Merge pull request #44053 from github/repo-sync

Repo sync

Author: docs-bot

content/actions/concepts/security/openid-connect.md

@@ -166,6 +166,8 @@ You can use the `repo_property_*` claims in your cloud provider's trust conditio
 
 {% endif %}
 
+{% ifversion dependabot-oidc-support %}
+
 ## OIDC support for {% data variables.product.prodname_dependabot %}
 
 {% data variables.product.prodname_dependabot %} can use OIDC to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets. With OIDC-based authentication, {% data variables.product.prodname_dependabot %} update jobs can dynamically obtain short-lived credentials from your cloud identity provider.
@@ -180,6 +182,8 @@ The benefits of OIDC authentication for {% data variables.product.prodname_depen
 
 For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication).
 
+{% endif %}
+
 ## Next steps
 
 For more information about configuring OIDC, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-hardening-your-deployments).

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md

@@ -76,6 +76,8 @@ Before you require secure methods of two-factor authentication, we recommend not
 
 You can use a SSH certificate authority (CA) to allow members of any organization owned by your enterprise to access that organization's repositories using SSH certificates you provide. {% ifversion ssh-user-ca %}{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, enterprise{% elsif ghes %}Enterprise{% endif %} members can also be allowed to use the certificate to access personally-owned repositories.{% endif %} {% data reusables.organizations.can-require-ssh-cert %} For more information, see [AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities).
 
+{% data variables.product.github %} uses OpenSSH-format SSH user certificates to authenticate Git operations over SSH by validating the certificate's signature and fields (including its validity period) against a trusted SSH certificate authority (CA) configured at the organization and/or enterprise level.
+
 {% data reusables.organizations.add-extension-to-cert %}
 
 ### Adding an SSH certificate authority
@@ -104,7 +106,9 @@ You can enable or disable access to user-owned repositories with an SSH certific
 
 ### Deleting an SSH certificate authority
 
-Deleting a CA cannot be undone. If you want to use the same CA in the future, you'll need to upload the CA again.
+Deleting an SSH certificate authority (CA) from your enterprise settings on {% data variables.product.github %} can't be undone. If you want to trust the same CA again in the future, you'll need to add the CA back to {% data variables.product.github %} by uploading the CA's public key again in your enterprise's SSH certificate authority settings.
+
+Deleting a CA immediately prevents {% data variables.product.github %} from accepting SSH certificates signed by that CA, including certificates that have not yet expired. For CA rotation guidance, see [AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities#certificate-revocation-and-ca-rotation).
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}

content/admin/managing-github-actions-for-your-enterprise/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-google-cloud-storage.md

@@ -27,6 +27,9 @@ Before enabling {% data variables.product.prodname_actions %}, make sure you hav
 {% data reusables.actions.enterprise-common-prereqs %}
 {% data reusables.actions.enterprise-oidc-prereqs %}
 
+> [!WARNING]
+> The GCS bucket used for {% data variables.product.prodname_actions %} blob storage must use Google-managed encryption keys. Customer-Managed Encryption Keys (CMEK) are not currently supported and will cause {% data variables.product.prodname_actions %} database migrations to fail with a hash mismatch error. This restriction applies only to the {% data variables.product.prodname_actions %} blob storage bucket; CMEK may still be used on VM disks and other GCP resources.
+
 ## Enabling {% data variables.product.prodname_actions %} with Google Cloud Storage using OIDC (recommended)
 
 To configure {% data variables.product.prodname_ghe_server %} to use OIDC with Google Cloud Storage, you must first create a Google Cloud service account, then create a Google Cloud identity pool and identity provider, and finally configure {% data variables.product.prodname_ghe_server %} to use the provider and service account to access your Google Cloud Storage bucket.

content/code-security/concepts/secret-security/about-alerts.md

@@ -20,7 +20,7 @@ contentType: concepts
 
 ## About {% ifversion fpt or ghec %}user alerts {% else %}{% data variables.secret-scanning.alerts %}{% endif %}
 
-{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %}
+{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %} If the same secret appears multiple times within a single file, only one alert is created.
 
 To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists:
 

content/code-security/concepts/supply-chain-security/about-dependabot-alerts.md

@@ -54,9 +54,25 @@ See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependab
 
 ## Alert ownership and assignments
 
-Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or {% data variables.product.prodname_copilot_short %} to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.
+Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or AI agents to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.
 
-When an alert is assigned, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress. Assigning an alert to {% data variables.product.prodname_copilot_short %} automatically generates a fix and opens a draft pull request for review.
+You can assign alerts to the following types of agents:
+
+* **{% data variables.product.prodname_copilot_short %}**, {% data variables.product.github %}'s built-in AI agent.
+* **Third-party agents**,such as Codex or Claude, when enabled in your repository settings.
+
+When an alert is assigned to a person or team, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress.
+
+When an alert is assigned to an agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee, and you can click **View Session** on the alert timeline to review the agent's log.
+
+> [!NOTE]
+> Assignment visibility is currently scoped to the repository-level alerts view. The organization-wide security overview does not display alert assignments.
+
+When an alert's assignees change, {% data variables.product.github %} sends an `assignees_changed` webhook event. You can use this event to trigger workflows or sync assignment data with external systems. For more information, see [AUTOTITLE](/webhooks/webhook-events-and-payloads#dependabot_alert).
+
+### Automation and integrations
+
+You can manage alert assignments programmatically using the REST API. For more information, see [AUTOTITLE](/rest/dependabot/alerts).
 
 For information about assigning alerts, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-prioritizing-dependabot-alerts).
 

content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts.md

@@ -38,6 +38,12 @@ By default, alerts are sorted by **Most important**, which helps you prioritize
 
 {% data reusables.dependabot.where-to-view-dependabot-alerts %}
 
+{% ifversion dependabot-alerts-assignees %}
+
+When you assign an alert to an AI agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee of the alert. You can click **View Session** on the alert timeline to review the agent's log and understand why no pull request was created. Only a user can remove the agent as an assignee.
+
+{% endif %}
+
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.sidebar-dependabot-alerts %}
@@ -58,7 +64,14 @@ By default, alerts are sorted by **Most important**, which helps you prioritize
    ![Screenshot showing the "Tags" section in the alert details page.](/assets/images/help/repository/dependabot-alerts-tags-section.png)
 
 {% ifversion dependabot-alerts-assignees %}
-1. On the right panel, select an assignee by using the **Assignees** dropdown list. You can assign the alert to a user or team to establish clear ownership, or assign it to {% data variables.product.prodname_copilot_short %} to automatically generate a fix. This clearly communicates who is responsible for triaging the alert and helps you avoid repetitive analysis. It also ensures that alerts are not missed.
+1. On the right panel, assign ownership for the alert:
+   * Click the {% octicon "gear" aria-label="Show options" %} dropdown menu next to "Assignees" to select a user, team, or AI agent from the list. You can also click **Assign to Agent** to assign directly to an agent.
+
+   When you assign an alert to an agent, a dialog appears where you can optionally:
+   * Add a custom prompt with additional context about the fix.
+   * Select a different repository.
+   * Select the AI model to use.
+   * Select a custom agent you have configured (recommended for specialized tasks).
 {% endif %}
 
 1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).

content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md

@@ -124,6 +124,8 @@ If your private registry is configured with an IP allow list, you can find the I
 
 {% endif %}
 
+{% ifversion dependabot-oidc-support %}
+
 ## Using OIDC for authentication
 
 {% data variables.product.prodname_dependabot %} can use OpenID Connect (OIDC) to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets.
@@ -191,6 +193,8 @@ registries:
 
 For more information about how OIDC works, see [AUTOTITLE](/actions/concepts/security/openid-connect).
 
+{% endif %}
+
 ## Allowing external code execution
 
 When you give {% data variables.product.prodname_dependabot %} access to one or more registries, external code execution is automatically disabled to protect your code from compromised packages. However, some version updates may fail.
@@ -430,6 +434,8 @@ registries:
 
 {% endraw %}
 
+{% ifversion dependabot-oidc-support %}
+
 You can also use OIDC authentication to access JFrog Artifactory. {% data reusables.dependabot.dependabot-oidc-credentials %}
 
 {% raw %}
@@ -446,6 +452,8 @@ registries:
 
 {% endraw %}
 
+{% endif %}
+
 ### `npm-registry`
 
 The `npm-registry` type supports username and password, or token. {% data reusables.dependabot.password-definition %}
@@ -516,6 +524,8 @@ registries:
 
 {% endraw %}
 
+{% ifversion dependabot-oidc-support %}
+
 You can also use OIDC authentication to access Azure DevOps Artifacts. {% data reusables.dependabot.dependabot-oidc-credentials %}
 
 {% raw %}
@@ -533,6 +543,8 @@ registries:
 
 The `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` values can be obtained from the overview page of your Entra ID app registration.
 
+{% endif %}
+
 ### `pub-repository`
 
 The `pub-repository` type supports a URL and a token.
@@ -590,6 +602,8 @@ registries:
 
 {% endraw %}
 
+{% ifversion dependabot-oidc-support %}
+
 You can also use OIDC authentication to access Azure DevOps Artifacts. {% data reusables.dependabot.dependabot-oidc-credentials %}
 
 {% raw %}
@@ -606,6 +620,8 @@ registries:
 
 {% endraw %}
 
+{% endif %}
+
 ### `rubygems-server`
 
 The `rubygems-server` type supports username and password, or token. {% data reusables.dependabot.password-definition %}

content/code-security/reference/supply-chain-security/dependabot-options-reference.md

@@ -980,6 +980,8 @@ updates:
 
 The parameters used to provide authentication details for access to a private registry vary according to the registry `type`.
 
+{% ifversion dependabot-oidc-support %}
+
 | Registry `type` | Required authentication parameters |
 |--|--|
 | `cargo-registry` | `token` |
@@ -996,13 +998,37 @@ The parameters used to provide authentication details for access to a private re
 | `rubygems-server` | `username` and `password`<br>or `token`<br>or OIDC with `tenant-id` and `client-id` |
 | `terraform-registry` | `token` |
 
+{% else %}
+
+| Registry `type` | Required authentication parameters |
+|--|--|
+| `cargo-registry` | `token` |
+| `composer-repository` | `username` and `password` |
+| `docker-registry` | `username` and `password` |
+| `git` | `username` and `password` |
+| `hex-organization` | `organization` and `key` |
+| `hex-repository` | `repo` and `auth-key` optionally with the corresponding `public-key-fingerprint` |
+| `maven-repository` | `username` and `password` |
+| `npm-registry` | `username` and `password`<br>or `token` |
+| `nuget-feed` | `username` and `password`<br>or `token` |
+| `pub-registry` | `token` |
+| `python-index` | `username` and `password`<br>or `token` |
+| `rubygems-server` | `username` and `password`<br>or `token` |
+| `terraform-registry` | `token` |
+
+{% endif %}
+
 All sensitive data used for authentication should be stored securely and referenced from that secure location, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot).
 
 > [!TIP]
 > {% data reusables.dependabot.password-definition %}
 
+{% ifversion dependabot-oidc-support %}
+
 For more information about  OIDC support for {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/actions/concepts/security/openid-connect#oidc-support-for-dependabot) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication).
 
+{% endif %}
+
 ### `url` and `replaces-base`
 
 The `url` parameter defines where to access a registry. When the optional `replaces-base` parameter is enabled (`true`), {% data variables.product.prodname_dependabot %} resolves dependencies using the value of `url` rather than the base URL of that specific ecosystem.

content/copilot/concepts/agents/cloud-agent/about-cloud-agent.md

@@ -40,7 +40,7 @@ With {% data variables.copilot.copilot_cloud_agent %}, {% data variables.product
 When you delegate tasks to {% data variables.copilot.copilot_cloud_agent %}, you can:
 
 * Use the agents panel or other agents entry points on {% data variables.product.prodname_dotcom_the_website %} to have {% data variables.product.prodname_copilot_short %} research, plan, and make code changes on a branch, then iterate before creating a pull request. You can also specify in your prompt that you want a pull request created right away. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/research-plan-iterate).
-* Ask {% data variables.product.prodname_copilot_short %} to open a new pull request from other entry points, including {% data variables.product.prodname_github_issues %} and {% data variables.product.prodname_vscode %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/create-a-pr).
+* Ask {% data variables.product.prodname_copilot_short %} to open a new pull request from other entry points, including {% data variables.product.prodname_github_issues %} and {% data variables.product.prodname_vscode %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/start-copilot-sessions).
 * Mention `@copilot` in a comment on an existing pull request to ask it to make changes. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/make-changes-to-an-existing-pr).
 {% ifversion security-campaigns-assign-to-cca %}* Assign security alerts to {% data variables.product.prodname_copilot_short %} from security campaigns. See [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/fixing-alerts-in-security-campaign#assigning-alerts-to-copilot-cloud-agent).{% endif %}
 

content/copilot/concepts/agents/cloud-agent/agent-management.md

@@ -34,7 +34,7 @@ To learn more about {% data variables.copilot.copilot_cloud_agent %}, see [AUTOT
 
 From the Agents tab, you can:
 
-* **Kick off new agent tasks**: Select an AI model of your choice, and optionally choose from third-party agents or {% data variables.copilot.custom_agents_short %} best suited for the task. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/create-a-pr).
+* **Kick off new agent tasks**: Select an AI model of your choice, and optionally choose from third-party agents or {% data variables.copilot.custom_agents_short %} best suited for the task. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/start-copilot-sessions).
 * **Monitor live session logs**: Once the agent starts working, you can click any agent session to open the session log and follow its progress and thought process in real time.
 * **Track active sessions**: You can view all active agent sessions that have been started in the repository.
 * **Steer agents mid-session**: If you realize you didn't scope a request correctly, or want the agent to use a specific tool or service, you can step in and provide **steering input** without stopping the run. Steering uses **one premium request** per message. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/track-copilot-sessions#steering-a-copilot-session-from-the-agents-tab).