GitHub App installation restrictions (#58668)

Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>

.github/workflows/all-documents.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/article-api-docs.yml

@@ -22,7 +22,7 @@ jobs:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/auto-add-ready-for-doc-review.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Check team membership
         id: membership_check

.github/workflows/check-broken-links-github-github.yml

@@ -24,7 +24,7 @@ jobs:
       REPORT_REPOSITORY: github/docs-content
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # To prevent issues with cloning early access content later
           persist-credentials: 'false'

.github/workflows/close-on-invalid-label.yaml

@@ -37,7 +37,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() && github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'pull_request_target' }}

.github/workflows/codeql.yml

@@ -33,7 +33,7 @@ jobs:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
         with:
           languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp, ruby}

.github/workflows/confirm-internal-staff-work-in-docs.yml

@@ -83,7 +83,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() && github.event_name != 'pull_request_target' }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'pull_request_target' }}
         with:

.github/workflows/content-lint-markdown.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Node and dependencies
         uses: ./.github/actions/node-npm-setup

.github/workflows/content-linter-rules-docs.yml

@@ -25,7 +25,7 @@ jobs:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/copy-api-issue-to-internal.yml

@@ -73,7 +73,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() && github.event_name != 'workflow_dispatch' && github.repository == 'github/docs-internal' }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' && github.repository == 'github/docs-internal' }}
         with:

.github/workflows/count-translation-corruptions.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout English repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # Using a PAT is necessary so that the new commit will trigger the
           # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)

.github/workflows/create-changelog-pr.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6.0.0
+      - uses: actions/checkout@v6.0.1
 
       - name: 'Ensure ${{ env.CHANGELOG_FILE }} exists'
         run: |

.github/workflows/delete-orphan-translation-files.yml

@@ -60,10 +60,10 @@ jobs:
             language_repo: github/docs-internal.ko-kr
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Checkout the language-specific repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: ${{ matrix.language_repo }}
           token: ${{ secrets.DOCS_BOT_PAT_BASE }}

.github/workflows/docs-review-collect.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Check out repo content
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Setup Node.js
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0

.github/workflows/dont-delete-assets.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/dont-delete-features.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/enterprise-dates.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/enterprise-release-issue.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/first-responder-v2-prs-collect.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.0
+        uses: actions/checkout@v6.0.1
 
       # Add to the FR project
       # and set type to "Maintenance"

.github/workflows/generate-code-scanning-query-lists.yml

@@ -33,12 +33,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 
       - name: Checkout codeql repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/codeql
           path: codeql
@@ -89,7 +89,7 @@ jobs:
           done
 
       - name: Upload security query lists
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: security-query-lists
           path: data/reusables/code-scanning/codeql-query-tables/
@@ -99,12 +99,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 
       - name: Checkout codeql repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/codeql
           path: codeql
@@ -151,7 +151,7 @@ jobs:
           done
 
       - name: Upload quality query lists
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: quality-query-lists
           path: data/reusables/code-quality/codeql-query-tables/
@@ -162,10 +162,10 @@ jobs:
     needs: [generate-security-query-lists, generate-quality-query-lists]
     steps:
       - name: Checkout repository code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Checkout codeql repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/codeql
           path: codeql
@@ -181,13 +181,13 @@ jobs:
           echo "Copied files from github/codeql repo. Commit SHA: $OPENAPI_COMMIT_SHA"
 
       - name: Download security query lists
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: security-query-lists
           path: data/reusables/code-scanning/codeql-query-tables/
 
       - name: Download quality query lists
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: quality-query-lists
           path: data/reusables/code-quality/codeql-query-tables/

.github/workflows/headless-tests.yml

@@ -37,7 +37,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/setup-elasticsearch
 

.github/workflows/hubber-contribution-help.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - id: membership_check
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd

.github/workflows/index-autocomplete-search.yml

@@ -23,14 +23,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 
       - uses: ./.github/actions/setup-elasticsearch
         if: ${{ github.event_name == 'pull_request' }}
 
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ secrets.DOCS_BOT_PAT_BASE }}
           repository: github/docs-internal-data

.github/workflows/index-general-search-pr.yml

@@ -37,10 +37,10 @@ jobs:
     if: github.repository == 'github/docs-internal'
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Clone docs-internal-data
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/docs-internal-data
           # This works because user `docs-bot` has read access to that private repo.

.github/workflows/index-general-search.yml

@@ -87,7 +87,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
@@ -115,10 +115,10 @@ jobs:
         language: ${{ fromJSON(needs.figureOutMatrix.outputs.matrix) }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Clone docs-internal-data
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/docs-internal-data
           # This works because user `docs-bot` has read access to that private repo.

.github/workflows/keep-caches-warm.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/link-check-daily.yml

@@ -23,7 +23,7 @@ jobs:
         run: gh --version
 
       - name: Check out repo's default branch
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 
@@ -37,7 +37,7 @@ jobs:
 
       - name: Check out docs-early-access too, if internal repo
         if: ${{ github.repository == 'github/docs-internal' }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/docs-early-access
           token: ${{ secrets.DOCS_BOT_PAT_BASE }}
@@ -49,7 +49,7 @@ jobs:
         run: src/early-access/scripts/merge-early-access.sh
 
       - name: Restore disk-cache file for external link checking
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: external-link-checker-db.json
           key: external-link-checker-${{ hashFiles('src/links/scripts/rendered-content-link-checker.ts') }}

.github/workflows/link-check-on-pr.yml

@@ -26,7 +26,7 @@ jobs:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/lint-code.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/lint-entire-content-data-markdown.yml

@@ -23,7 +23,7 @@ jobs:
         run: gh --version
 
       - name: Check out repo's default branch
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Node and dependencies
         uses: ./.github/actions/node-npm-setup

.github/workflows/local-dev.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/moda-allowed-ips.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v6.0.0
+        uses: actions/checkout@v6.0.1
 
       - name: Update list of allowed IPs
         run: |

.github/workflows/move-content.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/move-ready-to-merge-pr.yaml

@@ -31,7 +31,7 @@ jobs:
           repo-token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/move-reopened-issues-to-triage.yaml

@@ -45,7 +45,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() }}
         with:

.github/workflows/needs-sme-stale-check.yaml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() }}
         with:

.github/workflows/needs-sme-workflow.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9
         with:
@@ -41,7 +41,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9
         with:

.github/workflows/no-response.yaml

@@ -57,7 +57,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() }}
         with:

.github/workflows/notify-about-deployment.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/orphaned-features-check.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout English repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # Using a PAT is necessary so that the new commit will trigger the
           # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)

.github/workflows/orphaned-files-check.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout English repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # Using a PAT is necessary so that the new commit will trigger the
           # CI in the PR. (Events from GITHUB_TOKEN don't trigger new workflows.)

.github/workflows/os-ready-for-review.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo content
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Check if this run was triggered by a member of the docs team
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd

.github/workflows/package-lock-lint.yml

@@ -25,7 +25,7 @@ jobs:
     if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Setup Node.js
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0

.github/workflows/purge-fastly.yml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/readability.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo with full history
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 

.github/workflows/ready-for-doc-review.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo content
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/docs-internal
           token: ${{ secrets.DOCS_BOT_PAT_BASE }}

.github/workflows/repo-sync.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/review-comment.yml

@@ -38,7 +38,7 @@ jobs:
       PR_NUMBER: ${{ github.event.pull_request.number }}
     steps:
       - name: check out repo content
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/node-npm-setup
 
       - name: Set APP_URL

.github/workflows/reviewers-content-systems.yml

@@ -36,7 +36,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.0
+        uses: actions/checkout@v6.0.1
 
       - name: Add content systems as a reviewer
         uses: ./.github/actions/retry-command

.github/workflows/reviewers-dependabot.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.0
+        uses: actions/checkout@v6.0.1
 
       - name: Add dependabot as a reviewer
         uses: ./.github/actions/retry-command

.github/workflows/reviewers-docs-engineering.yml

@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.0
+        uses: actions/checkout@v6.0.1
 
       - name: Add docs engineering as a reviewer
         uses: ./.github/actions/retry-command

.github/workflows/reviewers-legal.yml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.0
+        uses: actions/checkout@v6.0.1
 
       - name: Get changed files
         id: changed_files

.github/workflows/site-policy-sync.yml

@@ -27,10 +27,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout docs-internal
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: checkout public site-policy
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: github/site-policy
           token: ${{ secrets.API_TOKEN_SITEPOLICY }}

.github/workflows/stale.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() }}
         with:

.github/workflows/sync-audit-logs.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/sync-codeql-cli.yml

@@ -30,11 +30,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
         # Check out a nested repository inside of previous checkout
       - name: Checkout semmle-code repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # By default, only the most recent commit of the `main` branch
           # will be checked out

.github/workflows/sync-graphql.yml

@@ -23,7 +23,7 @@ jobs:
       ignored-types: ${{ steps.sync.outputs.ignored-types }}
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/node-npm-setup
       - name: Run updater scripts
         id: sync
@@ -82,7 +82,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         with:
           slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}

.github/workflows/sync-openapi.yml

@@ -30,11 +30,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
         # Check out a nested repository inside of previous checkout
       - name: Checkout rest-api-description repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # By default, only the most recent commit of the `main` branch
           # will be checked out
@@ -42,7 +42,7 @@ jobs:
           path: rest-api-description
           ref: ${{ inputs.SOURCE_BRANCH }}
 
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # By default, only the most recent commit of the `main` branch
           # will be checked out

.github/workflows/sync-secret-scanning.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/test-changed-content.yml

@@ -27,7 +27,7 @@ jobs:
       # Each of these ifs needs to be repeated at each step to make sure the required check still runs
       # Even if if doesn't do anything
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/test.yml

@@ -87,7 +87,7 @@ jobs:
       # Each of these ifs needs to be repeated at each step to make sure the required check still runs
       # Even if if doesn't do anything
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/setup-elasticsearch
         if: ${{ matrix.name == 'search' || matrix.name == 'languages' }}

.github/workflows/triage-issue-comments.yml

@@ -43,7 +43,7 @@ jobs:
             }
 
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/triage-issues.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/triage-pull-requests.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/triage-stale-check.yml

@@ -44,7 +44,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() }}
         with:
@@ -72,7 +72,7 @@ jobs:
 
       - name: Check out repo
         if: ${{ failure() }}
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() }}
         with:

.github/workflows/triage-unallowed-contributions.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Get files changed
         uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd

.github/workflows/validate-asset-images.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: ./.github/actions/node-npm-setup
 

.github/workflows/validate-github-github-docs-urls.yml

@@ -34,10 +34,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo's default branch
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - uses: ./.github/actions/node-npm-setup
 
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ secrets.DOCS_BOT_PAT_BASE }}
           repository: github/github

.github/workflows/validate-openapi-check.yml

@@ -28,7 +28,7 @@ jobs:
     if: github.repository == 'github/docs-internal'
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

CHANGELOG.md

@@ -1,8 +1,20 @@
 # Docs changelog
 
+**18 December 2025**
+
+The documentation has been updated to reflect the general availability of direct organization billing for premium request usage in Copilot Code Review. Organization members without a Copilot plan can now use Copilot Code Review on GitHub.com, with premium request usage billed directly to their organization or enterprise. See [Copilot code review without a Copilot license](https://docs.github.com/en/copilot/concepts/agents/code-review#copilot-code-review-without-a-copilot-license).
+
+<hr>
+
+**16 December 2025**
+
+We've added [a tutorial](https://docs.github.com/copilot/tutorials/modernize-java-applications) on how Copilot can help modernize and migrate Java applications by assessing your codebase, identifying upgrade paths, and automating remediation and containerization tasks.
+
+<hr>
+
 **9 December 2025**
 
-We published [a guide](https://docs.github.com/en/enterprise-cloud@latest/admin/concepts/enterprise-best-practices/use-innersource) to help customers set up innersource practices in their enterprise. The guide also provides a conceptual introduction to features like internal visibility, organization base permissions, and roles for external collaborators.
+We published [a guide](https://docs.github.com/enterprise-cloud@latest/admin/concepts/enterprise-best-practices/use-innersource) to help customers set up innersource practices in their enterprise. The guide also provides a conceptual introduction to features like internal visibility, organization base permissions, and roles for external collaborators.
 
 <hr>
 
@@ -10,21 +22,21 @@ We published [a guide](https://docs.github.com/en/enterprise-cloud@latest/admin/
 
 We've added a new tutorial on how to use Copilot Chat to write code for you. The tutorial steps you through how to create a time tracking web app using only prompts in Copilot Chat.
 
-[Vibe coding with GitHub Copilot](https://docs.github.com/en/copilot/tutorials/vibe-coding)
+[Vibe coding with GitHub Copilot](https://docs.github.com/copilot/tutorials/vibe-coding)
 
 <hr>
 
 **5 December 2025**
 
-We added documentation for the new Code generation tab, which is part of Copilot usage metrics. The docs now describe how to view code generation insights across your enterprise, compare user-initiated and agent-initiated behavior, and understand differences across models, languages, and modes. We also updated related conceptual and reference content for consistency and scannability. See [Viewing the code generation dashboard](https://docs.github.com/en/copilot/how-tos/administer-copilot/manage-for-enterprise/view-code-generation).
+We added documentation for the new Code generation tab, which is part of Copilot usage metrics. The docs now describe how to view code generation insights across your enterprise, compare user-initiated and agent-initiated behavior, and understand differences across models, languages, and modes. We also updated related conceptual and reference content for consistency and scannability. See [Viewing the code generation dashboard](https://docs.github.com/copilot/how-tos/administer-copilot/manage-for-enterprise/view-code-generation).
 
 <hr>
 
 **2 December 2025**
 
-You can now share Copilot Spaces publicly. See [Collaborating with others using GitHub Copilot Spaces](https://docs.github.com/en/copilot/how-tos/provide-context/use-copilot-spaces/collaborate-with-others#sharing-spaces).
+You can now share Copilot Spaces publicly. See [Collaborating with others using GitHub Copilot Spaces](https://docs.github.com/copilot/how-tos/provide-context/use-copilot-spaces/collaborate-with-others#sharing-spaces).
 
-You can also now add files to a Copilot Space directly from the code view on GitHub, so you don't need to break your flow when building context for your space. See [Creating GitHub Copilot Spaces](https://docs.github.com/en/copilot/how-tos/provide-context/use-copilot-spaces/create-copilot-spaces#adding-context-as-youre-working).
+You can also now add files to a Copilot Space directly from the code view on GitHub, so you don't need to break your flow when building context for your space. See [Creating GitHub Copilot Spaces](https://docs.github.com/copilot/how-tos/provide-context/use-copilot-spaces/create-copilot-spaces#adding-context-as-youre-working).
 
 <hr>
 
@@ -40,7 +52,7 @@ See [About GitHub Copilot code review](https://docs.github.com/copilot/concepts/
 
 We've added a new tutorial on burning down technical debt in a project: 
 
-[Using GitHub Copilot to reduce technical debt](https://docs.github.com/en/copilot/tutorials/reduce-technical-debt)
+[Using GitHub Copilot to reduce technical debt](https://docs.github.com/copilot/tutorials/reduce-technical-debt)
 
 The addition of this tutorial was prompted by a presentation by Brittany Ellich at this year's GitHub Universe conference: [Tackling your tech debt with Copilot coding agent](https://www.youtube.com/watch?v=LafpndhNC_E), and is based on a GitHub community post by Akash Sharma: [Stop Letting Technical Debt Slow You Down](https://github.com/orgs/community/discussions/178975).
 
@@ -163,16 +175,16 @@ This is just a very small selection of the articles that were updated for Univer
 
 To support the enterprise roles and teams public preview, we:
 
-* Created a new concepts category in the [enterprise admin](https://docs.github.com/en/enterprise-cloud@latest/admin) docs aimed at onboarding administrators, including new articles on roles and teams in an enterprise.
-* Built a user journey for setting up roles, teams, and apps to simplify administration, starting with [Identifying the roles required by your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/identify-role-requirements).
-* Published how-to content on [creating custom roles](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/create-custom-roles), [creating enterprise teams](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/create-enterprise-teams), and [assigning roles](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/assign-roles).
-* Communicated new conceptual frameworks and best practices for enterprise accounts, including [Best practices for organizing work in your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/concepts/best-practices) and [Enterprise accounts](https://docs.github.com/en/enterprise-cloud@latest/admin/concepts/enterprise-fundamentals/enterprise-accounts).
+* Created a new concepts category in the [enterprise admin](https://docs.github.com/enterprise-cloud@latest/admin) docs aimed at onboarding administrators, including new articles on roles and teams in an enterprise.
+* Built a user journey for setting up roles, teams, and apps to simplify administration, starting with [Identifying the roles required by your enterprise](https://docs.github.com/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/identify-role-requirements).
+* Published how-to content on [creating custom roles](https://docs.github.com/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/create-custom-roles), [creating enterprise teams](https://docs.github.com/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/create-enterprise-teams), and [assigning roles](https://docs.github.com/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/assign-roles).
+* Communicated new conceptual frameworks and best practices for enterprise accounts, including [Best practices for organizing work in your enterprise](https://docs.github.com/enterprise-cloud@latest/admin/concepts/best-practices) and [Enterprise accounts](https://docs.github.com/enterprise-cloud@latest/admin/concepts/enterprise-fundamentals/enterprise-accounts).
 
 <hr>
 
 **17 October 2025**
 
-We have updated the [Account and profile](https://docs.github.com/en/account-and-profile) and [Subscriptions and notifications](https://docs.github.com/en/subscriptions-and-notifications) docs for improved usability, scannability, and information architecture.
+We have updated the [Account and profile](https://docs.github.com/account-and-profile) and [Subscriptions and notifications](https://docs.github.com/subscriptions-and-notifications) docs for improved usability, scannability, and information architecture.
 
 To support accomplishing tasks without context switching or sifting through unrelated content, articles are now organized by content type and focused on jobs-to-be-done. Additionally, related information is now linked from content type to content type.
 
@@ -180,13 +192,13 @@ To support accomplishing tasks without context switching or sifting through unre
 
 **14 October 2025**
 
-We've added a new tutorial about how to [Review AI-generated code](https://docs.github.com/en/copilot/tutorials/review-ai-generated-code). The article gives techniques to verify and validate AI-generated code, and also suggests how Copilot can help with reviews.
+We've added a new tutorial about how to [Review AI-generated code](https://docs.github.com/copilot/tutorials/review-ai-generated-code). The article gives techniques to verify and validate AI-generated code, and also suggests how Copilot can help with reviews.
 
 <hr>
 
 **13 October 2025**
 
-To help large enterprises keep their automations secure and consistent across many organizations, we published [Automating app installations in your enterprise's organizations](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-github-apps-for-your-enterprise/automate-installations). This is one of the most requested features from customer feedback.
+To help large enterprises keep their automations secure and consistent across many organizations, we published [Automating app installations in your enterprise's organizations](https://docs.github.com/enterprise-cloud@latest/admin/managing-github-apps-for-your-enterprise/automate-installations). This is one of the most requested features from customer feedback.
 
 The tutorial shows how to manage installations and run automations using enterprise-owned apps and the new apps installation API. Security-conscious enterprises will see that Apps maximize security by providing short-lived, minimally scoped tokens at every stage.
 
@@ -198,8 +210,8 @@ The tutorial shows how to manage installations and run automations using enterpr
 
 We’ve updated the Spark documentation to support the launch for Copilot Enterprise users, making it easier to understand and enable Spark:
 
-* Conceptual article: [About GitHub Spark](https://docs.github.com/en/copilot/concepts/spark#enterprise-considerations) now includes enterprise considerations (governance, billing, infrastructure, and benefits).
-* How-to: [Managing GitHub Spark in your enterprise](https://docs.github.com/en/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-spark) is streamlined to prerequisites and enablement steps, with links to related policies.
+* Conceptual article: [About GitHub Spark](https://docs.github.com/copilot/concepts/spark#enterprise-considerations) now includes enterprise considerations (governance, billing, infrastructure, and benefits).
+* How-to: [Managing GitHub Spark in your enterprise](https://docs.github.com/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-spark) is streamlined to prerequisites and enablement steps, with links to related policies.
 
 <hr>
 
@@ -217,11 +229,11 @@ Claude Sonnet 4.5 has been released as a Public Preview. At the time of launch,
 
 The following articles have been updated: 
 
-- [About GitHub Copilot coding agent](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent)
-- [Supported AI models in GitHub Copilot](https://docs.github.com/en/copilot/reference/ai-models/supported-models)
-- [Hosting of models for GitHub Copilot Chat](https://docs.github.com/en/copilot/reference/ai-models/model-hosting)
-- [AI model comparison](https://docs.github.com/en/copilot/reference/ai-models/model-comparison)
-- [About GitHub Copilot CLI](https://docs.github.com/en/copilot/concepts/agents/about-copilot-cli)
+- [About GitHub Copilot coding agent](https://docs.github.com/copilot/concepts/agents/coding-agent/about-coding-agent)
+- [Supported AI models in GitHub Copilot](https://docs.github.com/copilot/reference/ai-models/supported-models)
+- [Hosting of models for GitHub Copilot Chat](https://docs.github.com/copilot/reference/ai-models/model-hosting)
+- [AI model comparison](https://docs.github.com/copilot/reference/ai-models/model-comparison)
+- [About GitHub Copilot CLI](https://docs.github.com/copilot/concepts/agents/about-copilot-cli)
 
 <hr>
 

Dockerfile

@@ -8,7 +8,7 @@
 # ---------------------------------------------------------------
 # To update the sha:
 # https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
-FROM ghcr.io/github/gh-base-image/gh-base-noble:20251119-090131-gb27dc275c AS base
+FROM ghcr.io/github/gh-base-image/gh-base-noble:20251217-105955-g05726ec4c AS base
 
 # Install curl for Node install and determining the early access branch
 # Install git for cloning docs-early-access & translations repos

content/README.md

@@ -259,7 +259,9 @@ includeGuides:
   - `id` (required): Unique identifier for the journey. The id only needs to be unique for journeys within a single journey landing page.
   - `title` (required): Display title for the journey (supports Liquid variables)
   - `description` (optional): Description of the journey (supports Liquid variables)
-  - `guides` (required): Array of article paths that make up this journey
+  - `guides` (required): Array of guide objects that make up this journey. Each guide object has:
+    - `href` (required): Path to the article
+    - `alternativeNextStep` (optional): Custom text to guide users to alternative paths in the journey. Supports Liquid variables and `[AUTOTITLE]`.
 - Only applicable when used with `layout: journey-landing`.
 - Optional.
 
@@ -271,15 +273,16 @@ journeyTracks:
     title: 'Getting started with {% data variables.product.prodname_actions %}'
     description: 'Learn the basics of GitHub Actions.'
     guides:
-      - '/actions/quickstart'
-      - '/actions/learn-github-actions'
-      - '/actions/using-workflows'
+      - href: '/actions/quickstart'
+      - href: '/actions/learn-github-actions'
+        alternativeNextStep: 'Want to skip ahead? See [AUTOTITLE](/actions/using-workflows).'
+      - href: '/actions/using-workflows'
   - id: 'advanced'
     title: 'Advanced {% data variables.product.prodname_actions %}'
     description: 'Dive deeper into advanced features.'
     guides:
-      - '/actions/using-workflows/workflow-syntax-for-github-actions'
-      - '/actions/deployment/deploying-with-github-actions'
+      - href: '/actions/using-workflows/workflow-syntax-for-github-actions'
+      - href: '/actions/deployment/deploying-with-github-actions'
 ```
 
 ### `type`

content/account-and-profile/how-tos/organization-membership/index.md

@@ -19,6 +19,7 @@ children:
   - /requesting-organization-approval-for-oauth-apps
   - /publicizing-or-hiding-organization-membership
   - /removing-yourself-from-an-organization
+  - /removing-yourself-from-an-enterprise
 shortTitle: Organization membership
 contentType: how-tos
 ---

content/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-enterprise.md

@@ -0,0 +1,35 @@
+---
+title: Removing yourself from an enterprise
+intro: You can leave an enterprise after removing yourself from every organization in the enterprise.
+versions:
+  fpt: '*'
+  ghec: '*'
+topics:
+  - Accounts
+shortTitle: Leave an enterprise
+contentType: how-tos
+---
+
+If your personal {% data variables.product.github %} account is a member of an enterprise, you can leave the enterprise at any time.
+
+After leaving an enterprise, you will no longer be a member of any organization in the enterprise, and you will lose {% data variables.product.prodname_copilot %} licenses and other privileges granted through the enterprise.
+
+>[!NOTE] If you use a {% data variables.enterprise.prodname_managed_user %} provided by your enterprise, only administrators can remove you from the enterprise. You're using a {% data variables.enterprise.prodname_managed_user %} if all usernames in your enterprise end with a pattern like `_CODE`, or if you access the enterprise at a domain like `{% data variables.enterprise.data_residency_example_domain %}`.
+
+## Leaving an enterprise
+
+To leave an enterprise, you must remove yourself from every organization in the enterprise, then leave the enterprise itself.
+
+1. Leave every organization in the enterprise.
+   1. Go to the [Enterprises](https://github.com/settings/enterprises) page in your settings.
+   1. Click the enterprise you want to leave, then click the **Organizations** tab.
+   1. Use the **Your role** dropdown to see the organizations that you're a member of.
+   1. Leave each organization by following the instructions in [AUTOTITLE](/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-organization).
+1. Go back to the [Enterprises](https://github.com/settings/enterprises) page and check if the enterprise is still listed. If it is **not** listed, you have left the enterprise.
+1. If the enterprise **is** still listed, check your role for the enterprise and take the appropriate action to leave:
+
+   * If you're an **unaffiliated member**, next to the enterprise name, click **Leave**.
+   * If you're an **owner**, you must go to the enterprise settings and remove yourself. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#removing-an-enterprise-administrator-from-your-enterprise-account).
+   * If you're a **billing manager**, you must ask an enterprise owner to remove you using the instructions in [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#removing-an-enterprise-administrator-from-your-enterprise-account).
+
+   ![Screenshot of the enterprises page. Next to "unaffilated member", the "Leave" button is highlighted with an orange outline.](/assets/images/help/enterprises/enterprise-self-removal.png)

content/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-organization.md

@@ -30,3 +30,9 @@ contentType: how-tos
 {% data reusables.user-settings.access_settings %}
 {% data reusables.user-settings.organizations %}
 1. Under "Organizations", next to the organization you'd like to remove yourself from, click **Leave**.
+
+{% ifversion fpt or ghec %}
+
+If you remove yourself from every organization in an enterprise, you may also be automatically removed from the enterprise account. If you haven't been removed and want to leave an enterprise, see [AUTOTITLE](/account-and-profile/how-tos/organization-membership/removing-yourself-from-an-enterprise).
+
+{% endif %}

content/actions/concepts/runners/self-hosted-runners.md

@@ -23,11 +23,11 @@ A self-hosted runner is a system that you deploy and manage to execute jobs from
 Self-hosted runners:
 
 {% ifversion fpt or ghec %}
-* Give you more control of hardware, operating system, and software tools than {% data variables.product.prodname_dotcom %}-hosted runners provide. Be aware that you are responsible for updating the operating system and all other software.{% endif %}
+* Give you more control of hardware, operating system, and software tools than {% data variables.product.github %}-hosted runners provide. Be aware that you are responsible for updating the operating system and all other software.
+* Allow you to use machines and services that your company already maintains and pays to use.{% endif %}
 * Are free to use with {% data variables.product.prodname_actions %}, but you are responsible for the cost of maintaining your runner machines.
 * Let you create custom hardware configurations that meet your needs with processing power or memory to run larger jobs, install software available on your local network.
 * Receive automatic updates for the self-hosted runner application only, though you may disable automatic updates of the runner.
-* Can use cloud services or local machines that you already pay for.
 * Don't need to have a clean instance for every job execution.{% ifversion ghec or ghes %}
 * Can be organized into groups to restrict access to specific workflows, organizations, and repositories. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups).{% endif %}
 * Can be physical, virtual, in a container, on-premises, or in a cloud.

content/actions/how-tos/manage-runners/use-proxy-servers.md

@@ -22,11 +22,7 @@ contentType: how-tos
 
 If your runner needs to communicate via a proxy server, you can configure proxy settings using environment variables or system-level configurations.
 
-| Variable      | Description                                                                                           | Example                                                                                     |
-| ------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
-| `https_proxy` | Proxy URL for HTTPS traffic. You can include basic authentication if required.                        | `http://proxy.local`<br>`http://192.168.1.1:8080`<br>`http://username:password@proxy.local` |
-| `http_proxy`  | Proxy URL for HTTP traffic. You can include basic authentication if required.                         | `http://proxy.local`<br>`http://192.168.1.1:8080`<br>`http://username:password@proxy.local` |
-| `no_proxy`    | A comma-separated list of hosts or IP addresses that should bypass the proxy. Some clients only honor IP addresses when connections are made directly to the IP rather than a hostname. | `example.com`<br>`example.com,myserver.local:443,example.org`                               |
+{% data reusables.actions.actions-proxy-environment-variables-table %}
 
 The proxy environment variables are read when the runner application starts, so you must set the environment variables before configuring or starting the runner application. If your proxy configuration changes, you must restart the runner application.
 

content/actions/how-tos/reuse-automations/create-workflow-templates.md

@@ -28,7 +28,47 @@ This procedure demonstrates how to create a workflow template and metadata file.
 1. If it doesn't already exist, create a new repository named `.github` in your organization.
 1. Create a directory named `workflow-templates`.
 1. Create your new workflow file inside the `workflow-templates` directory.
-1. Create a metadata file inside the `workflow-templates` directory.
+
+   If you need to refer to a repository's default branch, you can use the `$default-branch` placeholder. When a workflow is created the placeholder will be automatically replaced with the name of the repository's default branch.
+
+   {% ifversion ghes %}
+
+   > [!NOTE]
+   > The following values in the `runs-on` key are also treated as placeholders:
+   >
+   > * `ubuntu-latest` is replaced with `[ self-hosted ]`
+   > * `windows-latest` is replaced with `[ self-hosted, windows ]`
+   > * `macos-latest` is replaced with `[ self-hosted, macOS ]`
+   {% endif %}
+
+   For example, this file named `octo-organization-ci.yml` demonstrates a basic workflow.
+
+   ```yaml copy
+   name: Octo Organization CI
+
+   on:
+     push:
+       branches: [ $default-branch ]
+     pull_request:
+       branches: [ $default-branch ]
+
+   jobs:
+     build:
+       runs-on: ubuntu-latest
+
+       steps:
+         - uses: {% data reusables.actions.action-checkout %}
+
+         - name: Run a one-line script
+           run: echo Hello from Octo Organization
+   ```
+
+1. Create a metadata file inside the `workflow-templates` directory. The metadata file must have the same name as the workflow file, but instead of the `.yml` extension, it must be appended with `.properties.json`. For example, this file named `octo-organization-ci.properties.json` contains the metadata for a workflow file named `octo-organization-ci.yml`:
+
+   {% data reusables.actions.workflow-templates-metadata-example %}
+
+   {% data reusables.actions.workflow-templates-metadata-keys %}
+
 1. To add another workflow template, add your files to the same `workflow-templates` directory.
 
 ## Next steps

content/actions/reference/runners/github-hosted-runners.md

@@ -46,17 +46,11 @@ Workflow logs list the runner used to run a job. For more information, see [AUTO
 
 ### Single-CPU runners
 
-> [!NOTE]
-> * Single-CPU runners are in {% data variables.release-phases.public_preview %} and subject to change.{% ifversion ghec %}
-> * Single-CPU runners are not available in {% data variables.product.prodname_ghe_cloud %} with Data Residency (`ghe.com`).
-
-{% endif %}
-
 Single-CPU {% data variables.product.github %}-hosted runners are available in both public and private repositories. These runners—specified using the workflow label `ubuntu-slim`—offer a lower-cost option for running lightweight operations. This type of runner is optimized for automation tasks, issue operations and short-running jobs. They are not suitable for typical heavyweight CI/CD builds.
 
 `ubuntu-slim` runners execute Actions workflows in Ubuntu Linux, inside a container rather than a full VM instance. When the job begins, {% data variables.product.github %} automatically provisions a new container for that job. All steps in the job execute in the container, allowing the steps in that job to share information using the runner's file system. When the job has finished, the container is automatically decommissioned. Each container provides hypervisor level 2 isolation.
 
-A minimal set of tools is installed on the `ubuntu-slim` runner image, appropriate for lightweight tasks.
+A minimal set of tools is installed on the `ubuntu-slim` runner image, appropriate for lightweight tasks. For details on what software is installed on the `ubuntu-slim` image, see the [README file](https://github.com/actions/runner-images/blob/main/images/ubuntu-slim/ubuntu-slim-Readme.md) in the `actions/runner-images` repository.
 
 #### Usage limits
 

content/actions/reference/workflows-and-actions/reusing-workflow-configurations.md

@@ -170,33 +170,9 @@ jobs:
 
 The metadata file must have the same name as the workflow file, but instead of the `.yml` extension, it must be appended with `.properties.json`. For example, this file named `octo-organization-ci.properties.json` contains the metadata for a workflow file named `octo-organization-ci.yml`:
 
-   ```json copy
-   {
-       "name": "Octo Organization Workflow",
-       "description": "Octo Organization CI workflow template.",
-       "iconName": "example-icon",
-       "categories": [
-           "Go"
-       ],
-       "filePatterns": [
-           "package.json$",
-           "^Dockerfile",
-           ".*\\.md$"
-       ]
-   }
-   ```
+{% data reusables.actions.workflow-templates-metadata-example %}
 
-* `name` - **Required.** The name of the workflow. This is displayed in the list of available workflows.
-* `description` - **Required.** The description of the workflow. This is displayed in the list of available workflows.
-* `iconName` - _Optional._ Specifies an icon for the workflow that is displayed in the list of workflows. `iconName` can one of the following types:
-  * An SVG file that is stored in the `workflow-templates` directory. To reference a file, the value must be the file name without the file extension. For example, an SVG file named `example-icon.svg` is referenced as `example-icon`.
-  * An icon from {% data variables.product.prodname_dotcom %}'s set of [Octicons](https://primer.style/octicons/). To reference an octicon, the value must be `octicon <icon name>`. For example, `octicon smiley`.
-* `categories` - **Optional.** Defines the categories that the workflow is shown under. You can use category names from the following lists:
-  * General category names from the [starter-workflows](https://github.com/actions/starter-workflows/blob/main/README.md#categories) repository.
-  * Linguist languages from the list in the [linguist](https://github.com/github-linguist/linguist/blob/main/lib/linguist/languages.yml) repository.
-  * Supported tech stacks from the list in the [starter-workflows](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml) repository.
-
-* `filePatterns` - **Optional.** Allows the workflow to be used if the user's repository has a file in its root directory that matches a defined regular expression.
+{% data reusables.actions.workflow-templates-metadata-keys %}
 
 {% ifversion fpt or ghec %}
 

content/actions/tutorials/index.md

@@ -10,6 +10,7 @@ children:
   - /create-an-example-workflow
   - /build-and-test-code
   - /authenticate-with-github_token
+  - /migrate-to-github-runners
   - /create-actions
   - /publish-packages
   - /manage-your-work

content/actions/tutorials/migrate-to-github-actions/manual-migrations/migrate-from-azure-pipelines.md

@@ -216,7 +216,7 @@ jobs:
     dependsOn: initial
     steps:
       - script: echo "This job will run after the initial job, in parallel with fanout1."
-  - job: fanin:
+  - job: fanin
     pool:
       vmImage: 'ubuntu-latest'
     dependsOn: [fanout1, fanout2]

content/actions/tutorials/migrate-to-github-runners.md

@@ -0,0 +1,150 @@
+---
+title: 'Migrating from self-hosted runners to GitHub-hosted runners'
+intro: 'Learn how to assess your current CI infrastructure and migrate workflows from self-hosted runners to {% data variables.product.github %}-hosted runners.'
+shortTitle: 'Migrate to GitHub runners'
+versions:
+  fpt: '*'
+  ghec: '*'
+contentType: tutorials
+audience:
+  - driver
+---
+
+You can run workflows on {% data variables.product.github %}-hosted or self-hosted runners, or use a mixture of runner types.
+
+This tutorial shows you how to assess your current use of runners, then migrate workflows from self-hosted runners to {% data variables.product.github %}-hosted runners efficiently.
+
+## 1. Assess your current CI infrastructure
+
+Migrating from self-hosted runners to {% data variables.product.github %}-hosted larger runners begins with a thorough assessment of your current CI infrastructure. If you take the time to match specifications and environments carefully, you will minimize the time spent fixing problems when you start running workflows on different runners.
+
+1. Create an inventory of each machine specification used to run workflows, including CPU cores, RAM, storage, chip architecture, and operating system.
+1. Note if any of the runners are part of a runner group or have a label. You can use this information to simplify migration of workflows to new runners.
+1. Document any custom images and pre-installed dependencies that workflows rely on, as these will influence your migration strategy.
+1. Identify which workflows currently target self-hosted runners, and why. For example, in {% data variables.product.prodname_actions %} usage metrics, use the **Jobs** tab and filter by runner label (such as `self-hosted` or a custom label) to see which repositories and jobs are using that label. If you need to validate specific workflow files, you can also use code search to find workflow files that reference `runs-on: self-hosted` or other self-hosted labels.
+1. Identify workflows that access private network resources (for example, internal package registries, private APIs, databases, or on-premises services), since these may require additional networking configuration.
+
+## 2. Map your processing requirements to {% data variables.product.github %}-hosted runner types
+
+{% data variables.product.github %} offers managed runners in multiple operating systems—Linux, Windows, and macOS—with options for GPU-enabled machines. See [AUTOTITLE](/actions/reference/runners/larger-runners).
+
+1. Map each distinct machine specification in your inventory to a suitable {% data variables.product.github %}-hosted runner specification.
+1. Make a note of any self-hosted runners where there is no suitable {% data variables.product.github %}-hosted runner.
+1. Exclude any workflows that must continue to run on self-hosted runners from your migration plans.
+
+## 3. Estimate capacity requirements
+
+Before you provision {% data variables.product.github %}-hosted runners, estimate how much compute capacity your workflows will need. Reviewing your current self-hosted runner usage helps you choose appropriate runner sizes, set concurrency limits, and forecast potential cost changes.
+
+{% data reusables.profile.access_org %}
+{% data reusables.user-settings.access_org %}
+{% data reusables.organizations.insights %}
+1. In the "Insights" navigation menu, click **Actions Usage Metrics**.
+1. Click on the tab that contains the metrics you would like to view. See [AUTOTITLE](/actions/concepts/metrics).
+1. Review the following data points to estimate hosted runner capacity:
+
+   * **Total minutes consumed**: Helps you estimate baseline compute demand.
+   * **Number of workflow runs**: Identifies peak activity times that may require more concurrency.
+   * **Job distribution across OS types**: Ensures you provision the right mix of Linux, Windows, and macOS runners.
+   * **Runner labels (Jobs tab)**: Filter by a runner label to understand where a label is used.
+
+1. Convert your findings into a capacity plan:
+
+   * Match high-usage workflows to larger runner sizes where appropriate.
+   * Identify workflows that may benefit from pre-built or custom images to reduce runtime.
+   * Estimate concurrency by determining how many jobs typically run simultaneously.
+
+1. Make a note of any gaps:
+
+   * Workflows with hard dependencies your current hosted runner images do not support.
+   * Jobs with unusually long runtimes or bespoke environment needs. (You may need custom images for these.)
+
+Your capacity plan will guide how many runners to provision, which machine types to use, and how to configure runner groups and policies in the next steps.
+
+## 4. Configure runner groups and policies
+
+After estimating your capacity needs, configure runner groups and access policies so your {% data variables.product.github %}-hosted runners are available to the right organizations and workflows.
+
+Configuring runner groups before provisioning runners helps ensure that migration doesn’t accidentally open access too broadly or create unexpected cost increases.
+
+1. Create runner groups at the enterprise level to define who can use your hosted runners. See [AUTOTITLE](/enterprise-cloud@latest/actions/how-tos/manage-runners/larger-runners/control-access#creating-a-runner-group-for-an-enterprise).
+
+   Use runner groups to scope access by organization, repository, or workflow. If you are migrating from self-hosted runners, consider reusing existing runner group names or labels where possible. This allows workflows to continue working without changes when you switch to {% data variables.product.github %}-hosted runners.
+
+1. Add new {% data variables.product.github %}-hosted runners to the appropriate group and set concurrency limits based on the usage patterns you identified in step 3. For details on automatic scaling, see [AUTOTITLE](/actions/how-tos/manage-runners/larger-runners/manage-larger-runners#configuring-autoscaling-for-larger-runners).
+1. Review policy settings to ensure runners are only used by the intended workflows. For example, restricting use to specific repositories or preventing untrusted workflows from accessing more powerful machine types.
+
+>[!NOTE] macOS larger runners cannot be added to runner groups and must be referenced directly in your workflow files.
+
+## 5. Set up {% data variables.product.github %}-hosted runners
+
+Next, provision your {% data variables.product.github %}-hosted runners based on the machine types and capacity you identified earlier.
+
+1. Choose the machine size and operating system that match your workflow requirements. For available images and specifications, see [AUTOTITLE](/actions/reference/runners/larger-runners#runner-images).
+1. Assign each runner to a runner group and configure concurrency limits to control how many jobs can run at the same time.
+1. Select an image type:
+
+   * Use {% data variables.product.github %}-managed images for a maintained, frequently updated environment.
+   * Use custom images when you need pre-installed dependencies to reduce setup time. See [AUTOTITLE](/actions/how-tos/manage-runners/larger-runners/use-custom-images).
+
+1. Apply any required customizations, such as environment variables, software installation, or startup scripts. For more examples, see [AUTOTITLE](/actions/how-tos/manage-runners/github-hosted-runners/customize-runners).
+1. Optionally, configure private networking if runners must access internal resources. See [AUTOTITLE](/enterprise-cloud@latest/actions/concepts/runners/private-networking).
+
+### Configure private connectivity options
+
+If your workflows need access to private resources (for example, internal package registries, private APIs, databases, or on-premises services), choose an approach that fits your network and security requirements. 
+
+#### Configure Azure Private Networking
+
+Run {% data variables.product.github %}-hosted runners inside an Azure Virtual Network (VNET) for secure access to internal resources.
+
+1. Create an Azure Virtual Network (VNET) and configure subnets and network security groups for your runners.
+1. Enable Azure private networking for your runner group. See [AUTOTITLE](/admin/configuring-settings/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise#1-add-a-new-network-configuration-for-your-enterprise)
+1. Apply network configuration, such as NSGs and firewall rules, to control ingress and egress traffic.
+1. Update workflow targeting to use the runner group that is configured for private networking.
+
+For detailed instructions, see:
+
+* [AUTOTITLE](/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization)
+* [AUTOTITLE](/admin/configuring-settings/configuring-private-networking-for-hosted-compute-products/configuring-private-networking-for-github-hosted-runners-in-your-enterprise)
+
+#### Connect using a WireGuard overlay network
+
+If Azure private networking is not applicable (for example, because your target network is on-premises or in another cloud), you can use a VPN overlay such as WireGuard to provide network-level access to private resources.
+
+For detailed instructions and examples, see [AUTOTITLE](/actions/how-tos/manage-runners/github-hosted-runners/connect-to-a-private-network/connect-with-wireguard).
+
+#### Use OIDC with an API gateway for trusted access to private resources
+
+If you don’t need the runner to join your private network, you can use OIDC to establish trusted, short-lived access to a service you expose via an API gateway. This approach can reduce the need for long-lived secrets and limits network access to the specific endpoints your workflow needs.
+
+For detailed instructions and examples, see [AUTOTITLE](/actions/how-tos/manage-runners/github-hosted-runners/connect-to-a-private-network/connect-with-oidc).
+
+## 6. Update workflows to use the new runners
+
+After your {% data variables.product.github %}-hosted runners are configured, update your workflow files to target them.
+
+1. Reuse existing labels if you assigned your new runners to the same runner group names your self-hosted runners used. In this case, workflows will automatically use the new runners without changes.
+1. If you created new runner groups or labels, update the runs-on field in your workflow YAML files. For example:
+
+   ```yaml
+   jobs:
+     build:
+       runs-on: [github-larger-runner, linux-x64]
+       steps:
+         - name: Checkout code
+           uses: {% data reusables.actions.action-checkout %}
+         - name: Build project
+           run: make build
+   ```
+
+1. Check for hard-coded references to self-hosted labels (such as `self-hosted`, `linux-x64`, or custom labels) and replace them with the appropriate {% data variables.product.github %}-hosted runner labels.
+1. Test each updated workflow to ensure it runs correctly on the new runners. Monitor for any issues related to environment differences or missing dependencies.
+
+## 7. Remove unused self-hosted runners
+
+After your workflows have been updated and tested on {% data variables.product.github %}-hosted runners, remove any self-hosted runners that are no longer needed. This prevents jobs from accidentally targeting outdated infrastructure. See [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/remove-runners).
+
+Before you remove self-hosted runners, verify that you have fully migrated:
+
+* In {% data variables.product.prodname_actions %} usage metrics, use the **Jobs** tab and filter by runner label (for example, `self-hosted` or your custom labels) to confirm no repositories or jobs are still using self-hosted runners.

content/admin/data-residency/network-details-for-ghecom.md

@@ -12,14 +12,18 @@ redirect_from:
 
 To access your enterprise on {% data variables.enterprise.data_residency_site %}, client systems must:
 
-* Trust the following SSH key fingerprints
-* Have access to the following hostnames and IP addresses
+* Trust {% data variables.product.github %}'s SSH key fingerprints
+* Have access to {% data variables.product.github %}'s hostnames and IP addresses
 
 ## {% data variables.product.github %}'s SSH key fingerprints
 
-* `SHA256:PYES2CtancLX+w0+VvwWRQclfulUkqj6hpZmcKFAO3w` (RSA)
-* `SHA256:TKoEXigNsj5b6XaSOSf20L0y3cuNx41WWM+l4AAK9k4` (ECDSA)
-* `SHA256:LqPvjvQugr3MmzVYw9M3gT7won8/lUPZCSvmNydl7vU` (Ed25519)
+To find these details, use the `/meta` API endpoint for your instance. For example, using the {% data variables.product.prodname_cli %}:
+
+```shell
+gh api /meta --hostname octocorp.ghe.com
+```
+
+For more information, see [AUTOTITLE](/rest/meta/meta).
 
 ## {% data variables.product.github %}'s hostnames
 
@@ -36,8 +40,6 @@ To access your enterprise on {% data variables.enterprise.data_residency_site %}
 
 ### The EU
 
-These are {% data variables.product.company_short %}'s IP address ranges for enterprises hosted in the EU.
-
 | Ranges for egress traffic | Ranges for ingress traffic |
 |--------------------------|---------------------------|
 | 108.143.221.96/28        | 108.143.197.176/28        |
@@ -49,8 +51,6 @@ These are {% data variables.product.company_short %}'s IP address ranges for ent
 
 ### Australia
 
-These are {% data variables.product.company_short %}'s IP address ranges for enterprises hosted in Australia.
-
 | Ranges for egress traffic | Ranges for ingress traffic |
 |--------------------------|---------------------------|
 | 20.5.34.240/28           | 4.237.73.192/28           |
@@ -59,14 +59,20 @@ These are {% data variables.product.company_short %}'s IP address ranges for ent
 
 ### US
 
-These are {% data variables.product.company_short %}'s IP address ranges for enterprises hosted in the US.
-
 | Ranges for egress traffic | Ranges for ingress traffic |
 |--------------------------|---------------------------|
 | 20.221.76.128/28         | 74.249.180.192/28         |
 | 135.233.115.208/28       | 48.214.149.96/28          |
 | 20.118.27.192/28         | 172.202.123.176/28        |
 
+### Japan
+
+| Ranges for egress traffic | Ranges for ingress traffic |
+|--------------------------|-----------------------------|
+| 74.226.88.192/28         | 74.226.88.240/28            |
+| 40.81.180.112/28         | 40.81.176.224/28            |
+| 4.190.169.192/28         | 4.190.169.240/28            |
+
 ## Supported regions for Azure private networking
 
 If you use Azure private networking for {% data variables.product.company_short %}-hosted runners, the supported Azure regions on {% data variables.enterprise.data_residency_site %} differ from those on {% data variables.product.prodname_dotcom_the_website %}.
@@ -95,6 +101,14 @@ If you use Azure private networking for {% data variables.product.company_short
 | arm64 | `centralus`, `eastus2`, `westus3` |
 | GPU | `centralus`, `eastus2`, `westus3` |
 
+### Supported regions in Japan
+
+| Runner type | Supported regions |
+| ----------- | ----------------- |
+| x64 | `japaneast`, `japanwest` |
+| arm64 | `japaneast`, `japanwest` |
+| GPU | `japaneast` |
+
 ### IP ranges for Azure private networking
 
 #### EU
@@ -113,17 +127,30 @@ EU region:
 * 20.240.220.192/28
 * 20.240.211.208/28
 
-#### Austrailia
+#### Australia
 
 Actions IPs:
 * 4.147.140.77
 * 20.53.114.78
 
-Austraila region:
+Australia region:
 * 4.237.73.192/28
 * 20.5.226.112/28
 * 20.248.163.176/28
 
+#### Japan
+
+Actions IPs:
+
+* 20.63.233.164
+* 172.192.153.164
+
+Japan region:
+
+74.226.88.241
+40.81.176.225
+4.190.169.240
+
 #### Required for all regions
 
 * `Storage` service tag
@@ -160,35 +187,3 @@ Austraila region:
 ## IP ranges for {% data variables.product.prodname_importer_proper_name %}
 
 If you're running a migration to your enterprise with {% data variables.product.prodname_importer_proper_name %}, you may need to add certain ranges to an IP allow list. See [AUTOTITLE](/migrations/using-github-enterprise-importer/migrating-between-github-products/managing-access-for-a-migration-between-github-products#configuring-ip-allow-lists-for-migrations).
-
-### Required in the EU
-
-* 4.231.155.80/29
-* 4.225.9.96/29
-* 51.12.152.184/29
-* 20.199.6.80/29
-* 51.12.144.32/29
-* 20.199.1.232/29
-* 51.12.152.240/29
-* 20.19.101.136/29
-* 74.241.131.48/28
-* 51.12.252.16/28
-* 20.240.211.176/28
-* 108.143.221.96/28
-* 20.61.46.32/28
-* 20.224.62.160/28
-
-### Required in Australia
-
-* 20.213.241.72/29
-* 20.11.90.48/29
-* 20.5.34.240/28
-* 20.5.146.128/28
-* 68.218.155.16/28
-
-### Required in the US
-
-* 130.213.245.128/28
-* 20.171.204.144/28
-* 20.171.204.176/28
-* 4.150.167.192/28

content/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/troubleshooting-service-hooks.md

@@ -31,7 +31,7 @@ You can find information for the last response of all service hooks deliveries o
 
 ## Viewing past deliveries
 
-Deliveries are stored for 15 days.
+Deliveries are stored for {% data variables.webhooks.retention %} days.
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_user_management.service-hooks-sidebar-navigation %}

content/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/abilities-of-roles.md

@@ -124,12 +124,17 @@ If a user is a member or owner of any organization, they are listed as an **orga
 
 ### Unaffiliated users
 
-If a user is not a member of any organization, they are listed as an **unaffiliated user**. These users:
+If a user is not a member of any organization, and doesn't have the enterprise owner or billing manager role, the user is listed as an unaffiliated user.
 
-* Do not consume a {% data variables.product.prodname_enterprise %} license.
+Unaffiliated users:
+
+* Do not consume a {% data variables.product.prodname_enterprise %} license, unless they meet another criterion listed in [AUTOTITLE](/billing/reference/github-license-users#organizations-on-github-enterprise-cloud).
 * Cannot access private or internal repositories.
 * Can be added as members of enterprise teams.
-* Can receive a {% data variables.product.prodname_copilot_short %} license directly from your enterprise.
+* Can receive a {% data variables.product.prodname_copilot_short %} license or custom role directly from your enterprise.
+* Can remove themselves from the enterprise at any time, unless you use {% data variables.product.prodname_emus %}.
+
+If you have an enterprise with personal accounts, you can disable this role. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/control-offboarding).
 
 {% endif %}
 

content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md

@@ -69,7 +69,8 @@ When creating a security configuration, keep in mind that:
       > When both "{% data variables.product.prodname_code_security %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).{%- ifversion maven-transitive-dependencies %}
    * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).{%- endif %}
    * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
-   * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion fpt or ghec %}
+   * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %}
+   * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion fpt or ghec %}
 1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository).{% endif %}
 1. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
    * **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**.
@@ -108,7 +109,8 @@ When creating a security configuration, keep in mind that:
       > When both "{% data variables.product.prodname_GHAS %}" and Dependency graph are enabled, this enables dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).{%- ifversion maven-transitive-dependencies %}
    * **Automatic dependency submission**. To learn about automatic dependency submission, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository).{%- endif %}
    * **{% data variables.product.prodname_dependabot %} alerts**. To learn about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
-   * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion fpt or ghec %}
+   * **Security updates**. To learn about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% ifversion dependabot-delegated-alert-dismissal %}
+   * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/enable-delegated-alert-dismissal).{% endif %}{% ifversion fpt or ghec %}
 1. For "Private vulnerability reporting", choose whether you want to enable, disable, or keep the existing settings. To learn about private vulnerability reporting, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository).{% endif %}
 1. Optionally, in the "Policy" section, you can use additional options to control how the configuration is applied:
    * **Use as default for newly created repositories**. Select the **None** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click **Public**, **Private and internal**, or **All repositories**.

content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-cloud.md

@@ -29,8 +29,6 @@ You can use policies to control how enterprise members use {% data variables.pro
 
 To run {% data variables.product.prodname_actions %} workflows, you need to use runners. {% data reusables.actions.about-runners %} If you use {% data variables.product.company_short %}-hosted runners, you will be billed based on consumption after exhausting the minutes included in your plan, whereas self-hosted runners are free. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).
 
-For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).
-
 If you choose self-hosted runners, you can add runners at the enterprise, organization, or repository levels. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners).
 
 {% ifversion custom-org-roles %}

content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md

@@ -130,6 +130,4 @@ You can view both usage and performance data for your enterprise under the "Insi
 
 For more detailed usage data at a per job or per workflow level, you{% else %}You{% endif %} can use webhooks to subscribe to information about workflow jobs and workflow runs. For more information, see [AUTOTITLE](/webhooks-and-events/webhooks/about-webhooks).
 
-Make a plan for how your enterprise can pass the information from these webhooks into a data archiving system. You can consider using "CEDAR.GitHub.Collector", an open source tool that collects and processes webhook data from {% data variables.product.prodname_dotcom %}. For more information, see the [`Microsoft/CEDAR.GitHub.Collector` repository](https://github.com/microsoft/CEDAR.GitHub.Collector/).
-
-You should also plan how you'll enable your teams to get the data they need from your archiving system.
+Make a plan for how your enterprise can pass the information from these webhooks into a data archiving system, and plan how you'll enable your teams to get the data they need from your archiving system.

content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics/about-opentelemetry-metrics.md

@@ -15,8 +15,12 @@ shortTitle: OpenTelemetry metrics
 
 {% data reusables.enterprise.opentelemetry-migration %}
 
+{% ifversion ghes = 3.18 %}
+
 {% data reusables.enterprise.opentelemetry-preview %}
 
+{% endif %}
+
 ## About OpenTelemetry metrics
 
 The OpenTelemetry monitoring stack is based on industry-standard observability tools and includes various components for collecting, processing, and storing metrics. This comprehensive approach provides a complete view of your system's performance and health across all components of your {% data variables.product.prodname_ghe_server %} instance.

content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics/configuring-opentelemetry-for-your-instance.md

@@ -15,8 +15,12 @@ shortTitle: Configure OpenTelemetry
 
 {% data reusables.enterprise.opentelemetry-migration %}
 
+{% ifversion ghes = 3.18 %}
+
 {% data reusables.enterprise.opentelemetry-preview %}
 
+{% endif %}
+
 ## Prerequisites
 
 * {% data variables.product.prodname_ghe_server %} 3.18 or later
@@ -25,6 +29,12 @@ shortTitle: Configure OpenTelemetry
 
 ## Enabling OpenTelemetry metrics
 
+{% ifversion ghes > 3.18 %}
+
+OpenTelemetry metrics are enabled by default for **new installations** of {% data variables.product.prodname_ghe_server %} 3.19 and later. Upgrades to {% data variables.product.prodname_ghe_server %} 3.19 will still have `collectd` metrics enabled by default, but you can choose to switch to OpenTelemetry metrics.
+
+{% else %}
+
 OpenTelemetry metrics are disabled by default. You can enable them through the {% data variables.enterprise.management_console %} or command line.
 
 ### Using the {% data variables.enterprise.management_console %}
@@ -47,6 +57,8 @@ OpenTelemetry metrics are disabled by default. You can enable them through the {
 
 {% data reusables.enterprise.apply-configuration %}
 
+{% endif %}
+
 ## Performance considerations
 
 When configuring OpenTelemetry metrics, consider the following performance factors:

content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics/enable-advanced-dashboards.md

@@ -15,8 +15,12 @@ shortTitle: Enable advanced dashboards
 
 {% data reusables.enterprise.opentelemetry-migration %}
 
+{% ifversion ghes = 3.18 %}
+
 {% data reusables.enterprise.opentelemetry-preview %}
 
+{% endif %}
+
 ## Additional dashboards
 
 When OpenTelemetry metrics are enabled, you can turn on advanced Grafana dashboards with enhanced visualization and monitoring capabilities.

content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics/index.md

@@ -15,4 +15,8 @@ shortTitle: OpenTelemetry metrics
 
 {% data reusables.enterprise.opentelemetry-migration %}
 
+{% ifversion ghes = 3.18 %}
+
 {% data reusables.enterprise.opentelemetry-preview %}
+
+{% endif %}

content/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics/setting-up-external-monitoring-with-opentelemetry.md

@@ -13,8 +13,12 @@ type: how_to
 shortTitle: External monitoring OpenTelemetry
 ---
 
+{% ifversion ghes = 3.18 %}
+
 {% data reusables.enterprise.opentelemetry-preview %}
 
+{% endif %}
+
 ## External monitoring approaches
 
 External monitoring with OpenTelemetry allows you to integrate your {% data variables.product.prodname_ghe_server %} instance with existing monitoring infrastructure and tools. {% data variables.product.prodname_ghe_server %} provides two primary approaches for external monitoring:
@@ -126,7 +130,7 @@ scrape_configs:
     scheme: https
     tls_config:
       # Set `true` only when testing with self-signed certificates
-      insecure_skip_verify: false  
+      insecure_skip_verify: false
 ```
 
 #### Other monitoring tools

content/admin/overview/establishing-a-governance-framework-for-your-enterprise.md

@@ -122,7 +122,10 @@ You may want to set up an approval process for better control over who in your e
 
 Approval processes are available for:
 * Bypasses of push protection—You can choose who is allowed to bypass push protection, and add a review and approval cycle for pushes containing secrets from all other contributors. For more information about **delegated bypass for push protection**, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% ifversion security-delegated-alert-dismissal %}
-* Dismissals of alerts for {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}—You can provide additional control and visibility over alert assessment by ensuring that only designated individuals can dismiss (or close) alerts. For more information about **delegated alert dismissal**, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning) and [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).
+* Dismissals of alerts for {% data variables.product.prodname_code_scanning %}{% ifversion dependabot-delegated-alert-dismissal %}, {% data variables.product.prodname_dependabot %},{% endif %} and {% data variables.product.prodname_secret_scanning %}—You can provide additional control and visibility over alert assessment by ensuring that only designated individuals can dismiss (or close) alerts. For more information about **delegated alert dismissal**, see the following articles:
+  * [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning){% ifversion dependabot-delegated-alert-dismissal %}
+  * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/enable-delegated-alert-dismissal){% endif %}
+  * [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning)
 
 {% endif %}
 

content/apps/using-github-apps/installing-a-github-app-from-a-third-party.md

@@ -45,9 +45,9 @@ Organization owners can install {% data variables.product.prodname_github_apps %
 Enterprise owners can install {% data variables.product.prodname_github_apps %} on their enterprise accounts, if the application requests enterprise permissions and is owned by the enterprise or one of its organizations.
 {% endif %}
 
-Admins of repositories that are owned by an organization can also install {% data variables.product.prodname_github_apps %} on the organization if they only grant the app access to repositories that they are an admin of and if the app does not request any organization permissions or the "repository administration" permission. Organization owners can prevent outside collaborators who are repository admins from installing {% data variables.product.prodname_github_apps %}.
+{% data reusables.apps.repo-admin-install-restriction %}
 
-Organization members who are not organization owners or repository admins can still select the organization during the install process. Instead of installing the app, {% data variables.product.company_short %} will send a notification to the organization owner to request the organization owner to install the app.
+Organization members and outside collaborators that cannot install an app on the organization can still select the organization during the install process. Instead of installing the app, {% data variables.product.company_short %} will send a notification to the organization owner to request the organization owner to install the app. The ability to make these requests can be controlled using app access request policies. See [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
 
 The "app manager" role does not give a person the ability to install a {% data variables.product.prodname_github_app %} on the organization{% ifversion enterprise-app-manager %}  or enterprise{% endif %}. See [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).
 

content/apps/using-github-apps/installing-a-github-app-from-github-marketplace-for-your-organizations.md

@@ -46,7 +46,7 @@ Organization owners can install {% data variables.product.prodname_github_apps %
 
 For enterprises that pay by credit card, enterprise owners who are also organization owners can install {% data variables.product.prodname_github_apps %} on organizations within their enterprise.
 
-Admins of repositories that are owned by an organization can also install {% data variables.product.prodname_github_apps %} on the organization if they only grant the app access to repositories that they are an admin of and if the app does not request any organization permissions or the "repository administration" permission. Organization owners can prevent outside collaborators who are repository admins from installing {% data variables.product.prodname_github_apps %}.
+{% data reusables.apps.repo-admin-install-restriction %}
 
 The "app manager" role does not give a person the ability to install a {% data variables.product.prodname_github_app %} in the organization{% ifversion enterprise-app-manager %} or enterprise{% endif %}. For more information, see [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).
 

content/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses.md

@@ -19,13 +19,7 @@ topics:
 shortTitle: GitHub's IP addresses
 ---
 
-You can retrieve a list of the IP addresses for {% data variables.product.prodname_dotcom_the_website %} from the [meta](https://api.github.com/meta) API endpoint. For more information, see [AUTOTITLE](/rest/meta).
-
-{% ifversion ghec %}
-
-If you access {% data variables.product.github %} on a subdomain of {% data variables.enterprise.data_residency_site %}, the meta endpoint does not return IP ranges for your subdomain. See [AUTOTITLE](/admin/data-residency/network-details-for-ghecom#githubs-ip-addresses).
-
-{% endif %}
+You can retrieve a list of the IP addresses for your {% data variables.product.github %} environment from the [meta](https://api.github.com/meta) API endpoint. For more information, see [AUTOTITLE](/rest/meta).
 
 > [!NOTE]
 > The list of {% data variables.product.prodname_dotcom %} IP addresses returned by the Meta API is not intended to be an exhaustive list. For example, IP addresses for some {% data variables.product.prodname_dotcom %} services might not be listed, such as LFS or {% data variables.product.prodname_registry %}.