> Co-authored-by: Matthew Isabel <matthewisabel@github.com> Co-authored-by: Matthew Isabel <matthew.isabel@gmail.com>
BIN
assets/images/help/code-quality/ai-suggestions-repo-fixes.png
Normal file
|
After Width: | Height: | Size: 255 KiB |
BIN
assets/images/help/code-quality/ai-suggestions-repo.png
Normal file
|
After Width: | Height: | Size: 113 KiB |
BIN
assets/images/help/code-quality/all-findings-overview-repo.png
Normal file
|
After Width: | Height: | Size: 262 KiB |
BIN
assets/images/help/code-quality/all-findings-rules-repo.png
Normal file
|
After Width: | Height: | Size: 132 KiB |
BIN
assets/images/help/code-quality/cca-pr-ai-findings.png
Normal file
|
After Width: | Height: | Size: 217 KiB |
BIN
assets/images/help/code-quality/click-rule-name.png
Normal file
|
After Width: | Height: | Size: 104 KiB |
BIN
assets/images/help/code-quality/click-show-more.png
Normal file
|
After Width: | Height: | Size: 75 KiB |
BIN
assets/images/help/code-quality/code-quality-merge-block.png
Normal file
|
After Width: | Height: | Size: 95 KiB |
BIN
assets/images/help/code-quality/generate-fix.png
Normal file
|
After Width: | Height: | Size: 96 KiB |
BIN
assets/images/help/code-quality/invoke-coding-agent.png
Normal file
|
After Width: | Height: | Size: 72 KiB |
BIN
assets/images/help/code-quality/merge-block-warnings.png
Normal file
|
After Width: | Height: | Size: 88 KiB |
BIN
assets/images/help/code-quality/standard-findings-filters.png
Normal file
|
After Width: | Height: | Size: 104 KiB |
BIN
assets/images/help/code-quality/user-pr-ai-findings.png
Normal file
|
After Width: | Height: | Size: 81 KiB |
|
Before Width: | Height: | Size: 132 KiB After Width: | Height: | Size: 99 KiB |
BIN
assets/images/help/copilot/coding-agent/open-workbench.png
Normal file
|
After Width: | Height: | Size: 18 KiB |
|
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 28 KiB |
@@ -69,6 +69,18 @@ This feed shows activity and recommendations based on your network on {% data va
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion home-dashboard-view %}
|
||||
|
||||
## Working with {% data variables.product.prodname_copilot %} from your dashboard
|
||||
|
||||
{% data reusables.dashboard.home-dashboard-public-preview-note %}
|
||||
|
||||
The home dashboard view gives you visibility into your {% data variables.copilot.copilot_coding_agent %} sessions and helps you manage your most important tasks more efficiently. You can prompt {% data variables.product.prodname_copilot %} directly from the dashboard, track the latest agent sessions you've triggered, quickly access agent logs to see progress, and manage the resulting pull requests and tasks. This centralized view makes it easier to stay on top of your agent activities and follow up on their outcomes.
|
||||
|
||||
To view the updated home dashboard, which is currently in {% data variables.release-phases.public_preview %}, you will first need to enable **New Dashboard Experience** with feature preview. For more information, see [AUTOTITLE](/get-started/using-github/exploring-early-access-releases-with-feature-preview#exploring-public-preview-releases-with-feature-preview).
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Next steps
|
||||
|
||||
To understand how {% data variables.product.github %} determines what is displayed on your personal dashboard, see [AUTOTITLE](/account-and-profile/reference/personal-dashboard).
|
||||
|
||||
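Review bot: The paragraph beginning "To view the updated home dashboard" is repeated word for word in the "Home dashboard view" section added elsewhere in this commit, so the two copies can drift when the feature leaves preview. Move it into a reusable next to `reusables.dashboard.home-dashboard-public-preview-note`, or fold it into that note, and reference it from both places.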
@@ -74,3 +74,20 @@ You will see updates from the network you have created, including:
|
||||
* Organizations you follow
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion home-dashboard-view %}
|
||||
|
||||
## Home dashboard view
|
||||
|
||||
{% data reusables.dashboard.home-dashboard-public-preview-note %}
|
||||
|
||||
To view the updated home dashboard, which is currently in {% data variables.release-phases.public_preview %}, you will first need to enable **New Dashboard Experience** with feature preview. For more information, see [AUTOTITLE](/get-started/using-github/exploring-early-access-releases-with-feature-preview#exploring-public-preview-releases-with-feature-preview).
|
||||
|
||||
The home dashboard includes:
|
||||
|
||||
* **A {% data variables.product.prodname_copilot %} prompt box**: You can prompt {% data variables.product.prodname_copilot %}, assign {% data variables.copilot.copilot_coding_agent %} to tasks, create an issue with {% data variables.product.prodname_copilot %}, and start building with {% data variables.product.prodname_spark %}.
|
||||
* **Agent sessions**: A list of your running and past {% data variables.copilot.copilot_coding_agent %} sessions. Click **View all** to open the agents tab.
|
||||
* **Pull requests**: A list of the most recent pull requests that you authored, reviewed, were mentioned on, or where you've been requested as a reviewer.
|
||||
* **Issues**: A list of the most recent issues assigned to you or involving you.
|
||||
|
||||
{% endif %}
|
||||
|
||||
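Review bot: The **Pull requests** bullet is not parallel: "that you authored, reviewed, were mentioned on, or where you've been requested as a reviewer" changes construction in its last item. Suggest "pull requests that you authored, reviewed, were mentioned in, or were asked to review".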
@@ -26,12 +26,16 @@ versions:
|
||||
|
||||
Runners are the machines that execute jobs in a {% data variables.product.prodname_actions %} workflow. For example, a runner can clone your repository locally, install testing software, and then run commands that evaluate your code.
|
||||
|
||||
{% data variables.product.prodname_dotcom %} provides runners that you can use to run your jobs, or you can [host your own runners](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). Each {% data variables.product.prodname_dotcom %}-hosted runner is a new virtual machine (VM) hosted by {% data variables.product.prodname_dotcom %} with the runner application and other tools preinstalled, and is available with Ubuntu Linux, Windows, or macOS operating systems. When you use a {% data variables.product.prodname_dotcom %}-hosted runner, machine maintenance and upgrades are taken care of for you.
|
||||
{% data variables.product.prodname_dotcom %} provides runners that you can use to run your jobs, or you can [host your own runners](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). {% data reusables.actions.single-cpu-runners %}
|
||||
|
||||
Each runner comes with the runner application and other tools preinstalled. {% data variables.product.prodname_dotcom %}-hosted runners are available with Ubuntu Linux, Windows, or macOS operating systems. When you use a {% data variables.product.prodname_dotcom %}-hosted runner, machine maintenance and upgrades are taken care of for you.
|
||||
|
||||
{% ifversion not ghes %}
|
||||
|
||||
You can choose one of the standard {% data variables.product.prodname_dotcom %}-hosted runner options or, if you are on the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plan, you can provision a runner with more cores, or a runner that's powered by a GPU processor. These machines are referred to as "{% data variables.actions.hosted_runner %}." For more information, see [AUTOTITLE](/enterprise-cloud@latest/actions/using-github-hosted-runners/about-larger-runners/about-larger-runners).
|
||||
|
||||
{% data variables.actions.hosted_runners_caps %} also support custom images, which let you create and manage your own preconfigured VM images. For more information, see [Custom images](#custom-images).
|
||||
|
||||
Using {% data variables.product.prodname_dotcom %}-hosted runners requires network access with at least 70 kilobits per second upload and download speeds.
|
||||
|
||||
{% endif %}
|
||||
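Review bot: In the rewritten opening, "Each runner comes with the runner application and other tools preinstalled" follows a sentence that also mentions hosting your own runners, so "Each runner" reads as covering self-hosted runners too; say "Each {% data variables.product.prodname_dotcom %}-hosted runner". The earlier wording also stated that each hosted runner "is a new virtual machine (VM) hosted by" GitHub, which readers rely on when reasoning about job isolation. Unless the `single-cpu-runners` reusable carries that statement, keep it in this paragraph.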
@@ -45,7 +49,7 @@ Using {% data variables.product.prodname_dotcom %}-hosted runners requires netwo
|
||||
|
||||
{% ifversion not ghes %}
|
||||
|
||||
## Runner Images
|
||||
## Runner images
|
||||
|
||||
{% data variables.product.github %} maintains our own set of VM images for our standard hosted runners. This includes the images for macOS, x64 linux and Windows images. The list of images and their included tools are managed in the [`actions/runner-images`](https://github.com/actions/runner-images) repository. Our arm64 images are partner images, and those are managed in the [`actions/partner-runner-images`](https://github.com/actions/partner-runner-images) repository.
|
||||
|
||||
@@ -75,6 +79,19 @@ If there is a tool that you'd like to request, please open an issue at [actions/
|
||||
> * You can also install additional software on {% data variables.product.prodname_dotcom %}-hosted runners. See [AUTOTITLE](/actions/using-github-hosted-runners/customizing-github-hosted-runners).
|
||||
> * While nested virtualization is technically possible while using runners, it is not officially supported. Any use of nested VMs is experimental and done at your own risk, we offer no guarantees regarding stability, performance, or compatibility.
|
||||
|
||||
### Custom images
|
||||
|
||||
Custom images let you start with a {% data variables.product.github %}-provided base image and build your own VM image that’s customized to your workflow needs. With custom images, you can:
|
||||
* Build custom VM images using existing workflow YAML syntax.
|
||||
* Pre-configure environments with approved tooling, security patches, and dependencies before workflows start.
|
||||
* Create consistent, validated base environments across all builds.
|
||||
|
||||
Custom images can include repository code, container images, binaries, certificates, and other dependencies to create a consistent build environment across workflows. This helps you gain control over your supply chain. They help reduce setup time, improve build performance, and strengthen security by reducing the surface attack vector on your images. Administrators can also apply policies to manage image versions, retention, and age to meet organizational security and compliance requirements.
|
||||
|
||||
Custom images can only be used with larger runners and are billed at the same per-minute rates as those runners. Storage for custom images is billed and metered through {% data variables.product.prodname_actions %} storage. For more information about billing, see [AUTOTITLE](/billing/concepts/product-billing/github-actions).
|
||||
|
||||
To get started with custom images, see [AUTOTITLE](/actions/how-tos/manage-runners/larger-runners/use-custom-images).
|
||||
|
||||
## Cloud hosts used by {% data variables.product.prodname_dotcom %}-hosted runners
|
||||
|
||||
{% data variables.product.prodname_dotcom %} hosts Linux and Windows runners on virtual machines in Microsoft Azure with the {% data variables.product.prodname_actions %} runner application installed. The {% data variables.product.prodname_dotcom %}-hosted runner application is a fork of the Azure Pipelines Agent. Inbound ICMP packets are blocked for all Azure virtual machines, so ping or traceroute commands might not work. {% data variables.product.prodname_dotcom %} hosts macOS runners in Azure data centers.
|
||||
|
||||
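Review bot: In the "Custom images" section, "strengthen security by reducing the surface attack vector on your images" mixes two terms; the usual phrase is "reducing the attack surface of your images". In the same paragraph, "This helps you gain control over your supply chain. They help reduce setup time" switches subject between sentences, so name custom images again. Because the paragraph lists certificates and repository code among the things an image can contain, it is also worth stating that anything baked into an image is readable by every job that runs on a runner using it.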
@@ -9,4 +9,6 @@ children:
|
||||
- /github-hosted-runners
|
||||
- /self-hosted-runners
|
||||
- /larger-runners
|
||||
- /use-proxy-servers
|
||||
---
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@ children:
|
||||
- /manage-larger-runners
|
||||
- /control-access
|
||||
- /use-larger-runners
|
||||
- /use-custom-images
|
||||
redirect_from:
|
||||
- /actions/using-github-hosted-runners/about-larger-runners
|
||||
- /actions/using-github-hosted-runners/using-larger-runners
|
||||
|
||||
@@ -2,7 +2,8 @@
|
||||
title: Managing larger runners
|
||||
shortTitle: Manage larger runners
|
||||
intro: 'You can configure {% data variables.actions.hosted_runner %}s for your organization or enterprise.'
|
||||
permissions: '{% data reusables.actions.larger-runner-permissions %}<br><br> Enterprise or organization owners can manage larger runners.{% ifversion custom-org-roles %} Users with the "Manage organization runners and runner groups" permission can manage larger runners at the organization level.{% endif %}'
|
||||
product: '{% data variables.actions.github_hosted_larger_runners %} are only available for organizations and enterprises using the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plans. <br><a href="https://github.com/pricing?ref_product=ghec&ref_type=trial&ref_style=button" target="_blank" class="btn btn-primary mt-3 mr-3 no-underline"><span>Sign up for {% data variables.product.prodname_actions %}</span> {% octicon "link-external" height:16 %}</a>'
|
||||
permissions: 'Enterprise or organization owners can manage larger runners.{% ifversion custom-org-roles %} Users with the "Manage organization runners and runner groups" permission can manage larger runners at the organization level.{% endif %}'
|
||||
versions:
|
||||
feature: actions-hosted-runners
|
||||
redirect_from:
|
||||
|
||||
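Review bot: The signup link in the new `product` value uses `https://github.com/pricing?ref_product=ghec&ref_type=trial&ref_style=button`, while the `product` value on the new "Using custom images" page appends `&utm_source=docs-signup-actions&utm_medium=docs&utm_campaign=universe25` to the same URL. Pick one form and move the whole button into a reusable so the two pages cannot diverge. The `permissions` value now begins with the `larger-runner-permissions` reusable followed by `<br><br>`, so check that the rendered page does not state the owner requirement twice.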
@@ -0,0 +1,172 @@
|
||||
---
|
||||
title: Using custom images
|
||||
shortTitle: Use custom images
|
||||
intro: 'Create, manage, and use custom images for {% data variables.actions.github_hosted_larger_runners %} in your organization or enterprise.'
|
||||
versions:
|
||||
feature: actions-hosted-runners
|
||||
product: '{% data variables.actions.github_hosted_larger_runners %} are only available for organizations and enterprises using the {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} plans. <br><a href="https://github.com/pricing?ref_product=ghec&ref_type=trial&ref_style=button&utm_source=docs-signup-actions&utm_medium=docs&utm_campaign=universe25" target="_blank" class="btn btn-primary mt-3 mr-3 no-underline"><span>Sign up for {% data variables.product.prodname_actions %}</span> {% octicon "link-external" height:16 %}</a>'
|
||||
|
||||
---
|
||||
|
||||
## Custom images
|
||||
|
||||
You can create a custom image to define the exact environment that your {% data variables.actions.github_hosted_larger_runners %} use. Custom images let you preinstall tools, dependencies, and configurations to speed up workflows and improve consistency across jobs.
|
||||
|
||||
When your runner uses a custom image, it acts as a “pre-warmed” environment, allowing workflows to complete quicker, by downloading packages and binaries once during image creation instead of every time a workflow is run. For more information about custom images, see [Runner images](/actions/concepts/runners/github-hosted-runners#runner-images).
|
||||
|
||||
The process of using a custom image involves three main steps:
|
||||
1. [Setting up an image-generation runner](#setting-up-an-image-generation-runner): Create a {% data variables.actions.hosted_runner %} to build and store your custom image.
|
||||
1. [Generating a custom image](#generating-a-custom-image): Generate your custom image by running a workflow using the image-generation runner.
|
||||
1. [Installing custom images](#installing-custom-images): Create a runner that uses your custom image.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before you can create custom images, make sure the following requirements are met.
|
||||
|
||||
* **Policy**: Custom images must be enabled for your organization or enterprise. Enterprise owners can manage access to custom images and set retention policies in the Actions policy settings. For more information, see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#custom-images).
|
||||
* **Permissions**: To create and manage custom images, you must be an organization or enterprise owner, or have the `CI/CD Admin` role, or have a role with the following fine-grained permissions.
|
||||
* View organization hosted runner custom images
|
||||
* Manage organization hosted runner custom images
|
||||
* Manage organization runners and runner groups
|
||||
|
||||
For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).
|
||||
|
||||
## Setting up an image-generation runner
|
||||
|
||||
To create a custom image, you must first set up an image-generation runner. When you create the runner, the platform that you select for your runner must match the platform of the image you want to build. The platform of the runner can be Linux x64, Linux ARM64, or Windows x64.
|
||||
|
||||
1. Create a {% data variables.actions.hosted_runner %}:
|
||||
* For organizations, see [Adding a larger runner to an organization](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#adding-a-larger-runner-to-an-organization).
|
||||
* For enterprises, see [Adding a larger runner to an enterprise](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#adding-a-larger-runner-to-an-enterprise).
|
||||
1. When configuring the runner, select the following configurations for your image-generation runner:
|
||||
* **Platform**: Select a supported platform that matches the platform of the image you plan to create (Linux x64, Linux ARM64, or Windows x64).
|
||||
* **Image**: Select an image to build on, then enable the checkbox **Enable this runner to generate custom images**.
|
||||
* You can start from a {% data variables.product.github %}-owned image or choose a base image to start from a clean OS.
|
||||
* For ARM64 platforms, you can also select an ARM-maintained image with preinstalled tooling.
|
||||
* **Runner group**: Select the group for your runner to be a member of. Once the custom image is created, only runners in this runner group can generate new versions of that image.
|
||||
|
||||
## Generating a custom image
|
||||
|
||||
After you create an image-generation runner, run a workflow that includes the `snapshot` keyword to generate a custom image.
|
||||
|
||||
To configure a workflow for image generation:
|
||||
* Set the `runs-on` value to the name of the image-generation runner that you created.
|
||||
* Add the `snapshot` keyword to the job, using either the string syntax or mapping syntax shown below.
|
||||
* Each job that includes the `snapshot` keyword creates a separate image. To generate only one image or image version, include all workflow steps in a single job.
|
||||
* Each successful run of a job that includes the `snapshot` keyword creates a new version of that image.
|
||||
|
||||
It can take some time for your image to be fully generated and ready to use after the workflow completes. Provisioning time varies based on runner size and configuration, and may take several hours for larger runners.
|
||||
|
||||
The image is generated only when the job completes successfully. This prevents new image versions from being created when a workflow fails or ends in an incomplete state.
|
||||
|
||||
Once the image is generated, it is available for use in your workflows. For more information about managing custom images, see [Managing custom images](#managing-custom-images).
|
||||
|
||||
### String syntax
|
||||
|
||||
You can use the string syntax with `snapshot` to define the image name. This method creates a new image or adds a new version to an existing image with the same name. You cannot specify a version number using this syntax.
|
||||
|
||||
```yaml
|
||||
jobs:
|
||||
build:
|
||||
runs-on: my-image-generation-runner
|
||||
snapshot: my-custom-image
|
||||
steps:
|
||||
# Add any steps to download and setup any dependencies here
|
||||
```
|
||||
|
||||
### Mapping syntax
|
||||
|
||||
You can use the mapping syntax with `snapshot` to define both the `image-name` and the optional `version`. When you specify a major version, the minor versioning automatically increments if that major version already exists. Patch versions are not supported.
|
||||
|
||||
```yaml
|
||||
jobs:
|
||||
build:
|
||||
runs-on: my-image-generation-runner
|
||||
snapshot:
|
||||
image-name: my-custom-image
|
||||
version: 2.*
|
||||
steps:
|
||||
# Add any steps to download and setup any dependencies here
|
||||
```
|
||||
|
||||
### Conditionals
|
||||
|
||||
The `snapshot` keyword supports conditional execution using the `if` keyword around the snapshot mapping. You can use conditions to control when an image snapshot is created. For example, the following job skips image creation for tag builds.
|
||||
|
||||
```yaml
|
||||
jobs:
|
||||
build:
|
||||
runs-on: my-image-generation-runner
|
||||
snapshot:
|
||||
if: {% raw %}${{ ! startsWith(github.ref, 'refs/tags/') }}{% endraw %}
|
||||
image-name: my-custom-image
|
||||
version: 2.*
|
||||
steps:
|
||||
# Add any steps to download and setup any dependencies here
|
||||
```
|
||||
|
||||
For more information about the `if` keyword, see [AUTOTITLE](/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution).
|
||||
|
||||
## Versioning
|
||||
|
||||
When you generate custom images, {% data variables.product.github %} automatically assigns version numbers to help you manage updates and track image history.
|
||||
|
||||
### Default behavior
|
||||
|
||||
If an image with the specified name does not exist in your organization or enterprise, {% data variables.product.github %} creates it with an initial version number of 1.0.0.
|
||||
If an image with the same name already exists, {% data variables.product.github %} creates a new version by incrementing the minor version number (for example, 1.1.0, 1.2.0, etc.).
|
||||
|
||||
If you do not specify a version in your YAML file, image generation uses this default behavior.
|
||||
|
||||
### Specifying a version in your workflow
|
||||
|
||||
If you include a version in the YAML mapping, {% data variables.product.github %} checks the major version number first.
|
||||
* If the specified major version already exists, the new image uses the next minor version (for example, 1.0 becomes 1.1).
|
||||
* If the major version does not exist, {% data variables.product.github %} creates a new major version (for example, 2.0).
|
||||
|
||||
Patch versions are not supported.
|
||||
|
||||
### Latest tag
|
||||
|
||||
The most recent workflow run for an image is always tagged as latest.
|
||||
If you specify an older major version in the YAML (for example, version: 1.* when a 2.0 version exists), {% data variables.product.github %} generates a new minor version under the older major version and marks it as latest.
|
||||
|
||||
> [!NOTE]
|
||||
> {% data variables.actions.github_hosted_larger_runner %} creation does not support wildcards in image version selection.
|
||||
|
||||
## Managing custom images
|
||||
|
||||
You can view detailed information about each image, delete unused images or specific versions, and track image versions over time.
|
||||
|
||||
{% data reusables.organizations.navigate-to-org %}
|
||||
{% data reusables.organizations.org_settings %}
|
||||
{% data reusables.organizations.settings-sidebar-actions-custom-images %}
|
||||
1. On the "Custom images" page, you can view all custom images that have been created in your organization or enterprise.
|
||||
1. To view details about a specific image, click the image name.
|
||||
|
||||
## Installing custom images
|
||||
|
||||
Once your custom image is ready, you can install it on a new {% data variables.actions.github_hosted_larger_runner %}.
|
||||
|
||||
1. Follow the steps for creating a {% data variables.actions.hosted_runner %}:
|
||||
* For organizations, see [Adding a larger runner to an organization](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#adding-a-larger-runner-to-an-organization).
|
||||
* For enterprises, see [Adding a larger runner to an enterprise](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#adding-a-larger-runner-to-an-enterprise).
|
||||
1. When configuring the runner:
|
||||
* **Platform**: Select the same platform that you used to generate the image (Linux x64, Linux ARM64, or Windows x64).
|
||||
* **Image**: Select the **Custom** tab, then choose your custom image from the list.
|
||||
* If you don’t see your image, make sure you’ve selected the correct platform and that you’re creating the runner at the same level (organization or enterprise) where the image was generated.
|
||||
* **Image version**: Choose **Latest** to automatically use the most recent version, or select a specific version number to pin the runner to that version.
|
||||
* If you select **Latest**, your runner automatically updates when a new version of the image becomes available. If you pin the runner to a specific version, you’ll need to edit the runner manually to upgrade later.
|
||||
* **Size**: Choose a runner size with storage equal to or larger than your image’s size. For example, if the image was generated on an 8-core runner, select an 8-core or larger to run this image.
|
||||
* **Runner group**: Assign the runner to a runner group that is shared with the repositories that need to use this image.
|
||||
1. In your {% data variables.product.prodname_actions %} workflow job, set the `runs-on` key to the name of your runner.
|
||||
|
||||
```yaml
|
||||
jobs:
|
||||
build:
|
||||
runs-on: my-custom-runner
|
||||
steps:
|
||||
# Add any steps for your workflow here
|
||||
```
|
||||
|
||||
1. Run your workflow to verify that it completes successfully. The job logs will show the image name and version in the "Set up job" section.
|
||||
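Review bot: The "Latest tag" section says a build with `version: 1.*` made after a 2.0 version exists is marked as latest, and "Installing custom images" says a runner set to **Latest** "automatically updates when a new version of the image becomes available". As written, these imply that rebuilding an older major version moves runners that track Latest onto that older line, so the page should say this explicitly and recommend pinning a version where that matters. Two smaller points: under "Conditionals" the example places `if` inside the `snapshot` mapping, so "around the snapshot mapping" should read "inside"; and the sentence "For more information about custom images, see [Runner images]" links to `#runner-images` although this commit adds a `#custom-images` section to that page.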
@@ -11,7 +11,6 @@ children:
|
||||
- /run-scripts
|
||||
- /customize-containers
|
||||
- /configure-the-application
|
||||
- /use-proxy-servers
|
||||
- /apply-labels
|
||||
- /use-in-a-workflow
|
||||
- /manage-access
|
||||
|
||||
@@ -1,58 +0,0 @@
|
||||
---
|
||||
title: Using a proxy server with self-hosted runners
|
||||
shortTitle: Use proxy servers
|
||||
intro: 'You can configure self-hosted runners to use a proxy server to communicate with {% data variables.product.github %}.'
|
||||
redirect_from:
|
||||
- /actions/automating-your-workflow-with-github-actions/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/hosting-your-own-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/how-tos/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '*'
|
||||
ghec: '*'
|
||||
---
|
||||
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
## Configuring a proxy server using environment variables
|
||||
|
||||
If you need a self-hosted runner to communicate via a proxy server, the self-hosted runner application uses proxy configurations set in the following environment variables:
|
||||
|
||||
* `https_proxy`: Proxy URL for HTTPS traffic. You can also include basic authentication credentials, if required. For example:
|
||||
* `http://proxy.local`
|
||||
* `http://192.168.1.1:8080`
|
||||
* `http://username:password@proxy.local`
|
||||
* `http_proxy`: Proxy URL for HTTP traffic. You can also include basic authentication credentials, if required. For example:
|
||||
* `http://proxy.local`
|
||||
* `http://192.168.1.1:8080`
|
||||
* `http://username:password@proxy.local`
|
||||
* `no_proxy`: Comma separated list of hosts that should not use a proxy. Only hostnames are allowed in `no_proxy`, you cannot use IP addresses. For example:
|
||||
* `example.com`
|
||||
* `example.com,myserver.local:443,example.org`
|
||||
|
||||
The proxy environment variables are read when the self-hosted runner application starts, so you must set the environment variables before configuring or starting the self-hosted runner application. If your proxy configuration changes, you must restart the self-hosted runner application.
|
||||
|
||||
{% data reusables.actions.environment-variables-as-case-sensitive %}
|
||||
|
||||
On Windows machines, the proxy environment variable names are case insensitive. On Linux and macOS machines, we recommend that you use all lowercase environment variables. If you have an environment variable in both lowercase and uppercase on Linux or macOS, for example `https_proxy` and `HTTPS_PROXY`, the self-hosted runner application uses the lowercase environment variable.
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-ports-protocols %}
|
||||
|
||||
## Using a .env file to set the proxy configuration
|
||||
|
||||
If setting environment variables is not practical, you can set the proxy configuration variables in a file named `.env` in the self-hosted runner application directory (that is, the directory into which you downloaded and unpacked the runner software). For example, this might be necessary if you want to configure the runner application as a service under a system account. When the runner application starts, it reads the variables set in `.env` for the proxy configuration.
|
||||
|
||||
### Example `.env` proxy configuration
|
||||
|
||||
```shell
|
||||
https_proxy=http://proxy.local:8080
|
||||
no_proxy=example.com,myserver.local:443
|
||||
```
|
||||
|
||||
## Setting proxy configuration for Docker containers
|
||||
|
||||
If you use Docker container actions or service containers in your workflows, you might also need to configure Docker to use your proxy server in addition to setting the above environment variables.
|
||||
|
||||
For information on the required Docker configuration, see [Configure Docker to use a proxy server](https://docs.docker.com/network/proxy/) in the Docker documentation.
|
||||
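Review bot: the `no_proxy` bullet in this deleted page states "Only hostnames are allowed in `no_proxy`, you cannot use IP addresses", but the replacement page `content/actions/how-tos/manage-runners/use-proxy-servers.md` describes `no_proxy` as "a comma-separated list of hosts or IP addresses" and puts `127.0.0.1` in its Linux example. Please confirm that the runner application now honors IP entries; if it still ignores them, the restriction should be carried over to the new table rather than dropped with this file.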
112
content/actions/how-tos/manage-runners/use-proxy-servers.md
Normal file
@@ -0,0 +1,112 @@
|
||||
---
|
||||
title: Using proxy servers with a runner
|
||||
shortTitle: Use proxy servers
|
||||
intro: You can configure runners in isolated environments to use a proxy server for secure communication with {% data variables.product.github %}.
|
||||
redirect_from:
|
||||
- /actions/automating-your-workflow-with-github-actions/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/hosting-your-own-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/how-tos/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
|
||||
- /actions/how-tos/manage-runners/self-hosted-runners/use-proxy-servers
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '*'
|
||||
ghec: '*'
|
||||
contentType: how-tos
|
||||
---
|
||||
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
## Configuring a proxy for Linux and Windows runners
|
||||
|
||||
If your runner needs to communicate via a proxy server, you can configure proxy settings using environment variables or system-level configurations.
|
||||
|
||||
| Variable | Description | Example |
|
||||
| ------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
|
||||
| `https_proxy` | Proxy URL for HTTPS traffic. You can include basic authentication if required. | `http://proxy.local`<br>`http://192.168.1.1:8080`<br>`http://username:password@proxy.local` |
|
||||
| `http_proxy` | Proxy URL for HTTP traffic. You can include basic authentication if required. | `http://proxy.local`<br>`http://192.168.1.1:8080`<br>`http://username:password@proxy.local` |
|
||||
| `no_proxy` | A comma-separated list of hosts or IP addresses that should bypass the proxy. Some clients only honor IP addresses when connections are made directly to the IP rather than a hostname. | `example.com`<br>`example.com,myserver.local:443,example.org` |
|
||||
|
||||
The proxy environment variables are read when the runner application starts, so you must set the environment variables before configuring or starting the runner application. If your proxy configuration changes, you must restart the runner application.
|
||||
|
||||
On Windows machines, the proxy environment variable names are case-insensitive. On Linux and macOS machines, we recommend that you use all lowercase environment variables. If you have an environment variable in both lowercase and uppercase on Linux or macOS, for example `https_proxy` and `HTTPS_PROXY`, the self-hosted runner application uses the lowercase environment variable.
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-ports-protocols %}
|
||||
|
||||
### Example configurations
|
||||
|
||||
{% data reusables.actions.environment-variables-as-case-sensitive %}
|
||||
|
||||
#### Linux and macOS
|
||||
|
||||
Set proxy environment variables for your runner.
|
||||
|
||||
```shell copy
|
||||
export https_proxy=http://proxy.local:8080
|
||||
export http_proxy=http://proxy.local:8080
|
||||
export no_proxy=example.com,localhost,127.0.0.1
|
||||
```
|
||||
|
||||
#### Windows
|
||||
|
||||
On Windows, you can configure proxy settings either by setting environment variables or by using the [netsh command](https://learn.microsoft.com/en-us/windows/win32/winhttp/netsh-exe-commands&utm_source=docs-microsoft-proxy-servers&utm_medium=docs&utm_campaign=universe25#set-advproxy).
|
||||
The netsh approach applies to applications and services that rely on the WinHTTP API.
|
||||
|
||||
Setting environment variables is still required for runners that use private networking. Whether you also need to configure netsh depends on the applications used in your workflows.
|
||||
|
||||
```shell copy
|
||||
netsh winhttp set advproxy setting-scope=machine settings={\"Proxy\":\"proxy.local:8080\",\"ProxyBypass\":\"168.63.129.16;169.254.169.254\",\"AutoconfigUrl\":\"\",\"AutoDetect\":false}
|
||||
```
|
||||
|
||||
When configuring this during custom image generation, use `setting-scope=machine` to ensure the proxy settings persist after reboots and during VM imaging.
|
||||
|
||||
### Making proxy settings persistent
|
||||
|
||||
When setting these environment variables during custom image generation, ensure the configuration persists across reboots or image rebuilds.
|
||||
|
||||
#### Linux and macOS
|
||||
|
||||
Write the variables to `/etc/environment`.
|
||||
|
||||
```shell
|
||||
echo 'http_proxy=http://proxy.local' >> /etc/environment
|
||||
```
|
||||
|
||||
#### Windows
|
||||
|
||||
Set the system-wide environment variables.
|
||||
|
||||
```shell copy
|
||||
[Environment]::SetEnvironmentVariable("http_proxy", "http://proxy.local", "Machine")
|
||||
```
|
||||
|
||||
## Configuring a proxy for Azure runners
|
||||
|
||||
If your runner is hosted in Azure, either as a self-hosted runner or a GitHub-hosted larger runner deployed with private networking, you may need to configure a proxy to allow outbound connectivity to GitHub services while maintaining network isolation.
|
||||
|
||||
You should add Azure metadata and management IPs to your `no_proxy` list to ensure the runner can access required Azure services. These endpoints allow Azure VMs to retrieve configuration and identity information needed for proper operation.
|
||||
|
||||
The two Azure IPs are:
|
||||
* 168.63.129.16 (see [Azure IP address 168.63.129.16 overview](https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16?tabs=linux&utm_source=docs-microsoft-proxy-servers&utm_medium=docs&utm_campaign=universe25))
|
||||
* 169.254.169.254 (see [Azure Instance Metadata Service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux&utm_source=docs-microsoft-proxy-servers&utm_medium=docs&utm_campaign=universe25))
|
||||
|
||||
## Using a .env file to set the proxy configuration
|
||||
|
||||
> [!NOTE]
|
||||
> Using a `.env` file to set the proxy configuration cannot be done on a GitHub-hosted runner.
|
||||
|
||||
On self-hosted runners, you can configure proxy settings by adding the variables to a `.env` file in the self-hosted runner application directory (the directory where you downloaded and unpacked the runner software). This approach is useful when the runner is configured to run as a service under a system account. When the runner starts, it reads the variables set in `.env` for the proxy configuration.
|
||||
|
||||
### Example `.env` proxy configuration
|
||||
|
||||
```shell copy
|
||||
https_proxy=http://proxy.local:8080
|
||||
no_proxy=example.com,myserver.local:443
|
||||
```
|
||||
|
||||
## Setting proxy configuration for Docker containers
|
||||
|
||||
If you use Docker container actions or service containers in your workflows, you might also need to configure Docker to use your proxy server in addition to setting the above environment variables.
|
||||
|
||||
For information on the required Docker configuration, see [Configure Docker to use a proxy server](https://docs.docker.com/network/proxy/?utm_source=docs-microsoft-proxy-servers&utm_medium=docs&utm_campaign=universe25) in the Docker documentation.
|
||||
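Review bot: the netsh link in the Windows section is malformed: `.../winhttp/netsh-exe-commands&utm_source=docs-microsoft-proxy-servers...#set-advproxy` starts its tracking parameters with `&` where the other Microsoft and Docker links in this file use `?`, so the `&utm_source=...` text becomes part of the path; change the first `&` to `?`. Under "Making proxy settings persistent", both examples persist only `http_proxy`, although the table lists `https_proxy` for HTTPS traffic and the Azure section depends on `no_proxy`; show all three, and add `copy` to the Linux fence to match the others. Because the table allows `http://username:password@proxy.local`, that section should also say that a value written to `/etc/environment` or to a `Machine`-scope variable is readable by every process on the runner, workflow jobs included.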
@@ -44,6 +44,26 @@ Workflow logs list the runner used to run a job. For more information, see [AUTO
|
||||
|
||||
{% data reusables.actions.macos-runner-limitations %}
|
||||
|
||||
### Single-CPU runners
|
||||
|
||||
> [!NOTE]
|
||||
> * Single-CPU runners are in {% data variables.release-phases.public_preview %} and subject to change.{% ifversion ghec %}
|
||||
> * Single-CPU runners are not available in {% data variables.product.prodname_ghe_cloud %} with Data Residency (`ghe.com`).
|
||||
|
||||
{% endif %}
|
||||
|
||||
Single-CPU {% data variables.product.github %}-hosted runners are available in both public and private repositories. These runners—specified using the workflow label `ubuntu-slim`—offer a lower-cost option for running lightweight operations. This type of runner is optimized for automation tasks, issue operations and short-running jobs. They are not suitable for typical heavyweight CI/CD builds.
|
||||
|
||||
`ubuntu-slim` runners execute Actions workflows in Ubuntu Linux, inside a container rather than a full VM instance. When the job begins, {% data variables.product.github %} automatically provisions a new container for that job. All steps in the job execute in the container, allowing the steps in that job to share information using the runner's file system. When the job has finished, the container is automatically decommissioned. Each container provides hypervisor level 2 isolation.
|
||||
|
||||
A minimal set of tools is installed on the `ubuntu-slim` runner image, appropriate for lightweight tasks.
|
||||
|
||||
#### Usage limits
|
||||
|
||||
Single-CPU runners follow the same concurrency model as other {% data variables.product.github %}-hosted standard runners. See [AUTOTITLE](/actions/reference/limits#job-concurrency-limits-for-github-hosted-runners). The concurrency for the runners is determined by your plan.
|
||||
|
||||
The job timeout for single-CPU runners is 15 minutes. If a job reaches this limit, the job is terminated and fails.
|
||||
|
||||
### {% data variables.actions.hosted_runner_caps %}s
|
||||
|
||||
{% data reusables.actions.about-larger-runners %}
|
||||
|
||||
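Review bot: "Each container provides hypervisor level 2 isolation" at the end of the `ubuntu-slim` paragraph is a security claim that readers cannot evaluate as written, since "hypervisor level 2" is not defined here or linked. State what the boundary is (for example, whether each job container runs in its own virtual machine or shares a kernel with other jobs) or link to the page that defines the term, because the same paragraph says these jobs run "inside a container rather than a full VM instance". Also, the `{% ifversion ghec %}` opened inside the `> [!NOTE]` block is closed by an `{% endif %}` outside it; moving the `{% endif %}` onto the last quoted line keeps the conditional within the note.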
@@ -234,6 +234,27 @@ on:
|
||||
gollum
|
||||
```
|
||||
|
||||
## image_version_ready
|
||||
|
||||
| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
|
||||
|----------------------| -------------- | ------------ | -------------|
|
||||
| Not applicable | Not applicable | Last commit on default branch | Default branch |
|
||||
|
||||
Runs your workflow when a new version of a specified image becomes available for use. This event is typically triggered after a successful image version creation, allowing you to automate actions such as deployment or notifications in response to new image versions.
|
||||
|
||||
This event supports glob patterns for both image names and versions. The example below triggers when a new image version matches any of the specified name and version combinations. For example, `["MyNewImage", 1.0.0]`, `["MyNewImage", 2.53.0]`, `["MyOtherImage", 1.0.0]`, and `["MyOtherImage", 2.0.0]`.
|
||||
|
||||
```yaml
|
||||
on:
|
||||
image_version:
|
||||
names:
|
||||
- "MyNewImage"
|
||||
- "MyOtherImage"
|
||||
versions:
|
||||
- 1.*
|
||||
- 2.*
|
||||
```
|
||||
|
||||
## `issue_comment`
|
||||
|
||||
| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
|
||||
|
||||
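Review bot: the new heading names the event `image_version_ready`, but the YAML example under it triggers on `image_version:`; one of the two is wrong, and a reader copying the example will use whichever key is shown, so make the heading and the `on:` key agree. The heading is also missing the backticks that the neighbouring `issue_comment` heading uses. In the `versions:` list, quoting the glob patterns (`"1.*"`, `"2.*"`) the way the `names:` entries are quoted would keep the example consistent.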
@@ -383,6 +383,14 @@ env:
|
||||
|
||||
{% data reusables.actions.jobs.choosing-runner-group %}
|
||||
|
||||
{% ifversion not ghes %}
|
||||
|
||||
## `jobs.<job_id>.snapshot`
|
||||
|
||||
{% data reusables.actions.jobs.choosing-runner-custom-images %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
## `jobs.<job_id>.environment`
|
||||
|
||||
{% data reusables.actions.jobs.section-using-environments-for-jobs %}
|
||||
|
||||
@@ -18,43 +18,7 @@ redirect_from:
|
||||
allowTitleToDifferFromFilename: true
|
||||
---
|
||||
|
||||
## Use organizations for work or governance
|
||||
|
||||
There are two main models of using organizations:
|
||||
|
||||
* **Group related work projects**: Group repositories for a specific application and related services. Teams that work on that application will then be able to communicate effectively and contribute across the different repositories.
|
||||
* **Group similar governance requirements**: Group repositories that require similar policies, security settings, or access restrictions. You will be able to apply the necessary settings to the organization at scale. For example, if you have highly confidential work projects or a specific data classification, group these in an organization where only a limited number of people have access.
|
||||
|
||||
## Create organizations intentionally
|
||||
|
||||
Creating organizations is a balance. While {% data variables.product.company_short %} continues to make organization management more scalable, you should be intentional about why you create an organization. It's always easier to add organizations than to remove them.
|
||||
|
||||
Don't try to fit unnatural pieces of your company together into a single large organization. The administrative features of an enterprise account allow you to automate processes, manage access, and apply policies across multiple organizations at once. However, there are tradeoffs of segregating work into many different organizations:
|
||||
|
||||
* It's easier for people to communicate within one organization, as @-mentions only work between members of the same organization.
|
||||
* It's easier for people to find resources in one organization, as there's only one place to search.
|
||||
|
||||
You may want to start with a small number of organizations as you develop your strategy. After you build confidence in what works well for your business, you can create additional organizations as the need arises.
|
||||
|
||||
You should regularly evaluate your strategies for access, governance, and organization of work. Cleaning up legacy organizations is a part of that process.
|
||||
|
||||
{% ifversion enterprise-teams %}
|
||||
|
||||
## Use teams to organize people
|
||||
|
||||
>[!NOTE] Enterprise teams are in public preview and subject to change.
|
||||
|
||||
Enterprise teams are the best way to control access and permissions at scale. Create teams and manage their membership as your primary means of performing actions like adding users to organizations, granting licenses, and delegating access to enterprise settings.
|
||||
|
||||
When you use teams in this way, controlling membership of teams is a sensitive action. Limit the permission to control teams and their membership to a small number of people. If you use an external identity provider (IdP), sync teams to IdP groups so that team membership can be controlled by a central administrator.
|
||||
|
||||
Use roles to delegate administrative duties to teams. This allows you to limit the number of enterprise owners in your company and give people just the permissions they need to do their jobs effectively. For example, a team of auditors can receive access to the enterprise audit log without being able to access any other settings.
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Collaborate in organization-owned repositories
|
||||
|
||||
We recommend collaborating in organization-owned repositories whenever possible and minimizing collaboration in user-owned repositories. Organization-owned repositories have more sophisticated security and administrative features, and they remain accessible even as enterprise membership changes.
|
||||
{% data reusables.enterprise-onboarding.best-practices %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
|
||||
|
||||
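Review bot: the `{% ifversion enterprise-teams %}` gate around "Use teams to organize people" needs to survive the move into `{% data reusables.enterprise-onboarding.best-practices %}`; a reusable rendered on another page would otherwise show enterprise-teams guidance for versions without the feature. The note in that block hard-codes "public preview", where other pages in this change use `{% data variables.release-phases.public_preview %}`; use the variable in the reusable.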
@@ -12,31 +12,7 @@ redirect_from:
|
||||
contentType: concepts
|
||||
---
|
||||
|
||||
## What are roles?
|
||||
|
||||
Roles allow you to delegate administrative duties and manage access securely at every level of your enterprise.
|
||||
|
||||
A role is a **set of permissions** that you can assign to individuals or teams. A permission is the ability to perform a specific action, such as changing billing settings.
|
||||
|
||||
A user in an enterprise has roles for both the enterprise account and organizations where they have access.
|
||||
|
||||
* The enterprise-level roles define the user's access to enterprise settings.
|
||||
* Organization-level roles define the user's access to organization settings and repositories in an organization.
|
||||
|
||||
## Predefined and custom roles
|
||||
|
||||
Organization and enterprise roles can be **predefined** or **custom**. Enterprise custom roles are in {% data variables.release-phases.public_preview %}.
|
||||
|
||||
* Predefined roles, such as enterprise owner, organization owner, or billing manager, are available for all accounts. They grant a predefined set of permissions to users or teams and may contain more permissions than someone needs to do their job.
|
||||
* Custom roles include your choice of fine-grained permissions. They can include access to account settings and (for organization custom roles) repository access, allowing you to provide teams with just the access they need to do their jobs. For example, you could allow a team to view your enterprise's audit logs without allowing them to change any settings.
|
||||
|
||||
To follow the principle of least privilege access, we recommend using custom roles if they allow for the permissions you require. However, not all capabilities of predefined roles can currently be replicated in custom roles.
|
||||
|
||||
## Who manages roles?
|
||||
|
||||
Enterprise owners can create custom enterprise roles and assign enterprise roles to users and teams. They can also create custom organization roles to be used across organizations, but these roles can only be assigned by organization owners.
|
||||
|
||||
Organization owners can grant organization roles and create custom organization roles, but cannot edit roles or change role assignments that are defined at the enterprise level.
|
||||
{% data reusables.enterprise-onboarding.about-roles %}
|
||||
|
||||
## Next steps
|
||||
|
||||
|
||||
@@ -12,56 +12,7 @@ redirect_from:
|
||||
contentType: concepts
|
||||
---
|
||||
|
||||
## What are teams?
|
||||
|
||||
Teams are **groups of users** in an enterprise or organization. By creating teams, you can manage users at scale and simplify access, licensing, and communication. For example, you could create an auditor team for users who need access to audit logs, or a {% data variables.product.prodname_copilot_short %} team for users who receive {% data variables.product.prodname_copilot_short %} licenses.
|
||||
|
||||
**Enterprise teams** are managed at the enterprise level and can include users from across the enterprise and its organizations. With enterprise teams, you can centralize administration and manage organization access, roles, and licensing at scale.
|
||||
|
||||
**Organization teams** are managed at the organization level and can only include members of a single organization. There are certain features of organization teams that are not currently supported for enterprise teams, such as CODEOWNER status.
|
||||
|
||||
>[!NOTE] Enterprise teams are in public preview and subject to change.
|
||||
|
||||
## Can I manage teams from an identity provider?
|
||||
|
||||
If you have integrated {% data variables.product.github %} with an identity provider (IdP), you can link teams on {% data variables.product.github %} with groups in your IdP. When membership of the IdP group changes, the change is reflected in the {% data variables.product.github %} team, allowing you to centralize access management.
|
||||
|
||||
The capabilities of this feature depend on whether you use {% data variables.product.prodname_emus %} or personal accounts.
|
||||
|
||||
### {% data variables.product.prodname_emus %}
|
||||
|
||||
You can make changes to IdP groups to manage repository access, add or remove users from organizations, or grant or remove {% data variables.product.prodname_copilot %} licenses. For example, if a new user is added to an IdP group that is linked to a team with access to an organization, the user receives access to that organization. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups#about-team-management-with-enterprise-managed-users).
|
||||
|
||||
This feature is available with both enterprise and organization teams.
|
||||
|
||||
### Personal accounts
|
||||
|
||||
Team synchronization allows you to centrally manage any privileges linked to an organization team, such as repository access and CODEOWNER status. However, team sync cannot be used to add users to organizations where they don't already have access. For more information, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise).
|
||||
|
||||
Team sync with personal accounts is only available with organization teams, and you must use Entra ID or Okta as an IdP.
|
||||
|
||||
## What kind of team should I use?
|
||||
|
||||
To simplify administration at scale, {% data variables.product.company_short %} recommends using enterprise teams for any use cases that apply to the enterprise account or to multiple organizations. Organization teams are useful when the need for the team is scoped to a single organization and the team can be managed by an organization administrator.
|
||||
|
||||
You may need to create organization teams if the functionality you need is not covered by enterprise teams. {% data variables.product.company_short %} plans to address some limitations in the near future.
|
||||
|
||||
{% data reusables.enterprise.enterprise-teams-can %}
|
||||
|
||||
However, unlike organization teams, enterprise teams currently do **not** support:
|
||||
|
||||
* `@-mentions` of the team name in organizations
|
||||
* Review requests of the team in pull requests
|
||||
* Adding the team to a project board
|
||||
* Team sync if you use {% data variables.product.prodname_ghe_cloud %} with personal accounts
|
||||
* CODEOWNER status
|
||||
* Secret teams
|
||||
* Nested teams
|
||||
* Team maintainers
|
||||
|
||||
{% data reusables.enterprise.enterprise-teams-limits %}
|
||||
|
||||
For more information about the capabilities of organization teams, see [AUTOTITLE](/organizations/organizing-members-into-teams/about-teams).
|
||||
{% data reusables.enterprise-onboarding.about-teams %}
|
||||
|
||||
## Next steps
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Identity and access management
|
||||
shortTitle: Identity and access management
|
||||
intro: 'Learn the concepts around identity and access management (IAM) for {% data variables.location.product_location %}, including authentication, authorization, {% ifversion ghec %}Enterprise Managed Users, {% endif %}and user management.'
|
||||
intro: Learn the concepts around identity and access management (IAM) for {% data variables.location.product_location %}, including authentication, authorization, {% ifversion ghec %}Enterprise Managed Users, {% endif %}and user management.
|
||||
versions:
|
||||
ghes: '*'
|
||||
ghec: '*'
|
||||
@@ -9,7 +9,7 @@ topics:
|
||||
- Enterprise
|
||||
children:
|
||||
- /identity-and-access-management-fundamentals
|
||||
- /enterprise-types-for-github-enterprise-cloud
|
||||
- /enterprise-managed-users
|
||||
contentType: concepts
|
||||
---
|
||||
|
||||
|
||||
@@ -23,39 +23,7 @@ topics:
|
||||
- Security
|
||||
---
|
||||
|
||||
## What are audit logs?
|
||||
|
||||
> [!NOTE]
|
||||
> {% data reusables.webhooks.webhooks-as-audit-log-alternative %}
|
||||
|
||||
{% data reusables.audit_log.retention-periods %}
|
||||
|
||||
{% data reusables.audit_log.audit-log-search-list-info-about-action %}
|
||||
|
||||
{% ifversion ghes %}Site administrators can review the audit log for an instance, which contains a wider range of events including system administrative events. To access the instance-level audit log:
|
||||
|
||||
{% data reusables.enterprise_site_admin_settings.access-settings %}
|
||||
1. In the left menu, click **Audit log**.{% endif %}
|
||||
|
||||
In addition to viewing your audit log, you can monitor activity in your enterprise in other ways, such as {% ifversion ghes %}viewing push logs and {% endif %}managing global webhooks. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity). You can also use the audit log, and other tools, to monitor the actions taken in response to security alerts. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts).
|
||||
|
||||
## How to use audit logs
|
||||
|
||||
As an enterprise owner{% ifversion ghes %} or site administrator{% endif %}, you can interact with the audit log data for your enterprise in several ways:
|
||||
* You can view the audit log for your enterprise. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise).
|
||||
* You can search the audit log for specific events{% ifversion ghec %} and export audit log data{% endif %}. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise){% ifversion ghec %} and [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise){% endif %}.
|
||||
* You can identify all events that were performed by a specific access token. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token).{% ifversion ghes %}
|
||||
* You can configure settings, such as the retention period for audit log events and whether Git events are included. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/configuring-the-audit-log-for-your-enterprise).{% endif %}
|
||||
{%- ifversion enterprise-audit-log-ip-addresses %}
|
||||
* You can display the IP address associated with events in the audit log. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise).
|
||||
{%- endif %}
|
||||
* You can stream audit and Git events data from {% data variables.product.prodname_dotcom %} to an external data management system. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise).
|
||||
{%- ifversion ghes %}
|
||||
* You can forward audit and system logs, from your enterprise to an third-party hosted monitoring system. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity/log-forwarding).
|
||||
{%- endif %}
|
||||
* You can use the Audit log API to view actions performed in your enterprise. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise).
|
||||
|
||||
For a full list of audit log actions that may appear in your enterprise audit log, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise).
|
||||
{% data reusables.enterprise-onboarding.about-audit-logs %}
|
||||
|
||||
## Further reading
|
||||
|
||||
|
||||
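Review bot: the version gates in the "How to use audit logs" list (`{% ifversion ghes %}`, `{% ifversion ghec %}`, `{%- ifversion enterprise-audit-log-ip-addresses %}`) must be preserved in `reusables.enterprise-onboarding.about-audit-logs`, otherwise GHES-only items such as log forwarding and retention configuration would appear for cloud readers. While moving the text, fix the log-forwarding bullet: "forward audit and system logs, from your enterprise to an third-party hosted monitoring system" should read "forward audit and system logs from your enterprise to a third-party hosted monitoring system".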
@@ -16,11 +16,7 @@ redirect_from:
|
||||
|
||||
## What are enterprise policies and why are they important?
|
||||
|
||||
To help you enforce business rules and regulatory compliance, policies provide a single point of management for all the organizations owned by an enterprise account.
|
||||
|
||||
{% data reusables.enterprise.about-policies %}
|
||||
|
||||
For example, with the "Base permissions" policy, you can allow organization owners to configure the "Base permissions" policy for their organization, or you can enforce a specific base permissions level, such as "Read", for all organizations within the enterprise.
|
||||
{% data reusables.enterprise-onboarding.about-policies %}
|
||||
|
||||
## What are the steps to enforce enterprise policies?
|
||||
|
||||
|
||||
@@ -1,72 +0,0 @@
|
||||
---
|
||||
title: About enterprise accounts for Copilot Business
|
||||
intro: 'Learn about the options for creating an enterprise account to manage {% data variables.copilot.copilot_business_short %} licenses, without adopting {% data variables.product.prodname_enterprise %}.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Accounts
|
||||
- Enterprise
|
||||
- Fundamentals
|
||||
shortTitle: About the account
|
||||
redirect_from:
|
||||
- /early-access/copilot/managing-copilot-business-licenses-with-an-enterprise-account
|
||||
---
|
||||
|
||||
<!-- expires 2025-10-28 -->
|
||||
<!-- Part of the Copilot direct licensing rollout -->
|
||||
<!-- Expired content will be addressed by the Drivers team -->
|
||||
|
||||
{% data reusables.copilot.cb-only-self-serve %}
|
||||
|
||||
<!-- end expires 2025-10-28 -->
|
||||
|
||||
## What is an enterprise account for {% data variables.copilot.copilot_business_short %}?
|
||||
|
||||
To use {% data variables.product.prodname_copilot %}, a user must authenticate to an account on {% data variables.product.prodname_dotcom %} that has a license for {% data variables.product.prodname_copilot_short %}. Organizations and enterprises on {% data variables.product.prodname_dotcom %} can manage members' access to {% data variables.product.prodname_copilot_short %} through a {% data variables.copilot.copilot_business_short %} subscription.
|
||||
|
||||
If you don't already manage users through an organization or enterprise, you can create an enterprise account specifically for allocating {% data variables.copilot.copilot_business_short %} licenses.
|
||||
|
||||
* You'll only pay for the {% data variables.product.prodname_copilot_short %} licenses you assign. For pricing, see [AUTOTITLE](/billing/concepts/product-billing/github-copilot-licenses#licenses-for-github-copilot).
|
||||
* You won't pay for {% data variables.product.prodname_enterprise %} seats.
|
||||
* You won't be able to create organizations or repositories in the enterprise, or use features that require repositories or organizations, such as {% data variables.product.prodname_actions %}.
|
||||
|
||||
When you create the account, you can choose whether your enterprise members will authenticate using their personal {% data variables.product.company_short %} accounts, or using new accounts that you will create and manage from an external identity management system. For a comparison, see [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/choosing-an-enterprise-type-for-github-enterprise-cloud).
|
||||
|
||||
## How will I manage access for users?
|
||||
|
||||
How you will add users to your enterprise and manage license assignment depends on whether you choose an enterprise with personal accounts or with {% data variables.product.prodname_emus %}.
|
||||
|
||||
### Personal accounts
|
||||
|
||||
If you request an enterprise with personal accounts:
|
||||
|
||||
* You'll **add users** to the enterprise by sending an invitation to their personal {% data variables.product.prodname_dotcom %} account.
|
||||
* You'll **create teams** in the enterprise to manage which users receive {% data variables.copilot.copilot_business_short %} licenses. You can manage membership of the teams on {% data variables.product.prodname_dotcom %} or with the REST API.
|
||||
* When users receive a license, they can authenticate to {% data variables.product.prodname_dotcom %} from their development environment and **gain access** to {% data variables.product.prodname_copilot_short %}.
|
||||
* Optionally, you can configure **SAML single sign-on** (SSO), so that users must authenticate to an external identity system in addition to their personal account.
|
||||
|
||||
### {% data variables.product.prodname_emus %}
|
||||
|
||||
If you request an {% data variables.enterprise.prodname_emu_enterprise %}:
|
||||
|
||||
* You'll **add users** to the enterprise by provisioning {% data variables.enterprise.prodname_managed_users %} from an identity provider (IdP), using SCIM.
|
||||
* You'll **create teams** in the enterprise to manage which users receive {% data variables.copilot.copilot_business_short %} licenses. You can manage membership of the teams from your IdP, on {% data variables.product.prodname_dotcom %}, or with the REST API.
|
||||
* When users receive a license, they can use single sign-on to authenticate to their {% data variables.product.prodname_dotcom %} account from their development environment and **gain access** to {% data variables.product.prodname_copilot_short %}.
|
||||
|
||||
## Limitations
|
||||
|
||||
* You will not be able to use REST API endpoints that require an organization. In particular, these include:
|
||||
* [List enterprise consumed licenses](/rest/enterprise-admin/license#list-enterprise-consumed-licenses)
|
||||
* [AUTOTITLE](/rest/orgs/members)
|
||||
* [AUTOTITLE](/rest/copilot/copilot-user-management)
|
||||
* Documentation on {% data variables.product.prodname_docs %} may not apply to your enterprise.
|
||||
* With an enterprise for personal accounts, you cannot use team synchronization to manage membership of enterprise teams.
|
||||
|
||||
## Getting started
|
||||
|
||||
To get started, you will work with {% data variables.contact.contact_enterprise_sales %} to create an enterprise account, then add users to your enterprise and assign {% data variables.copilot.copilot_business_short %} licenses.
|
||||
|
||||
See the setup guide for your chosen type of enterprise.
|
||||
|
||||
* [AUTOTITLE](/admin/copilot-business-only/setting-up-a-dedicated-enterprise-for-copilot-business-personal-accounts)
|
||||
* [AUTOTITLE](/admin/copilot-business-only/setting-up-a-dedicated-enterprise-for-copilot-business-managed-users)
|
||||
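Review bot: The "Limitations" section deleted with this file records that REST API endpoints requiring an organization (consumed licenses, organization members, Copilot user management) are unavailable to these enterprises and that team synchronization cannot manage enterprise team membership with personal accounts; if those constraints still hold, confirm they are documented in whichever article replaces this one. The frontmatter's `redirect_from` entry for `/early-access/copilot/managing-copilot-business-licenses-with-an-enterprise-account` also goes away with the file, so that path needs a new target.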
@@ -1,11 +0,0 @@
|
||||
---
|
||||
title: Using a dedicated enterprise account for Copilot Business
|
||||
intro: Get started with an enterprise account for managing {% data variables.copilot.copilot_business_short %} licenses.
|
||||
versions:
|
||||
ghec: '*'
|
||||
children:
|
||||
- /about-enterprise-accounts-for-copilot-business
|
||||
- /setting-up-a-dedicated-enterprise-for-copilot-business-personal-accounts
|
||||
- /setting-up-a-dedicated-enterprise-for-copilot-business-managed-users
|
||||
shortTitle: Copilot Business only
|
||||
---
|
||||
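Review bot: Deleting this index removes the `copilot-business-only` tree that the three `children` entries live under, and no hunk visible here adds a redirect for those paths. Add `redirect_from` entries on the replacement articles for the index and each child, otherwise existing links such as `/admin/copilot-business-only/about-enterprise-accounts-for-copilot-business` will break.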
@@ -1,103 +0,0 @@
|
||||
---
|
||||
title: Setting up a dedicated enterprise for Copilot Business ({% data variables.product.prodname_emus %})
|
||||
intro: 'Set up your account, provision users, and assign licenses.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Accounts
|
||||
- Enterprise
|
||||
- Fundamentals
|
||||
shortTitle: Set up with managed users
|
||||
allowTitleToDifferFromFilename: true
|
||||
redirect_from:
|
||||
- /early-access/copilot/using-copilot-business-without-github-enterprise-managed-users
|
||||
|
||||
---
|
||||
|
||||
<!-- expires 2025-10-28 -->
|
||||
<!-- Part of the Copilot direct licensing rollout -->
|
||||
<!-- Expired content will be addressed by the Drivers team -->
|
||||
|
||||
{% data reusables.copilot.cb-only-self-serve %}
|
||||
|
||||
<!-- end expires 2025-10-28 -->
|
||||
|
||||
This article describes the setup for an **enterprise with managed users**. If you haven't chosen an enterprise type, see [AUTOTITLE](/admin/copilot-business-only/about-enterprise-accounts-for-copilot-business).
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* To provision users, you must connect the enterprise account to an identity management system. {% data variables.product.company_short %} partners with some developers of identity management systems to provide a "paved-path" integration with {% data variables.product.prodname_emus %}. Alternatively, you can use any system, or combination of systems, that conforms to SAML 2.0 and SCIM 2.0. However, support for resolving problems with these systems may be limited. See [AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems).
|
||||
{% data reusables.copilot-business-for-non-ghe.prerequisites %}
|
||||
|
||||
## Requesting an enterprise account
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.request-access %}
|
||||
|
||||
After we create your enterprise, you will receive an email inviting you to choose a password for the setup user, which is used to configure authentication and provisioning. The username is your enterprise's shortcode suffixed with `_admin`, for example `fabrikam_admin`. Make sure to open the password reset link using an **incognito or private browsing window**. The link can only be opened once and if done incorrectly you will need to contact {% data variables.contact.github_support %} to send you a new link.
|
||||
|
||||
>[!NOTE] {% data reusables.enterprise-accounts.emu-password-reset-session %}
|
||||
|
||||
## Adding users to the enterprise
|
||||
|
||||
To provision user accounts through your IdP, you'll need to **configure your IdP** by completing the following steps.
|
||||
|
||||
### Step 1: Configure authentication
|
||||
|
||||
To manage single sign-on (SSO) for users, you must connect your IdP to your enterprise account. You can use:
|
||||
* **SAML** with Entra ID, Okta, or PingFederate. For instructions, see [AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users).
|
||||
* **OIDC** with Entra ID. For instructions, see [AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/configuring-oidc-for-enterprise-managed-users).
|
||||
|
||||
### Step 2: Configure SCIM provisioning
|
||||
|
||||
To provision accounts from your IdP, you must configure SCIM provisioning. For instructions, see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users).
|
||||
|
||||
If you want to manage membership of teams from your IdP, you must assign the relevant identity groups to the {% data variables.product.prodname_emu_idp_application %} application on your IdP.
|
||||
|
||||
### Step 3: Assign an enterprise owner
|
||||
|
||||
After you configure authentication and provisioning with your IdP, grant one or more users the enterprise owner role. Enterprise owners can enable {% data variables.product.prodname_copilot_short %} for the enterprise and manage which users receive licenses. For instructions, see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users#assigning-users-and-groups).
|
||||
|
||||
You can also grant the billing manager role. A billing manager can view the assigned licenses for an enterprise, but cannot assign licenses or manage enterprise teams.
|
||||
|
||||
## Adding a payment method
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.add-payment-method %}
|
||||
|
||||
## Enabling {% data variables.product.prodname_copilot_short %} for the enterprise
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.enable-copilot %}
|
||||
|
||||
## Assigning licenses to users
|
||||
|
||||
When {% data variables.product.prodname_copilot_short %} has been enabled for the enterprise, an **enterprise owner** can create teams in the enterprise and assign licenses to a team.
|
||||
|
||||
* You will grant or remove licenses for users by managing membership of the teams, either from your IdP, directly in {% data variables.product.prodname_dotcom %}, or with the REST API.
|
||||
* You cannot assign licenses to individual users or to an entire enterprise.
|
||||
* To manage membership from your IdP, ensure the relevant identity groups have been assigned to the {% data variables.product.prodname_emu_idp_application %} application in your IdP and pushed to {% data variables.product.prodname_dotcom %} via SCIM.
|
||||
|
||||
The same user can be a member of multiple teams. You will only be charged once per user.
|
||||
|
||||
### Creating a team
|
||||
|
||||
> [!NOTE] You can create teams and manage membership using the REST API. For endpoint documentation, please contact your account manager.
|
||||
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. Under "People", click **Enterprise teams**.
|
||||
1. Click **New enterprise team**.
|
||||
1. Enter a name for the team.
|
||||
1. Optionally, to sync the team with an identity group and manage membership from your IdP, under "Identity Provider Group", select a group from the dropdown menu. If you leave this dropdown menu empty, you will manage membership of the team directly.
|
||||
1. Click **Create team**.
|
||||
1. Add users to the team:
|
||||
|
||||
* If you linked the team to an IdP group, add users to the related group in your IdP.
|
||||
* If you are managing team membership directly, on the team page, click **Add a member**, then search for and select the user. For information about how {% data variables.product.company_short %} generates usernames for users provisioned from an IdP, see [AUTOTITLE](/admin/identity-and-access-management/iam-configuration-reference/username-considerations-for-external-authentication#about-usernames-for-managed-user-accounts).
|
||||
|
||||
### Assigning licenses to a team
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.assign-licenses %}
|
||||
|
||||
> [!NOTE] If you manage team membership from Entra ID, addition or removal of a user from a team on {% data variables.product.prodname_dotcom %} may take up to 40 minutes. After Entra ID communicates with {% data variables.product.prodname_dotcom %}, the change will take effect after {% data variables.product.prodname_dotcom %} prompts the user to authenticate.
|
||||
|
||||
## Managing your enterprise
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.manage-your-enterprise %}
|
||||
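Review bot: The Entra ID note under "Assigning licenses to a team" tells administrators that a team membership change may take up to 40 minutes and only takes effect after the user is prompted to authenticate, which matters when a license is being removed during offboarding; make sure the replacement content keeps that timing. The same applies to the "Requesting an enterprise account" guidance that the setup user's password reset link can only be opened once and should be opened in an incognito or private browsing window.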
@@ -1,87 +0,0 @@
|
||||
---
|
||||
title: Setting up a dedicated enterprise for Copilot Business (personal accounts)
|
||||
intro: 'Set up your account, provision users, and assign licenses.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Accounts
|
||||
- Enterprise
|
||||
- Fundamentals
|
||||
shortTitle: Set up with personal accounts
|
||||
redirect_from:
|
||||
- /early-access/copilot/using-copilot-business-without-github-enterprise-personal-accounts
|
||||
---
|
||||
|
||||
<!-- expires 2025-10-28 -->
|
||||
<!-- Part of the Copilot direct licensing rollout -->
|
||||
<!-- Expired content will be addressed by the Drivers team -->
|
||||
|
||||
{% data reusables.copilot.cb-only-self-serve %}
|
||||
|
||||
<!-- end expires 2025-10-28 -->
|
||||
|
||||
This article describes the setup for an **enterprise with personal accounts**. If you haven't chosen an enterprise type, see [AUTOTITLE](/admin/copilot-business-only/about-enterprise-accounts-for-copilot-business).
|
||||
|
||||
## Prerequisites
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.prerequisites %}
|
||||
|
||||
## Requesting an enterprise account
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.request-access %}
|
||||
|
||||
## Adding users to the enterprise
|
||||
|
||||
After you invite someone to join the enterprise account, they must accept the emailed invitation before they can access the enterprise account. Pending invitations will expire after 7 days.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. Under "People", click **Members**.
|
||||
1. Click **Invite member**.
|
||||
1. Search for the user you want to invite, then click **Invite**.
|
||||
|
||||
### Inviting an enterprise owner
|
||||
|
||||
You can also invite a user as an enterprise owner. Enterprise owners can grant access to {% data variables.product.prodname_copilot %} and set policies for the enterprise. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#inviting-an-enterprise-administrator-to-your-enterprise-account).
|
||||
|
||||
You can also invite a user as a billing manager. A billing manager can view the assigned licenses for an enterprise, but cannot assign licenses or manage enterprise teams.
|
||||
|
||||
### Configuring SAML authentication
|
||||
|
||||
You can configure SAML single sign-on to require users to authenticate to an external identity management system in addition to their personal account. See [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise).
|
||||
|
||||
## Adding a payment method
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.add-payment-method %}
|
||||
|
||||
## Enabling {% data variables.product.prodname_copilot_short %} for the enterprise
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.enable-copilot %}
|
||||
|
||||
## Assigning licenses to users
|
||||
|
||||
When {% data variables.product.prodname_copilot_short %} has been enabled for the enterprise, an **enterprise owner** can create teams in the enterprise and assign licenses to a team.
|
||||
|
||||
* You will grant or remove licenses for users by managing membership of the teams, either in {% data variables.product.prodname_dotcom %} or with the REST API.
|
||||
* You cannot assign licenses to individual users or to an entire enterprise.
|
||||
|
||||
The same user can be a member of multiple teams. You will only be charged once per user.
|
||||
|
||||
### Creating a team
|
||||
|
||||
> [!NOTE] You can create teams and manage membership using the REST API. For endpoint documentation, please contact your account manager.
|
||||
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. Under "People", click **Enterprise teams**.
|
||||
1. Click **New enterprise team**.
|
||||
1. Enter a name for the team.
|
||||
1. Click **Create team**.
|
||||
1. To add users, click **Add a member**, then search for and select the user.
|
||||
|
||||
### Assigning licenses to a team
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.assign-licenses %}
|
||||
|
||||
## Managing your enterprise
|
||||
|
||||
{% data reusables.copilot-business-for-non-ghe.manage-your-enterprise %}
|
||||
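Review bot: With this file and the managed-users file both deleted, the `copilot-business-for-non-ghe.*` reusables referenced here (`prerequisites`, `request-access`, `add-payment-method`, `enable-copilot`, `assign-licenses`, `manage-your-enterprise`) may have no remaining consumers; delete them in the same change or confirm where they are still used. The statement under "Adding users to the enterprise" that pending invitations expire after 7 days should also survive in the replacement article if it still applies.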
@@ -38,7 +38,7 @@ For the purposes outlined in our [Data Protection Agreement](https://github.com/
|
||||
| Information that GitHub needs to administer a paid plan | <ul><li>Contact information</li><li>Billing, purchase, payment, or license information</li></ul> |
|
||||
| Support and feedback data | <ul><li>Support requests or case notes</li><li>Phone conversations</li><li>Online chat sessions</li><li>Remote assistance sessions</li></ul> |
|
||||
| {% data variables.product.prodname_copilot %} data | Data and logs for {% data variables.product.prodname_copilot %} |
|
||||
| {% data variables.product.prodname_secret_scanning_caps %} data | Data for {% data variables.product.prodname_secret_scanning %} validity checks if you have chosen to enable the feature |
|
||||
| {% data variables.product.prodname_secret_scanning_caps %} data | Data for {% data variables.product.prodname_secret_scanning %} validity checks and extended metadata checks if you have chosen to enable these features |
|
||||
|
||||
## Data transfers
|
||||
|
||||
|
||||
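Review bot: In the replacement `prodname_secret_scanning_caps` row, "if you have chosen to enable these features" reads as though both validity checks and extended metadata checks must be enabled before the row applies. Word the condition per feature, for example "for whichever of these features you have enabled".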
@@ -28,7 +28,6 @@ The following features are currently unavailable on {% data variables.enterprise
|
||||
| {% data variables.product.prodname_github_models %} | Currently unavailable | [AUTOTITLE](/github-models/about-github-models) |
|
||||
| macOS runners for {% data variables.product.prodname_actions %} | Currently unavailable. | [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners) |
|
||||
| Maven and Gradle support for {% data variables.product.prodname_registry %} | Currently unavailable. | [AUTOTITLE](/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry) |
|
||||
| {% data variables.product.prodname_secret_scanning_caps %} validity checks for partner patterns | Currently unavailable | [About validity checks](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository#about-validity-checks) |
|
||||
| {% data variables.product.prodname_spark_short %} | Unavailable due to dependency on {% data variables.product.prodname_github_codespaces %} | [AUTOTITLE](/copilot/concepts/spark) |
|
||||
| Some features currently in {% data variables.release-phases.public_preview %} or {% data variables.release-phases.private_preview %} | Certain features that are in a preview phase on {% data variables.product.prodname_dotcom_the_website %} may not be available on {% data variables.enterprise.data_residency_site %} | |
|
||||
|
||||
|
||||
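Review bot: Removing the "validity checks for partner patterns" row (the one line this hunk drops, going by its 7-to-6 line count) tells readers the feature is no longer unavailable on `data_residency_site`; confirm that the "About validity checks" article the row linked to carries no leftover statement of the limitation, so the two pages agree.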
@@ -0,0 +1,33 @@
|
||||
---
|
||||
title: Controlling user offboarding with the unaffiliated users policy
|
||||
allowTitleToDifferFromFilename: true
|
||||
intro: 'Set a policy to determine what happens when a user is removed from every organization in your enterprise.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
permissions: 'Enterprise owners'
|
||||
product: 'Enterprises with personal accounts on {% data variables.product.prodname_dotcom_the_website %}'
|
||||
shortTitle: Control offboarding
|
||||
type: how_to
|
||||
---
|
||||
|
||||
## About the unaffiliated users policy
|
||||
|
||||
By default, when a user loses access to all organizations in your enterprise, the user remains in your enterprise as an unaffiliated user. This can happen when you remove a user from organizations explicitly or remove an organization from your enterprise.
|
||||
|
||||
Unaffiliated users retain team membership, enterprise roles, and {% data variables.product.prodname_copilot %} licenses granted directly from the enterprise account.
|
||||
|
||||
You can set a policy to instead remove users from the enterprise completely when they are removed from every organization. Removed users will lose all privileges and licenses granted from the enterprise. This is useful if you have an offboarding process that depends on removing users from organizations, for example using team synchronization from an identity provider.
|
||||
|
||||
This policy:
|
||||
|
||||
* Applies regardless of how users lose their organization membership (through direct removal, a team, or removing an organization).
|
||||
* Does **not** apply to users with the enterprise owner or enterprise billing manager role. These users remain in the enterprise regardless of their organization membership and the policy setting.
|
||||
|
||||
## Setting the policy
|
||||
|
||||
>[!NOTE] This policy is not available for {% data variables.product.prodname_emus %}.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
1. In the left sidebar, click **{% octicon "shield" aria-hidden="true" aria-label="shield" %} Member privileges**.
|
||||
1. Under "Unaffiliated user", choose your setting for the policy.
|
||||
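Review bot: "About the unaffiliated users policy" does not say what happens to users who are already unaffiliated when an owner switches the setting to removal, which is the first thing an administrator adopting this for offboarding needs to know; state whether the policy applies only to future removals. Two smaller points: in the "This policy:" list, "a team" is unclear as a way of losing organization membership (the preceding paragraph suggests team synchronization is meant), and the final step of "Setting the policy" should name the available settings rather than say "choose your setting". Because enterprise owners and billing managers are exempt, it would also help to say explicitly that offboarding those accounts needs a separate step.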
@@ -16,10 +16,7 @@ topics:
|
||||
|
||||
## Introduction
|
||||
|
||||
You can create rulesets to control how users can interact with code in repositories across your enterprise. You can:
|
||||
|
||||
* Create a **branch or tag ruleset** to control things like who can push commits to a certain branch, how commits must be formatted, or who can delete or rename a tag.
|
||||
* Create a **push ruleset** to block pushes to a private or internal repository and the repository's entire fork network. Push rulesets allow you to block pushes based on file extensions, file path lengths, file and folder paths, and file sizes.
|
||||
{% data reusables.enterprise-onboarding.rulesets-intro %}
|
||||
|
||||
To learn more, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
|
||||
|
||||
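Review bot: Confirm that `enterprise-onboarding.rulesets-intro` still describes both branch or tag rulesets and push rulesets (including that push rulesets block pushes across a repository's entire fork network), because after this hunk "## Introduction" contains only that reusable and the "To learn more" link, and the reusable's text is not part of the visible change.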
@@ -33,7 +30,8 @@ To import a prebuilt ruleset created by {% data variables.product.company_short
|
||||
|
||||
Rulesets allow you to flexibly target the organizations, repositories, and branches where you want rules to apply.
|
||||
|
||||
* To target **organizations**, you can select all, choose from a list, or define a dynamic pattern for organization names using `fnmatch` syntax. For syntax details, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax).
|
||||
* To target **organizations**, you can select all, choose from a list, define a dynamic pattern for organization names using `fnmatch` syntax, or use organization custom properties to dynamically target organizations based on metadata. For syntax details, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax). For information on custom properties, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/custom-properties).
|
||||
|
||||
* Within those organizations, you can target all **repositories**, or target a dynamic list by custom property. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
|
||||
* Within the repositories, you can target certain **branches or tags**: all branches, the default branch, or a dynamic list using `fnmatch` syntax.
|
||||
|
||||
|
||||
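Review bot: In the rewritten **organizations** bullet, "For syntax details, see ..." now follows the custom properties clause, so it is no longer clear that the link is about `fnmatch`; move it next to the `fnmatch` clause or write "For `fnmatch` syntax details". The blank line added after this bullet also separates it from the **repositories** and **branches or tags** bullets, which may render as two lists, so drop it unless the split is intended.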
@@ -33,7 +33,7 @@ shortTitle: Security & analysis
|
||||
|
||||
You can enforce policies to manage the use of security features within organizations owned by your enterprise. You can allow or disallow people with admin access to a repository to enable or disable the security and analysis features.
|
||||
|
||||
Additionally, you can enforce policies for the use of {% data variables.product.prodname_GHAS_cs_or_sp %} in your enterprise's organizations and repositories.
|
||||
Additionally, you can enforce policies for the use of {% data variables.product.prodname_GH_sp_cs_and_cq_or_as %} in your enterprise's organizations and repositories.
|
||||
|
||||
## Enforcing a policy for the availability of {% data variables.product.prodname_AS %} in your enterprise's organizations
|
||||
|
||||
@@ -41,7 +41,7 @@ You are billed for {% data variables.product.prodname_GHAS_cs_and_sp %} products
|
||||
|
||||
You can enforce a policy that controls whether repository administrators are allowed to enable features for {% data variables.product.prodname_AS %} in an organization's repositories. You can configure a policy for all organizations owned by your enterprise account, or for individual organizations that you choose.
|
||||
|
||||
Disallowing {% data variables.product.prodname_GHAS_cs_or_sp %} for an organization prevents repository administrators from enabling {% data variables.product.prodname_GHAS_cs_or_sp %} features for additional repositories, but does not disable the features for repositories where the features are already enabled.
|
||||
Disallowing {% data variables.product.prodname_GH_sp_cs_and_cq_or_as %} for an organization prevents repository administrators from enabling these features for additional repositories, but does not disable the features for repositories where the features are already enabled.
|
||||
|
||||
{% data reusables.enterprise.role-permission-hierarchy %}
|
||||
|
||||
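Review bot: The billing sentence quoted in this hunk's header still uses `prodname_GHAS_cs_and_sp` while the paragraph changed here moves to `prodname_GH_sp_cs_and_cq_or_as`, so adjacent paragraphs in this section may now name different product sets; check whether the billing sentence should be updated in the same change.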
@@ -91,7 +91,7 @@ Across all of your enterprise's organizations, you can allow or disallow people
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
|
||||
{% ifversion ghas-products %}
|
||||
1. In the "Policies" section, under "Repository administrators can enable or disable `PRODUCT`", use the dropdown menu to define whether repository administrators can change the enablement of {% data variables.product.prodname_GHAS_cs_or_sp %}.
|
||||
1. In the "Policies" section, under "Repository administrators can enable or disable `PRODUCT`", use the dropdown menu to define whether repository administrators can change the enablement of {% data variables.product.prodname_GH_sp_cs_and_cq_or_as %}.
|
||||
{% else %}
|
||||
1. In the "{% data variables.product.prodname_GHAS %} policies" section, under "Enable or disable {% data variables.product.prodname_GHAS %} by repository admins", select the dropdown menu and click a policy.
|
||||
{% endif %}
|
||||
@@ -130,11 +130,14 @@ Across all of your enterprise's organizations, you can allow or disallow people
|
||||
|
||||
## Enforcing a policy to manage the use of {% data variables.copilot.copilot_autofix_short %} in your enterprise's repositories
|
||||
|
||||
Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage where {% data variables.copilot.copilot_autofix_short %} is enabled. {% data variables.product.prodname_GH_code_security %} must be enabled for the organization for this policy to take effect.
|
||||
Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage where {% data variables.copilot.copilot_autofix_short %} is enabled for {% data variables.product.prodname_code_security %} results. {% data variables.product.prodname_GH_code_security %} must be enabled for the organization for this policy to take effect.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
|
||||
1. In the "Policies" section, under "{% data variables.copilot.copilot_autofix_short %}", select the dropdown menu and click a policy.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy controls the use of {% data variables.copilot.copilot_autofix_short %} on results found by {% data variables.product.prodname_code_scanning %} security queries only. {% data variables.copilot.copilot_autofix_short %} is an integral part of {% data variables.product.prodname_code_quality %} and cannot be disabled for that feature.
|
||||
|
||||
{% endif %}
|
||||
|
||||
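Review bot: The new sentence uses `prodname_code_security` ("enabled for ... results") while the sentence right after it uses `prodname_GH_code_security` and the added note speaks of `prodname_code_scanning` security queries; pick one way to name the scope so the paragraph and the note say the same thing. The note is also the only place that explains the policy cannot disable `copilot_autofix_short` for `prodname_code_quality`, so consider stating that in the paragraph rather than only after the steps.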
@@ -105,6 +105,28 @@ In the "Runners" section, you can mediate these risks by disabling the use of re
|
||||
|
||||
{% data reusables.actions.disable-selfhosted-runners-note %}
|
||||
|
||||
## Custom images
|
||||
|
||||
In the "Custom images" section, you can control which organizations in your enterprise are allowed to create and manage custom images with the following access policy:
|
||||
|
||||
* **Enable for all organizations**: All organizations, including any created in the future, may use or create custom images.
|
||||
* **Enable for specific organizations**: Only selected organizations may use or create custom images.
|
||||
* **Disable for all organizations**: No organization may use or create custom images.
|
||||
|
||||
### Custom images retention policies
|
||||
|
||||
You can define how long custom image versions are retained and when they become inactive.
|
||||
|
||||
* **Maximum versions per image**: Limits how many versions of each image are retained. When this limit is exceeded, the oldest unused image versions are automatically deleted.
|
||||
* **Default**: 20 versions
|
||||
* **Configurable range**: 1–100 versions
|
||||
* **Unused version retention**: Deletes image versions that have not been used for a specified number of days. Image versions that are assigned to a runner pool but not actively used are also considered unused.
|
||||
* **Default**: 30 days
|
||||
* **Configurable range**: 1–90 days
|
||||
* **Maximum version age**: Disables image versions that were created earlier than the specified number of days. Disabled image versions cannot be used by runners until the policy limit is increased.
|
||||
* **Default**: 60 days
|
||||
* **Configurable range**: 7–90 days
|
||||
|
||||
## {% ifversion ghes %}Artifact, log, and cache settings{% else %}Artifact and log retention{% endif %}
|
||||
|
||||
{% ifversion ghes %}
|
||||
|
||||
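Review bot: The "Custom images" intro says the policy controls which organizations may "create and manage" custom images, but all three options say "use or create", so it is unclear whether disabling the policy also stops an organization's runners from using existing images; align the two wordings. Under "Custom images retention policies", the three limits overlap (unused versions deleted after a default of 30 days, versions disabled after a default of 60 days, oldest unused versions deleted past 20), so add a sentence on how they interact and on what happens when the version cap is exceeded while every version is in use.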
@@ -16,6 +16,7 @@ topics:
|
||||
children:
|
||||
- /enforcing-repository-management-policies-in-your-enterprise
|
||||
- /enforcing-policies-for-projects-in-your-enterprise
|
||||
- /control-offboarding
|
||||
- /restricting-email-notifications-for-your-enterprise
|
||||
- /enforcing-policies-for-github-sponsors-in-your-enterprise
|
||||
- /enforcing-policies-for-security-settings-in-your-enterprise
|
||||
|
||||
@@ -116,7 +116,6 @@ children:
|
||||
- /managing-github-actions-for-your-enterprise
|
||||
- /configuring-packages
|
||||
- /managing-code-security
|
||||
- /copilot-business-only
|
||||
- /guides
|
||||
- /release-notes
|
||||
- /all-releases
|
||||
|
||||
@@ -0,0 +1,47 @@
|
||||
---
|
||||
title: Custom properties
|
||||
intro: 'Custom properties allow you to add structured metadata to repositories and organizations, enabling better organization, governance, and automation across your {% data variables.product.github %} environment.'
|
||||
permissions: 'Repository custom properties can be managed by organization owners and users with admin permissions to the repository. Organization custom properties can be managed by enterprise owners and users with the "Manage the Enterprise''s custom properties definitions" permission.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
topics:
|
||||
- Enterprise
|
||||
- Organizations
|
||||
- Repositories
|
||||
- Policies
|
||||
shortTitle: Custom properties
|
||||
contentType: concepts
|
||||
---
|
||||
|
||||
## What are custom properties?
|
||||
|
||||
Custom properties are structured metadata fields that you can attach to repositories or organizations in {% data variables.location.product_location %}. They allow you to decorate your repositories or organizations with information such as compliance frameworks, data sensitivity, or project details.
|
||||
|
||||
An enterprise can have up to 100 property definitions. An allowed value list can have up to 200 items.
|
||||
|
||||
There are two types of custom properties:
|
||||
|
||||
* **Repository custom properties**: Metadata attached to individual repositories.
|
||||
* **Organization custom properties**: Metadata attached to organizations within an enterprise.
|
||||
|
||||
{% data reusables.enterprise-accounts.org-custom-properties-public-preview %}
|
||||
|
||||
## What are the benefits of using custom properties?
|
||||
|
||||
As well as providing improved discovery, automated workflows, compliance tracking, targeted policy enforcement, and better reporting capabilities, custom properties enable powerful governance through **ruleset integration**.
|
||||
|
||||
Both repository and organization custom properties can be used as targeting criteria for rulesets, enabling fine-grained policy enforcement based on metadata.
|
||||
|
||||
* For repository custom rules, see [AUTOTITLE](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#targeting-repositories-by-properties-in-your-organization){% ifversion ghec %} and [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/managing-custom-properties-for-repositories-in-your-enterprise).
|
||||
* For organization custom rules, see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/managing-policies-for-code-governance).{% endif %}
|
||||
|
||||
## How do I add and manage custom properties?
|
||||
|
||||
{% ifversion ghec %}
|
||||
|
||||
Custom properties are fully supported through {% data variables.product.github %}'s REST API, enabling programmatic management and integration with external systems. See [AUTOTITLE](/rest/enterprise-admin/custom-properties).
|
||||
|
||||
{% endif %}
|
||||
|
||||
You can add custom properties through {% data variables.product.github %}'s UI. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) and [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organizations).
|
||||
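Review bot: in the two bullets under "What are the benefits of using custom properties?", `{% ifversion ghec %}` opens in the middle of the first bullet and its `{% endif %}` closes at the end of the second. The frontmatter has `ghes: '*'`, so on GHES the first bullet renders without its closing period and the organization bullet disappears, even though the paragraph above says both repository and organization properties can be used to target rulesets. Suggest wrapping whole bullets in the conditional, or ending the first sentence before it opens. The phrases "repository custom rules" and "organization custom rules" in the same bullets look like they should read "custom properties".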
@@ -24,11 +24,12 @@ children:
|
||||
- /configuring-visibility-for-organization-membership
|
||||
- /preventing-users-from-creating-organizations
|
||||
- /requiring-two-factor-authentication-for-an-organization
|
||||
- /custom-properties
|
||||
- /managing-custom-properties-for-organizations
|
||||
- /managing-your-role-in-an-organization-owned-by-your-enterprise
|
||||
- /managing-requests-for-copilot-business-from-organizations-in-your-enterprise
|
||||
- /managing-requests-for-copilot-business
|
||||
- /removing-organizations-from-your-enterprise
|
||||
- /restoring-a-deleted-organization
|
||||
- /managing-projects-using-jira
|
||||
shortTitle: Manage organizations
|
||||
---
|
||||
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
---
|
||||
title: Managing custom properties for organizations
|
||||
intro: 'With custom properties, you can add metadata to organizations in your enterprise and use that metadata to target repositories with rulesets.'
|
||||
permissions: 'Enterprise owners {% ifversion custom-org-roles %}and users with the "Manage the Enterprise''s custom properties definitions" permission {% endif %}can add and set a custom property schema at the enterprise level.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
topics:
|
||||
- Enterprise
|
||||
- Organizations
|
||||
shortTitle: Organization custom properties
|
||||
contentType: how-tos
|
||||
---
|
||||
|
||||
{% data reusables.enterprise-accounts.org-custom-properties-public-preview %}
|
||||
|
||||
## About custom properties
|
||||
|
||||
{% data reusables.enterprise.custom-properties-intro %} See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/custom-properties).
|
||||
|
||||
This article relates to **organization custom properties.**
|
||||
|
||||
## Allowed characters
|
||||
|
||||
{% data reusables.repositories.custom-property-allowed-characters %}
|
||||
|
||||
## Adding custom properties
|
||||
|
||||
You can add custom properties to your enterprise and set values for those properties for organizations in your enterprise.
|
||||
|
||||
{% ifversion ghec %}You can also use the REST API to create and manage custom properties for an organization. See [AUTOTITLE](/rest/enterprise-admin/custom-properties).{% endif %}
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.click-organizations-tab %}
|
||||
{% data reusables.enterprise-accounts.select-custom-properties %}
|
||||
1. To add a new custom property, click **New property** in the upper right corner.
|
||||
1. In the "Name" field, type the name you'd like to use for your custom property. The name can't contain spaces, and cannot exceed 75 characters in length.
|
||||
1. Optionally, in the "Description" field, add a description for the custom property.
|
||||
1. Under "Type", select the type of property you'd like to add.
|
||||
1. Optionally, select **Allow organization actors to set this property** to allow organization users and apps with the organization-level "custom properties" fine-grained permission to set and update the property value for their organization.
|
||||
1. Optionally, select **Require this property for all organizations** and add a default value. Enabling this option indicates that you require that **all organizations in your enterprise** have a value for this property. Organizations that don't have an explicit value for this property will inherit the default value.
|
||||
1. Click **Save property**.
|
||||
|
||||
## Setting values for organizations in your enterprise
|
||||
|
||||
You, and any users with the "Edit custom properties values at the organization level" permission, can set values for custom properties for organizations in your enterprise.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.click-organizations-tab %}
|
||||
{% data reusables.enterprise-accounts.select-custom-properties %}
|
||||
1. Click the "Set values" tab.
|
||||
1. Select one or more organizations from the list and click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %} Edit properties**.
|
||||
|
||||
1. In the modal dialog that appears, select a value for each property you'd like to set for the selected organizations.
|
||||
1. Click **Save changes**.
|
||||
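Review bot: the step "Optionally, select **Allow organization actors to set this property**" needs a caveat for properties that drive policy. The intro says this metadata is used "to target repositories with rulesets", and the option lets organization users and apps with the organization-level "custom properties" fine-grained permission change the value for their own organization, which can change which rulesets match it. Suggest a sentence recommending that the option stay off for properties used as ruleset targeting criteria. Separately, the page names three permissions ("Manage the Enterprise's custom properties definitions", "Edit custom properties values at the organization level", and the "custom properties" fine-grained permission) without saying which one governs definitions and which governs values. The frontmatter also gates the first behind `custom-org-roles`, while the "Setting values" paragraph mentions its permission unconditionally.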
@@ -1,11 +1,13 @@
|
||||
---
|
||||
title: Managing requests for Copilot Business from organizations in your enterprise
|
||||
intro: Learn how to view and satisfy requests to access Copilot from organizations owned by your enterprise.
|
||||
title: Managing requests for Copilot Business
|
||||
intro: Meet your developers' needs by accepting Copilot requests from organizations in your enterprise.
|
||||
permissions: Enterprise owners
|
||||
product: Enterprise accounts with a subscription to {% data variables.copilot.copilot_for_business %}.
|
||||
versions:
|
||||
ghec: '*'
|
||||
type: how_to
|
||||
redirect_from:
|
||||
- /admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-requests-for-copilot-business-from-organizations-in-your-enterprise
|
||||
topics:
|
||||
- Administrator
|
||||
- Enterprise
|
||||
@@ -22,6 +24,8 @@ As an enterprise owner, you can view or dismiss these requests from your notific
|
||||
## Approving requests for {% data variables.copilot.copilot_for_business %}
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
1. Under "{% octicon "law" aria-hidden="true" aria-label="law" %} Policies", click **Copilot**.
|
||||
1. In the "Access management" section, next to the organization you want to give access, select the dropdown menu and click **Enabled**.
|
||||
{% data reusables.enterprise-accounts.ai-controls-tab %}
|
||||
{% data reusables.enterprise-accounts.view-copilot-policies %}
|
||||
1. Click {% octicon "law" aria-hidden="true" aria-label="law" %} **Access management**.
|
||||
1. In the "{% data variables.product.prodname_copilot_short %} access" section, click the {% octicon "organization" aria-hidden="true" aria-label="organization" %} **Organizations** tab.
|
||||
1. Next to the organization you want to give access to, select the dropdown menu, then choose an access level.
|
||||
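Review bot: the last step, "Next to the organization you want to give access to, select the dropdown menu, then choose an access level", does not say which access level approves the request, whereas the step it sits beside named **Enabled**. Since this section is titled "Approving requests", list the available levels or name the one that satisfies a request. Also check the icon on "Click {% octicon "law" ... %} **Access management**": the `law` octicon is the one used for "Policies" in the other step, so confirm it matches the current UI.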
@@ -22,7 +22,7 @@ When you remove an organization from your enterprise:
|
||||
* The organization will be downgraded to the free plan.
|
||||
* The organization will be governed by our standard Terms of Service.
|
||||
* Any internal repositories within the organization will be converted to private repositories.
|
||||
* By default, organization members—who are not members of any other organization in the enterprise—remain in the enterprise as unaffiliated users. These users retain access to {% data variables.product.prodname_copilot_short %} if they were granted access directly from the enterprise.
|
||||
* Depending on your policy settings, people who are not members of any other organization may remain in the enterprise as unaffiliated users. These users retain access to {% data variables.product.prodname_copilot_short %} if they were granted access directly from the enterprise. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/control-offboarding).
|
||||
|
||||
As part of the downgrade to the free plan:
|
||||
|
||||
|
||||
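Review bot: the bullet beginning "Depending on your policy settings, people who are not members of any other organization may remain in the enterprise as unaffiliated users" describes only one outcome. An administrator removing an organization needs to know what the other policy setting does to those accounts and to their {% data variables.product.prodname_copilot_short %} access before they act, and at the moment that is only discoverable by following the `control-offboarding` link. Suggest stating both outcomes in the bullet, or splitting it into one bullet per setting.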
@@ -9,37 +9,7 @@ topics:
|
||||
shortTitle: Custom properties
|
||||
---
|
||||
|
||||
Custom properties allow you to decorate your repositories with information such as compliance frameworks, data sensitivity, or project details. Custom properties are private and can only be viewed by people with read permissions to the repository. An enterprise can have up to 100 property definitions. An allowed value list can have up to 200 items.
|
||||
|
||||
Defining custom properties at the enterprise level allows you to create consistent values that users can apply to repositories. With custom properties in place, you can apply consistent governance across repositories in your enterprise by creating a ruleset or repository policy targeting repositories with certain properties. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/governing-how-people-use-repositories-in-your-enterprise).
|
||||
|
||||
## Allowed characters
|
||||
|
||||
{% data reusables.repositories.custom-property-allowed-characters %}
|
||||
|
||||
## Who can set and view values for custom properties I define?
|
||||
|
||||
After you define a custom property, users can set a value for that property in repositories in the enterprise. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization#setting-values-for-repositories-in-your-organization).
|
||||
|
||||
* As an enterprise owner, you can set a default value for required properties.
|
||||
* Organization owners can set values in their organization, either across repositories or at the repository level.
|
||||
* If enabled, people with repository access, or the `custom properties` fine-grained permission, can set and update the property value for their repository.
|
||||
|
||||
People with read permissions to a repository can view the custom property values for that repository.
|
||||
|
||||
Additionally, organization owners can search for repositories in their organization by custom property values. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization#searching-and-filtering-repositories-by-custom-property-values).
|
||||
|
||||
## Adding custom properties
|
||||
|
||||
You can add custom properties to your enterprise to make those properties available in all of your orgaizations.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
1. In the left sidebar, under "Policies", click **Custom properties**.
|
||||
1. To add a new custom property, in the upper-right corner, click **New property**.
|
||||
1. Enter a name, description, and type for the custom property. The name must be unique across all of your organizations, and cannot contain spaces.
|
||||
1. Optionally, select **Allow repository actors to set this property**. When enabled, repository users and apps with the repository-level `custom properties` fine-grained permission will be able to set and update the property value for their repository. Additionally, any actor creating a repository can set the property on the repository.
|
||||
1. Optionally, select **Require this property for all repositories** and add a default value. This means that you require that all repositories in your enterprise have a value for this property. Repositories that don’t have an explicit value for this property will inherit the default value.
|
||||
1. Click **Save property**.
|
||||
{% data reusables.enterprise-onboarding.creating-custom-properties %}
|
||||
|
||||
## Promoting organization properties to enterprise properties
|
||||
|
||||
|
||||
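Review bot: with the body of this article now coming from `{% data reusables.enterprise-onboarding.creating-custom-properties %}`, please confirm the reusable keeps the access-control statements from the text shown here: "Custom properties are private and can only be viewed by people with read permissions to the repository" and the "Who can set and view values for custom properties I define?" list. Readers rely on those to decide whether sensitive labels such as data sensitivity can go in a property. If the text was moved verbatim, the typo "orgaizations" in "available in all of your orgaizations" should be fixed in the reusable.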
@@ -11,42 +11,4 @@ redirect_from:
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/assign-roles
|
||||
---
|
||||
|
||||
Enterprise owners can assign custom and predefined **enterprise roles** to users and teams. Some roles can be assigned to enterprise teams, whereas other roles are only available for individual users. Find the section below for the role you want to assign.
|
||||
|
||||
For more information about using roles effectively, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/identify-role-requirements).
|
||||
|
||||
## Assigning app managers, security managers, and custom roles
|
||||
|
||||
>[!NOTE] These roles are in public preview and subject to change.
|
||||
|
||||
These roles can be assigned to existing users and teams in your enterprise settings, including {% data variables.enterprise.prodname_managed_users %}.
|
||||
|
||||
Before you assign a role, you may need to create a team. Teams are the best way to manage role assignments at scale. The enterprise security manager role can **only** be assigned to a team, not to individual users. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/create-enterprise-teams).
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, click **{% octicon "globe" aria-hidden="true" aria-label="globe" %} Enterprise roles**, then click **Role assignments**.
|
||||
1. Click **Assign role**.
|
||||
1. Choose the user or team and the role they should receive, then click **Assign role**.
|
||||
|
||||
## Assigning enterprise owners, billing managers, and guest collaborators
|
||||
|
||||
These predefined roles are chosen when you invite a user to your enterprise or provision a {% data variables.enterprise.prodname_managed_user %} from your identity provider (IdP).
|
||||
|
||||
These roles cannot currently be assigned to enterprise teams, but they can be changed for existing users.
|
||||
|
||||
### Assigning these roles to new users
|
||||
|
||||
* If you {% ifversion ghes %}have enabled SCIM provisioning{% else %}use **{% data variables.product.prodname_emus %}**{% endif %}, roles are assigned from your IdP via the SCIM `roles` attribute.
|
||||
* If you use an **enterprise with personal accounts**, you can invite someone as a user or administrator. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/invite-users-directly) or [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise).
|
||||
|
||||
### Assigning these roles to existing administrators
|
||||
|
||||
You can change an administrator's role or convert them to a regular member once they have joined your enterprise.
|
||||
|
||||
* If you {% ifversion ghes %}provisioned the user via SCIM{% else %}use **{% data variables.product.prodname_emus %}**{% endif %}, you must do this from your IdP via the SCIM `roles` attribute.
|
||||
* {% ifversion ghes %}For all other accounts{% else %}If you use an **enterprise with personal accounts**{% endif %}, you can change the role on your enterprise's "Administrators" page, using the **{% octicon "kebab-horizontal" aria-label="Administrator" %}** menu next to the user's name. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-enterprise-administrators).
|
||||
|
||||
## Assigning roles in an organization
|
||||
|
||||
Enterprise owners cannot assign organization-level roles from the enterprise settings. An organization administrator must do this. See [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role).
|
||||
{% data reusables.enterprise-onboarding.assign-roles %}
|
||||
|
||||
@@ -12,39 +12,7 @@ redirect_from:
|
||||
- /admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/custom-organization-roles
|
||||
---
|
||||
|
||||
>[!NOTE] The ability for enterprise owners to create custom roles for an organization or enterprise is in public preview and subject to change.
|
||||
|
||||
To tailor access management to your company's needs, you can create custom roles for your{% ifversion enterprise-custom-roles %} enterprise account and{% endif %} organizations.
|
||||
|
||||
Custom roles are sets of permissions for settings and resources that you can assign to users and teams.{% ifversion enterprise-custom-roles %} To learn best practices for using roles on {% data variables.product.github %}, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/identify-role-requirements).{% endif %}
|
||||
|
||||
{% ifversion enterprise-custom-roles %}
|
||||
|
||||
## Creating enterprise custom roles
|
||||
|
||||
Enterprise custom roles grant access to a subset of enterprise settings, such as viewing audit logs and creating organizations. {% data variables.product.github %} plans to expand the list of available permissions over time.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, click **{% octicon "globe" aria-hidden="true" aria-label="globe" %} Enterprise roles**, then click **Role management**.
|
||||
1. Click **Create custom role**.
|
||||
1. Enter the details, then click **Create role**.
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Creating organization custom roles
|
||||
|
||||
Organization custom roles grant access to organization settings and repositories. Custom organization roles created at the enterprise level use the same permissions and base roles as roles created at the organization level. For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles).
|
||||
|
||||
Enterprise owners can create and edit custom organization roles, but cannot assign them. Organization owners can assign custom roles in an organization.
|
||||
|
||||
>[!NOTE] An enterprise can create up to 20 custom organization roles. This limit applies to the enterprise: each organization can also create up to 20 custom organization roles.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, select **Organization roles**.
|
||||
1. Click **Create custom role**.
|
||||
1. Enter the details, then click **Create role**.
|
||||
{% data reusables.enterprise-onboarding.create-custom-roles %}
|
||||
|
||||
{% ifversion enterprise-teams %}
|
||||
|
||||
|
||||
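Review bot: the text shown here gates "## Creating enterprise custom roles" behind `{% ifversion enterprise-custom-roles %}`, and the article now pulls everything from `{% data reusables.enterprise-onboarding.create-custom-roles %}`, so the reusable has to carry that conditional itself or the enterprise section will render on versions without the feature. Worth rewording in the same pass is the note "An enterprise can create up to 20 custom organization roles. This limit applies to the enterprise: each organization can also create up to 20 custom organization roles", which reads as if the limit is stated twice. Something like "in addition, each organization can create up to 20 of its own" would be clearer.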
@@ -10,67 +10,7 @@ allowTitleToDifferFromFilename: true
|
||||
contentType: tutorials
|
||||
---
|
||||
|
||||
Roles control people's access to settings and resources in your enterprise and organizations. For an introduction to roles, see [AUTOTITLE](/admin/concepts/enterprise-fundamentals/roles-in-an-enterprise).
|
||||
|
||||
By using roles effectively, you can:
|
||||
|
||||
* Delegate administrative duties and manage access securely at every level of your enterprise.
|
||||
* Harden security by reducing the number of people with blanket administrative access in your enterprise.
|
||||
* Ensure everyone has the permissions they need to be independent and productive.
|
||||
|
||||
## 1. Review available roles and permissions
|
||||
|
||||
This guide helps you understand best practices for roles, so you can plan which roles are required in your enterprise and organizations. You will then be able to create a team structure that uses roles effectively.
|
||||
|
||||
As you think about tasks that would benefit from a specific role, refer to the available predefined roles and custom permissions to see if a granular role for this task is currently possible. If not, you will need to rely on a role with more blanket access, such as enterprise owner.
|
||||
|
||||
>[!NOTE] Enterprise custom roles currently only cover a limited subset of enterprise settings, but {% data variables.product.company_short %} plans to expand the list of permissions over time.
|
||||
|
||||
| Role type | More information |
|
||||
| --------- | ---------------- |
|
||||
| Predefined enterprise roles | [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/abilities-of-roles) |
|
||||
| Predefined organization roles | [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization)
|
||||
| Custom enterprise roles | Review the list of available permissions at `github.com/enterprises/ENTERPRISE/enterprise_roles/new`, where ENTERPRISE is the name of your enterprise account. |
|
||||
| Custom organization roles | [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles) |
|
||||
|
||||
## 2. Identify two owners per account
|
||||
|
||||
Decide who will serve as enterprise owners and organization owners. The "owner" role has full administrative access to an enterprise or organization account.
|
||||
|
||||
We recommend having at least two owners per account. Although it is good practice to limit the number of people with this level of access, if an account only has one owner, the account's resources can become inaccessible if the owner is unreachable.
|
||||
|
||||
## 3. Identify roles for administrative duties
|
||||
|
||||
Identify predefined or custom roles that will help you delegate time-consuming administrative duties to other teams. This will help enterprise owners to focus on urgent or strategic work.
|
||||
|
||||
It is unlikely that you can granularly assign every administrative duty in your enterprise to a specific team, so we recommend focusing on the most frequent and time-consuming tasks. Some examples of how you might use roles to delegate common tasks are:
|
||||
|
||||
* **Auditing**: Use a custom role to give a team access to your audit logs without allowing them to access any other settings.
|
||||
* **Authentication**: Use a custom role to give your identity provider administrators permission to manage SSO settings on {% data variables.product.github %}, so they can configure authentication independently.
|
||||
* **Security**: Use the enterprise security manager role to give security teams access to alerts and security data across the enterprise and organizations.
|
||||
|
||||
Some administrative tasks are more sensitive than others. For example, if your enterprise uses enterprise teams to manage licensing, access, and roles, then being able to change membership of a team is a powerful action that you may want to restrict to a small group of people.
|
||||
|
||||
## 4. Identify base permissions for non-administrators
|
||||
|
||||
Consider if there are permissions that every member of your enterprise would benefit from. These can be added to a custom role that you assign to everyone.
|
||||
|
||||
For example, regular users have limited visibility of your enterprise account by default. If you want more transparency, you may want to allow all employees to:
|
||||
|
||||
* View other enterprise members and administrators so they know where to go for help
|
||||
* View audit logs to see what people are doing in the enterprise
|
||||
|
||||
## 5. Delegate work to apps
|
||||
|
||||
Not all tasks are best-suited to humans. Identify frequent, time-consuming, and easily automated tasks, and plan to delegate these tasks to {% data variables.product.prodname_github_apps %}.
|
||||
|
||||
{% data variables.product.prodname_github_apps %} provide scoped tokens for use in scripts and workflows. Although they use a different permissions system from the roles you assign to users, you can think about apps like humans with a role on {% data variables.product.github %}:
|
||||
|
||||
* They have fine-grained permissions for specific tasks.
|
||||
* They have scoped access to specific repositories and accounts.
|
||||
* They have their own identity, which you can trace in audit logs.
|
||||
|
||||
For more information about what apps can do, see [AUTOTITLE](/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps#understanding-what-type-of-github-app-to-build).
|
||||
{% data reusables.enterprise-onboarding.identify-role-requirements %}
|
||||
|
||||
## Next steps
|
||||
|
||||
|
||||
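Review bot: in the role table under "## 1. Review available roles and permissions", the "Predefined organization roles" row is missing its closing `|`, unlike the other three rows. If the table was copied as-is into `{% data reusables.enterprise-onboarding.identify-role-requirements %}`, fix it there. Also consider reconciling sections 3 and 4. Section 3 recommends a custom role that gives one team audit log access "without allowing them to access any other settings", while section 4 suggests letting all employees view audit logs. A sentence on when each applies would help readers planning least-privilege roles.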
@@ -33,7 +33,7 @@ Within the map, you can pan and zoom to see events around the world. Hover over
|
||||
The audit log lists the following information about actions made within your enterprise:
|
||||
|
||||
* [The repository](#search-based-on-the-repository) an action was performed in
|
||||
* [The user](#search-based-on-the-user) who performed the action
|
||||
* [The {% data variables.product.github %} account](#search-based-on-the-actor) that performed the action
|
||||
* [Which organization](#search-based-on-the-organization) an action pertained to
|
||||
* [The action](#search-based-on-the-action-performed) that was performed
|
||||
* [Which country](#search-based-on-the-location) the action took place in
|
||||
@@ -53,13 +53,13 @@ The `repo` qualifier limits actions to a specific repository owned by your organ
|
||||
|
||||
You must include your organization's name within the `repo` qualifier; searching for just `repo:our-repo` will not work.
|
||||
|
||||
### Search based on the user
|
||||
### Search based on the actor
|
||||
|
||||
The `actor` qualifier scopes events based on the member of your organization that performed the action. For example:
|
||||
The `actor` qualifier scopes events based on the person or agent that performed the action. For example:
|
||||
|
||||
* `actor:octocat` finds all events performed by `octocat`.
|
||||
* `actor:octocat actor:hubot` finds all events performed by both `octocat` and `hubot`.
|
||||
* `-actor:hubot` excludes all events performed by `hubot`.
|
||||
* `actor:octocat actor:Copilot` finds all events performed by both `octocat` and `Copilot`.
|
||||
* `-actor:Copilot` excludes all events performed by `Copilot`.
|
||||
|
||||
You can only use a {% data variables.product.github %} username, not an individual's real name.
|
||||
|
||||
|
||||
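Review bot: the closing line "You can only use a {% data variables.product.github %} username, not an individual's real name" no longer fits the reworded description, which says `actor` scopes events to "the person or agent that performed the action" and uses `actor:Copilot` in the examples. Suggest rewording it to cover agent identities as well. Renaming the heading to "Search based on the actor" changes its anchor from `#search-based-on-the-user` to `#search-based-on-the-actor`. The list in the previous hunk is updated, but any other inbound links to the old anchor need the same change.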
@@ -14,8 +14,6 @@ redirect_from:
|
||||
- /admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/managing-organization-members-in-your-enterprise
|
||||
---
|
||||
|
||||
>[!NOTE] Enterprise teams are in public preview and subject to change.
|
||||
|
||||
To simplify administration at scale, you can create enterprise teams. {% data reusables.enterprise.enterprise-teams-can %}
|
||||
|
||||
Adding a user to a team grants them the privileges associated with the team. Removing a user from a team removes those privileges, but does not remove the user from the enterprise account.
|
||||
@@ -23,61 +21,7 @@ Adding a user to a team grants them the privileges associated with the team. Rem
|
||||
{% data reusables.enterprise.enterprise-teams-limits %}
|
||||
<!-- If the team size limit changes, also update the reference in "Limits on IdP group sizes" below -->
|
||||
|
||||
## 1. Navigate to the enterprise teams page
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. In the left sidebar, click **{% octicon "people" aria-hidden="true" aria-label="people" %} Enterprise teams**.
|
||||
|
||||
## 2. Create a team
|
||||
|
||||
1. On the enterprise teams page, click **Create Enterprise team**.
|
||||
1. Choose the team's name, description, and organization access.
|
||||
|
||||
When you give a team access to organizations, members of the team are added directly to those organizations, without an invitation, and receive the same access as other organization members.
|
||||
|
||||
* Unaffiliated users and outside collaborators in the team become standard enterprise members, meaning they have access to your enterprise's internal repositories and consume a {% data variables.product.prodname_enterprise %} license.
|
||||
* Team members receive the base level of repository permissions for the organization.
|
||||
* Organization administrators can give the team additional repository access and assign them organization-level roles, but **cannot** remove any permissions granted by enterprise administrators.
|
||||
|
||||
1. Click **Create Enterprise team**.
|
||||
|
||||
## 3. Add users
|
||||
|
||||
There are multiple ways to add users to an enterprise team.
|
||||
|
||||
* [Adding users manually](#adding-users-manually)
|
||||
* [Syncing with an IdP group](#syncing-with-an-idp-group) ({% data variables.product.prodname_emus %} only)
|
||||
* Using the [AUTOTITLE](/rest/enterprise-teams/enterprise-team-members)
|
||||
|
||||
Enterprise teams can contain organization members, unaffiliated users, and outside collaborators.
|
||||
|
||||
### Adding users manually
|
||||
|
||||
1. On the enterprise teams page, click the team you want to add users to.
|
||||
1. Click **Add members**, then search for and select the users you want to add.
|
||||
1. Click **Add**.
|
||||
|
||||
### Syncing with an IdP group
|
||||
|
||||
If you use {% data variables.product.prodname_emus %}, you can sync membership of an enterprise team to a group in your identity provider. That way, any changes made to the group in the IdP (such as adding or removing a user) will be synced to the enterprise team via SCIM. For details and requirements, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups).
|
||||
|
||||
1. On the enterprise teams page, click the team you want to sync.
|
||||
1. Ensure the team contains no manually assigned users. You can remove users by using the **{% octicon "kebab-horizontal" aria-hidden="true" aria-label="More member actions" %}** menu next to the user's name in the member list.
|
||||
1. Next to the team's name, click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %} Edit**.
|
||||
1. Under "Manage members", click **Identity provider group**.
|
||||
1. Click **Select group**, then choose the external IdP group to sync to the team. Members from the IdP group will display in the team's member list.
|
||||
1. Click **Update team**.
|
||||
|
||||
#### Limits on IdP group sizes
|
||||
|
||||
If an IdP group goes over the team size limit of 500 users, the team will stop being synced.
|
||||
|
||||
For example:
|
||||
|
||||
* An enterprise team is initially synced with an IdP group of 5 users.
|
||||
* 500 more users are added to the IdP group. Because the IdP group now has 505 users, the group isn't synced and the enterprise team remains at 5 members.
|
||||
* 5 users are removed from the IdP group to bring it to 500 users. Syncing resumes and the enterprise team now contains the same 500 users as the IdP group.
|
||||
{% data reusables.enterprise-onboarding.create-enterprise-teams %}
|
||||
|
||||
## 4. Assign licenses
|
||||
|
||||
|
||||
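Review bot: The "Limits on IdP group sizes" example only covers additions being held back once the IdP group passes 500 users; it does not say what happens to removals made in the IdP while the group is over the limit. "The team will stop being synced" reads as stopping in both directions, in which case a user removed from the 505-user group would stay in the enterprise team until the group drops back to 500. Wherever this text ends up (the hunk closes with `{% data reusables.enterprise-onboarding.create-enterprise-teams %}`), add a sentence saying whether removals are also paused, because admins who rely on the IdP group for offboarding need to know.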
@@ -10,7 +10,7 @@ topics:
|
||||
- Administrator
|
||||
- Enterprise
|
||||
- User account
|
||||
product: 'Enterprises that use **personal accounts** on {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.copilot.direct-assignment-rollout %}'
|
||||
product: 'Enterprises that use **personal accounts** on {% data variables.product.prodname_dotcom_the_website %}.'
|
||||
---
|
||||
|
||||
You can invite people directly to your enterprise as **unaffiliated users**. You can then add these users to organizations or enterprise teams and assign {% data variables.product.prodname_copilot_short %} licenses to them. For more information about unaffiliated users, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/roles-in-an-enterprise#unaffiliated-users).
|
||||
@@ -19,13 +19,7 @@ You can invite people directly to your enterprise as **unaffiliated users**. You
|
||||
|
||||
## Inviting users
|
||||
|
||||
1. In the top-right corner of {% data variables.product.github %}, click your profile picture.
|
||||
1. Click **Your enterprises** then click the enterprise you want to view.
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
1. On the "Members" page, click **Invite member**.
|
||||
1. Search for the users you want to invite, then click **Invite**.
|
||||
|
||||
After you invite someone to join the enterprise account, they must accept the emailed invitation before they can access the enterprise account. Pending invitations will expire after 7 days.
|
||||
{% data reusables.enterprise-onboarding.inviting-users-to-your-enterprise %}
|
||||
|
||||
## Next steps
|
||||
|
||||
|
||||
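Review bot: Check that `{% data reusables.enterprise-onboarding.inviting-users-to-your-enterprise %}` still carries the sentence under the steps, "they must accept the emailed invitation before they can access the enterprise account. Pending invitations will expire after 7 days." The hunk shrinks the section from 13 lines to 7 and the reusable is the only line left between "## Inviting users" and "## Next steps", so the acceptance requirement and the 7-day expiry are only documented if the reusable includes them.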
@@ -58,16 +58,21 @@ You can see all pending invitations to become an administrator of your enterpris
|
||||
|
||||
Only enterprise owners can remove other enterprise administrators from the enterprise account.
|
||||
|
||||
{% ifversion ghec %}
|
||||
If the administrator you want to remove is a member of any organizations owned by the enterprise, you can choose **Convert to member**, which will remove their administrative role but retain their organization memberships, or **Remove from enterprise**, which will remove both their administrative role and organization memberships.
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.people-tab %}
|
||||
{% data reusables.enterprise-accounts.administrators-tab %}
|
||||
1. Next to the username of the person you'd like to remove, select the {% octicon "kebab-horizontal" aria-label="Administrator settings" %} dropdown menu, then click **Convert to member**{% ifversion ghec %} or **Remove from enterprise**{% endif %}.
|
||||
{% data reusables.enterprise-accounts.administrators-tab %}{% ifversion ghes %}
|
||||
1. Next to the username of the person you'd like to remove, select the {% octicon "kebab-horizontal" aria-label="Administrator settings" %} dropdown menu, then click **Convert to member**.{% endif %}{% ifversion ghec %}
|
||||
1. Next to the username of the person you'd like to remove, select the {% octicon "kebab-horizontal" aria-label="Administrator settings" %} dropdown menu.
|
||||
|
||||

|
||||
1. Read the confirmation, then click **Yes, convert USERNAME to member**{% ifversion ghec %} or **Yes, remove USERNAME**{% endif %}.
|
||||
|
||||
1. Choose one of the following:
|
||||
|
||||
* **Remove from enterprise**: Removes both the administrative role and all organization memberships.
|
||||
* **Convert to member**: Removes the administrative role but keeps the user’s organization memberships.
|
||||
* **Change role**, and then **Unaffiliated member**: If the user has no organization memberships, removes the administrative role but keeps the user in the enterprise as an unaffiliated member.{% endif %}
|
||||
|
||||
1. Read the confirmation message, then confirm.
|
||||
|
||||
## Further reading
|
||||
|
||||
|
||||
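Review bot: The `{% ifversion ghec %}` paragraph at the top of the hunk still describes two choices, **Convert to member** and **Remove from enterprise**, while the rewritten ghec step lists three, including **Change role** then **Unaffiliated member**. Update the paragraph to mention the third option and the condition attached to it ("If the user has no organization memberships"), so the summary and the steps agree on which choices keep the user's organization memberships or enterprise membership. It would also help readability to put `{% ifversion ghes %}` and `{% endif %}{% ifversion ghec %}` on their own lines rather than appended to the end of a list item.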
@@ -14,13 +14,13 @@ redirect_from:
|
||||
|
||||
## About removal of enterprise members
|
||||
|
||||
If your enterprise does not use {% data variables.product.prodname_emus %}, you can remove an enterprise member from {% data variables.product.prodname_dotcom %}. When you remove a member from your enterprise, the member is removed from all organizations owned by your enterprise. Removing a member from your enterprise also removes any of the member's administrative roles, such as the owner or billing manager roles. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise).
|
||||
If your enterprise does not use {% data variables.product.prodname_emus %}, you can remove an enterprise member from your enterprise on {% data variables.product.prodname_dotcom_the_website %}. When you remove a member from your enterprise, the member is removed from all organizations owned by your enterprise and loses access to any {% data variables.copilot.copilot_business_short %} licenses assigned through those organizations. Removing a member from your enterprise also removes any of the member's administrative roles, such as the owner or billing manager roles. See [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise).
|
||||
|
||||
If the enterprise member you're removing is the last owner of an organization owned by your enterprise, you will become an owner of that organization.
|
||||
|
||||
If your enterprise or any of the organizations owned by your enterprise uses an identity provider (IdP) to manage organization membership, the member may be added back to the organization by the IdP. Make sure to also make any necessary changes in your IdP.
|
||||
|
||||
If your enterprise does use {% data variables.product.prodname_emus %}, you must remove the enterprise members through your identity provider (IdP) and the SCIM integration instead. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#about-organization-membership-management).
|
||||
If your enterprise does use {% data variables.product.prodname_emus %}, you must remove the enterprise members through your identity provider (IdP) and the SCIM integration instead. See [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#about-organization-membership-management).
|
||||
|
||||
## Removing a member from your enterprise
|
||||
|
||||
|
||||
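Review bot: The rewritten first paragraph says the removed member "loses access to any {% data variables.copilot.copilot_business_short %} licenses assigned through those organizations", which leaves out licenses assigned another way. Elsewhere in this change, the unaffiliated-users article says you can add users to enterprise teams and assign {% data variables.product.prodname_copilot_short %} licenses to them. State what happens to a license assigned through an enterprise team or directly when the member is removed, or drop "through those organizations" if removal revokes all of them.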
@@ -13,44 +13,7 @@ redirect_from:
|
||||
contentType: other
|
||||
---
|
||||
|
||||
You can create a {% data variables.product.prodname_github_app %} under your enterprise account. The app can only be installed on{% ifversion enterprise-installed-apps %} your enterprise or{% endif %} organizations within your enterprise, and can only be authorized by members of your enterprise. The app can't be installed on user accounts.
|
||||
|
||||
## Step 1: Registering a {% data variables.product.prodname_github_app %}
|
||||
|
||||
To create a {% data variables.product.prodname_github_app %}, you must first register the app. See [AUTOTITLE](/apps/creating-github-apps/registering-a-github-app/registering-a-github-app).
|
||||
|
||||
Apps can also be transferred to an enterprise from a member or organization. To transfer an app, see [AUTOTITLE](/apps/maintaining-github-apps/transferring-ownership-of-a-github-app).
|
||||
{%- ifversion enterprise-app-manager %}
|
||||
|
||||
### Step 1a: Adding an enterprise app manager
|
||||
|
||||
Enterprise owners can add enterprise members to an app as an app manager. App managers can manage the app's settings and credentials, but cannot install the app. For more information, see [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).{% endif %}
|
||||
|
||||
## Step 2: Building a {% data variables.product.prodname_github_app %}
|
||||
|
||||
After registering a {% data variables.product.prodname_github_app %}, you will want to write code to make your {% data variables.product.prodname_github_app %} do something. For examples of how to write code, see:
|
||||
|
||||
* [AUTOTITLE](/apps/creating-github-apps/writing-code-for-a-github-app/quickstart)
|
||||
* [AUTOTITLE](/apps/creating-github-apps/guides/building-a-github-app-that-responds-to-webhook-events)
|
||||
* [AUTOTITLE](/apps/creating-github-apps/guides/building-a-login-with-github-button-with-a-github-app)
|
||||
* [AUTOTITLE](/apps/creating-github-apps/guides/building-a-cli-with-a-github-app)
|
||||
* [AUTOTITLE](/apps/creating-github-apps/writing-code-for-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow)
|
||||
|
||||
You should aim to follow best practices. See [AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/best-practices-for-creating-a-github-app).
|
||||
|
||||
## Step 3: Authorizing or installing your {% data variables.product.prodname_github_app %}
|
||||
|
||||
Once your {% data variables.product.prodname_github_app %} is registered, you'll need to make it available for use, either through **authorization** or **installation**, depending on the app’s purpose.
|
||||
|
||||
Enterprise owners {% ifversion enterprise-app-manager %}and app managers {% endif %}can modify the permissions for apps owned by their enterprise at any time. Permissions changes will be automatically accepted by organizations in the enterprise{% ifversion enterprise-app-manager %} if the change was made by the enterprise owner. Otherwise, the changes will be accepted only where the app manager is also an organization owner, and an organization owner must accept the update request for all other organizations{% endif %}.
|
||||
|
||||
### Step 3a: Authorizing your {% data variables.product.prodname_github_app %}
|
||||
|
||||
Some {% data variables.product.prodname_github_apps %}, like {% data variables.product.prodname_copilot_short %} extensions, require **authorization** but do not need to be installed on an organization. Users in your enterprise can authorize the app to access resources within organizations. However, the app will only have access to {% data variables.product.github %} resources where it is installed. See [AUTOTITLE](/apps/using-github-apps/authorizing-github-apps).
|
||||
|
||||
### Step 3b: Sharing your {% data variables.product.prodname_github_app %} via an installation link
|
||||
|
||||
For apps that require installation to function, you can provide organization owners with an installation link. Once the app is installed, it will have access to the organization's resources. See [AUTOTITLE](/apps/sharing-github-apps/sharing-your-github-app#sharing-your-github-app-via-an-install-link).
|
||||
{% data reusables.enterprise-onboarding.create-enterprise-apps %}
|
||||
|
||||
## Step 4: Installing your {% data variables.product.prodname_github_app %} (if required)
|
||||
|
||||
|
||||
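Review bot: Confirm that `{% data reusables.enterprise-onboarding.create-enterprise-apps %}` keeps the version conditionals from the text it stands in for, in particular `{% ifversion enterprise-app-manager %}` in the Step 3 paragraph on permission changes. That paragraph is the only place in this hunk that says permission changes made by an app manager are accepted automatically only where the app manager is also an organization owner, and that other organizations must accept the update request. If the reusable is rendered somewhere the conditional does not apply, or the conditional was flattened, the page will misstate who can widen an app's permissions.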
@@ -55,7 +55,7 @@ If you use Microsoft Entra ID (previously known as Azure AD) as your IdP, you ca
|
||||
|
||||
## Syncing an enterprise team
|
||||
|
||||
Enterprise owners can create teams at the enterprise level. {% data reusables.copilot.direct-assignment-rollout %}
|
||||
Enterprise owners can create teams at the enterprise level.
|
||||
|
||||
Most of the instructions in this article apply to organization-level teams. For instructions on creating an enterprise team and syncing it with an IdP group, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/create-enterprise-teams).
|
||||
|
||||
|
||||
@@ -70,7 +70,7 @@ Using an **incognito or private browsing window**:
|
||||
|
||||
{% data reusables.enterprise-accounts.emu-configure-provisioning %}
|
||||
|
||||
## Manage organization membership
|
||||
## Sync teams with IdP groups
|
||||
|
||||
{% data reusables.enterprise-accounts.emu-manage-org-membership %}
|
||||
|
||||
|
||||
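Review bot: Renaming "## Manage organization membership" to "## Sync teams with IdP groups" changes the heading anchor, so any link to `#manage-organization-membership` on this page will stop resolving; search for inbound links before merging. The section body is still `{% data reusables.enterprise-accounts.emu-manage-org-membership %}`, so also check that the reusable's content matches the new, narrower heading, or rename the reusable so the two do not drift apart.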
@@ -9,6 +9,8 @@ topics:
|
||||
- Enterprise
|
||||
permissions: Enterprise owners can create and edit an enterprise README.
|
||||
shortTitle: Create a README
|
||||
redirect_from:
|
||||
- /enterprise-onboarding/feature-enhancements/create-a-readme-for-your-enterprise
|
||||
---
|
||||
|
||||
## About READMEs for enterprises
|
||||
|
||||
@@ -16,7 +16,9 @@ redirect_from:
|
||||
|
||||
## Prerequisites
|
||||
|
||||
You must remove, transfer, or delete all organizations in the enterprise before you can delete the enterprise account. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts) and [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise).
|
||||
Before you can delete an enterprise account, you must remove, transfer, or delete all organizations in the enterprise. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts) and [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise).
|
||||
|
||||
After removing organizations, check the "People" tab in your enterprise settings and remove any unaffiliated members who remain in the enterprise. Unaffiliated members are users who are not part of any organization within the enterprise.
|
||||
|
||||
You cannot delete an enterprise account if any of the following apply:
|
||||
|
||||
|
||||
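Review bot: The new paragraph tells owners to remove unaffiliated members after removing organizations, but it does not say whether remaining unaffiliated members actually block deletion. The first sentence of "## Prerequisites" uses "must" for organizations, and the list that follows begins "You cannot delete an enterprise account if any of the following apply". If unaffiliated members are a hard blocker, say "must" here and add them to that list; if they are not, say what happens to those users when the enterprise is deleted.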
@@ -60,7 +60,7 @@ The `key:value` pairs that can be used in a search query are:
|
||||
| Key | Value |
|
||||
| ------------ | ----- |
|
||||
| `action` | Name of the audited action. |
|
||||
| `actor` | Name of the user account that initiated the action. |
|
||||
| `actor` | Name of the account that initiated the action. |
|
||||
| {% ifversion ghes %} |
|
||||
| `actor_id` | ID of the user account that initiated the action.
|
||||
| {% endif %} |
|
||||
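Review bot: The `actor` row is broadened to "Name of the account that initiated the action", but the `actor_id` row directly below still says "ID of the user account that initiated the action". Make the two descriptions consistent, or explain why the ID is limited to user accounts on the ghes-only row. The `actor_id` row is also missing its closing `|`, which is worth fixing while this table is being edited.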
@@ -105,7 +105,7 @@ The `key:value` pairs that can be used in a search query are:
|
||||
| {% ifversion ghes %} |
|
||||
| `user_id` | ID of the user affected by the action. |
|
||||
| {% endif %} |
|
||||
| `user` | Name of the user affected by the action. |
|
||||
| `user` | Name of the user affected by the action. If the action was performed by an agent, this field contains the name of the user for whom the agent acted. |
|
||||
|
||||
To see actions grouped by category, you can also use the action qualifier as a `key:value` pair. For more information, see [Search based on the action performed](#search-based-on-the-action-performed).
|
||||
|
||||
|
||||
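Review bot: The new `user` description says that for agent actions the field "contains the name of the user for whom the agent acted", but nothing in the table says what `actor` holds in that case. Someone searching the audit log during an investigation needs to tell an action a person took from one an agent took on their behalf, so add the matching sentence to the `actor` row, and say whether the ghes-only `user_id` row follows the same rule.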
@@ -27,6 +27,8 @@ A key difference between {% data variables.product.prodname_ghe_cloud %} and oth
|
||||
|
||||
{% data reusables.enterprise.ghe-includes-ghec-and-ghes %} For more information about {% data variables.product.prodname_ghe_server %} and how it differs from {% data variables.product.prodname_ghe_cloud %}, see [AUTOTITLE](/admin/overview/about-github-for-enterprises#about-deployment-options).
|
||||
|
||||
## About enterprise types
|
||||
|
||||
{% data reusables.enterprise.enterprise-types %}
|
||||
|
||||
## About {% data variables.enterprise.data_residency_short %}
|
||||
|
||||
@@ -62,6 +62,18 @@ The easiest way to enforce restrictions is to create a **repository policy**. Th
|
||||
|
||||
Other policies are available as blanket restrictions. These give you more control over the repository lifecycle, but aren't as flexible as the repository policy features. See{% else %}To learn how to set policies, see{% endif %} [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise).
|
||||
|
||||
## Targeting policies with metadata
|
||||
|
||||
You can enable better governance through automated policy enforcement. This is possible with custom properties, allowing you to add structured metadata to your resources. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/custom-properties).
|
||||
|
||||
With **repository custom properties**, you can classify repositories by attributes like risk level, team ownership, or compliance requirements. This metadata enables you to automatically apply different governance rules based on repository characteristics.
|
||||
|
||||
With **organization custom properties**, you can categorize organizations within your enterprise by data sensitivity, regulatory frameworks, or business units. You can then use these properties to selectively target organizations with enterprise rulesets.
|
||||
|
||||
Both types of custom properties integrate with rulesets, allowing you to create powerful governance frameworks that automatically enforce the right policies based on metadata rather than manual repository selection.
|
||||
|
||||
See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) and [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organizations).
|
||||
|
||||
## Monitoring activity
|
||||
|
||||
If something goes wrong, it's important to be able to search activity in your enterprise to investigate the cause or scope of the problem.
|
||||
|
||||
@@ -20,6 +20,8 @@ To set up a trial, you must be signed in to a personal account. If you don't hav
|
||||
|
||||
<a href="https://github.com/account/enterprises/new?ref_product=ghec&ref_type=trial&ref_style=button&ref_plan=enterprise" target="_blank" class="btn btn-primary mt-3 mr-3 no-underline"><span>Set up a trial of {% data variables.product.prodname_ghe_cloud %}</span> {% octicon "link-external" height:16 aria-label="link-external" %}</a>
|
||||
|
||||
## About enterprise types
|
||||
|
||||
{% data reusables.enterprise.enterprise-types %}
|
||||
|
||||
{% data reusables.enterprise.emus-trial-content %}
|
||||
|
||||
@@ -11,6 +11,7 @@ redirect_from:
|
||||
- /github/setting-up-and-managing-billing-and-payments-on-github/managing-billing-for-github-actions
|
||||
- /billing/managing-billing-for-github-actions
|
||||
- /billing/managing-billing-for-your-products/about-billing-for-github-actions
|
||||
- /enterprise-onboarding/github-actions-for-your-enterprise/about-billing-for-github-actions
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
---
|
||||
title: '{% data variables.product.prodname_code_quality %} billing'
|
||||
intro: 'Learn how usage of {% data variables.product.prodname_code_quality_short %} is measured.'
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
- Billing
|
||||
- Enterprise
|
||||
- Licensing
|
||||
shortTitle: GitHub Code Quality
|
||||
contentType: concepts
|
||||
---
|
||||
|
||||
> [!NOTE]
|
||||
> {% data variables.product.prodname_code_quality %} is currently in {% data variables.release-phases.public_preview %} and subject to change.
|
||||
|
||||
## How use of {% data variables.product.prodname_code_quality %} is measured
|
||||
|
||||
{% data variables.product.prodname_code_quality %} usage is **free** for all **public repositories**.
|
||||
|
||||
### For general availability
|
||||
|
||||
When {% data variables.product.prodname_code_quality_short %} is generally available, scanning **private repositories** will incur two types of costs for an organization:
|
||||
|
||||
* Premium requests
|
||||
* {% data variables.product.prodname_actions %} minutes needed to run the scans unless you use self-hosted runners
|
||||
|
||||
### For the {% data variables.release-phases.public_preview %}
|
||||
|
||||
When you scan private repositories during the {% data variables.release-phases.public_preview %}, you **will not be billed** for premium request usage, but {% data variables.product.prodname_actions %} minutes **will be consumed**.
|
||||
|
||||
To view consumption of actions by the `{% data variables.code-quality.workflow_name_billing %}` workflow, download a detailed usage report from the "Billing and licensing" tab. See [AUTOTITLE](/billing/how-tos/products/view-productlicense-use).
|
||||
|
||||
> [!NOTE]
|
||||
> {% data reusables.code-quality.shared-workflow-preview %}
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/code-security/code-quality/get-started/quickstart)
|
||||
* [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality)
|
||||
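Review bot: The two subsections disagree about self-hosted runners. Under "### For general availability" the bullet reads "{% data variables.product.prodname_actions %} minutes needed to run the scans unless you use self-hosted runners", while the public preview paragraph says minutes "**will be consumed**" with no exception. If scans can run on self-hosted runners during the preview, repeat the exception there; if they cannot, say so. The GA list item "Premium requests" would also benefit from a link to where premium requests are defined, since this is a new page with no other explanation of the term.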
@@ -47,16 +47,18 @@ If you receive licenses from multiple enterprises, you must choose which entity
|
||||
|
||||
### Usage by {% data variables.copilot.copilot_coding_agent %}
|
||||
|
||||
When you use {% data variables.copilot.copilot_coding_agent %}, both **{% data variables.product.prodname_actions %} minutes** and **premium requests** are consumed:
|
||||
When you use {% data variables.copilot.copilot_coding_agent %}, including any {% data variables.copilot.copilot_custom_agents %}, both **{% data variables.product.prodname_actions %} minutes** and **premium requests** are consumed:
|
||||
|
||||
* **{% data variables.product.prodname_actions %} minutes** come from your account’s monthly allowance of free minutes for {% data variables.product.github %}-hosted runners. This allowance is shared with all {% data variables.product.prodname_actions %} workflows. See [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#included-storage-and-minutes).
|
||||
* **Premium requests** come from your monthly allowance of premium {% data variables.product.prodname_copilot_short %} requests. This allowance is shared with other features, such as {% data variables.copilot.copilot_chat_short %}.
|
||||
|
||||
Each coding agent **session** consumes one premium request. A session begins when you ask {% data variables.product.prodname_copilot_short %} to create a pull request or make one or more changes to an existing pull request.
|
||||
Each coding agent **session** consumes one premium request. A session begins when you:
|
||||
* Ask {% data variables.product.prodname_copilot_short %} to create or edit a pull request
|
||||
* Assign {% data variables.product.prodname_copilot_short %} to an issue
|
||||
|
||||
If you run out of free minutes or premium requests, and you have _not_ set up billing, a message is displayed explaining why {% data variables.product.prodname_copilot_short %} cannot work on the task.
|
||||
|
||||
For more information about {% data variables.copilot.copilot_coding_agent %}, see [AUTOTITLE](/copilot/concepts/about-copilot-coding-agent).
|
||||
For more information about {% data variables.copilot.copilot_coding_agent %} and {% data variables.copilot.copilot_custom_agents %}, see [AUTOTITLE](/copilot/concepts/about-copilot-coding-agent) and [AUTOTITLE](/copilot/concepts/agents/coding-agent/about-custom-agents).
|
||||
|
||||
## Using more than your included premium requests
|
||||
|
||||
|
||||
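Review bot: The new bullet "Ask {% data variables.product.prodname_copilot_short %} to create or edit a pull request" loses a detail from the sentence it replaces, which said a session begins when you ask for "one or more changes to an existing pull request". That wording told readers that several changes requested together count as one session and one premium request. Keep that detail in the bullet or in a sentence after the list, since this paragraph is what people use to estimate premium request consumption.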
@@ -12,6 +12,7 @@ children:
|
||||
- /github-actions
|
||||
- /github-advanced-security
|
||||
- /github-codespaces
|
||||
- /github-code-quality
|
||||
- /github-copilot-licenses
|
||||
- /github-copilot-premium-requests
|
||||
- /github-models
|
||||
|
||||
@@ -81,6 +81,7 @@ If you want to stop paying for {% data variables.product.prodname_enterprise %}
|
||||
If you have a self-serve enterprise account, an enterprise account owner can:
|
||||
|
||||
1. Remove or delete all organizations from the enterprise. Removing an organization from an enterprise automatically downgrades the organization to {% data variables.product.prodname_free_team %}. See [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/removing-organizations-from-your-enterprise).
|
||||
1. Review and remove any remaining unaffiliated members from the enterprise. Depending on your policy settings, members who don't belong to any organizations may remain in your enterprise as unaffiliated members. To fully close the account, remove these unaffiliated members.
|
||||
1. Delete the enterprise account to cancel the {% data variables.product.prodname_enterprise %} subscription. See [AUTOTITLE](/admin/managing-your-enterprise-account/deleting-an-enterprise-account).
|
||||
|
||||
## Further reading
|
||||
|
||||
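Review bot: The new step says "Depending on your policy settings, members who don't belong to any organizations may remain in your enterprise as unaffiliated members" without naming the policy or linking anywhere, while the steps before and after it both end with a "See [AUTOTITLE]" link. Name the setting that controls this and link to the article on unaffiliated users or on removing members, so an owner who wants to cancel can find where to check and how to remove them.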
@@ -18,6 +18,7 @@ contentType: reference
|
||||
|
||||
| Operating system | Per-minute rate (USD) |
|
||||
|---------------------------------------| ----------------------|
|
||||
| Linux 1-core | $0.002 |
|
||||
| Linux 2-core | $0.008 |
|
||||
| Windows 2-core | $0.016 |
|
||||
| macOS 3-core or 4-core (M1 or Intel) | $0.08 |
|
||||
@@ -74,3 +75,4 @@ contentType: reference
|
||||
* For {% data variables.actions.hosted_runner %}s, there is no additional cost for configurations that assign public static IP addresses to a {% data variables.actions.hosted_runner %}. For more information on {% data variables.actions.hosted_runner %}s, see [AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners).
|
||||
* Included minutes cannot be used for {% data variables.actions.hosted_runner %}s.
|
||||
* The {% data variables.actions.hosted_runner %}s are not free for public repositories.
|
||||
* Custom images can only be used with larger runners and are billed at the same per-minute rates as those runners.
|
||||
|
||||
@@ -37,17 +37,15 @@ You need to use different endpoints to gather data depending on your account typ
|
||||
## Getting premium request consumption
|
||||
|
||||
1. Authenticate with {% data variables.product.github %} with one of the following methods:
|
||||
* **GitHub CLI:** use the `gh auth login` command to authenticate, see [AUTOTITLE](/github-cli/github-cli/quickstart).
|
||||
* **{% data variables.product.prodname_cli %}:** use the `gh auth login` command to authenticate, see [AUTOTITLE](/github-cli/github-cli/quickstart).
|
||||
* **Create a {% data variables.product.pat_v1 %}:** and pass the token to in your API call, see [Creating a {% data variables.product.pat_v1 %}](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic).
|
||||
|
||||
1. Call the required `premium_request/usage` endpoint, specifying the enterprise, organization, or user that you want data for.
|
||||
|
||||
To download other metrics for {% data variables.product.prodname_copilot %}, see [AUTOTITLE](/copilot/tutorials/roll-out-at-scale/measure-adoption/analyze-usage-over-time).
|
||||
|
||||
## Getting usage data for all paid products
|
||||
|
||||
1. Authenticate with {% data variables.product.github %} with one of the following methods:
|
||||
* **GitHub CLI:** use the `gh auth login` command to authenticate, see [AUTOTITLE](/github-cli/github-cli/quickstart).
|
||||
* **{% data variables.product.prodname_cli %}:** use the `gh auth login` command to authenticate, see [AUTOTITLE](/github-cli/github-cli/quickstart).
|
||||
* **Create a {% data variables.product.pat_v1 %}:** and pass the token to in your API call, see [Creating a {% data variables.product.pat_v1 %}](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic).
|
||||
|
||||
1. Call the required `usage` endpoint, specifying the enterprise, organization, or user that you want data for.
|
||||
|
||||
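Review bot: Both authentication lists still contain "and pass the token to in your API call" on the {% data variables.product.pat_v1 %} bullet, next to the line this hunk edits. Fix it to "and pass the token in your API call" while you are here. The bullet label "**Create a {% data variables.product.pat_v1 %}:**" followed by "and pass" also reads as a broken sentence; rewording it to match the CLI bullet ("**{% data variables.product.pat_v1 %}:** create a token and pass it in your API call") would make the two options parallel.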
@@ -0,0 +1,75 @@
|
||||
---
|
||||
title: About GitHub Code Quality
|
||||
shortTitle: About Code Quality
|
||||
intro: 'Learn how {% data variables.product.prodname_code_quality %} helps you catch and fix code health risks, maintain high standards, and track code quality within your {% data variables.product.github %} workflow.'
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: concepts
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Overview
|
||||
|
||||
{% data variables.product.prodname_code_quality %} helps you ensure your codebase is reliable, maintainable, and efficient. Whether you're building a new feature, reducing technical debt, or reporting on repository health, {% data variables.product.prodname_code_quality_short %} provides actionable insights and automated fixes so you can improve and maintain the code health of your repository efficiently.
|
||||
|
||||
## Key features and benefits
|
||||
|
||||
With {% data variables.product.prodname_code_quality_short %}, you can:
|
||||
|
||||
* Identify code quality risks and opportunities in **pull requests** and through **repository scans**.
|
||||
* Review clear explanations for findings and apply one-click **{% data variables.product.prodname_copilot_short %}-powered autofixes**.
|
||||
* Use **repository dashboards** to track reliability and maintainability scores, identify areas needing attention, and prioritize remediation.
|
||||
* Set up **rulesets** for pull requests to enforce code quality standards and block changes that do not meet your criteria.
|
||||
* Easily assign remediation work to **{% data variables.copilot.copilot_coding_agent %}**, if you have a {% data variables.product.prodname_copilot_short %} license.
|
||||
|
||||
## Availability and usage costs
|
||||
|
||||
{% data variables.product.prodname_code_quality %} is available for organization-owned repositories on {% data variables.product.prodname_team %} and {% data variables.product.prodname_ghe_cloud %} plans, as well as public repositories on {% data variables.product.prodname_dotcom_the_website %}.
|
||||
|
||||
{% data variables.product.prodname_code_quality %} won't be billed during public preview. However, {% data variables.product.prodname_code_quality_short %} scans will consume {% data variables.product.prodname_actions %} minutes. See [AUTOTITLE](/billing/concepts/product-billing/github-code-quality).
|
||||
|
||||
> [!NOTE]
|
||||
> * You **don't** need a {% data variables.product.prodname_copilot_short %} or a {% data variables.product.prodname_code_security %} license to use {% data variables.product.prodname_code_quality_short %} or apply {% data variables.product.prodname_copilot_short %}-powered autofixes.
|
||||
> * During the {% data variables.release-phases.public_preview %}, an enterprise policy that blocks the use of {% data variables.product.prodname_code_security %} by repository owners will also block use of {% data variables.product.prodname_code_quality_short %}. See [AUTOTITLE](/code-security/code-quality/how-tos/allow-in-enterprise).
|
||||
|
||||
## Supported languages
|
||||
|
||||
{% data variables.product.prodname_code_quality_short %} performs rule-based analysis of the following languages using {% data variables.product.prodname_codeql %}:
|
||||
|
||||
{% data reusables.code-quality.codeql-supported-languages %}
|
||||
|
||||
Code quality problems in other languages are detected by AI analysis alone. For more information on analysis, see [AUTOTITLE](/code-security/code-quality/responsible-use/code-quality).
|
||||
|
||||
## Understanding where {% data variables.product.prodname_code_quality_short %} findings appear after enablement
|
||||
|
||||
Once you enable {% data variables.product.prodname_code_quality_short %} for a repository, you'll see {% data variables.product.prodname_codeql %} scans for:
|
||||
|
||||
* Every new pull request opened against the default branch
|
||||
* All existing pull requests to the default branch when they are updated, triggering a new run of CI tests
|
||||
* The whole codebase on the default branch at the time and date shown on the "{% data variables.code-quality.code_quality_ui %}" settings page
|
||||
|
||||
In addition, you'll see an AI-powered analysis of all recent pushes to the default branch.
|
||||
|
||||
### Pull request results
|
||||
|
||||
When {% data variables.product.prodname_codeql %} finds rule-based problems on pull requests, you'll see comments from the `{% data variables.code-quality.pr_commenter %}`. Where possible, each comment will include a {% data variables.copilot.copilot_autofix_short %} suggestion on how to fix the problem. See [AUTOTITLE](/code-security/code-quality/tutorials/fix-findings-in-prs).
|
||||
|
||||
### Default branch results
|
||||
|
||||
{% data variables.product.prodname_code_quality_short %} findings on the default branch are reported on "{% data variables.code-quality.code_quality_ui %}" pages on the **Security** tab for the repository:
|
||||
|
||||
* **{% data variables.code-quality.all_findings %}** shows the results of {% data variables.product.prodname_codeql %} quality analysis. See [AUTOTITLE](/code-security/code-quality/tutorials/improve-your-codebase).
|
||||
* **{% data variables.code-quality.recent_suggestions %}** shows the results of AI-powered analysis of the files most recently pushed to the default branch. See [AUTOTITLE](/code-security/code-quality/tutorials/improve-recent-merges).
|
||||
|
||||
### Scan information
|
||||
|
||||
Each {% data variables.product.prodname_codeql %} analysis will use {% data variables.product.prodname_actions %} minutes and can be seen on the **Actions** tab of the repository as a run of the dynamic "{% data variables.code-quality.workflow_name_actions %}" workflow.
|
||||
|
||||
## Next steps
|
||||
|
||||
* Enable {% data variables.product.prodname_code_quality_short %} for your repository, see [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality). Enterprise owners **may** need to first update their Advanced Security policies, see [AUTOTITLE](/code-security/code-quality/how-tos/allow-in-enterprise)
|
||||
* See how {% data variables.product.prodname_code_quality %} works on your default branch to surface code quality issues and help you understand your repository's code health at a glance. See [AUTOTITLE](/code-security/code-quality/get-started/quickstart).
|
||||
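Review bot: In the first "Next steps" bullet, "Advanced Security" is hard-coded, while the allow-in-enterprise article in this same change uses {% data variables.product.prodname_AS %} for the same policies. The bullet also joins both links with ", see" and ends without a period, whereas the second bullet puts "See [AUTOTITLE](...)." in its own sentence. Suggest splitting it: "Enable {% data variables.product.prodname_code_quality_short %} for your repository. See [AUTOTITLE](...). Enterprise owners **may** first need to update their {% data variables.product.prodname_AS %} policies. See [AUTOTITLE](...)."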
13
content/code-security/code-quality/concepts/index.md
Normal file
@@ -0,0 +1,13 @@
|
||||
---
|
||||
title: Concepts for GitHub Code Quality
|
||||
shortTitle: Concepts
|
||||
allowTitleToDifferFromFilename: true
|
||||
intro: Learn about {% data variables.product.prodname_code_quality %} and how it can help improve and maintain the quality of your code.
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
children:
|
||||
- /about-code-quality
|
||||
contentType: concepts
|
||||
---
|
||||
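Review bot: The `intro:` value is an unquoted scalar containing a Liquid tag ("intro: Learn about {% data variables.product.prodname_code_quality %} and how it can help ..."), while the other index.md files in this change wrap their intro in single quotes. Quote it here as well so the frontmatter style is uniform and the value cannot be misparsed if the sentence is later edited to include a colon.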
12
content/code-security/code-quality/get-started/index.md
Normal file
@@ -0,0 +1,12 @@
|
||||
---
|
||||
title: Get started with GitHub Code Quality
|
||||
shortTitle: Get started
|
||||
intro: 'Learn how to get started with {% data variables.product.prodname_code_quality %}.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
children:
|
||||
- /quickstart
|
||||
contentType: get-started
|
||||
---
|
||||
89
content/code-security/code-quality/get-started/quickstart.md
Normal file
@@ -0,0 +1,89 @@
|
||||
---
|
||||
title: Quickstart for GitHub Code Quality
|
||||
intro: 'Review code quality findings, generate a {% data variables.copilot.copilot_autofix_short %}, and merge a pull request to improve reliability and maintainability with {% data variables.product.prodname_code_quality %}.'
|
||||
allowTitleToDifferFromFilename: true
|
||||
versions:
|
||||
feature: code-quality
|
||||
shortTitle: Quickstart
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: '{% data reusables.permissions.code-quality-see-repo-findings %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: get-started
|
||||
---
|
||||
|
||||
## Introduction
|
||||
|
||||
{% data variables.product.prodname_code_quality %} ({% data variables.release-phases.public_preview %}) helps keep your code reliable and maintainable by surfacing code quality findings in pull requests and on your default branch.
|
||||
|
||||
In this tutorial, you’ll learn how to identify and fix a code quality finding on your default branch, helping to improve your repository’s code health.
|
||||
|
||||
### Prerequisites
|
||||
|
||||
* {% data variables.product.prodname_code_quality %} must be enabled for your repository and you must have code in a supported language. See [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
|
||||
* If you're enabling {% data variables.product.prodname_code_quality %} for the first time, ensure you've waited a few minutes after enablement for a scan of the default branch to complete.
|
||||
|
||||
## Review scan results for your default branch
|
||||
|
||||
In your repository, go to the **Security** tab, click **{% data variables.code-quality.code_quality_ui_views %}** in the left sidebar, then click **{% data variables.code-quality.all_findings %}** to open the repository dashboard.
|
||||
|
||||
Here you'll see:
|
||||
|
||||
* Ratings for the **Reliability** and **Maintainability** of your codebase, which help you understand your code health at a glance.
|
||||
* A **results list** of all the quality issues detected on your default branch, which are grouped by rule and language.
|
||||
|
||||

|
||||
|
||||
## Identify a high-impact finding
|
||||
|
||||
Use the **dashboard filters** to identify a high severity level finding ("Error" or "Warning").
|
||||
|
||||
Resolving these will have the biggest impact on your repository's ratings.
|
||||
|
||||

|
||||
|
||||
### Inspect the details of the finding
|
||||
|
||||
Click the rule name itself to see a detailed view of the files and lines of code affected by that rule.
|
||||
|
||||

|
||||
|
||||
Once you're in the detailed view, click **Show more** to gather context and understand the results.
|
||||
|
||||

|
||||
|
||||
## Generate a {% data variables.copilot.copilot_autofix_short %}
|
||||
|
||||
To the right of a highlighted finding, click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} Generate fix**.
|
||||
|
||||

|
||||
|
||||
Review the suggested fix, then click **Open pull request**.
|
||||
|
||||
### Merge the fix
|
||||
|
||||
Carefully review the draft pull request. If you're satisfied with the proposed changes, and all checks and tests are passing, go ahead and merge the pull request.
|
||||
|
||||
## Observe the metrics change
|
||||
|
||||
Return to the {% data variables.product.prodname_code_quality_short %} dashboard (**Security** tab, then **{% data variables.code-quality.code_quality_ui_views %}**, then **{% data variables.code-quality.all_findings %}**).
|
||||
|
||||
Wait a few minutes for the next scan to complete — {% data variables.product.prodname_code_quality_short %} scans automatically re-run after every push to the default branch.
|
||||
|
||||
Observe the change in metrics at the top of the dashboard:
|
||||
|
||||
* The **number of findings** for "Reliability" or "Maintainability" should have decreased.
|
||||
* Your **ratings** for "Reliability" or "Maintainability" may have improved, if your fix addressed a number of high-impact findings.
|
||||
|
||||
To understand more about how the ratings are calculated, see [AUTOTITLE](/code-security/code-quality/reference/metrics-and-ratings).
|
||||
|
||||
## Conclusion
|
||||
|
||||
You've successfully used {% data variables.product.prodname_code_quality_short %} and {% data variables.copilot.copilot_autofix_short %} to improve your repository's code health!
|
||||
|
||||
Healthy code is easier to understand, maintain, and extend, and remediating code quality issues makes your codebase more reliable, compliant, and accelerates future development.
|
||||
|
||||
## Next steps
|
||||
|
||||
* Learn how {% data variables.product.prodname_code_quality %} works on pull requests to prevent code quality issues from reaching your default branch. See [AUTOTITLE](/code-security/code-quality/tutorials/fix-findings-in-prs).
|
||||
* Provide feedback on {% data variables.product.prodname_code_quality %} in the [community discussion](https://github.com/orgs/community/discussions/177488?utm_source=docs-discussions-code-quality&utm_medium=docs&utm_campaign=universe25).
|
||||
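Review bot: The second sentence under "Conclusion" has faulty parallelism: "makes your codebase more reliable, compliant, and accelerates future development" mixes two adjectives with a verb phrase. "Compliant" is also not supported by anything earlier in the quickstart, which only covers the Reliability and Maintainability ratings. Suggest "makes your codebase more reliable and accelerates future development". Under "Observe the metrics change", the instruction to wait for the next scan comes after the instruction to return to the dashboard; consider swapping them so the reader does not look at stale numbers first.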
@@ -0,0 +1,37 @@
|
||||
---
|
||||
title: Allowing use of {% data variables.product.prodname_code_quality %} in your enterprise
|
||||
shortTitle: Allow in enterprise
|
||||
intro: 'Define policies for {% data variables.product.prodname_AS %} that allow repository owners to enable {% data variables.product.prodname_code_quality %}.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: 'Enterprise owners'
|
||||
audience:
|
||||
- driver
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: how-tos
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Policy control during the {% data variables.release-phases.public_preview %}
|
||||
|
||||
During the {% data variables.release-phases.public_preview %}, the {% data variables.product.prodname_AS %} policies have been extended to control access to {% data variables.product.prodname_code_quality %}. If you create a new enterprise, {% data variables.product.prodname_GH_secret_protection %}, {% data variables.product.prodname_GH_code_security %}, and {% data variables.product.prodname_code_quality %} are initially available for repository owners to use across all organizations.
|
||||
|
||||
For an existing enterprise, {% data variables.product.prodname_code_quality %} is available to repository owners if the {% data variables.product.prodname_AS %} policy already allows the use of {% data variables.product.prodname_GH_code_security %}.
|
||||
|
||||
## Allowing repository owners to enable {% data variables.product.prodname_code_quality_short %}
|
||||
|
||||
1. Navigate to your enterprise. For example, from [https://github.com/settings/enterprises](https://github.com/settings/enterprises?ref_product=ghec&ref_type=engagement&ref_style=text&utm_source=docs-web-settings-code-quality&utm_medium=docs&utm_campaign=universe25).
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
|
||||
1. Under "General", select **Allow for all organizations**, or **Allow for selected organizations**.
|
||||
1. If you choose "Allow for selected organizations", for each organization of interest ensure that the policy is **All plans** or **{% data variables.product.prodname_code_security %} and {% data variables.product.prodname_code_quality_short %} only**.
|
||||
1. In the "{% data variables.product.prodname_code_security %} and {% data variables.product.prodname_code_quality_short %}" section, set the "Repository administrators can enable or disable {% data variables.product.prodname_code_security %} and {% data variables.product.prodname_code_quality_short %}" option to **All repositories: Allowed**.
|
||||
|
||||
For more information about policies for {% data variables.product.prodname_AS %}, see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise).
|
||||
|
||||
## Next steps
|
||||
|
||||
To see {% data variables.product.prodname_code_quality_short %} in action, turn the feature on for one or more repositories, [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
|
||||
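Review bot: The "Policy control" section says that for an existing enterprise the feature is available to repository owners whenever the {% data variables.product.prodname_AS %} policy already allows {% data variables.product.prodname_GH_code_security %}, but the procedure that follows only describes how to allow it. An enterprise owner who does not want the preview switched on by an existing policy has no step to follow. Suggest adding one sentence that names the setting to use to keep it blocked, for example the "Repository administrators can enable or disable ..." option from the last step. The "Next steps" sentence also drops "see" before its link: "turn the feature on for one or more repositories, [AUTOTITLE](...)".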
@@ -0,0 +1,43 @@
|
||||
---
|
||||
title: Enabling {% data variables.product.prodname_code_quality %}
|
||||
shortTitle: Enable Code Quality
|
||||
intro: 'Use {% data variables.product.prodname_code_quality_short %} to automatically catch, fix, and report on code quality issues in pull requests and on your default branch.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: '{% data reusables.permissions.code-quality-repo-enable %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: how-tos
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* {% data variables.product.prodname_actions %} must be enabled because {% data variables.product.prodname_code_quality_short %} uses actions to run each {% data variables.product.prodname_codeql %} analysis.
|
||||
* To get the full benefit of the feature, your repository should include one of the languages supported for quality analysis by {% data variables.product.prodname_codeql %}. See [Supported languages](/code-security/code-quality/concepts/about-code-quality#supported-languages).
|
||||
|
||||
## Enabling {% data variables.product.prodname_code_quality_short %} for a repository
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-settings %}
|
||||
1. In the sidebar, under "Security", click **{% data variables.code-quality.code_quality_ui_settings %}** to display the "{% data variables.code-quality.code_quality_ui %}" page.
|
||||
1. Click **Enable code quality**.
|
||||
|
||||
> [!NOTE]
|
||||
> If **Enable code quality** is missing from this view, your enterprise owner has disabled the use of {% data variables.product.prodname_code_security %} and {% data variables.product.prodname_code_quality_short %} for your organization. See [AUTOTITLE](/code-security/code-quality/how-tos/allow-in-enterprise).
|
||||
1. Review the information on the Code quality page:
|
||||
|
||||
* **Languages:** If you want to disable {% data variables.product.prodname_codeql %} analysis for any of the languages, clear the associated check box.
|
||||
* **Runner type:** If you want to use a different runner, choose **Labeled runner** and define the **Runner label**. See [AUTOTITLE](/actions/how-tos/manage-runners/github-hosted-runners/use-github-hosted-runners) and [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/apply-labels).
|
||||
|
||||
1. Click **Save changes** to save your configuration for {% data variables.product.prodname_code_quality_short %}.
|
||||
|
||||
> [!TIP]
|
||||
> If your organization has configured caching of private registries, these will be available for code quality analysis to use to resolve dependencies. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-quality-access-to-private-registries).
|
||||
|
||||
## Next steps
|
||||
|
||||
* Learn about the code quality backlog for your repository. See [AUTOTITLE](/code-security/code-quality/how-tos/interpret-results).
|
||||
* Find and fix code quality issues before they reach your default branch. See [AUTOTITLE](/code-security/code-quality/tutorials/fix-findings-in-prs).
|
||||
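Review bot: The step "Review the information on the Code quality page" hard-codes the page name, while the earlier step in the same list refers to that page as "{% data variables.code-quality.code_quality_ui %}". Use the variable in both places so a rename of the UI label only has to be made once and the two steps cannot drift apart.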
16
content/code-security/code-quality/how-tos/index.md
Normal file
@@ -0,0 +1,16 @@
|
||||
---
|
||||
title: How-to guides for GitHub Code Quality
|
||||
shortTitle: How-to guides
|
||||
intro: 'Learn how to use {% data variables.product.prodname_code_quality %} with these detailed guides.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: how-tos
|
||||
children:
|
||||
- /enable-code-quality
|
||||
- /interpret-results
|
||||
- /set-pr-thresholds
|
||||
- /unblock-your-pr
|
||||
- /allow-in-enterprise
|
||||
---
|
||||
@@ -0,0 +1,56 @@
|
||||
---
|
||||
title: Interpreting the code quality results for your repository
|
||||
shortTitle: Interpret results
|
||||
allowTitleToDifferFromFilename: true
|
||||
intro: 'View {% data variables.product.prodname_code_quality %} findings for your default branch and fix them to improve your quality rating.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: '{% data reusables.permissions.code-quality-see-repo-findings %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: how-tos
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* {% data variables.product.prodname_code_quality_short %} is enabled, see [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
|
||||
|
||||
## Viewing the full backlog of code quality results
|
||||
|
||||
{% data reusables.code-quality.dashboard-navigation-repo %}
|
||||
{% data reusables.code-quality.dashboard-all-findings %}
|
||||
|
||||
Alternatively, if you want to view AI-powered findings for the most recently changed files, see [AUTOTITLE](/code-security/code-quality/tutorials/improve-recent-merges).
|
||||
|
||||
## Exploring the backlog for your repository
|
||||
|
||||
The "{% data variables.code-quality.all_findings %}" dashboard shows all the results found by {% data variables.product.prodname_codeql %} analysis on the default branch of your repository. This view helps you visualize the full backlog of quality results and prioritize work to fix specific types of problems.
|
||||
|
||||
The overview, at the top of the page, summarizes the maintainability and reliability of the codebase.
|
||||
|
||||

|
||||
|
||||
Underneath the overview, the full list of results is shown with a header with filters that you can use to focus on a specific set of findings. The results are:
|
||||
|
||||
* Grouped by the rule that detected each finding
|
||||
* Within each rule, ordered by file path alphabetically
|
||||
|
||||
Explore the results by expanding a rule to list the affected files and clicking on the name of a rule to see full details of the findings.
|
||||
|
||||

|
||||
|
||||
## Interpreting ratings and metrics
|
||||
|
||||
Code quality results should always be interpreted in the context of your repository. For example:
|
||||
|
||||
* Small repositories, or repositories with only a small amount of code written in supported languages, tend to have few results and good ratings.
|
||||
* Repositories with a lot of generated code may have many maintenance results, lowering the rating for maintainability. This is not a problem if the source code itself is maintainable.
|
||||
* Large repositories with a lot of code in a fully supported language often have many results even if the majority of the code has good maintainability and reliability standards.
|
||||
|
||||
## Next steps
|
||||
|
||||
* Remediate quality findings in your default branch and improve the maintainability and reliability rating for your repository. See [AUTOTITLE](/code-security/code-quality/tutorials/improve-your-codebase).
|
||||
* Stop your repository from accumulating more code quality problems by setting a quality threshold for pull requests using rulesets. See [AUTOTITLE](/code-security/code-quality/how-tos/set-pr-thresholds).
|
||||
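Review bot: In "Interpreting ratings and metrics", the second bullet says repositories with generated code "may have many maintenance results". That term is not used anywhere else in the article; the metric is maintainability, so "maintainability results" would match "lowering the rating for maintainability" later in the same sentence. The single prerequisite also reads "is enabled, see [AUTOTITLE](...)", where a period followed by "See" would match the same prerequisite in the set-pr-thresholds article.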
@@ -0,0 +1,56 @@
|
||||
---
|
||||
title: Setting code quality thresholds for pull requests
|
||||
shortTitle: Set PR thresholds
|
||||
intro: 'Create a {% data variables.product.prodname_code_quality_short %} gate for pull requests to increase the quality of code merged into your repository.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: '{% data reusables.permissions.code-quality-repo-enable %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: how-tos
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Introduction
|
||||
|
||||
You can block pull requests that don't meet your code quality standards by adding the **Require code quality results** branch rule to a ruleset and specifying the severity level you require. If a pull request doesn't reach this threshold, it can't be merged.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* {% data variables.product.prodname_code_quality_short %} is enabled. See [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality)
|
||||
* Code in a supported language. See [Supported languages](/code-security/code-quality/concepts/about-code-quality#supported-languages).
|
||||
|
||||
> [!NOTE]
|
||||
> The threshold will have an impact only if the repository has code in one or more of the supported languages, see [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
|
||||
|
||||
## Confirming {% data variables.product.prodname_code_quality_short %} runs successfully on pull requests
|
||||
|
||||
Before you add or update a ruleset to include a threshold for {% data variables.product.prodname_code_quality_short %}, confirm that the {% data variables.code-quality.workflow_name_actions %} workflow is running and reporting results back to pull requests. Otherwise, the ruleset could block the merging of **all** pull requests.
|
||||
|
||||
1. Open a recent pull request and scroll to the "Checks" summary at the bottom of the pull request.
|
||||
1. Confirm that the "{% data variables.code-quality.check_status_name %}" check ran successfully and reported its status.
|
||||
|
||||
For more information, see [AUTOTITLE](/code-security/code-quality/reference/codeql-detection).
|
||||
|
||||
## Adding or updating a ruleset to include {% data variables.product.prodname_code_quality_short %}
|
||||
|
||||
1. Navigate to the "Settings" tab of your repository.
|
||||
1. In the left sidebar, under "Code and automation", expand {% octicon "repo-push" aria-hidden="true" aria-label="repo-push" %} **Rules**, then click **Rulesets**.
|
||||
1. If you don't already have a ruleset to protect your default branch, expand **New ruleset** and click **New branch ruleset**. Alternatively, open your existing ruleset for the default branch and move to step 5.
|
||||
1. If you are creating a new ruleset:
|
||||
* Define a name for the ruleset.
|
||||
* Set the "Enforcement status" to "Active."
|
||||
* Under "Target branches" add a target of "Include default branch."
|
||||
1. Under "Branch rules", enable "Require code quality results".
|
||||
1. Set "Severity" to define the lowest severity of code quality results that must be resolved before a pull request can be merged into the default branch. For example:
|
||||
* Set "Errors" to block pull requests with unresolved code quality **errors** being merged.
|
||||
* Set "Warnings and higher" to block pull requests with unresolved code quality **warnings** or **errors** being merged.
|
||||
* Set "Notes and higher" to block pull requests with unresolved code quality **notes**, **warnings** or **errors** being merged.
|
||||
* Set "All" to block pull requests with **any** unresolved code quality results being merged.
|
||||
1. When you have finished defining or editing the ruleset, click **Create** or **Save changes**.
|
||||
|
||||
## Next steps
|
||||
|
||||
Learn how {% data variables.product.prodname_code_quality %} works on pull requests to prevent code quality issues from reaching your default branch. See [AUTOTITLE](/code-security/code-quality/tutorials/fix-findings-in-prs).
|
||||
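Review bot: The [!NOTE] under "Prerequisites" links "supported languages" to /code-security/code-quality/how-tos/enable-code-quality, but the prerequisite bullet directly above it links the same phrase to /code-security/code-quality/concepts/about-code-quality#supported-languages. The note should use that anchor too, or be folded into the bullet since it repeats it. In the ruleset procedure, "move to step 5" hard-codes a number in a list where every item is written "1."; it points at the right step today but will silently go stale if a step is added or removed, so refer to the step by its text ("Under "Branch rules", enable "Require code quality results"") instead. The first prerequisite is also missing its closing period.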
@@ -0,0 +1,67 @@
|
||||
---
|
||||
title: Resolving a block on your pull request
|
||||
shortTitle: Unblock your PR
|
||||
intro: 'Learn how to identify and resolve a code quality block on your pull request so you can merge your changes.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
permissions: '{% data reusables.permissions.code-quality-see-repo-findings %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: how-tos
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Understanding why your pull request is blocked
|
||||
|
||||
Repository administrators can set code quality gates for maintainability and reliability using {% data variables.product.prodname_code_quality %}. When you open a pull request, a scan automatically runs to check your changes against these standards.
|
||||
|
||||
If your pull request introduces code that falls below the required quality threshold, you’ll see a merge block banner at the bottom of the pull request in the Checks section:
|
||||
"Merging is blocked: Code quality findings were detected."
|
||||
|
||||

|
||||
|
||||
These checks help maintain a healthy, maintainable codebase and prevent technical debt from accumulating.
|
||||
|
||||
## Viewing scan results and their severity levels
|
||||
|
||||
The results of the scan are reported as comments on your pull request, left by the `{% data variables.code-quality.pr_commenter %}`. Each comment corresponds to a specific code quality problem that was detected in your changes.
|
||||
|
||||
Comments are labeled by severity (**Error**, **Warning**, **Note**). To learn more about what the severity levels mean, see [Severity levels](/code-security/code-quality/reference/metrics-and-ratings#severity-levels).
|
||||
|
||||
## Determining which findings are blocking your pull request
|
||||
|
||||
The quality gate set by repository administrators defines the **minimum severity level** that will block merging.
|
||||
|
||||
The merge block banner may specify the minimum severity level. All findings at that severity level or higher must be addressed before you can merge your pull request.
|
||||
|
||||

|
||||
|
||||
> [!NOTE]
|
||||
> If you don't see a severity level defined in the merge block banner, it means that your repository is using the most stringent code quality thresholds, which require **all findings** to be addressed before merging.
|
||||
|
||||
## Fixing or dismissing each finding
|
||||
|
||||
In order to unblock your pull request, you need to resolve each required finding by deciding whether to **fix** the issue in your code or **dismiss** the comment.
|
||||
|
||||
### Leveraging {% data variables.copilot.copilot_autofix_short %} and {% data variables.copilot.copilot_coding_agent %} to fix findings
|
||||
|
||||
#### {% data variables.copilot.copilot_autofix_short %}
|
||||
|
||||
{% data reusables.code-quality.fix-findings-with-copilot-autofix %}
|
||||
|
||||
#### {% data variables.copilot.copilot_coding_agent %}
|
||||
|
||||
{% data reusables.code-quality.fix-findings-with-coding-agent %}
|
||||
|
||||
### Dismissing the finding
|
||||
|
||||
{% data reusables.code-quality.dismiss-irrelevant-findings %}
|
||||
|
||||
## Verifying that you've met the requirements
|
||||
|
||||
To see if you've met the code quality requirements, look at the "Checks" section at the bottom of your pull request. The merge block banner should no longer be present, and you should be able to merge your changes as usual.
|
||||
|
||||
## Next steps
|
||||
|
||||
Reduce technical debt by fixing findings in recently changed files. See [AUTOTITLE](/code-security/code-quality/tutorials/improve-recent-merges).
|
||||
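Review bot: The frontmatter sets `permissions:` but has no `product:` key, unlike the other how-to articles added in this change: enable-code-quality, interpret-results, set-pr-thresholds and allow-in-enterprise all carry product: '{% data reusables.gated-features.code-quality-availability %}'. If the omission is not deliberate, add the same line so availability is stated consistently across the how-tos. In the body, "you’ll" uses a typographic apostrophe where the other how-to articles in this change use a straight one.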
16
content/code-security/code-quality/index.md
Normal file
@@ -0,0 +1,16 @@
|
||||
---
|
||||
title: GitHub Code Quality documentation
|
||||
shortTitle: GitHub Code Quality
|
||||
intro: '{% data variables.product.prodname_code_quality %} helps you catch and fix code health risks, maintain high standards, and track code quality within your {% data variables.product.github %} workflow.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
children:
|
||||
- /get-started
|
||||
- /concepts
|
||||
- /how-tos
|
||||
- /reference
|
||||
- /tutorials
|
||||
- /responsible-use
|
||||
---
|
||||
@@ -0,0 +1,45 @@
|
||||
---
|
||||
title: CodeQL detection of code quality problems
|
||||
shortTitle: CodeQL detection
|
||||
intro: 'Information on how CodeQL-powered analysis for {% data variables.product.prodname_code_quality_short %} works, the workflow used, and the status checks reported on pull requests.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: reference
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## {% data variables.product.prodname_codeql %} detection
|
||||
|
||||
{% data variables.product.prodname_code_quality_short %} performs rule-based analysis of pull requests and your default branch using {% data variables.product.prodname_codeql %}. Each rule is written as a query in {% data variables.product.prodname_codeql %} and then run using {% data variables.product.prodname_actions %}.
|
||||
|
||||
The rules are continually refined by both {% data variables.product.github %} and open source developers. See [https://github.com/github/codeql](https://github.com/github/codeql?utm_source=docs-codeql-code-quality&utm_medium=docs&utm_campaign=universe25).
|
||||
|
||||
## Workflow used for code quality analysis
|
||||
|
||||
You can see all the workflow runs for {% data variables.product.prodname_code_quality_short %} on the **Actions** tab for your repository. The dynamic workflow is called "{% data variables.code-quality.workflow_name_actions %}".
|
||||
|
||||
By default, the {% data variables.code-quality.workflow_name_actions %} workflow runs on standard {% data variables.product.github %} runners but you can configure {% data variables.product.prodname_code_quality_short %} to use runners with a specific label. These may be hosted by {% data variables.product.github %} or self-hosted.
|
||||
|
||||
If your organization has configured caching of private registries, these will be available for code quality analysis to use to resolve dependencies.
|
||||
|
||||
For more information, see:
|
||||
|
||||
* [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality)
|
||||
* [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-quality-access-to-private-registries)
|
||||
|
||||
## Pull request status checks
|
||||
|
||||
When code quality analysis runs on a pull request, the check result is reported in the "Checks" section at the bottom of the pull request.
|
||||
|
||||
Any code problems identified by the scan are reported in comments on the pull request. The comment is made by the `{% data variables.code-quality.pr_commenter %}` and includes a {% data variables.copilot.copilot_autofix_short %} suggestion.
|
||||
|
||||
### Status check failures
|
||||
|
||||
The workflow failed to run. For example, your budget for actions minutes is exhausted. See [Viewing logs to diagnose failures](/actions/how-tos/monitor-workflows/use-workflow-run-logs#viewing-logs-to-diagnose-failures).
|
||||
|
||||
### Merging is blocked: Code quality findings were detected
|
||||
|
||||
The scan found problems in the code that exceed the quality gate set by a code quality branch rule for the repository. You need to resolve these problems before you can merge the pull request. See [AUTOTITLE](/code-security/code-quality/how-tos/unblock-your-pr).
|
||||
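Review bot: Under "Pull request status checks", the sentence "The comment is made by the ... and includes a {% data variables.copilot.copilot_autofix_short %} suggestion" is unconditional, but the about-code-quality article in this same change says "Where possible, each comment will include" a suggestion. Align the two, preferably on the qualified wording, so readers do not treat a comment without a suggestion as a failure. The "Status check failures" body also opens with "The workflow failed to run." without saying what the reader sees in the "Checks" section, whereas the next heading quotes the banner text; a matching lead-in sentence would make the two subsections parallel.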
13
content/code-security/code-quality/reference/index.md
Normal file
@@ -0,0 +1,13 @@
|
||||
---
|
||||
title: Reference for GitHub Code Quality
|
||||
shortTitle: Reference
|
||||
intro: 'Reference documentation for {% data variables.product.prodname_code_quality %}.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: reference
|
||||
children:
|
||||
- metrics-and-ratings
|
||||
- codeql-detection
|
||||
---
|
||||
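Review bot: The `children:` entries are written as "- metrics-and-ratings" and "- codeql-detection" without a leading slash, while every other index.md in this change uses one ("- /quickstart", "- /about-code-quality", "- /enable-code-quality"). Add the slash to both entries so the child paths follow the same form as the sibling index files.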
@@ -0,0 +1,51 @@
|
||||
---
|
||||
title: Metrics and ratings reference
|
||||
shortTitle: Metrics and ratings
|
||||
intro: 'Understand the terminology used by {% data variables.product.github %} to assess the quality of your repository''s code.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: reference
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
This article provides definitions for the metrics and ratings used by {% data variables.product.prodname_code_quality_short %}.
|
||||
|
||||
You can see the rule-based results for your repository on your **Security** tab, in the **{% data variables.code-quality.all_findings %}** tab under "{% data variables.code-quality.code_quality_ui_views %}".
|
||||
|
||||
## Metric definitions
|
||||
|
||||
The following table provides definitions for each metric that is reported for your repository.
|
||||
|
||||
| Metric | Definition | Example findings |
|
||||
|----------------|-----------------|----------------------|
|
||||
| **Reliability** | Assess whether the code performs its intended function correctly, predictably, and consistently. Reliable code is free from bugs, handles errors safely, and operates as expected under normal and edge-case conditions. | Issues with performance, concurrency, error handling, correctness, API design, accessibility, internationalization, or security |
|
||||
| **Maintainability** | Assess how easy it is to understand, modify, and extend the code over time. Maintainable code follows best practices, avoids unnecessary complexity, and is organized for ease of future changes and collaboration. | Not using best practices, unused/dead code, duplicate code, complexity, logical redundancies, inadequate documentation, dependency issues |
|
||||
|
||||
## Severity levels
|
||||
|
||||
Severity levels are used to indicate the potential impact or urgency of a code quality finding. They help users prioritize remediation efforts and communicate risks to stakeholders. Severity is determined by the rule that detected the issue, following conventions from {% data variables.product.prodname_codeql %} and industry standards.
|
||||
|
||||
| Severity | Definition |
|
||||
|-----------|--------------------|
|
||||
| **Error** | Indicates a high-severity issue that is likely to cause bugs, failures, or major maintainability risks. |
|
||||
| **Warning** | Indicates a moderate-severity issue that may impact code quality or reliability, but is not immediately critical. |
|
||||
| **Note** | Indicates a low-severity issue, minor improvement, or recommendation. These findings are useful for ongoing code health and maintainability. |
|
||||
|
||||
## Ratings definitions
|
||||
|
||||
These ratings are used to summarize the overall reliability and maintainability of a repository based on the severity of rule-based results found by {% data variables.product.prodname_codeql %} scans of the full default branch:
|
||||
|
||||
| Rating | Definition | Criteria (based on findings) |
|
||||
|----------------------|--------------|-------------------------------|
|
||||
| **Excellent** | Codebase demonstrates best practices for reliability and maintainability. | No code quality findings detected |
|
||||
| **Good** | Codebase has low-severity issues or minor improvements are suggested. | ≥1 "Note" level finding |
|
||||
| **Fair** | Codebase has moderate-severity issues that may impact quality, but are not critical. | ≥1 "Warning" level finding |
|
||||
| **Needs Improvement**| Codebase has high-severity issues, including bugs or major maintainability risks. | ≥1 "Error" level finding |
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/code-security/code-quality/concepts/about-code-quality)
|
||||
* [AUTOTITLE](/code-security/code-quality/how-tos/interpret-results)
|
||||
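Review bot: In the "Ratings definitions" table the criteria column overlaps: a repository with one "Error" and one "Note" finding satisfies the "Good", "Fair" and "Needs Improvement" rows at the same time, because each row only says "≥1 ... level finding". State that the rating is set by the highest severity present (for example, for "Good": Note-level findings only, with no Warning or Error), which is what the tutorial sentence "If you have one or more error-level findings, your rating cannot be higher than "Needs improvement"" already assumes. The Definition column also says "Codebase" although the tutorial treats ratings per metric ("for that metric"), so say whether each row is evaluated separately for Reliability and Maintainability. Minor: this table writes "Needs Improvement" and the tutorial writes "Needs improvement"; pick one casing.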
@@ -0,0 +1,100 @@
|
||||
---
|
||||
title: Responsible use of GitHub Code Quality
|
||||
shortTitle: Code quality
|
||||
intro: 'Learn how to use {% data variables.product.prodname_code_quality %} responsibly by understanding its purposes, capabilities, and limitations.'
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
- CodeQL
|
||||
- AI
|
||||
contentType: rai
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## About {% data variables.product.prodname_code_quality %}
|
||||
|
||||
{% data variables.product.prodname_code_quality %} helps users improve code reliability, maintainability, and overall project health by surfacing actionable feedback and offering automatic fixes for any findings in pull requests and on the default branch.
|
||||
|
||||
When you enable {% data variables.product.prodname_code_quality_short %}, two types of analysis run:
|
||||
|
||||
* **{% data variables.product.prodname_codeql %} quality queries** run using {% data variables.product.prodname_code_scanning %} analysis and identify problems with the maintainability, reliability, or style of code. This runs on changed code in all pull requests against the default branch. It also runs periodically on the full default branch.
|
||||
|
||||
* **Large Language Model (LLM)-powered analysis** provides additional insights into potential quality concerns beyond what is covered by deterministic engines like {% data variables.product.prodname_codeql %}. This runs automatically on files changed in recent pushes to the default branch. These findings are displayed in {% data variables.product.prodname_code_quality_short %}'s **{% data variables.code-quality.recent_suggestions %}** dashboard, under the Security tab of the repository.
|
||||
|
||||
When a quality issue is detected by either type of analysis, **{% data variables.copilot.copilot_autofix_short %}** suggests a relevant fix that can be reviewed and applied by developers.
|
||||
|
||||
On pull requests, {% data variables.product.prodname_code_quality_short %} results are displayed as comments left by the `github-code-quality` bot, which includes a suggested autofix wherever possible.
|
||||
|
||||
## LLM-powered analysis for recent pushes
|
||||
|
||||
After each push to the default branch, the LLM analyzes recently changed files for maintainability, reliability, and other quality issues. {% data variables.product.prodname_code_quality_short %} inspects your code and provides feedback using a combination of natural language processing and machine learning.
|
||||
|
||||
### Input processing
|
||||
|
||||
The code changes are combined with other relevant, contextual information to form a prompt, and that prompt is sent to a large language model.
|
||||
|
||||
### Language model analysis
|
||||
|
||||
The prompt is then passed through the {% data variables.product.prodname_copilot_short %} language model, which is a neural network that has been trained on a large body of text data. The language model analyzes the input prompt.
|
||||
|
||||
### Response generation
|
||||
|
||||
The language model generates a response based on its analysis of the input prompt. This response can take the form of natural language suggestions and code suggestions.
|
||||
|
||||
### Output formatting
|
||||
|
||||
The response generated by {% data variables.product.prodname_code_quality_short %} is presented to the user directly, providing code feedback linked to specific lines of specific files. Where {% data variables.product.prodname_code_quality_short %} has provided a code suggestion, the suggestion is presented as a suggested change, which can be applied with a couple of clicks.
|
||||
|
||||
## {% data variables.copilot.copilot_autofix %} suggestions
|
||||
|
||||
On pull requests, {% data variables.product.prodname_code_quality_short %} results found by {% data variables.product.prodname_code_scanning %} analysis send input to the LLM. If the LLM can generate a potential fix, the `github-code-quality` bot posts a comment with a suggested change directly in the pull request.
|
||||
|
||||
In addition, users can request autofix generation for results in the default branch.
|
||||
|
||||
For more information on the suggestion generation process for {% data variables.copilot.copilot_autofix %}, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning).
|
||||
|
||||
## Use case for {% data variables.product.prodname_code_quality %}
|
||||
|
||||
The goal of {% data variables.product.prodname_code_quality %} is to:
|
||||
|
||||
* Surface code quality issues across your repository, so developers and repository administrators can quickly identify, prioritize and report on areas of risk.
|
||||
* Accelerate remediation work by offering {% data variables.copilot.copilot_autofix_short %} suggestions for results found by scans of the default branch, as well as for findings in recent pushes to the default branch.
|
||||
* Quickly provide actionable feedback on a developer's code. On pull requests, {% data variables.product.prodname_code_quality_short %} combines information on best practices with details of the codebase and findings to suggest a potential fix to the developer.
|
||||
|
||||
## Improving the performance of {% data variables.product.prodname_code_quality %}
|
||||
|
||||
If you encounter any issues or limitations with suggested fixes on pull requests, we recommend that you provide feedback by using the thumbs up and thumbs down buttons on the `github-code-quality` bot's comments. This can help {% data variables.product.github %} to improve the tool and address any concerns or limitations.
|
||||
|
||||
## Limitations of {% data variables.product.prodname_code_quality %}
|
||||
|
||||
### Limitations of {% data variables.product.prodname_code_quality_short %}'s LLM-powered analysis
|
||||
|
||||
{% data variables.product.prodname_code_quality_short %}'s LLM-powered analysis uses the same underlying language model and analysis engine as {% data variables.copilot.copilot_code-review %}. Therefore, it shares similar limitations when analyzing code quality. Key considerations include:
|
||||
|
||||
* Incomplete detection
|
||||
* False positives
|
||||
* Code suggestion accuracy
|
||||
* Potential biases
|
||||
|
||||
For detailed information about these limitations, see [AUTOTITLE](/copilot/responsible-use/code-review).
|
||||
|
||||
You should always review the findings surfaced by {% data variables.product.prodname_code_quality %}'s LLM-powered analysis to verify their accuracy and applicability to your codebase.
|
||||
|
||||
### Limitations of {% data variables.copilot.copilot_autofix_short %}
|
||||
|
||||
{% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_code_quality_short %} findings won't be able to generate a fix for every finding in every situation. The feature operates on a best-effort basis and is not guaranteed to succeed 100% of the time.
|
||||
|
||||
When you review a suggestion from {% data variables.copilot.copilot_autofix_short %}, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should always carefully review and verify {% data variables.copilot.copilot_autofix_short %} suggestions before applying them.
|
||||
|
||||
For more information on the limitations of {% data variables.copilot.copilot_autofix_short %}, the quality of {% data variables.copilot.copilot_autofix_short %} suggestions, and the best way to mitigate its limitations, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning)
|
||||
|
||||
## Provide feedback
|
||||
|
||||
You can provide feedback on {% data variables.product.prodname_code_quality %} in the [community discussion](https://github.com/orgs/community/discussions/177488?utm_source=docs-discussions-code-quality&utm_medium=docs&utm_campaign=universe25).
|
||||
|
||||
## Next steps
|
||||
|
||||
See how {% data variables.product.prodname_code_quality %} works on your default branch to surface code quality issues and help you understand your repository's code health at a glance. See [AUTOTITLE](/code-security/code-quality/get-started/quickstart).
|
||||
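Review bot: The bot name is hard-coded as `github-code-quality` in three places in this file (the overview sentence "comments left by the `github-code-quality` bot", the paragraph under the Copilot Autofix suggestions heading, and the feedback paragraph), while the other new pages in this change reference `{% data variables.code-quality.pr_commenter %}`. Use the variable here as well so a rename cannot leave this page stale. Under "### Input processing", "other relevant, contextual information" does not tell the reader what is included in the prompt sent to the model; for a responsible-use page, list the kinds of context that are sent. The final sentence under the Autofix limitations heading ends on the link with no full stop.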
12
content/code-security/code-quality/responsible-use/index.md
Normal file
@@ -0,0 +1,12 @@
|
||||
---
|
||||
title: Responsible use of GitHub Code Quality
|
||||
shortTitle: Responsible use
|
||||
intro: 'Learn how to use {% data variables.product.prodname_code_quality %} responsibly by understanding its purposes, capabilities, and limitations.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
children:
|
||||
- code-quality
|
||||
contentType: rai
|
||||
---
|
||||
@@ -0,0 +1,75 @@
|
||||
---
|
||||
title: Fixing code quality findings before merging your pull request
|
||||
shortTitle: Fix findings in PRs
|
||||
intro: 'Learn how {% data variables.product.prodname_code_quality %} helps you catch and fix quality issues before they reach your default branch, and how {% data variables.copilot.copilot_autofix_short %} and {% data variables.copilot.copilot_coding_agent %} can help you quickly address any findings.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: '{% data reusables.permissions.code-quality-see-repo-findings %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: tutorials
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Introduction
|
||||
|
||||
This tutorial shows you how to work with {% data variables.product.prodname_code_quality %} on pull requests to identify code quality issues that your changes may otherwise inadvertently introduce, and how to address and resolve code quality findings with {% data variables.copilot.copilot_autofix_short %} and {% data variables.copilot.copilot_coding_agent %}.
|
||||
|
||||
### Benefits of catching issues early
|
||||
|
||||
Catching code quality issues early keeps your team's codebase in shape. {% data variables.product.prodname_code_quality %} checks your code for:
|
||||
|
||||
* **Reliability**: For example, logic errors, unsafe error handling, or race conditions that could cause your app to crash or behave unpredictably. By addressing this type of issue early, you make your software more robust and dependable for users.
|
||||
* **Maintainability**: For example, duplicated code, overly complex logic, unused variables, or violations of coding best practices. Fixing these issues makes your code cleaner and easier to read, so future changes are faster and less risky.
|
||||
|
||||
## 1. Understand how {% data variables.product.prodname_code_quality %} works on pull requests
|
||||
|
||||
When you open a pull request, {% data variables.product.prodname_code_quality %} automatically scans your changes for quality issues like those described above.
|
||||
|
||||
The results of the scan are reported as comments on your pull request, left by the `{% data variables.code-quality.pr_commenter %}`. Each comment corresponds to a specific code quality problem that was detected in your changes, and comes with a suggested autofix.
|
||||
|
||||
Comments are labeled by severity (**Error**, **Warning**, **Note**), so you can see which findings are the most critical to address.
|
||||
|
||||
## 2. Prioritize fixes based on severity
|
||||
|
||||
Scan through the comments and identify the findings that have the highest severity level ("Error") first.
|
||||
|
||||
If there are no "Error" findings, look for findings of the next severity level ("Warning"), and so on.
|
||||
|
||||
High severity findings indicate more serious code quality issues that are more likely to introduce reliability or maintainability problems in your codebase. By resolving high severity findings, you're doing the most impactful work to maintain the quality of your team's code.
|
||||
|
||||
> [!NOTE]
|
||||
> A repository administrator may have set a code quality gate that **blocks** merging on your pull request, if the pull request contains {% data variables.product.prodname_code_quality_short %} findings of a particular severity level or above. See [AUTOTITLE](/code-security/code-quality/how-tos/unblock-your-pr).
|
||||
|
||||
## 3. Leverage {% data variables.copilot.copilot_autofix_short %} or {% data variables.copilot.copilot_coding_agent %} to fix findings
|
||||
|
||||
### {% data variables.copilot.copilot_autofix_short %}
|
||||
|
||||
{% data reusables.code-quality.fix-findings-with-copilot-autofix %}
|
||||
|
||||
### {% data variables.copilot.copilot_coding_agent %}
|
||||
|
||||
{% data reusables.code-quality.fix-findings-with-coding-agent %}
|
||||
|
||||
## 4. Dismiss irrelevant findings
|
||||
|
||||
{% data reusables.code-quality.dismiss-irrelevant-findings %}
|
||||
|
||||
## 5. Push changes and wait for the scan
|
||||
|
||||
After fixing or dismissing findings, push your changes to the branch associated with your pull request. {% data variables.product.prodname_code_quality %} will automatically re-scan your changes and update the comments on your pull request accordingly.
|
||||
|
||||
## 6. Check your repository's code quality ratings
|
||||
|
||||
Anyone with write access can view the overall code quality ratings for a repository, which summarize the state of the code's reliability and maintainability across the default branch.
|
||||
|
||||
To view your repository's ratings, navigate to the **Security** tab of your repository, expand **{% data variables.code-quality.code_quality_ui_views %}** in the sidebar, then click **{% data variables.code-quality.all_findings %}**.
|
||||
|
||||
By resolving issues before merging your pull request, you've directly contributed to maintaining these ratings.
|
||||
|
||||
## Next steps
|
||||
|
||||
* Address code quality findings in your default branch and understand your repository’s reliability and maintainability ratings. See [AUTOTITLE](/code-security/code-quality/tutorials/improve-your-codebase).
|
||||
* Provide feedback on {% data variables.product.prodname_code_quality %} in the [community discussion](https://github.com/orgs/community/discussions/177488?utm_source=docs-discussions-code-quality&utm_medium=docs&utm_campaign=universe25).
|
||||
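Review bot: In section 1, "Each comment corresponds to a specific code quality problem ... and comes with a suggested autofix" is stated unconditionally, but the responsible-use page in this same change says the bot includes a suggested autofix "wherever possible" and that Autofix "won't be able to generate a fix for every finding in every situation". Soften the sentence to match, so a comment without a suggestion is not read as a malfunction. Sections 3 and 4 consist only of reusables, so this tutorial never says in its own text that an Autofix or coding agent change should be reviewed before the push in step 5; if the reusables do not cover that, add a sentence. Minor: the first "Next steps" bullet uses a curly apostrophe in "repository’s" where the rest of the file uses straight ones.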
@@ -0,0 +1,112 @@
|
||||
---
|
||||
title: Improving the quality of recently merged code with AI
|
||||
shortTitle: Improve recent merges
|
||||
intro: Learn how to assess and remediate issues detected by {% data variables.product.prodname_code_quality %} in your most recently changed code, so you can maintain high standards of code health across your default branch.
|
||||
versions:
|
||||
feature: code-quality
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: '{% data reusables.permissions.code-quality-see-repo-findings %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: other
|
||||
redirect_from:
|
||||
- /code-security/code-quality/tutorials/improve-active-code
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Introduction
|
||||
|
||||
This tutorial shows you how to explore and remediate quality issues that have been detected by {% data variables.product.prodname_code_quality_short %}'s analysis of code that was recently merged into your default branch.
|
||||
|
||||
When you improve quality of recently merged files, you reduce technical debt in the repository and make it easier for other developers to work on files that are under active development.
|
||||
|
||||
### {% data variables.product.prodname_code_quality_short %} has two lines of defense
|
||||
|
||||
{% data variables.product.prodname_code_quality_short %} scans pull requests and comments on quality concerns, **then runs a second AI scan** after the pull request is merged. The two types of scan use complementary technologies:
|
||||
|
||||
* **Pull request scans** use {% data variables.product.prodname_codeql %} rules to identify problems. This analysis is thoroughly tested, good at identifying where code doesn't match the quality rules, and can analyze many files. However, it supports a subset of coding languages and cannot identify problems where there is no rule.
|
||||
|
||||
* **Recently merged file scans** use a large language model to analyze your most recently changed files and report findings for up to {% data variables.code-quality.num_ai_findings %} files. This analysis examines your code across all languages, without being limited by rules, and provides contextual insights and suggestions that can go beyond what {% data variables.product.prodname_codeql %} rules offer.
|
||||
|
||||
### Prerequisites
|
||||
|
||||
* {% data variables.product.prodname_code_quality_short %} is enabled, see [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
|
||||
* At least one pull request has been merged since {% data variables.product.prodname_code_quality_short %} was enabled.
|
||||
|
||||
## 1. View the AI suggestions for your repository
|
||||
|
||||
After a {% data variables.product.prodname_code_quality_short %} scan of the recently merged files on your default branch, you can see the results under the **{% data variables.code-quality.recent_suggestions %}** view, which displays findings for up to {% data variables.code-quality.num_ai_findings %} files.
|
||||
|
||||
{% data reusables.code-quality.dashboard-navigation-repo %}
|
||||
{% data reusables.code-quality.dashboard-recent-suggestions %}
|
||||
|
||||
> [!NOTE]
|
||||
> This view is empty if the repository is inactive or if LLM analysis could not suggest ways to improve code quality in recent pushes to the default branch.
|
||||
|
||||
## 2. Explore suggested improvements for your repository
|
||||
|
||||
On the **{% data variables.code-quality.recent_suggestions %}** page, each file is listed with the number of quality problems identified and when the file was pushed to the default branch.
|
||||
|
||||
* Click a file name to view details of the quality problems detected and the suggested fixes.
|
||||
|
||||

|
||||
|
||||
## 3. Delegate remediation work or open pull requests yourself
|
||||
|
||||
You can open a pull request to apply the suggested autofixes to a file or delegate the remediation work to {% data variables.copilot.copilot_coding_agent %}. You need a {% data variables.product.prodname_copilot_short %} license to assign work to {% data variables.copilot.copilot_coding_agent %}.
|
||||
<br><a href="https://github.com/features/copilot/plans?ref_product=copilot&ref_type=purchase&ref_style=button&utm_source=docs-signup-copilot&utm_medium=docs&utm_campaign=universe25" target="_blank" class="btn btn-primary mt-3 mr-3 no-underline"><span>Sign up for {% data variables.product.prodname_copilot_short %}</span> {% octicon "link-external" height:16 aria-label="link-external" %}</a>
|
||||
|
||||
### Delegate work to {% data variables.copilot.copilot_coding_agent %}
|
||||
|
||||
You can ask {% data variables.copilot.copilot_coding_agent_short %} to open pull requests to make improvements to files using the suggested changes as a prompt. This is the best option if the suggested changes look good to you and you want to open a pull request that applies fixes to more than one file.
|
||||
|
||||
To delegate pull request creation:
|
||||
|
||||
* **Multiple files:** Select the files you want to include, then click **Assign selected to {% data variables.product.prodname_copilot_short %}** in the header for the list of files.
|
||||
* **One file:** Click **Assign to {% data variables.product.prodname_copilot_short %}** for the file.
|
||||
|
||||
There is a delay while the {% data variables.copilot.copilot_coding_agent_short %} sets up the work. When the pull request is open and work is in progress, a banner is displayed with a link to the pull request.
|
||||
|
||||
You can track {% data variables.copilot.copilot_coding_agent %}'s work:
|
||||
|
||||
* In the pull request, the summary is updated as work progresses.
|
||||
* Using the [agents page](https://github.com/copilot/agents?ref_product=copilot&ref_type=engagement&ref_style=text&utm_source=docs-web-agents-page&utm_medium=docs&utm_campaign=universe25) or session logs. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/track-copilot-sessions).
|
||||
|
||||
### Open your own pull requests
|
||||
|
||||
You can open pull requests yourself to apply autofix suggestions. This is the best option if:
|
||||
|
||||
* You want to work on the changes locally or in {% data variables.product.prodname_desktop %} before opening a pull request
|
||||
* You do not have access to {% data variables.copilot.copilot_coding_agent %}
|
||||
|
||||
> [!NOTE]
|
||||
> When you open a pull request yourself, you can only commit fixes to one file at a time. To fix multiple files at once, you must use {% data variables.copilot.copilot_coding_agent %}.
|
||||
|
||||
#### Opening a pull request
|
||||
|
||||
1. Click the file name to view details of the quality problems detected.
|
||||
1. Review the problems and suggested fixes.
|
||||
1. Expand the **Assign to {% data variables.product.prodname_copilot_short %}** drop-down and then click {% octicon "git-pull-request" aria-hidden="true" aria-label="Pull request" %} **Open pull request** to change the default option to "Open pull request". Your preference is remembered.
|
||||
|
||||

|
||||
|
||||
1. Click **Open pull request** to open a dialog of commit options.
|
||||
1. Click **Commit change** to create a pull request with the fixes.
|
||||
|
||||
## 4. Provide pull request reviewers with context
|
||||
|
||||
Providing context on why you are proposing changes to code is the best way to encourage team members to review your pull request. If you used {% data variables.copilot.copilot_coding_agent %}, the pull request summary already includes full details of the problems fixed by the pull request.
|
||||
|
||||
If you opened the pull request directly from the {% data variables.product.prodname_code_quality %} view, the pull request summary links to the "{% data variables.code-quality.recent_suggestions %}" view. You may want to copy some of the explanations from the {% data variables.code-quality.recent_suggestions %} view into the pull request summary.
|
||||
|
||||

|
||||
|
||||
## 5. See your changes make an impact on {% data variables.code-quality.recent_suggestions %}
|
||||
|
||||
When you return to the "{% data variables.code-quality.recent_suggestions %}" view after merging your pull request, the findings you fixed are no longer listed.
|
||||
|
||||
## Next steps
|
||||
|
||||
* Learn more about how {% data variables.copilot.copilot_coding_agent %} can help expedite development tasks. See [AUTOTITLE](/copilot/tutorials/coding-agent/get-the-best-results).
|
||||
* Provide feedback on {% data variables.product.prodname_code_quality %} in the [community discussion](https://github.com/orgs/community/discussions/177488?utm_source=docs-discussions-code-quality&utm_medium=docs&utm_campaign=universe25).
|
||||
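Review bot: Under the "Delegate work to" heading the text recommends assigning several files to the coding agent "if the suggested changes look good to you", but nothing after it tells the reader to review the resulting pull request before merging: section 4 is about giving reviewers context, and section 5 starts at "after merging your pull request". Add an explicit review step, in line with the responsible-use page's "You should always carefully review and verify" wording, since these are LLM-generated changes across multiple files. In the front matter, `contentType: other` differs from the `contentType: tutorials` used by the two sibling tutorials in this change, and `intro` is unquoted where the other files quote it. In step 3 of "Opening a pull request" the octicon sets both `aria-hidden="true"` and `aria-label="Pull request"`, which contradict each other; keep one.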
@@ -0,0 +1,110 @@
|
||||
---
|
||||
title: Improving the quality of your repository's code
|
||||
shortTitle: Improve your codebase
|
||||
intro: 'Learn how to assess and remediate code quality issues detected on your default branch so you can improve the quality of your codebase. As you progress, you''ll see your repository''s code quality rating rise as a result.'
|
||||
versions:
|
||||
feature: code-quality
|
||||
product: '{% data reusables.gated-features.code-quality-availability %}'
|
||||
permissions: '{% data reusables.permissions.code-quality-see-repo-findings %}'
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: tutorials
|
||||
---
|
||||
|
||||
{% data reusables.code-quality.code-quality-preview-note %}
|
||||
|
||||
## Introduction
|
||||
|
||||
This tutorial guides you through using {% data variables.product.prodname_code_quality %} to review, prioritize, and remediate code health issues across your repository — helping you systematically reduce technical debt, improve reliability and maintainability, and communicate your impact to stakeholders.
|
||||
|
||||
### Prerequisites
|
||||
|
||||
* {% data variables.product.prodname_code_quality_short %} is enabled for your repository. See [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
|
||||
* A full scan of the default branch has completed.
|
||||
|
||||
## 1. Assess your repository's overall code health
|
||||
|
||||
1. Navigate to the "Security" tab of your repository, then under "{% data variables.code-quality.code_quality_ui_views %}", click **{% data variables.code-quality.all_findings %}**.
|
||||
1. The overview on the "{% data variables.code-quality.all_findings %}" dashboard gives you an immediate assessment of the state of your default branch today:
|
||||
|
||||
* **Maintainability rating** reflects the presence and severity of findings for dead code, duplication, complexity, missing documentation, and failure to follow best practices.
|
||||
* **Reliability rating** reflects the presence and severity of findings for correctness, performance, error handling, concurrency, and accessibility of your code.
|
||||
|
||||

|
||||
|
||||
## 2. Identify and prioritize the most impactful findings
|
||||
|
||||
On the "{% data variables.code-quality.all_findings %}" view, you'll see the list of results from {% data variables.product.prodname_code_quality_short %}'s last scan of the default branch of the repository. These findings are:
|
||||
|
||||
* Grouped by **rule**, so you can see which types of problem most affect your codebase.
|
||||
* Assigned a **severity** level ("Error", "Warning", "Note").
|
||||
|
||||
### Focus on high severity findings
|
||||
|
||||
Use the dashboard **filters** to focus on the highest-severity results first ("Errors"), and review which rules generate the most issues.
|
||||
|
||||

|
||||
|
||||
To improve your repository's maintainability or reliability rating, you must resolve (fix or dismiss) all findings with the highest severity level for that metric.
|
||||
|
||||
For example, to improve your repository's "Reliability" metric from **Needs improvement** to **Fair**, you would need to address and resolve all **error-level findings** that impact reliability. If you have one or more error-level findings, your rating cannot be higher than "Needs improvement". See [AUTOTITLE](/code-security/code-quality/reference/metrics-and-ratings).
|
||||
|
||||
## 3. Investigate a group of findings and understand context
|
||||
|
||||
Once you've identified a rule with multiple results that you want to address, you can investigate further to understand the underlying problems.
|
||||
|
||||
1. Click the rule name to be taken to a detailed view of all findings for that rule.
|
||||
|
||||

|
||||
|
||||
1. Click **Show more**, then review the explanation of the rule, what the recommended fix is, supporting code examples and references.
|
||||
|
||||

|
||||
|
||||
## 4. Choose remediation options
|
||||
|
||||
Evaluate all the highlighted findings for validity, impact, and risk. To improve your quality rating, you need to resolve each finding by either choosing to fix or dismiss it.
|
||||
|
||||
### Generate an autofix
|
||||
|
||||
If the finding looks valid and relevant for your codebase, you can generate a suggested fix.
|
||||
|
||||
1. To the right of an individual finding, click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} Generate fix**.
|
||||
1. Review carefully the diff of the proposed change, and if you agree with it, click **Open pull request**.
|
||||
1. In the "Commit autofix to branch" dialog box, select "Open a pull request", then click **Commit change**.
|
||||
|
||||
> [!TIP]
|
||||
> It's not currently possible to generate autofixes for a group of findings in bulk.
|
||||
>
|
||||
> If you want to address multiple findings with a single pull request, repeat steps 1 and 2 above, then in the "Commit autofix to branch" dialog box, use the branch name you already created for the first autofix, then select "Open pull request" and **Commit change**.
|
||||
>
|
||||
> The fix will be added to the existing draft pull request for your branch.
|
||||
|
||||
1. When you're ready, change the pull request status from "Draft" to "Ready for review", and carefully review the proposed changes. Wait for any CI checks and automated tests to complete and pass before merging the pull request.
|
||||
|
||||
### Dismiss a finding
|
||||
|
||||
{% data reusables.code-quality.dismiss-irrelevant-findings %}
|
||||
|
||||
1. To dismiss a finding, click **{% octicon "shield-slash" aria-label="Dismiss" %}**.
|
||||
1. The finding will disappear from the list of open findings. You can still review and reopen dismissed findings from under the "Dismissed" tab at the top of the page.
|
||||
|
||||
## 5. Measure improvement and communicate impact
|
||||
|
||||
After remediation work is complete, return to the "{% data variables.code-quality.all_findings %}" dashboard to review the updated reliability and maintainability metrics.
|
||||
|
||||
When communicating your impact to stakeholders, highlight:
|
||||
* Any **reduction** in the number of findings for "Reliability" or "Maintainability".
|
||||
* Any **change in rating** for the Reliability or Maintainability ratings.
|
||||
* The requirement(s) that has been met to achieve the change in rating. For example, the remediation of all "Warning"-level findings caused the rating to change from "Fair" to "Good".
|
||||
|
||||
Use the improvements in quality ratings and reduction in number of findings to demonstrate progress.
|
||||
|
||||
## 6. Enforce code quality standards for pull requests
|
||||
|
||||
If you haven't already, set up quality thresholds for pull requests, to block any changes to the codebase that will reduce the health of your codebase. See [AUTOTITLE](/code-security/code-quality/how-tos/set-pr-thresholds).
|
||||
|
||||
## Next steps
|
||||
|
||||
* Reduce technical debt further by fixing findings in recently changed files. See [AUTOTITLE](/code-security/code-quality/tutorials/improve-recent-merges).
|
||||
* Provide feedback on {% data variables.product.prodname_code_quality %} in the [community discussion](https://github.com/orgs/community/discussions/177488?utm_source=docs-discussions-code-quality&utm_medium=docs&utm_campaign=universe25).
|
||||
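Review bot: In the "Generate an autofix" steps, the `> [!TIP]` alert sits unindented between the third list item and "When you're ready, change the pull request status...", which ends the ordered list, so that last step is likely to render as a new step 1 instead of step 4. Indent the alert under the preceding step or move it below the list. The labels also drift: step 2 says click **Open pull request**, step 3 says select "Open a pull request", and the tip says select "Open pull request"; match all three to the UI strings. Minor: "The requirement(s) that has been met" should read "have been met".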
14
content/code-security/code-quality/tutorials/index.md
Normal file
@@ -0,0 +1,14 @@
|
||||
---
|
||||
title: Tutorials for GitHub Code Quality
|
||||
shortTitle: Tutorials
|
||||
intro: Build skills and knowledge about {% data variables.product.prodname_code_quality %} through examples.
|
||||
versions:
|
||||
feature: code-quality
|
||||
topics:
|
||||
- Code Quality
|
||||
contentType: tutorials
|
||||
children:
|
||||
- /fix-findings-in-prs
|
||||
- /improve-your-codebase
|
||||
- /improve-recent-merges
|
||||
---
|
||||
@@ -85,6 +85,14 @@ When fixing security alerts as part of a campaign, it may be helpful to group an
|
||||
|
||||
{% data variables.copilot.copilot_autofix_short %} is automatically triggered for alerts that are included in a campaign, meaning that where possible, fixes are automatically generated for you. You can commit the suggested fix to resolve the alert and then verify that continuous integration testing (CI) for the codebase is still passing. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign).
|
||||
|
||||
{% ifversion security-campaigns-assign-to-cca %}
|
||||
|
||||
If {% data variables.copilot.copilot_coding_agent %} is enabled in the repository, you can also assign alerts to {% data variables.product.prodname_copilot_short %}. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign#assigning-alerts-to-copilot-coding-agent).
|
||||
|
||||
By assigning multiple alerts, {% data variables.copilot.copilot_coding_agent %} will apply the fixes and iterate on the code to validate the changes, check for any new security issues, and ensure there are no merge conflicts.
|
||||
|
||||
{% endif %}
|
||||
|
||||
### {% data variables.copilot.copilot_chat_short %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
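Review bot: The sentence "By assigning multiple alerts, {% data variables.copilot.copilot_coding_agent %} will apply the fixes..." has a dangling modifier (the user assigns the alerts, not the agent), and the identical sentence is added again in the later hunk that introduces the "Assigning alerts to {% data variables.copilot.copilot_coding_agent %}" section. Suggest rewording to "When you assign multiple alerts, ..." and moving it into a reusable so the two copies cannot drift. This paragraph also omits the precondition stated in that later section ("If an autofix has been generated"), so the two descriptions of the same feature do not quite agree.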
@@ -1,8 +1,8 @@
|
||||
---
|
||||
title: Disabling Copilot Autofix for code scanning
|
||||
title: Disabling Copilot Autofix for code scanning security alerts
|
||||
shortTitle: Disable Copilot Autofix
|
||||
allowTitleToDifferFromFilename: true
|
||||
intro: You can choose to disallow {% data variables.copilot.copilot_autofix %} for an enterprise or disable {% data variables.copilot.copilot_autofix %} at the organization and repository level.
|
||||
intro: You can block availability of {% data variables.copilot.copilot_autofix %} for security alerts for an enterprise or disable {% data variables.copilot.copilot_autofix %} at the organization and repository level.
|
||||
product: '{% data reusables.rai.code-scanning.gated-feature-autofix %}'
|
||||
versions:
|
||||
feature: code-scanning-autofix
|
||||
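Review bot: The new intro applies "for security alerts" only to the enterprise clause; "or disable {% data variables.copilot.copilot_autofix %} at the organization and repository level" is left unqualified, so it still reads as switching Autofix off entirely at those levels. The note added in the next hunk says Autofix keeps running on code quality results, so the qualifier should cover both clauses, for example by placing "for security alerts" at the end of the sentence.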
@@ -20,17 +20,20 @@ topics:
|
||||
|
||||
{% data reusables.rai.code-scanning.copilot-autofix-note %}
|
||||
|
||||
{% data variables.copilot.copilot_autofix_short %} is allowed by default and enabled for every repository that uses {% data variables.product.prodname_codeql %}, regardless of whether it uses default or advanced setup for {% data variables.product.prodname_code_scanning %}. Administrators at the enterprise, organization and repository levels can choose to opt out and disable {% data variables.copilot.copilot_autofix_short %}.
|
||||
{% data variables.copilot.copilot_autofix_short %} is allowed by default and enabled for every repository that uses {% data variables.product.prodname_codeql %}, regardless of whether it uses default or advanced setup for {% data variables.product.prodname_code_scanning %}. Administrators at the enterprise, organization and repository levels can choose to opt out and disable {% data variables.copilot.copilot_autofix_short %} for security alerts.
|
||||
|
||||
Note that disabling {% data variables.copilot.copilot_autofix_short %} at any level will close all open {% data variables.copilot.copilot_autofix_short %} comments. If {% data variables.copilot.copilot_autofix_short %} is disabled and then subsequently enabled, {% data variables.copilot.copilot_autofix_short %} won't automatically suggest fixes for any pull requests that are already open. The suggestions will only be generated for any pull requests that are opened after {% data variables.copilot.copilot_autofix_short %} is enabled, or after re-running {% data variables.product.prodname_code_scanning %} analysis on existing pull requests.
|
||||
Note that disabling {% data variables.copilot.copilot_autofix_short %} at any level will close all open {% data variables.copilot.copilot_autofix_short %} suggestions on security comments. If {% data variables.copilot.copilot_autofix_short %} is disabled and then subsequently enabled, {% data variables.copilot.copilot_autofix_short %} won't automatically suggest fixes for any pull requests that are already open. The suggestions will only be generated for any pull requests that are opened after {% data variables.copilot.copilot_autofix_short %} is enabled, or after re-running {% data variables.product.prodname_code_scanning %} security analysis on existing pull requests.
|
||||
|
||||
> [!NOTE]
|
||||
> {% data variables.copilot.copilot_autofix_short %} is an integral part of {% data variables.product.prodname_code_quality %} and will continue to run on code quality results even when it is disabled for code security results.
|
||||
|
||||
## Blocking use of {% data variables.copilot.copilot_autofix_short %} for an enterprise
|
||||
|
||||
Enterprise administrators can disallow {% data variables.copilot.copilot_autofix_short %} for their enterprise. If you disallow {% data variables.copilot.copilot_autofix_short %} for an enterprise, {% data variables.copilot.copilot_autofix_short %} cannot be enabled for any organizations or repositories within the enterprise.
|
||||
Enterprise administrators can disallow {% data variables.copilot.copilot_autofix_short %} for security results in their enterprise. If you disallow {% data variables.copilot.copilot_autofix_short %} for an enterprise, {% data variables.copilot.copilot_autofix_short %} cannot be enabled for any organizations or repositories within the enterprise.
|
||||
|
||||
Note that allowing {% data variables.copilot.copilot_autofix_short %} for an enterprise does not enforce enablement of {% data variables.copilot.copilot_autofix_short %}, but means that organization and repository administrators will have the option to enable or disable {% data variables.copilot.copilot_autofix_short %}.
|
||||
Note that allowing {% data variables.copilot.copilot_autofix_short %} for an enterprise does not enforce enablement of {% data variables.copilot.copilot_autofix_short %}, but means that organization and repository administrators will have the option to enable or disable {% data variables.copilot.copilot_autofix_short %} for security results.
|
||||
|
||||
Disallowing {% data variables.copilot.copilot_autofix_short %} at the enterprise level will remove all open {% data variables.copilot.copilot_autofix_short %} comments across all repositories of all organizations within the enterprise.
|
||||
Disallowing {% data variables.copilot.copilot_autofix_short %} at the enterprise level will remove all open {% data variables.copilot.copilot_autofix_short %} suggestions on security comments across all repositories of all organizations within the enterprise.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
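Review bot: The scoping wording added in this hunk is not consistent: "for security alerts" in the opening paragraph, "for security results" in the two enterprise paragraphs, "code security results" in the new note, and "suggestions on security comments" where the old text said "comments". Pick one term (the new title uses "security alerts") and use it throughout. "Suggestions on security comments" is also hard to parse; if it means Autofix suggestions attached to code scanning comments on pull requests, say so directly. The opening paragraph says disabling will "close" open suggestions while the enterprise paragraph says "remove"; align the verb if the behavior is the same.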
@@ -41,7 +44,7 @@ Disallowing {% data variables.copilot.copilot_autofix_short %} at the enterprise
|
||||
|
||||
If {% data variables.copilot.copilot_autofix_short %} is allowed at the enterprise level, organization administrators have the option to disable {% data variables.copilot.copilot_autofix_short %} for an organization. If you disable {% data variables.copilot.copilot_autofix_short %} for an organization, {% data variables.copilot.copilot_autofix_short %} cannot be enabled for any repositories within the organization.
|
||||
|
||||
Note that disabling {% data variables.copilot.copilot_autofix_short %} at the organization level will remove all open {% data variables.copilot.copilot_autofix_short %} comments across all repositories in the organization.
|
||||
Note that disabling {% data variables.copilot.copilot_autofix_short %} at the organization level will remove all open {% data variables.copilot.copilot_autofix_short %} suggestions on security comments across all repositories in the organization.
|
||||
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.profile.org_settings %}
|
||||
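Review bot: Only the second paragraph of the organization section gained the security scoping; the unchanged sentence above it still says that after disabling for an organization Autofix "cannot be enabled for any repositories within the organization", with no qualifier. Given the note added earlier in this file that Autofix continues to run on code quality results, add the same scoping to that sentence so the section does not overstate what the setting turns off.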
@@ -52,7 +55,7 @@ For more information about configuring global {% data variables.product.prodname
|
||||
|
||||
## Disabling {% data variables.copilot.copilot_autofix_short %} for a repository
|
||||
|
||||
If {% data variables.copilot.copilot_autofix_short %} is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable {% data variables.copilot.copilot_autofix_short %} for a repository. Disabling {% data variables.copilot.copilot_autofix_short %} at the repository level will remove all open {% data variables.copilot.copilot_autofix_short %} comments across the repository.
|
||||
If {% data variables.copilot.copilot_autofix_short %} is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable {% data variables.copilot.copilot_autofix_short %} for a repository. Disabling {% data variables.copilot.copilot_autofix_short %} at the repository level will remove all open {% data variables.copilot.copilot_autofix_short %} suggestions on security comments across the repository.
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-settings %}
|
||||
|
||||
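Review bot: This is the third copy of the "will remove all open ... suggestions on security comments" sentence in the file (enterprise, organization, repository), differing only in the scope at the end. Consider a single reusable with the agreed wording. The first sentence of this paragraph ("have the option to disable ... for a repository") is still unscoped and should carry the same security qualifier as the sentence that follows it.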
@@ -45,6 +45,23 @@ If you want to see the code that triggered the security alert and the suggested
|
||||
|
||||
> [!TIP] If you have write permission for more than one repository in the campaign, click the link in the "Campaign progress" box in your repository to show the organization-level view of the campaign. When you open a repository from this view, the campaign alerts view is displayed.
|
||||
|
||||
{% ifversion security-campaigns-assign-to-cca %}
|
||||
|
||||
## Assigning alerts to {% data variables.copilot.copilot_coding_agent %}
|
||||
|
||||
>[!NOTE] This option is currently in public preview and is subject to change. {% data variables.copilot.copilot_coding_agent %} must be available in the repository.
|
||||
|
||||
If an autofix has been generated, you can assign one or more alerts to {% data variables.product.prodname_copilot_short %}. {% data variables.product.prodname_copilot_short %} will create pull requests, apply the autofixes, and add you as a requested reviewer.
|
||||
|
||||
By assigning multiple alerts, {% data variables.copilot.copilot_coding_agent %} will apply the fixes and iterate on the code to validate the changes, check for any new security issues, and ensure there are no merge conflicts.
|
||||
|
||||
1. In the campaign view for the repository, select the alerts that you want to assign.
|
||||
1. Above the list of alerts, click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} Assign to Copilot**.
|
||||
|
||||
Within 30 seconds, {% data variables.product.prodname_copilot_short %} will open a pull request to address the security vulnerabilities assigned to {% data variables.product.prodname_copilot_short %} and yourself. The pull request will include a summary of the fixes and details of the changes made. Once created, the pull request is shown next to the alert.
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion copilot %}
|
||||
|
||||
## Using {% data variables.copilot.copilot_chat %} for secure coding
|
||||
|
||||
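Review bot: "Within 30 seconds, {% data variables.product.prodname_copilot_short %} will open a pull request" states a hard timing guarantee for a feature the note above marks as public preview and subject to change; suggest softening it or dropping the figure. In the same sentence, "the security vulnerabilities assigned to {% data variables.product.prodname_copilot_short %} and yourself" is ambiguous about who the alerts are assigned to, and it conflicts in number with the earlier "will create pull requests"; state whether one pull request or one per alert is opened. Formatting: `>[!NOTE]` is missing the space after `>` that the `> [!TIP]` just above it uses.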