Merged
17 commits
8c0c8e8
[DO NOT MERGE EARLY] Remove promotional pricing note (#60911)
sunbrye Apr 30, 2026
80c9933
Merge pull request #61029 from github/repo-sync
docs-bot Apr 30, 2026
ded28fe
Update OpenAPI Description (#61011)
docs-bot Apr 30, 2026
21ac3d8
Secret Scanning alerts page: add clarifying sentence (#61006)
currentlyblinking Apr 30, 2026
74c429b
docs: add CMEK incompatibility note to GCS Actions prerequisites (#60…
M1XZG Apr 30, 2026
06b8907
Add notification about pausing new self-serve signups for GitHub Copi…
pnsk Apr 30, 2026
1dba805
Follow up work: Dependabot alert assignees (#60845)
mchammer01 Apr 30, 2026
47670bf
Fix incorrect plan availability for CCA (#60959)
Copilot Apr 30, 2026
1b9fef6
Fix versioning for Dependabot OIDC support (#60958)
mchammer01 May 1, 2026
c6dabcc
Update audit log event data (#61015)
docs-bot May 1, 2026
d4bd6a6
docs: add SSH CA revocation behavior, rotation guidance, and OpenSSH …
Copilot May 1, 2026
24b80c4
Delete orphaned features (2026-04-27-16-57) (#60970)
docs-bot May 1, 2026
da38aa2
Fix GPT-5.4 nano availability: restrict to Pro+ only, not available i…
Copilot May 1, 2026
e70e02f
Clarify FG PAT must be user-owned for Copilot CLI auth (#60990)
sunbrye May 1, 2026
77b070f
🤖 src/ghes-releases/lib/enterprise-dates.json update (#60968)
docs-bot May 1, 2026
8be322f
Remove 'as of May 1, 2026' EFTA qualifier from data residency reusabl…
eyalgal May 1, 2026
de8dd04
Rename 'Create a PR' article to 'Start Copilot sessions' and reframe …
timrogers May 1, 2026
Original file line number Diff line number Diff line change
Expand Up @@ -86,4 +86,4 @@ You can change the email address associated with commits you make in a single re

For reference information, see [AUTOTITLE](/account-and-profile/reference/email-addresses-reference).

To learn more about using a private email address, see [AUTOTITLE](/account-and-profile/reference/email-addresses-reference#your-noreply-email-address).
For more information about setting your Git username, see [AUTOTITLE](/get-started/git-basics/setting-your-username-in-git).
4 changes: 4 additions & 0 deletions content/actions/concepts/security/openid-connect.md
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,8 @@ You can use the `repo_property_*` claims in your cloud provider's trust conditio

{% endif %}

{% ifversion dependabot-oidc-support %}

## OIDC support for {% data variables.product.prodname_dependabot %}

{% data variables.product.prodname_dependabot %} can use OIDC to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets. With OIDC-based authentication, {% data variables.product.prodname_dependabot %} update jobs can dynamically obtain short-lived credentials from your cloud identity provider.
Expand All @@ -180,6 +182,8 @@ The benefits of OIDC authentication for {% data variables.product.prodname_depen

For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication).

{% endif %}

## Next steps

For more information about configuring OIDC, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-hardening-your-deployments).
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,7 @@ The `github` context contains information about the workflow run and the event t
|---------------|------|-------------|
| `github` | `object` | The top-level context available during any job or step in a workflow. This object contains all the properties listed below. |
| `github.action` | `string` | The name of the action currently running, or the [`id`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsid) of a step. {% data variables.product.prodname_dotcom %} removes special characters, and uses the name `__run` when the current step runs a script without an `id`. If you use the same action more than once in the same job, the name will include a suffix with the sequence number with underscore before it. For example, the first script you run will have the name `__run`, and the second script will be named `__run_2`. Similarly, the second invocation of `actions/checkout` will be `actionscheckout2`. |
| `github.action_path` | `string` | The path where an action is located. This property is only supported in composite actions. You can use this path to access files located in the same repository as the action, for example by changing directories to the path (using the corresponding enviroment variable): {% raw %} `cd "$GITHUB_ACTION_PATH"` {% endraw %}. For more information on evironment variables, see [AUTOTITLE](/actions/reference/security/secure-use#use-an-intermediate-environment-variable). |
| `github.action_path` | `string` | The path where an action is located. This property is only supported in composite actions. You can use this path to access files located in the same repository as the action, for example by changing directories to the path (using the corresponding environment variable): {% raw %} `cd "$GITHUB_ACTION_PATH"` {% endraw %}. For more information on environment variables, see [AUTOTITLE](/actions/reference/security/secure-use#use-an-intermediate-environment-variable). |
| `github.action_ref` | `string` | For a step executing an action, this is the ref of the action being executed. For example, `v2`.<br><br>{% data reusables.actions.composite-actions-unsupported-refs %} |
| `github.action_repository` | `string` | For a step executing an action, this is the owner and repository name of the action. For example, `actions/checkout`.<br><br>{% data reusables.actions.composite-actions-unsupported-refs %} |
| `github.action_status` | `string` | For a composite action, the current result of the composite action. |
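
Review bot: In the `github.action_path` row, the closing sentence "For more information on environment variables" links to `secure-use#use-an-intermediate-environment-variable`, which is the security-hardening guidance on intermediate environment variables rather than a general environment-variable reference. While this row is being touched for the spelling fix, consider rewording the sentence so the reason for the link is explicit: reading the path from `$GITHUB_ACTION_PATH` in the shell, as the quoted `cd` example does, is the recommended pattern instead of interpolating the context expression into the script.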
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,8 @@ Before you require secure methods of two-factor authentication, we recommend not

You can use a SSH certificate authority (CA) to allow members of any organization owned by your enterprise to access that organization's repositories using SSH certificates you provide. {% ifversion ssh-user-ca %}{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, enterprise{% elsif ghes %}Enterprise{% endif %} members can also be allowed to use the certificate to access personally-owned repositories.{% endif %} {% data reusables.organizations.can-require-ssh-cert %} For more information, see [AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities).

{% data variables.product.github %} uses OpenSSH-format SSH user certificates to authenticate Git operations over SSH by validating the certificate's signature and fields (including its validity period) against a trusted SSH certificate authority (CA) configured at the organization and/or enterprise level.

{% data reusables.organizations.add-extension-to-cert %}

### Adding an SSH certificate authority
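
Review bot: The added paragraph above "Adding an SSH certificate authority" is one long sentence and ends with "organization and/or enterprise level"; split it in two and write "at the organization level, the enterprise level, or both". It names the validity period as a checked field but says nothing about revocation, so a reader looking for that behaviour only finds it in the deletion section; a pointer to the `#certificate-revocation-and-ca-rotation` anchor that the later hunk already links to would close the gap.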
Expand Down Expand Up @@ -104,7 +106,9 @@ You can enable or disable access to user-owned repositories with an SSH certific

### Deleting an SSH certificate authority

Deleting a CA cannot be undone. If you want to use the same CA in the future, you'll need to upload the CA again.
Deleting an SSH certificate authority (CA) from your enterprise settings on {% data variables.product.github %} can't be undone. If you want to trust the same CA again in the future, you'll need to add the CA back to {% data variables.product.github %} by uploading the CA's public key again in your enterprise's SSH certificate authority settings.

Deleting a CA immediately prevents {% data variables.product.github %} from accepting SSH certificates signed by that CA, including certificates that have not yet expired. For CA rotation guidance, see [AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities#certificate-revocation-and-ca-rotation).

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
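
Review bot: The new sentence saying that deleting a CA immediately stops acceptance of certificates "that have not yet expired" is the highest-impact statement in this section, yet it reads as ordinary body text after the "can't be undone" paragraph. Consider putting it in a `> [!WARNING]` callout, the alert style this PR already uses for the GCS note, and summarising the rotation order from the linked section before the procedure steps rather than only behind the link. The rewritten first paragraph is also wordy: "add the CA back ... by uploading the CA's public key again in your enterprise's SSH certificate authority settings" can be shortened without losing the point that it is the public key that gets re-uploaded.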
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
{% data reusables.actions.enterprise-common-prereqs %}
{% data reusables.actions.enterprise-oidc-prereqs %}

> [!WARNING]
> The GCS bucket used for {% data variables.product.prodname_actions %} blob storage must use Google-managed encryption keys. Customer-Managed Encryption Keys (CMEK) are not currently supported and will cause {% data variables.product.prodname_actions %} database migrations to fail with a hash mismatch error. This restriction applies only to the {% data variables.product.prodname_actions %} blob storage bucket; CMEK may still be used on VM disks and other GCP resources.

## Enabling {% data variables.product.prodname_actions %} with Google Cloud Storage using OIDC (recommended)

To configure {% data variables.product.prodname_ghe_server %} to use OIDC with Google Cloud Storage, you must first create a Google Cloud service account, then create a Google Cloud identity pool and identity provider, and finally configure {% data variables.product.prodname_ghe_server %} to use the provider and service account to access your Google Cloud Storage bucket.
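
Review bot: The warning identifies the failure only as "a hash mismatch error", which is hard to match against what an administrator actually sees. Quote the exact error text and say where it surfaces, so that someone who has already enabled CMEK on the bucket can recognise the cause. "Not currently supported" will also age; if the restriction is tied to specific releases, gate the warning with `ifversion` instead of relying on "currently".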
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ contentType: concepts

## About {% ifversion fpt or ghec %}user alerts {% else %}{% data variables.secret-scanning.alerts %}{% endif %}

{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %}
{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} If the same secret appears multiple times within a single file, only one alert is created.

To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists:
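
Review bot: The new sentence is appended to the line that holds the two reusables, so it appears only on this page and not wherever `secret-scanning-about-alerts` is reused; if the one-alert-per-file behaviour is general, it belongs in the reusable. The sentence also leaves open what happens when the same secret appears in several files, and whether each occurrence within the file is still listed as a location on the single alert. One more clause covering those cases would make the statement usable for triage.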

Original file line number Diff line number Diff line change
Expand Up @@ -54,9 +54,25 @@ See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependab

## Alert ownership and assignments

Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or {% data variables.product.prodname_copilot_short %} to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.
Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or AI agents to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.

When an alert is assigned, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress. Assigning an alert to {% data variables.product.prodname_copilot_short %} automatically generates a fix and opens a draft pull request for review.
You can assign alerts to the following types of agents:

* **{% data variables.product.prodname_copilot_short %}**, {% data variables.product.github %}'s built-in AI agent.
* **Third-party agents**,such as Codex or Claude, when enabled in your repository settings.

When an alert is assigned to a person or team, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress.

When an alert is assigned to an agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee, and you can click **View Session** on the alert timeline to review the agent's log.

> [!NOTE]
> Assignment visibility is currently scoped to the repository-level alerts view. The organization-wide security overview does not display alert assignments.

When an alert's assignees change, {% data variables.product.github %} sends an `assignees_changed` webhook event. You can use this event to trigger workflows or sync assignment data with external systems. For more information, see [AUTOTITLE](/webhooks/webhook-events-and-payloads#dependabot_alert).

### Automation and integrations

You can manage alert assignments programmatically using the REST API. For more information, see [AUTOTITLE](/rest/dependabot/alerts).

For information about assigning alerts, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-prioritizing-dependabot-alerts).
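
Review bot: In the new list of agent types, the second bullet reads `**Third-party agents**,such as Codex or Claude` with no space after the comma. Two structural points as well: the `assignees_changed` webhook paragraph is automation content but sits above the new "Automation and integrations" heading, and the closing "For information about assigning alerts" link now falls under that heading although it points to a how-to. Move the webhook paragraph below the heading and the how-to link above it. "When enabled in your repository settings" should link to where that setting is documented, since it controls which agents can be assigned alerts.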

Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,12 @@ By default, alerts are sorted by **Most important**, which helps you prioritize

{% data reusables.dependabot.where-to-view-dependabot-alerts %}

{% ifversion dependabot-alerts-assignees %}

When you assign an alert to an AI agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee of the alert. You can click **View Session** on the alert timeline to review the agent's log and understand why no pull request was created. Only a user can remove the agent as an assignee.

{% endif %}

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-dependabot-alerts %}
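
Review bot: The added `dependabot-alerts-assignees` paragraph repeats, almost word for word, the agent-assignment text added to the "Alert ownership and assignments" concept section in this same PR, and it is placed ahead of the numbered steps, before the reader has reached the step where an assignee is chosen. Move it under the assignment step, or extract it into a reusable so the two copies cannot drift. The sentence "Only a user can remove the agent as an assignee" appears only here; if it is accurate, the concept section should state it too.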
Expand All @@ -58,7 +64,14 @@ By default, alerts are sorted by **Most important**, which helps you prioritize
![Screenshot showing the "Tags" section in the alert details page.](/assets/images/help/repository/dependabot-alerts-tags-section.png)

{% ifversion dependabot-alerts-assignees %}
1. On the right panel, select an assignee by using the **Assignees** dropdown list. You can assign the alert to a user or team to establish clear ownership, or assign it to {% data variables.product.prodname_copilot_short %} to automatically generate a fix. This clearly communicates who is responsible for triaging the alert and helps you avoid repetitive analysis. It also ensures that alerts are not missed.
1. On the right panel, assign ownership for the alert:
* Click the {% octicon "gear" aria-label="Show options" %} dropdown menu next to "Assignees" to select a user, team, or AI agent from the list. You can also click **Assign to Agent** to assign directly to an agent.

When you assign an alert to an agent, a dialog appears where you can optionally:
* Add a custom prompt with additional context about the fix.
* Select a different repository.
* Select the AI model to use.
* Select a custom agent you have configured (recommended for specialized tasks).
{% endif %}

1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).
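
Review bot: In the dialog options, "Select a different repository" does not say what the repository is used for or which repositories are eligible, which matters because the agent opens a pull request with the fix; state the purpose and any access requirement. As rendered here, the bullet under step 1 and the "When you assign an alert to an agent, a dialog appears" paragraph are not indented under the list item, so check that the source indents them or the following `1.` will restart numbering. The removed sentence explained why to assign an alert ("clearly communicates who is responsible for triaging"); the replacement drops that rationale without linking to the concept section that now carries it.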
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,8 @@ If your private registry is configured with an IP allow list, you can find the I

{% endif %}

{% ifversion dependabot-oidc-support %}

## Using OIDC for authentication

{% data variables.product.prodname_dependabot %} can use OpenID Connect (OIDC) to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets.
Expand Down Expand Up @@ -191,6 +193,8 @@ registries:

For more information about how OIDC works, see [AUTOTITLE](/actions/concepts/security/openid-connect).

{% endif %}

## Allowing external code execution

When you give {% data variables.product.prodname_dependabot %} access to one or more registries, external code execution is automatically disabled to protect your code from compromised packages. However, some version updates may fail.
Expand Down Expand Up @@ -430,6 +434,8 @@ registries:

{% endraw %}

{% ifversion dependabot-oidc-support %}

You can also use OIDC authentication to access JFrog Artifactory. {% data reusables.dependabot.dependabot-oidc-credentials %}

{% raw %}
Expand All @@ -446,6 +452,8 @@ registries:

{% endraw %}

{% endif %}

### `npm-registry`

The `npm-registry` type supports username and password, or token. {% data reusables.dependabot.password-definition %}
Expand Down Expand Up @@ -516,6 +524,8 @@ registries:

{% endraw %}

{% ifversion dependabot-oidc-support %}

You can also use OIDC authentication to access Azure DevOps Artifacts. {% data reusables.dependabot.dependabot-oidc-credentials %}

{% raw %}
Expand All @@ -533,6 +543,8 @@ registries:

The `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` values can be obtained from the overview page of your Entra ID app registration.

{% endif %}

### `pub-repository`

The `pub-repository` type supports a URL and a token.
Expand Down Expand Up @@ -590,6 +602,8 @@ registries:

{% endraw %}

{% ifversion dependabot-oidc-support %}

You can also use OIDC authentication to access Azure DevOps Artifacts. {% data reusables.dependabot.dependabot-oidc-credentials %}

{% raw %}
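
Review bot: The sentence gated here, "You can also use OIDC authentication to access Azure DevOps Artifacts", is identical to the one gated in the earlier hunk at -516, and the section heading for this registry type is outside the visible context. Confirm that the Azure DevOps Artifacts wording is intended for this registry type as well. In the -516 section the gate also encloses the paragraph explaining where `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` come from; here the gate closes straight after `{% endraw %}`, so either repeat that explanation or link back to it.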
Expand All @@ -606,6 +620,8 @@ registries:

{% endraw %}

{% endif %}

### `rubygems-server`

The `rubygems-server` type supports username and password, or token. {% data reusables.dependabot.password-definition %}
Original file line number Diff line number Diff line change
Expand Up @@ -980,6 +980,8 @@ updates:

The parameters used to provide authentication details for access to a private registry vary according to the registry `type`.

{% ifversion dependabot-oidc-support %}

| Registry `type` | Required authentication parameters |
|--|--|
| `cargo-registry` | `token` |
Expand All @@ -996,13 +998,37 @@ The parameters used to provide authentication details for access to a private re
| `rubygems-server` | `username` and `password`<br>or `token`<br>or OIDC with `tenant-id` and `client-id` |
| `terraform-registry` | `token` |

{% else %}

| Registry `type` | Required authentication parameters |
|--|--|
| `cargo-registry` | `token` |
| `composer-repository` | `username` and `password` |
| `docker-registry` | `username` and `password` |
| `git` | `username` and `password` |
| `hex-organization` | `organization` and `key` |
| `hex-repository` | `repo` and `auth-key` optionally with the corresponding `public-key-fingerprint` |
| `maven-repository` | `username` and `password` |
| `npm-registry` | `username` and `password`<br>or `token` |
| `nuget-feed` | `username` and `password`<br>or `token` |
| `pub-registry` | `token` |
| `python-index` | `username` and `password`<br>or `token` |
| `rubygems-server` | `username` and `password`<br>or `token` |
| `terraform-registry` | `token` |

{% endif %}

All sensitive data used for authentication should be stored securely and referenced from that secure location, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot).

> [!TIP]
> {% data reusables.dependabot.password-definition %}

{% ifversion dependabot-oidc-support %}

For more information about OIDC support for {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/actions/concepts/security/openid-connect#oidc-support-for-dependabot) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication).

{% endif %}

### `url` and `replaces-base`

The `url` parameter defines where to access a registry. When the optional `replaces-base` parameter is enabled (`true`), {% data variables.product.prodname_dependabot %} resolves dependencies using the value of `url` rather than the base URL of that specific ecosystem.
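
Review bot: The `{% else %}` branch duplicates the whole authentication table, so every future row change has to be made twice; from the visible rows the two copies differ only in the OIDC clause (for example the `rubygems-server` row). Consider one table with the OIDC fragment wrapped inline in `{% ifversion dependabot-oidc-support %}` inside the affected cells. The copied table also lists `pub-registry`, while the registry-access article touched in this PR documents that type under the heading `pub-repository`; check which spelling is correct and align both. The context sentence "should be stored securely and referenced from that secure location, see" is a comma splice and could be fixed in the same pass.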
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
category:
- Learn about Copilot
---
<!-- expires 2026-04-21 -->

Check warning on line 23 in content/copilot/concepts/agents/cloud-agent/about-cloud-agent.md

GitHub Actions / lint-content

Expired content must be remediated.

Content marked with an expiration date has now expired. The content exists between 2 HTML comment tags in the format <!-- expires yyyy-mm-dd --> and <!-- end expires yyyy-mm-dd -->. You should remove or rewrite this content, and delete the expiration comments. Alternatively, choose a new expiration date.
<!-- When this expires, search all references to {% data variables.copilot.copilot_cloud_agent_tmp %} in docs-internal and replace with {% data variables.copilot.copilot_cloud_agent %} -->
## Overview of {% data variables.copilot.copilot_cloud_agent_tmp %}
<!-- end expires 2026-04-21 -->
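
Review bot: The `<!-- expires 2026-04-21 -->` block around the "Overview" heading is still in place although the commits in this PR are dated Apr 30 and May 1, 2026, and `lint-content` flags it on line 23 as expired content. Since this PR already edits the file, remediate it here: follow the instruction in the adjacent comment and replace `variables.copilot.copilot_cloud_agent_tmp` with `variables.copilot.copilot_cloud_agent`, then delete both expiry comments, or set a new expiration date if the temporary name is still required.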
Expand All @@ -40,7 +40,7 @@
When you delegate tasks to {% data variables.copilot.copilot_cloud_agent %}, you can:

* Use the agents panel or other agents entry points on {% data variables.product.prodname_dotcom_the_website %} to have {% data variables.product.prodname_copilot_short %} research, plan, and make code changes on a branch, then iterate before creating a pull request. You can also specify in your prompt that you want a pull request created right away. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/research-plan-iterate).
* Ask {% data variables.product.prodname_copilot_short %} to open a new pull request from other entry points, including {% data variables.product.prodname_github_issues %} and {% data variables.product.prodname_vscode %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/create-a-pr).
* Ask {% data variables.product.prodname_copilot_short %} to open a new pull request from other entry points, including {% data variables.product.prodname_github_issues %} and {% data variables.product.prodname_vscode %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/start-copilot-sessions).
* Mention `@copilot` in a comment on an existing pull request to ask it to make changes. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/make-changes-to-an-existing-pr).
{% ifversion security-campaigns-assign-to-cca %}* Assign security alerts to {% data variables.product.prodname_copilot_short %} from security campaigns. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign#assigning-alerts-to-copilot-cloud-agent).{% endif %}
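
Review bot: The link target in the second bullet changes from `.../cloud-agent/create-a-pr` to `.../cloud-agent/start-copilot-sessions`, but the bullet text still says "open a new pull request", which no longer matches the renamed article. Reword the bullet to match the new framing, and confirm the renamed article carries a `redirect_from` entry for the old path, since that file is not part of the visible diff and existing links to `create-a-pr` would otherwise break.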
