Merged
Expand Up @@ -71,8 +71,6 @@ If you have confirmed you need `pull_request_target`, apply these controls to li

* **Ensure the underlying compute is isolated and ephemeral.** If self-hosted runners are used, you must confirm that the runner environment is properly restricted from internal resources and is not reused across {% data variables.product.prodname_actions %} runs. For more information, see [AUTOTITLE](/actions/reference/security/secure-use#hardening-for-self-hosted-runners).

* **Gate runs behind approval.** `pull_request_target` workflows can be gated behind a required `label` that only users with write access can add. This is detailed in the {% data variables.product.prodname_security %} [guidance on preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/#preventing-pwn-requests).

* **Enforce {% data variables.product.prodname_actions %} security best practices.** In addition to the specific risks of pwn requests, other common vulnerabilities, such as command injection, can exist and impact the code executed in this privileged event. For more information, see [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/resources/github-actions-untrusted-input/) from the {% data variables.product.prodname_security %}. To identify and proactively protect against common {% data variables.product.prodname_actions %} vulnerabilities, enable {% data variables.product.prodname_codeql %} for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning).

## Opting out of built-in protections
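Review bot: the hunk header (8 lines down to 6) shows that one bullet and its blank line were dropped, but the rendering doesn't mark which of the three controls went, so please say in the commit message which one was removed and why, since all three are load-bearing for `pull_request_target`. If the "Gate runs behind approval" bullet is the one that stays, suggest adding that the label gate has to be enforced inside the workflow (trigger on the `labeled` type and compare the label name in an `if:`) and that a label applied once keeps approving later pushes to the same pull request, so maintainers need to re-review after new commits.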
Expand All @@ -81,6 +79,10 @@ If you have worked through the questions above and confirmed your workflow requi

This protection only covers fork pull request refs. Checking out other untrusted code, such as an unrelated third-party repository, fetching code with `git fetch` or `gh pr checkout`, or running a downloaded artifact, is not covered by the `actions/checkout` checks.

{% ifversion fpt or ghec %}

## Restricting the use of pull_request_target

Repository, organization, and enterprise administrators can use Workflow execution protections to control which events and actors can trigger workflows. If a repository has no legitimate use for `pull_request_target`, restricting it removes the risk regardless of how individual workflows are written.
If a repository has no legitimate use for `pull_request_target`, restricting the event removes the risk regardless of how individual workflows are written. Administrators can use workflow execution protections to control which events and actors can trigger workflows. For more information, see the workflow execution protections documentation for repositories ([AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/actions-policies/workflow-execution-protections)){% ifversion ghec %}, organizations ([AUTOTITLE](/organizations/managing-organization-settings/actions-policies/workflow-execution-protections)), and across your enterprise ([AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/actions-policies/workflow-execution-protections)){% else %} and organizations ([AUTOTITLE](/organizations/managing-organization-settings/actions-policies/workflow-execution-protections)){% endif %}.

{% endif %}
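Review bot: the old paragraph ("Repository, organization, and enterprise administrators can use Workflow execution protections...") and the new one say the same thing with the sentences swapped; if the old line is not actually removed by this hunk the section now states it twice, so confirm only the new paragraph remains. Also, "removes the risk" is broader than the article supports: the context two paragraphs up says the `actions/checkout` protection covers only fork pull request refs, so suggest "removes the pwn-request risk from that event" so readers don't take the restriction as also covering `gh pr checkout`, `git fetch` or downloaded artifacts.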
Expand Up @@ -11,7 +11,10 @@ category:
- Manage Copilot for a team
---

{% data reusables.copilot.byok-intro %} {% data reusables.copilot.byok-no-subscription-required %}
{% data reusables.copilot.byok-intro %}

> [!NOTE]
> This article covers custom models configured by enterprise owners. {% data variables.copilot.copilot_cli_short %} and {% data variables.product.prodname_vscode_shortname %} users can also use their own LLM keys locally. See [AUTOTITLE](/copilot/how-tos/copilot-cli/customize-copilot/use-byok-models) and [Add a model from a built in provider](https://code.visualstudio.com/docs/agent-customization/language-models#_add-a-model-from-a-built-in-provider) in the {% data variables.product.prodname_vscode_shortname %} documentation.

## Why bring your own API keys?

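Review bot: the note tells enterprise owners that CLI and VS Code users "can also use their own LLM keys locally" but not that such local configuration is outside enterprise policy; the CLI admin article changed in this same PR states it plainly ("This is not controlled by enterprise policies"), so suggest repeating that here, because the reader of this page is the person deciding what the enterprise controls. Separately, `reusables.copilot.byok-no-subscription-required` is dropped from the intro; if that statement no longer holds, check whether the reusable is still referenced elsewhere or should be deleted with it.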
Expand Up @@ -11,7 +11,10 @@ category:
- Manage Copilot for a team
---

{% data reusables.copilot.byok-intro %} {% data reusables.copilot.byok-no-subscription-required %}
{% data reusables.copilot.byok-intro %}

> [!NOTE]
> This article covers custom models configured by organization owners. {% data variables.copilot.copilot_cli_short %} and {% data variables.product.prodname_vscode_shortname %} users can also configure their own LLM provider locally, without any administrator setup. See [AUTOTITLE](/copilot/how-tos/copilot-cli/customize-copilot/use-byok-models) and [Add a model from a built in provider](https://code.visualstudio.com/docs/agent-customization/language-models#_add-a-model-from-a-built-in-provider) in the {% data variables.product.prodname_vscode_shortname %} documentation.

## Why bring your own API keys?

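Review bot: this note and the enterprise one in the previous file word the same statement differently ("use their own LLM keys locally" versus "configure their own LLM provider locally, without any administrator setup"); suggest a single reusable so the two articles can't drift, and carry "without any administrator setup" into both, since that is the part an owner needs to know.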
Expand Up @@ -37,6 +37,10 @@ You can enable or disable {% data variables.copilot.copilot_cli_short %} at the

Users can only access AI models that are enabled at the enterprise level. When you enable or disable models in your enterprise settings, those changes are reflected in {% data variables.copilot.copilot_cli_short %}. Users can view which models are available to them using the `/model` command.

Enterprise and organization owners can provide keys for custom models. Users can select these like any other model: with the {% data variables.copilot.copilot_cli_short %} model selector, the `--model` flag, or environment variables. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/use-your-own-api-keys).

Separately, users can also provide their own LLM keys locally. This is not controlled by enterprise policies. See [AUTOTITLE](/copilot/how-tos/copilot-cli/customize-copilot/use-byok-models).

### Custom agents

Enterprise-configured custom agents are available to use with {% data variables.copilot.copilot_cli_short %}.
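Review bot: the context line "Users can only access AI models that are enabled at the enterprise level" now sits two paragraphs above "users can also provide their own LLM keys locally. This is not controlled by enterprise policies", which contradicts it as written; suggest qualifying the first sentence to GitHub-hosted models, or moving the local-BYOK caveat directly after it, so an administrator doesn't read the model allow-list as a complete control. The new paragraph also says custom models can be selected with "environment variables" without naming one; the user article in this PR shows `COPILOT_MODEL`, so name it or link to that section.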
Expand All @@ -63,7 +67,6 @@ All other controls do **not** affect {% data variables.copilot.copilot_cli_short

* **IDE-specific policies**: Policies configured for specific IDEs or editor extensions
* **Content exclusions**: File path-based content exclusions
* **User-configured model providers (BYOK)**: Users can configure {% data variables.copilot.copilot_cli_short %} to use their own model providers via environment variables. This is configured at the _user level_ and cannot be controlled by enterprise policies.

## Why can't my developers access {% data variables.copilot.copilot_cli_short %}?

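Review bot: dropping the BYOK bullet from this list is right, since it described a user-level setting rather than an enterprise control, and its policy statement survives in the new "Separately, users can also provide their own LLM keys locally" paragraph earlier in the file; no further change needed here.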
Expand Up @@ -15,6 +15,9 @@ docsTeamMetrics:

You can configure {% data variables.copilot.copilot_cli_short %} to use your own LLM provider, also called BYOK (Bring Your Own Key), instead of {% data variables.product.github %}-hosted models. This lets you connect to OpenAI-compatible endpoints, Azure OpenAI, or Anthropic, including locally running models such as Ollama.

> [!NOTE]
> This article is for users who want to configure their own LLM provider API key on their local machine. To set up custom models for users in an enterprise, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/use-your-own-api-keys).

## Prerequisites

* {% data variables.copilot.copilot_cli_short %} is installed. See [AUTOTITLE](/copilot/how-tos/copilot-cli/set-up-copilot-cli/install-copilot-cli).
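Review bot: the new note routes enterprise administrators elsewhere, but the intro sentence still lists "locally running models such as Ollama" alongside OpenAI, Azure OpenAI and Anthropic without distinguishing that the remote providers receive prompts and code context over the network; the offline-mode callout later in this article makes exactly that point, so suggest a one-line cross-reference to it here, where the user is choosing a provider.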
Expand Down Expand Up @@ -82,7 +85,7 @@ Use the following steps if you are connecting to OpenAI, Ollama, vLLM, Foundry L
export COPILOT_PROVIDER_API_KEY=YOUR-AZURE-API-KEY
export COPILOT_MODEL=YOUR-DEPLOYMENT-NAME
```

Replace the following placeholders:

* `YOUR-RESOURCE-NAME`: your Azure OpenAI resource name
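Review bot: this hunk is a whitespace-only change on the blank line after the code block, so nothing to fix in the diff itself, but the block it trails shows `export COPILOT_PROVIDER_API_KEY=YOUR-AZURE-API-KEY` typed inline; suggest the surrounding text recommend loading the key from a file with restricted permissions or a secret manager rather than typing it on the command line, where it lands in shell history and is readable by every child process through the environment.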
Expand Down Expand Up @@ -110,7 +113,7 @@ Use the following steps if you are connecting to OpenAI, Ollama, vLLM, Foundry L

You can run {% data variables.copilot.copilot_cli_short %} in offline mode to prevent it from contacting {% data variables.product.github %}'s servers. This is designed for isolated environments where the CLI should communicate only with your local or on-premises model provider.

> [!IMPORTANT]
> [!IMPORTANT]
> Offline mode only guarantees full network isolation if your provider is also local or within the same isolated environment. If `COPILOT_PROVIDER_BASE_URL` points to a remote endpoint, your prompts and code context are still sent over the network to that provider.

1. Configure your provider environment variables as described in Configuring your provider.
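Review bot: step 1 refers to "Configuring your provider" as bare text; make it a link to that section. The `[!IMPORTANT]` callout is the right caveat for offline mode, and since it hinges entirely on `COPILOT_PROVIDER_BASE_URL`, suggest adding a concrete step, such as confirming the base URL resolves to a loopback or on-premises address before enabling offline mode, so the reader has something to verify rather than only a warning.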
Expand Up @@ -22,7 +22,7 @@ A dedicated policy exists to enable or disable each supported feature or surface
| --- | --- | --- | --- | --- | --- | --- | --- |
| Editor preview features | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% data variables.product.prodname_copilot_short %} can search the web | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Enable custom models | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Enable custom models | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Suggestions matching public code | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %}[^1] | {% octicon "check" aria-label="Supported" %}[^1] | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| MCP servers in {% data variables.product.prodname_copilot_short %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Restrict MCP access to registry servers | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
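Review bot: the "Enable custom models" row flips its fourth support column from "Not supported" to "Supported", but the table header isn't in the hunk, so the surface that gained support can't be read from the diff; confirm it is the Copilot CLI column, which is what the CLI admin article in this same PR now states (enterprise custom models selectable in the CLI).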
1 change: 0 additions & 1 deletion data/reusables/copilot/byok-why.md
Expand Up @@ -2,4 +2,3 @@
* **Cost management:** Align with your existing payment methods, contracts, credits, or negotiated rates, and avoid usage overages.
* **Visibility and control:** Manage which models your team can access, and monitor usage through your provider's existing dashboards and billing.
* **Flexibility:** Support custom or specialized models that your organization already uses.
* **Air-gapped environments:** Use {% data variables.product.prodname_copilot_short %} in isolated networks without any dependency on {% data variables.product.github %}'s REST API in either {% data variables.product.prodname_vscode_shortname %} or {% data variables.copilot.copilot_cli_short %}.
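Review bot: removing the "Air-gapped environments" bullet is consistent with the offline-mode callout elsewhere in this PR, which says isolation is only as good as the provider endpoint; but the bullet was the only place this reusable mentioned isolated networks, so suggest a pointer from the "Why bring your own API keys?" section to the offline-mode steps for readers who came to BYOK for that reason.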
Expand Up @@ -14,6 +14,7 @@
* Mentions of users, teams, and organizations in pull request, issue, release, and comment bodies (the username originally mentioned is retained)
* Packages in {% data variables.product.prodname_registry %}
* {% data variables.product.prodname_projects_v2 %} (the new projects experience)
* Reciprocal links from mentions of issues, pull requests, discussions, teams, or milestones
* References between pull requests and issues in different repositories (see [AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/autolinked-references-and-urls))
* Remediation states of {% data variables.product.prodname_secret_scanning %} results
* Repositories owned by user accounts
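Review bot: the new bullet "Reciprocal links from mentions of issues, pull requests, discussions, teams, or milestones" doesn't say what happens to those links, whereas the mentions bullet above it notes what is retained; suggest stating whether the link text survives as plain text or is dropped, and whether this covers only the back-reference or both directions.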
2 changes: 1 addition & 1 deletion src/audit-logs/data/version-index.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion src/audit-logs/lib/config.json
Expand Up @@ -9,5 +9,5 @@
"git": "Note: Git events have special access requirements and retention policies that differ from other audit log events. For GitHub Enterprise Cloud, access Git events via the REST API only with 7-day retention. For GitHub Enterprise Server, Git events must be enabled in audit log configuration and are not included in search results.",
"sso_redirect": "Note: Automatically redirecting users to sign in is currently in beta for Enterprise Managed Users and subject to change."
},
"sha": "ad0dc7ebe4a70afe77bb03487060481fe7a9f13a"
"sha": "3ed92647ffda0d571b4be3620e9f39d9da7086b3"
}
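Review bot: the `sha` pin changes without anything in the diff saying what it points at (the version-index.json change beside it isn't rendered); suggest a commit message line or a sibling field naming the source repository and commit so the pin can be audited and reproduced.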