diff --git a/.github/workflows/line-endings.yml b/.github/workflows/line-endings.yml new file mode 100644 index 000000000000..5ef81767bd12 --- /dev/null +++ b/.github/workflows/line-endings.yml @@ -0,0 +1,45 @@ +name: Line endings + +# **What it does**: Fails if any committed file violates the repo's `.gitattributes` +# line-ending rules (for example, CRLF in a file declared `eol=lf`). +# **Why we have it**: `.gitattributes` (`*.md text eol=lf`, `* text=auto`) only +# normalizes line endings during a local `git add`/checkout. A server-side +# squash-merge can commit CRLF blobs that bypass it. A file with mixed line endings +# then shows as permanently "modified" on Linux runners, which breaks PR-creating +# sync workflows that use peter-evans/create-pull-request. See +# github/docs-engineering#6657 and github/docs-engineering#6656. +# **Who does it impact**: Docs engineering, open-source engineering contributors. + +on: + workflow_dispatch: + merge_group: + pull_request: + +permissions: + contents: read + +# This allows a subsequently queued workflow run to interrupt previous runs +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +jobs: + line-endings: + if: github.repository == 'github/docs-internal' || github.repository == 'github/docs' + runs-on: ubuntu-latest + steps: + - name: Check out repo + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + + - name: Check line endings + # Re-stage every file through the `.gitattributes` filters and fail if any + # committed blob disagrees with them (usually CRLF where LF is required). + run: | + git add --renormalize . + if ! git diff --cached --quiet; then + echo "::error::These files violate .gitattributes line-ending rules (usually CRLF that should be LF):" + git diff --cached --name-only + echo "" + echo "Fix locally with: git add --renormalize . && git commit" + exit 1 + fi diff --git a/.github/workflows/sync-sdk-docs.yml b/.github/workflows/sync-sdk-docs.yml index df0fb34b4537..225ed5687897 100644 --- a/.github/workflows/sync-sdk-docs.yml +++ b/.github/workflows/sync-sdk-docs.yml @@ -24,7 +24,7 @@ on: types: [opened, synchronize, reopened] paths: - '.github/workflows/sync-sdk-docs.yml' - - 'src/scripts/sync-sdk-docs/**' + - 'src/workflows/sync-sdk-docs/**' concurrency: group: sync-sdk-docs-${{ github.event_name }} @@ -88,7 +88,7 @@ jobs: - name: Normalize content run: | - npx tsx src/scripts/sync-sdk-docs/normalize-sdk-docs.ts \ + npx tsx src/workflows/sync-sdk-docs/normalize-sdk-docs.ts \ --content-dir content \ --sdk-docs-dir "$SDK_DOCS_TARGET" @@ -98,7 +98,7 @@ jobs: run: | # Puppeteer needs --no-sandbox on GitHub Actions runners echo '{ "args": ["--no-sandbox", "--disable-setuid-sandbox"] }' > /tmp/puppeteer-config.json - npx tsx src/scripts/sync-sdk-docs/convert-mermaid.ts \ + npx tsx src/workflows/sync-sdk-docs/convert-mermaid.ts \ --sdk-docs-dir "$SDK_DOCS_TARGET" \ --assets-dir "$ASSETS_TARGET" \ --repo-root . \ diff --git a/config/moda/secrets/production/secrets.yml b/config/moda/secrets/production/secrets.yml index e1e453ed21a7..421f4edf6075 100644 --- a/config/moda/secrets/production/secrets.yml +++ b/config/moda/secrets/production/secrets.yml @@ -14,6 +14,11 @@ secrets: type: salt owner: '@github/docs-engineering' externally_usable: true + DOCS_BOT_APP_CLIENT_ID: + kind: latest_at_deployment_start + type: github_app + owner: '@github/docs-engineering' + externally_usable: true DOCS_BOT_APP_ID: kind: latest_at_deployment_start type: github_app diff --git a/content/actions/how-tos/manage-runners/use-proxy-servers.md b/content/actions/how-tos/manage-runners/use-proxy-servers.md index 1d7ebd210a62..30723cc23607 100644 --- a/content/actions/how-tos/manage-runners/use-proxy-servers.md +++ b/content/actions/how-tos/manage-runners/use-proxy-servers.md @@ -33,7 +33,7 @@ On Windows machines, the proxy environment variable names are case-insensitive. {% data reusables.actions.self-hosted-runner-ports-protocols %} > [!WARNING] -> Self-hosted runners do not support using IP addresses in the `no_proxy` environment variable. If your {% data variables.product.prodname_ghe_server %} instance uses an IP address and you configure `no_proxy` to bypass the proxy for that address, the runner will still fail to connect. +> Self-hosted runners do not support using IP addresses and CIDR ranges in the `no_proxy` environment variable. If your {% data variables.product.prodname_ghe_server %} instance uses an IP address and you configure `no_proxy` to bypass the proxy for that address, the runner will still fail to connect. > If your {% data variables.product.prodname_ghe_server %} instance is accessed using an IP address and the connection must bypass the proxy, the runner will fail to connect, even if that IP address is listed in `no_proxy`. ### Example configurations diff --git a/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/migrating-github-actions-external-storage.md b/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/migrating-github-actions-external-storage.md index 2894c1d52b9c..4e360a2bac6e 100644 --- a/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/migrating-github-actions-external-storage.md +++ b/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/migrating-github-actions-external-storage.md @@ -10,11 +10,11 @@ category: - Enable GitHub features for your enterprise --- -## About migrating {% data variables.product.prodname_actions %} external storage - -You can migrate {% data variables.product.prodname_actions %} external storage to a new bucket, account, or region on the same provider when consolidating cloud accounts, meeting residency requirements, or reorganizing storage tenancy. - -The migration works because {% data variables.product.prodname_actions %} identifies stored objects by their key (path) within a bucket or container, not by the bucket or account name. As long as you preserve the internal key layout and update your configuration to point at the new location, existing workflow logs and artifacts remain accessible without interruption. +## About migrating {% data variables.product.prodname_actions %} external storage + +You can migrate {% data variables.product.prodname_actions %} external storage to a new bucket, account, or region on the same provider when consolidating cloud accounts, meeting residency requirements, or reorganizing storage tenancy. + +The migration works because {% data variables.product.prodname_actions %} identifies stored objects by their key (path) within a bucket or container, not by the bucket or account name. As long as you preserve the internal key layout and update your configuration to point at the new location, existing workflow logs and artifacts remain accessible without interruption. ## Considerations @@ -43,12 +43,12 @@ Before you begin, review the following constraints. Each one shapes the migratio Before performing the migration against production, rehearse the full procedure on a staging instance. Provision a staging {% data variables.product.prodname_ghe_server %} instance from a recent production backup, point it at a throwaway destination that mirrors the intended production destination, and run every step of this article end to end. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance) and [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/using-a-staging-environment). -A staging rehearsal validates that: - -* Provider-side permissions, network access, and policies on the destination are correct. -* The copy tool you have chosen completes successfully against representative data volumes. -* The expected object count and total size match between source and destination. -* Existing workflow run logs and artifacts are retrievable through the UI after cutover. +A staging rehearsal validates that: + +* Provider-side permissions, network access, and policies on the destination are correct. +* The copy tool you have chosen completes successfully against representative data volumes. +* The expected object count and total size match between source and destination. +* Existing workflow run logs and artifacts are retrievable through the UI after cutover. > [!WARNING] > Your staging instance must use different storage from your production instance. If you do not change the storage configuration, the staging instance may write into your production storage and cause data loss. For more information, see [AUTOTITLE](/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/using-a-staging-environment#configuring-storage). @@ -135,23 +135,23 @@ Work through the following steps in order. {% data variables.product.prodname_ac If validation fails or you encounter issues after cutover, roll back by pointing {% data variables.location.product_location %} back at the source storage location. The source storage is your known-good copy. Do not copy data from the destination back into the source as part of rollback, because data written to the destination during a failed cutover may be partial or inconsistent, and writing it back into the source risks corrupting your only good copy. -> [!WARNING] -> Rolling back will discard any data written or deleted after the cutover. If validation fails, roll back immediately rather than attempting extended troubleshooting. The longer you wait, the more data is at risk. - -If validation fails or you encounter issues: - -1. Enable maintenance mode immediately. -1. In the {% data variables.enterprise.management_console %}, restore the original storage configuration values and click **Test storage settings**, then **Save settings**. -1. Disable maintenance mode and re-run the validation steps with the original storage. - -After a successful rollback, investigate the failure and plan a new migration attempt. +> [!WARNING] +> Rolling back will discard any data written or deleted after the cutover. If validation fails, roll back immediately rather than attempting extended troubleshooting. The longer you wait, the more data is at risk. + +If validation fails or you encounter issues: + +1. Enable maintenance mode immediately. +1. In the {% data variables.enterprise.management_console %}, restore the original storage configuration values and click **Test storage settings**, then **Save settings**. +1. Disable maintenance mode and re-run the validation steps with the original storage. + +After a successful rollback, investigate the failure and plan a new migration attempt. ## {% data variables.product.prodname_registry %} considerations You can apply the same migration approach to {% data variables.product.prodname_registry %} external storage, with the following important differences. Read this section in full before migrating storage on an instance that has {% data variables.product.prodname_registry %} enabled. * **OpenID Connect is not available for {% data variables.product.prodname_registry %}.** {% data variables.product.prodname_registry %} only supports credentials-based authentication for external storage. The authentication-method constraint in this article still applies: keep the authentication method unchanged during migration. -* **{% data variables.product.prodname_registry %} is more sensitive to timing mismatches.** When packages are published during the migration window, the system creates both new storage objects and database records. To prevent inconsistency, keep maintenance mode enabled continuously from the start of the final delta sync through successful validation of the new configuration. +* **{% data variables.product.prodname_registry %} is more sensitive to timing mismatches.** When packages are published during the migration window, the system creates both new storage objects and database records. To prevent inconsistency, keep maintenance mode enabled continuously from the start of the final delta sync through successful validation of the new configuration. * **Update both configurations together if the same provider serves both products.** If you have configured {% data variables.product.prodname_actions %} and {% data variables.product.prodname_registry %} to use the same provider type and you are migrating both, plan the cutover as a single maintenance window and update both configurations before disabling maintenance mode. * **For cross-provider migrations of {% data variables.product.prodname_registry %} storage, contact {% data variables.contact.contact_ent_support %}.** Cross-provider moves are not covered here. diff --git a/content/code-security/concepts/supply-chain-security/index.md b/content/code-security/concepts/supply-chain-security/index.md index 35dcfb9b210d..56a840696725 100644 --- a/content/code-security/concepts/supply-chain-security/index.md +++ b/content/code-security/concepts/supply-chain-security/index.md @@ -10,6 +10,7 @@ redirect_from: - /code-security/supply-chain-security/understanding-your-software-supply-chain children: - supply-chain-security + - open-source-license-compliance - best-practices-for-maintaining-dependencies - dependency-graph - dependency-graph-data diff --git a/content/code-security/concepts/supply-chain-security/open-source-license-compliance.md b/content/code-security/concepts/supply-chain-security/open-source-license-compliance.md new file mode 100644 index 000000000000..529ec1d76150 --- /dev/null +++ b/content/code-security/concepts/supply-chain-security/open-source-license-compliance.md @@ -0,0 +1,60 @@ +--- +title: About open source license compliance +shortTitle: Open Source license compliance +intro: Define and enforce license policy for dependencies in your repositories with open source license compliance. +product: 'Organizations owned by an enterprise account with {% data variables.product.prodname_GH_code_security %} enabled' +versions: + feature: open-source-license-compliance +contentType: concepts +category: + - Secure your dependencies +--- + +{% data reusables.code-security.open-source-license-compliance-public-preview-note %} + +## Overview + +Open source license compliance helps you **track dependency licenses** and **enforce policy** for the open source software in your supply chain. You can use license compliance to reduce legal and operational risk, catching nonconforming dependencies **before** changes are merged. + +## How license policy works + +You can define an enterprise or organization policy that controls which licenses dependencies are allowed to use. + +You can specify licenses from either a built-in list or, if a license is not listed, by manually adding a SPDX license identifier. + +Your policy is applied at the enterprise, organization, and repository scope. You can also add package or license exceptions when an **Enterprise Open Source License Manager** approves requests. + +License evaluation uses dependency data from your repositories, including transitive dependencies detected in the dependency graph. + +## How pull request enforcement works + +Open source license compliance is enforced through branch rulesets. When a pull request changes package manifests, {% data variables.product.github %} compares dependency changes between the base and pull request branches, evaluates detected licenses against policy, and reports violations. + +If there is a ruleset in **Active** mode which uses the "Requires license compliance results before merging" condition, pull requests that introduce noncompliant dependencies are blocked until violations are resolved. An **Evaluate** mode ruleset with that condition will run license checks and annotate the pull request, but not block merges. + +Additionally, a [branch protection rule](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) that requires comment resolution before merging will track annotations from license checks, so even alerts generated by **Evaluate** rulesets will be subject to the protection. + +## Where results appear + +If a dependency's license isn't in your policy, findings will appear in pull request annotations. The annotations do not automatically generate an exception request, because the developer could decide to modify their code to avoid the noncompliant dependency. If they do want to use the dependency, {% data variables.product.github %} will prompt the developer for more information, then send the closure request to the Enterprise Open Source License Managers, who have permission to modify the policy. + +For Enterprise Open Source License Managers, pending exception requests are available in enterprise security views and sent as email notifications. + +## Scope and governance model + +You can create policy at enterprise scope for a common baseline, then layer repository-specific exceptions where needed. + +For large enterprises, a common pattern is: + +* Define broad policy centrally +* Assign the Enterprise Open Source License Manager role to policy reviewers +* Use a repository custom property to classify repositories as inactive, evaluate, or active +* Use rulesets that target the custom property values to control enforcement mode by repository + +Developers with write access can view the effective policy and exceptions for a repository from the repository's license policy settings page. + +## Next steps + +To get started, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-license-policies). + +For more information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). diff --git a/content/code-security/how-tos/secure-your-supply-chain/index.md b/content/code-security/how-tos/secure-your-supply-chain/index.md index ec66a1420a7c..2a0ab34ac4ea 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/index.md +++ b/content/code-security/how-tos/secure-your-supply-chain/index.md @@ -17,4 +17,3 @@ children: - secure-your-dependencies - manage-your-dependency-security - establish-provenance-and-integrity ---- diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-license-policies.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-license-policies.md new file mode 100644 index 000000000000..cad9a66f6e40 --- /dev/null +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-license-policies.md @@ -0,0 +1,129 @@ +--- +title: Configuring open source license policies +shortTitle: Configure license policies +intro: Create and enforce open source license policies to control which licenses your dependencies are allowed to use. +product: 'Organizations owned by a {% data variables.product.prodname_enterprise %} account with {% data variables.product.prodname_GH_code_security %} enabled' +versions: + feature: open-source-license-compliance +contentType: how-tos +category: + - Secure your dependencies +redirect_from: + - /early-access/code-security/supply-chain-security/enforcing-license-policy-across-an-enterprise +--- + +{% data reusables.code-security.open-source-license-compliance-public-preview-note %} + +## Prerequisites + +Before you configure license policies, ensure that: + +* Your organization has {% data variables.product.prodname_GH_code_security %} +* You have access to manage enterprise or organization policy and rulesets +* Dependency graph is enabled for repositories you want to evaluate + +## About license compliance + +Open source license compliance lets you define a policy that specifies which licenses your dependencies are allowed to use. + +When the policy is enforced with rulesets, {% data variables.product.github %} evaluates pull requests that change package manifests, checks direct and transitive dependencies, and compares detected licenses to your policy. Pull requests with noncompliant dependencies remain blocked until violations are resolved. + +Violations are typically resolved by: + +* Updating the pull request to use compliant dependencies +* Approving an exception for a package or license +* Updating policy to allow a license where appropriate + +## Create a license policy + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %} +1. In the sidebar, click **License compliance**. +1. Click **Default policy**. +1. On the **Edit license policy** page, click **Add licenses** and choose **Select from list**. +1. From the license picker, select the licenses you want to permit. The licenses in this list are categorized based on their general risk level for use in corporate environments, but this is purely informational and does not constitute legal advice. **Always check with your organization's legal team for policy guidance**. +1. Save your changes. + +Alternately, if you have an existing license policy from another tool, you can import it as a list of SPDX expressions. +1. On the **Edit license policy** page, click **Add licenses** and choose **Manual input**. +1. Enter one or more SPDX license identifiers, each on a new line. +1. Save your changes. + +The licenses you add form your baseline policy. You can later add package-level exceptions when handling alerts. + +## Configure access for Enterprise Open Source License Managers + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.people-tab %} +1. In the left sidebar, click **{% octicon "globe" aria-hidden="true" aria-label="globe" %} Enterprise roles**. +1. Click **Role assignments**. +1. Click **Assign role**. +1. Select the **Enterprise Open Source License Manager** role. +1. Choose a user or team to assign the role to. +1. Click **Assign role**. + +Assigning this role also subscribes reviewers to request notifications so they can respond to dismissal requests quickly. + +## Optionally use custom properties to control rollout per repository + +If you want gradual rollout, use a repository custom property to control whether each repository is in inactive, evaluate, or active enforcement mode. + +{% data reusables.organizations.navigate-to-org %} +{% data reusables.organizations.org_settings %} +{% data reusables.organizations.access-custom-properties %} +1. Create a single-select repository custom property, for example `open_source_license_compliance`. +1. Add values for `inactive`, `evaluate`, and `active`. +1. Set the default value to `inactive`. +1. Decide who can change the property value. +1. Assign property values to repositories based on their rollout stage. + +## Enforce policy in pull requests with rulesets + +We suggest making two rulesets, one for **Evaluate** mode and one for **Active** mode. If you created custom properties to control the rollout, you can target those properties here. + +1. Go to the rulesets page for the scope where you want enforcement. +1. Create a branch ruleset. +1. Under the ruleset name, set **Enforcement status**: + + * For your first ruleset, select **Evaluate**. + * For your second ruleset, select **Active**. +1. Choose how to target repositories: + + * If you use custom properties, target by `open_source_license_compliance`: + * For the evaluate-mode ruleset, target repositories where the property value is `evaluate`. + * For the active-mode ruleset, target repositories where the property value is `active`. + * If you do not use custom properties, target repositories by repository pattern or explicit repository selection. +1. Enable **Require license compliance results before merging**. +1. Save your changes. + +For more information about rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) and [AUTOTITLE](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#targeting-repositories-by-properties-in-your-organization). + +## Test policy enforcement + +1. In a targeted repository, open a pull request that changes dependency manifests. +1. Confirm that pull request annotations show license compliance results. +1. If a dependency violates policy, review the generated alert and request dismissal if an exception is needed. + +When violations are unresolved, the pull request remains blocked. + +## Review and handle exception requests + +1. As an Enterprise Open Source License Manager, open the list of pending license alert requests in your enterprise security views. +1. Review each request and decide whether to deny or approve it. +1. If you approve, choose whether the exception should apply to a package, a license, or a package pattern. +1. Choose whether to apply the exception at repository scope or enterprise scope. +1. Save the exception. + +After a request is approved, the alert is closed and the pull request is unblocked, as long as no other required checks are failing. + +## Review effective policy for a repository + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +1. In the sidebar, under "Security", click **License policy**. +1. Review the combined policy and exception set in effect for that repository. +1. Update enterprise-level or repository-level policy as needed. + +## Further reading + +* [AUTOTITLE](/code-security/concepts/supply-chain-security/open-source-license-compliance). \ No newline at end of file diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md index 1f043824e436..338c110e6525 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md @@ -8,6 +8,7 @@ versions: ghec: '*' contentType: how-tos children: + - /configure-license-policies - /auto-triage-dependabot-alerts - /prioritize-with-preset-rules - /customizing-dependabot-security-prs diff --git a/content/copilot/concepts/agents/copilot-cli/index.md b/content/copilot/concepts/agents/copilot-cli/index.md index ac4c11e6dc77..05782ff81ccb 100644 --- a/content/copilot/concepts/agents/copilot-cli/index.md +++ b/content/copilot/concepts/agents/copilot-cli/index.md @@ -18,8 +18,8 @@ children: - /rubber-duck - /lsp-servers - /context-management + - /tool-search contentType: concepts docsTeamMetrics: - copilot-cli --- - diff --git a/content/copilot/concepts/agents/copilot-cli/tool-search.md b/content/copilot/concepts/agents/copilot-cli/tool-search.md new file mode 100644 index 000000000000..e759b1bea0ae --- /dev/null +++ b/content/copilot/concepts/agents/copilot-cli/tool-search.md @@ -0,0 +1,108 @@ +--- +title: Loading tools on demand with tool search +shortTitle: Tool search +intro: 'Tool search keeps your context small by letting {% data variables.copilot.copilot_cli_short %} load external tools only when a task needs them.' +versions: + feature: copilot +contentType: concepts +category: + - Learn about Copilot # Copilot discovery page + - Learn about Copilot CLI # Copilot CLI bespoke page +docsTeamMetrics: + - copilot-cli +--- + +## Introduction + +Connecting MCP servers and other external tools to {% data variables.copilot.copilot_cli_short %} is powerful, but every tool you add carries a cost: its definition takes up space in the model's context window, and a long menu of tools makes it harder for the agent to pick the right one. On-demand tool loading (or "tool search") prevents the context window from being cluttered by definitions for tools that the agent doesn't use. The agent starts with just its built-in tools and a way to look up the rest, then loads extra tools only when they're needed to complete a task. + +Tool search addresses two problems associated with a growing number of tools: + +* **Wasted context.** A few dozen tool definitions can eat 10–20K tokens before the agent has done any work. +* **Degraded tool selection accuracy.** Once several dozen tools are in view at once, the model is more likely to reach for the wrong one. + +## What happens during a session + +Each time you enter a prompt, the CLI checks the current tool inventory and decides whether to use tool search. Below roughly 30 tools, the savings you get from tool search aren't worth it, so {% data variables.copilot.copilot_cli_short %} skips tool search entirely and just loads everything. + +Initially, when tool search is used, only the CLI's built-in tools are loaded. Everything else—MCP tools and other external tools—is held back. The agent can see that these tools exist and roughly what they're for, but their full definitions aren't loaded yet. + +When the agent hits a step that needs a tool it doesn't have loaded, it runs a quick search over the available tools and pulls the closest matches into context. Those tools then stick around for the rest of the conversation, so the lookup only happens the first time each one is needed. + +That first lookup costs an extra exchange with the model, but you get it back many times over by keeping the context small on every later turn. + +### Tools that are always loaded + +A handful of tools skip tool search and are ready immediately: + +* {% data variables.copilot.copilot_cli_short %}'s built-in tools (grep, glob, bash, edit, and so on). +* Tools from an MCP server you've configured with `deferTools: "never"`. See [Keeping an MCP server's tools always loaded](#keeping-an-mcp-servers-tools-always-loaded) later in this article. +* Tools loaded by a custom agent. See [Configuring tool deferral in custom agents](#configuring-tool-deferral-in-custom-agents) later in this article. + +## Disabling tool search + +Tool search is enabled by default and activates automatically whenever you're on a supported model and have enough connected tools to make it worthwhile. To disable tool search and go back to loading every tool, set `toolSearch: false` in your personal settings. See [AUTOTITLE](/copilot/reference/copilot-cli-reference/cli-config-dir-reference#user-settings-copilotsettingsjson). + +### Supported models + +| Family | Supported versions | +| ------ | ------------------ | +| Claude (Anthropic) | Mythos Preview, Fable, Sonnet 4.0+, Opus 4.0+ (not Haiku) | +| GPT (OpenAI) | GPT-5.4 and later | + +On any other model, all tools are loaded up front. + +### Keeping an MCP server's tools always loaded + +Sometimes you may want a particular MCP server's tools to always be in front of the agent—for example, a server whose tools are used constantly, or one where the extra search step isn't worth it. Each MCP server has a `deferTools` setting that controls this: + +* `"auto"` (the default)—the server's tools behave like any other and may be deferred once you're over the threshold. +* `"never"`—the server's tools are always included in the agent's tool list, even while tool search is active for everything else. + +The easiest way to set it is by using the `/mcp edit` slash command. In the form for editing the MCP server, switch **Defer Tools** to **Never**. You can also set it directly in `~/.copilot/mcp-config.json`: + +```json +{ + "mcpServers": { + "my-server": { + "type": "stdio", + "command": "npx", + "args": ["-y", "@example/mcp-server"], + "deferTools": "never", + "tools": ["*"] + } + } +} +``` + +### Configuring tool deferral in custom agents + +When a custom agent lists its tools by name, those tools are always loaded so the agent can immediately use them. That's usually what you want, but if an agent declares a large set of tools and only touches a few of them in a given run, you can hand that list back to tool search so the tools are discovered as needed rather than all loaded at once. + +For a Markdown agent (`.github/agents/*.md`), add `deferred-tool-loading: true` to the frontmatter: + +```markdown +--- +name: my-agent +description: Works with a large catalog of tools +tools: + - some_mcp_tool + - another_mcp_tool + # ...many more +deferred-tool-loading: true +--- + +Agent instructions here. +``` + +Keep the following in mind regarding the `deferred-tool-loading` setting: + +* It only has an effect when tool search is active (that is, on a supported model with enough tools to cross the threshold). +* It only matters for agents that name their tools. Agents using the `*` wildcard already use tool search. + +## Optimizing tools for tool search + +Tool search matches what the agent is trying to do against each tool's **name**, its **description**, and its **parameter names and descriptions**. Clear, specific wording makes a tool show up for the right requests: + +* Name tools for what they do so that they're easier to find. +* Write descriptions with the words people would actually search for rather than vague ones. diff --git a/content/copilot/how-tos/copilot-cli/index.md b/content/copilot/how-tos/copilot-cli/index.md index 9c0138ec3d28..80791059d146 100644 --- a/content/copilot/how-tos/copilot-cli/index.md +++ b/content/copilot/how-tos/copilot-cli/index.md @@ -35,6 +35,7 @@ children: - /content/copilot/concepts/agents/copilot-cli/chronicle - /content/copilot/concepts/agents/copilot-cli/comparing-cli-features - /content/copilot/concepts/agents/copilot-cli/context-management + - /content/copilot/concepts/agents/copilot-cli/tool-search - /content/copilot/concepts/agents/copilot-cli/fleet - /content/copilot/concepts/agents/copilot-cli/lsp-servers - /content/copilot/concepts/agents/copilot-cli/research diff --git a/content/copilot/reference/ai-models/model-hosting.md b/content/copilot/reference/ai-models/model-hosting.md index 96892c829142..8b537ba1b772 100644 --- a/content/copilot/reference/ai-models/model-hosting.md +++ b/content/copilot/reference/ai-models/model-hosting.md @@ -52,9 +52,9 @@ Used for: * {% data variables.copilot.copilot_claude_sonnet_46 %} * {% data variables.copilot.copilot_claude_opus_45 %} * {% data variables.copilot.copilot_claude_opus_46 %} -* {% data variables.copilot.copilot_claude_opus_46_fast %} * {% data variables.copilot.copilot_claude_opus_47 %} * {% data variables.copilot.copilot_claude_opus_48 %} +* {% data variables.copilot.copilot_claude_opus_48_fast %} * {% data variables.copilot.copilot_claude_fable_5 %} > [!WARNING] diff --git a/content/copilot/reference/ai-models/supported-models.md b/content/copilot/reference/ai-models/supported-models.md index a4530de64ac3..470ee888960b 100644 --- a/content/copilot/reference/ai-models/supported-models.md +++ b/content/copilot/reference/ai-models/supported-models.md @@ -81,9 +81,9 @@ Choosing a larger context window or higher reasoning will impact {% data variabl | --- | --- | --- | | {% data variables.copilot.copilot_claude_sonnet_46 %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.copilot.copilot_claude_opus_46 %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | -| {% data variables.copilot.copilot_claude_opus_46_fast %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.copilot.copilot_claude_opus_47 %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.copilot.copilot_claude_opus_48 %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | +| {% data variables.copilot.copilot_claude_opus_48_fast %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.copilot.copilot_claude_fable_5 %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.copilot.copilot_gpt_53_codex %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.copilot.copilot_gpt_54 %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | diff --git a/content/copilot/reference/copilot-cli-reference/cli-command-reference.md b/content/copilot/reference/copilot-cli-reference/cli-command-reference.md index 03febf0bebba..0e7d6573f834 100644 --- a/content/copilot/reference/copilot-cli-reference/cli-command-reference.md +++ b/content/copilot/reference/copilot-cli-reference/cli-command-reference.md @@ -211,7 +211,7 @@ When diff mode is open (entered via `/diff`): | `/delegate [PROMPT]` | Delegate changes to a remote repository with an AI-generated pull request. See [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli/delegate-tasks-to-cca). | | `/diff` | Review changes in the current directory; auto-switches to branch diff when the working tree is clean (experimental). | | `/downgrade VERSION` | Download and restart into a specific CLI version. Available for team accounts. | -| `/env` | Show loaded environment details (instructions, MCP servers, skills, agents, plugins, LSPs, hooks, extensions). | +| `/env` | Show loaded environment details (instructions, MCP servers, skills, agents, hooks, plugins, LSPs, extensions). | | `/every [INTERVAL PROMPT]`, `/every` | Schedule a recurring prompt, skill, or schedulable slash command for the current session (for example, `/every 1h run tests` or `/every 1d /chronicle standup`). With no arguments the schedule manager is displayed. {% data reusables.copilot.experimental %} | | `/exit`, `/quit` | Exit the CLI. | | `/extensions [manage\|mode]`, `/extension` | Manage CLI extensions. | @@ -256,9 +256,10 @@ When diff mode is open (entered via `/diff`): | `/tuikit [colors\|icons\|select\|tabbar]` | Preview TUIkit design-system components and color tokens. | | `/undo`, `/rewind` | Rewind the last turn and revert file changes. File tracking is done via the tool layer and does not require Git. | | `/update`, `/upgrade` | Update the CLI to the latest version. | -| `/usage` | Display session usage metrics and statistics. | +| `/usage` | Display session usage metrics and statistics, including per-model token totals. | | `/user [show\|list\|switch]` | Manage the current {% data variables.product.github %} user. | | `/version` | Display version information and check for updates. | +| `/fork [NAME]`, `/branch [NAME]` | Fork the current session into a new session, optionally with a name. {% data reusables.copilot.experimental %} | | `/worktree [branch]`, `/move [branch]` | Create a new Git worktree and switch to it, moving any uncommitted changes along. If you omit the branch name, a name is auto-generated from the conversation. Requires a Git repository. {% data reusables.copilot.experimental %} | For a complete list of available slash commands enter `/help` in the CLI's interactive interface. @@ -281,7 +282,7 @@ For a complete list of available slash commands enter `/help` in the CLI's inter | `--allow-url=URL ...` | Allow access to specific URLs or domains. For multiple URLs, use a quoted, comma-separated list. | | `--acp` | Start as Agent Client Protocol server. | | `--attachment PATH` | Attach a file to the initial prompt (can be used multiple times). Image files are accepted, but sending them successfully requires the selected model and organization policy to allow vision input. | -| `--autopilot` | Enable autopilot continuation in prompt mode. See [AUTOTITLE](/copilot/concepts/agents/copilot-cli/autopilot). | +| `--autopilot` | Enable autopilot continuation—the agent keeps working until `task_complete` is called, then returns to interactive mode. See [AUTOTITLE](/copilot/concepts/agents/copilot-cli/autopilot). | | `--available-tools=TOOL ...` | Only these tools will be available to the model. For multiple tools, use a quoted, comma-separated list. See [AUTOTITLE](/copilot/how-tos/copilot-cli/allowing-tools). | | `--banner`, `--no-banner` | Show or hide the startup banner. | | `--bash-env` | Enable `BASH_ENV` support for bash shells. | @@ -295,6 +296,7 @@ For a complete list of available slash commands enter `/help` in the CLI's inter | `--disable-builtin-mcps` | Disable all built-in MCP servers (currently: `github-mcp-server`). | | `--disable-mcp-server=SERVER-NAME` | Disable a specific MCP server (can be used multiple times). | | `--disallow-temp-dir` | Prevent automatic access to the system temporary directory. | +| `--dynamic-retrieval=CATEGORY=on\|off` | Enable or disable embeddings-based dynamic retrieval per category and persist the choice. Supported category: `skills`. Repeatable—for example, `--dynamic-retrieval skills=off`. | | `--effort=LEVEL`, `--reasoning-effort=LEVEL` | Set the reasoning effort level (`low`, `medium`, `high`, `xhigh`, `max`). `max` is the highest-depth tier for Anthropic models. | | `--enable-all-github-mcp-tools` | Enable all {% data variables.product.github %} MCP server tools, instead of the default CLI subset. Overrides the `--add-github-mcp-toolset` and `--add-github-mcp-tool` options. | | `--enable-memory` | Enable memory in prompt mode (disabled by default). | @@ -319,12 +321,14 @@ For a complete list of available slash commands enter `/help` in the CLI's inter | `--no-experimental` | Disable experimental features. | | `--no-mouse` | Disable mouse support. | | `--no-remote` | Disable remote access for this session. | +| `--no-remote-export` | Disable exporting your session to {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_mobile %} (also disables remote control). | | `--output-format=FORMAT` | FORMAT can be `text` (default) or `json` (outputs JSONL: one JSON object per line). | | `-p PROMPT`, `--prompt=PROMPT` | Execute a prompt programmatically (exits after completion). See [AUTOTITLE](/copilot/how-tos/copilot-cli/automate-copilot-cli/run-cli-programmatically). | | `--plan` | Start in plan mode. Shorthand for `--mode plan`. Cannot be combined with `--mode` or `--autopilot`. | | `--plain-diff` | Disable rich diff rendering (syntax highlighting via the diff tool specified by your Git config). | | `--plugin-dir=DIRECTORY` | Load a plugin from a local directory (can be used multiple times). | | `--remote` | Enable remote access to this session from {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_mobile %}. See [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli/steer-remotely). | +| `--remote-export` | Export your session to {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_mobile %} (read-only; does not enable remote control). | | `-r`, `--resume[=VALUE]` | Resume a previous interactive session by choosing from a list. Optionally specify a session ID, ID prefix, or session name. Name matching is exact and case-insensitive; falls back to the auto-generated summary when no explicit name matches. | | `-s`, `--silent` | Output only the agent response (without usage statistics), useful for scripting with `-p`. | | `--screen-reader` | Enable screen reader optimizations. | @@ -334,17 +338,28 @@ For a complete list of available slash commands enter `/help` in the CLI's inter | `--share-gist` | Share a session to a secret {% data variables.product.github %} gist after completion of a programmatic session. | | `--stream=MODE` | Enable or disable streaming mode, which displays {% data variables.product.prodname_copilot_short %}'s response progressively as it is generated rather than waiting for the full response to arrive (mode choices: `on` or `off`, default: `on`). | `-v`, `--version` | Show version information. | +| `-w`, `--worktree[=NAME]` | Create or reuse an isolated Git worktree under `.worktrees/` and start the session inside it. `NAME` is optional—omit it to auto-generate a branch name. Conflicts with `--resume`, `--continue`, and `--connect`. {% data reusables.copilot.experimental %} | | `--yolo` | Enable all permissions (equivalent to `--allow-all`). | For a complete list of commands and options, run `copilot help`. > [!NOTE] -> The `--remote`, `--no-remote`, and `--connect` options require the remote sessions feature to be available on your account. +> The `--remote`, `--no-remote`, `--remote-export`, `--no-remote-export`, and `--connect` options require the remote sessions feature to be available on your account. You can use `--remote` with `--resume ` to resume a remote task locally. This works even when the task was originally created outside a Git repository. > [!NOTE] -> When `permissions.disableBypassPermissionsMode` is set to `"disable"` in your settings, all allow-all flags (`--allow-all-tools`, `--allow-all-paths`, `--allow-all-urls`, `--allow-all`, `--yolo`) are suppressed at startup and cannot be used to grant elevated permissions. +> When `permissions.disableBypassPermissionsMode` is set to `"disable"`, all allow-all flags (`--allow-all-tools`, `--allow-all-paths`, `--allow-all-urls`, `--allow-all`, `--yolo`) are suppressed at startup and cannot be used to grant elevated permissions. + +Three sources can set this restriction, in increasing order of permanence: + +| Source | Scope | Cleared by account switch? | +|--------|-------|---------------------------| +| User settings (`~/.copilot/settings.json`) | Machine | No — applies to all accounts | +| Managed settings (server-fetched per account) | Account | Yes — cleared when switching to a different account that does not disable bypass mode | +| MDM policy (plist/registry/file) | Device | Never — device-level policy that cannot be overridden by account switches | + +For MDM configuration details, see [AUTOTITLE](/copilot/reference/copilot-cli-reference/cli-config-dir-reference#mdm-managed-settings). ## Supported models @@ -392,6 +407,7 @@ The `--available-tools` and `--excluded-tools` options support these values: | `list_agents` | List available agents | | `read_agent` | Check background agent status | | `task` | Run subagents | +| `write_agent` | Send a message to a running agent | ### Other tools @@ -449,7 +465,7 @@ copilot --allow-tool='MyMCP' | `COPILOT_MODEL` | Set the AI model. | | `COPILOT_PROMPT_FRAME` | Set to `1` to enable the decorative UI frame around the input prompt, or `0` to disable it. Overrides the `PROMPT_FRAME` experimental feature flag for the current session. | | `COPILOT_SKILLS_DIRS` | Comma-separated list of additional directories for skills. | -| `COPILOT_SUBAGENT_MAX_CONCURRENT` | Maximum concurrent subagents across the entire session tree. Default: `32`. Range: `1`–`256`. | +| `COPILOT_SUBAGENT_MAX_CONCURRENT` | Maximum concurrent subagents across the entire session tree. Default varies by plan (see [Subagent limits](#subagent-limits)). Range: `1`–`256`. | | `COPILOT_SUBAGENT_MAX_DEPTH` | Maximum subagent nesting depth. Default: `6`. Range: `1`–`256`. | | `GH_HOST` | {% data variables.product.github %} hostname for both {% data variables.product.prodname_cli %} and {% data variables.copilot.copilot_cli_short %} (default: `github.com`). Set to your {% data variables.product.prodname_ghe_cloud %} with data residency hostname. Override with `COPILOT_GH_HOST` for {% data variables.copilot.copilot_cli_short %} only. | | `GH_TOKEN` | Authentication token. Takes precedence over `GITHUB_TOKEN`. | @@ -503,8 +519,8 @@ Use `copilot mcp` to manage MCP server configurations from the command line with | Subcommand | Description | |------------|-------------| -| `list [--json]` | List all configured MCP servers grouped by source. | -| `get [--json]` | Show configuration and tools for a specific server. | +| `list [--json]` | List all configured MCP servers grouped by source, including plugin-provided servers. | +| `get [--json]` | Show configuration and tools for a specific server. For plugin-provided servers, also shows the source plugin name and version. | | `add ` | Add a server to the user configuration. Writes to `~/.copilot/mcp-config.json`. | | `remove ` | Remove a user-level server. Workspace servers must be edited in their configuration files directly. | @@ -544,6 +560,7 @@ Use `copilot mcp` to manage MCP server configurations from the command line with | `cwd` | No | Working directory for the server. | | `timeout` | No | Tool call timeout in milliseconds. | | `type` | No | `"local"` or `"stdio"`. Default: `"local"`. | +| `deferTools` | No | `"auto"` (default) or `"never"`. Set to `"never"` to keep this server's tools always visible even when tool search is active. | ### Private npm registry @@ -579,6 +596,7 @@ The `--registry` flag and other npm config flags (`--userconfig`, `--globalconfi | `oauthGrantType` | No | OAuth grant type: `"authorization_code"` (default, browser-based flow) or `"client_credentials"` (fully headless, no browser or callback). | | `oidc` | No | Enable OIDC token injection. When `true`, the CLI injects OIDC tokens for any `GITHUB_COPILOT_OIDC_MCP_TOKEN` or `GITHUB_COPILOT_OIDC_MCP_TOKEN_` variable referenced in the server's `env` block (local servers), or sends the token as a `Bearer` `Authorization` header (remote servers). For local servers, prefer suffixed variants (for example, `${GITHUB_COPILOT_OIDC_MCP_TOKEN_MY_SVC}`) to assign a unique variable name per server. | | `timeout` | No | Tool call timeout in milliseconds. | +| `deferTools` | No | `"auto"` (default) or `"never"`. Set to `"never"` to keep this server's tools always visible even when tool search is active. | ### OAuth re-authentication @@ -670,6 +688,18 @@ MCP servers are loaded from multiple sources, each with a different trust level. All MCP tool invocations require explicit permission. This applies even to read-only operations on external services. +### MCP server loading priority + +MCP servers from different sources are merged in priority order (highest first). When servers share a name, the higher-priority source takes precedence. + +1. `--additional-mcp-config` flag (highest) +1. Plugin-provided servers +1. Workspace servers—`.mcp.json` and `.github/mcp.json` loaded from the working directory upward to the Git root; requires the folder to be trusted +1. `~/.copilot/mcp-config.json` (lowest) + +> [!NOTE] +> Workspace MCP servers (`.mcp.json` and `.github/mcp.json`) are loaded in both interactive and SDK server-mode sessions, provided the working directory is trusted. For more information about folder trust, see [AUTOTITLE](/copilot/how-tos/copilot-cli/allowing-tools). + ### Enterprise MCP allowlist {% data variables.product.prodname_enterprise %} organizations can enforce an allowlist of permitted MCP servers. When active, the CLI evaluates each non-default server against the enterprise policy before connecting. @@ -721,6 +751,7 @@ Skills are Markdown files that extend what the CLI can do. Each skill lives in i |-------|------|----------|-------------| | `name` | string | Yes | Unique identifier for the skill. Letters, numbers, and hyphens only. Max 64 characters. | | `description` | string | Yes | What the skill does and when to use it. Max 1024 characters. | +| `argument-hint` | string | No | Freeform hint describing expected arguments, shown in the skill picker (for example, `"[target] [mode]"`). | | `allowed-tools` | string or string[] | No | Comma-separated list or YAML array of tools that are automatically allowed when the skill is active. Use `"*"` for all tools. | | `user-invocable` | boolean | No | Whether users can invoke the skill with `/SKILL-NAME`. Default: `true`. | | `disable-model-invocation` | boolean | No | Prevent the agent from automatically invoking this skill. Default: `false`. | @@ -740,10 +771,13 @@ Skills are loaded from these locations in priority order (first found wins for d | Plugin directories | Plugin | Skills from installed plugins. | | `COPILOT_SKILLS_DIRS` | Custom | Additional directories (comma-separated). | | (bundled with CLI) | Built-in | Skills shipped with the CLI. Lowest priority—overridable by any other source. | +| (org/enterprise) | Remote | Skills hosted by your organization or enterprise, projected via the AHP relay. Content is fetched on demand when the skill is invoked. | + +Remote skills are projected alongside local skills and follow the same name-based priority when a local skill has the same name. ### Commands (alternative skill format) -Commands are an alternative to skills stored as individual `.md` files in `.claude/commands/`. The command name is derived from the filename. Command files use a simplified format (no `name` field required) and support `description`, `allowed-tools`, and `disable-model-invocation`. Commands have lower priority than skills with the same name. +Commands are an alternative to skills stored as individual `.md` files in `.claude/commands/`. The command name is derived from the filename. Command files use a simplified format (no `name` field required) and support `argument-hint`, `description`, `allowed-tools`, and `disable-model-invocation`. Commands have lower priority than skills with the same name. ## Custom agents reference @@ -753,11 +787,12 @@ Custom agents are specialized AI agents defined in Markdown files. The filename | Agent | Default model | Description | |-------|--------------|-------------| -| `code-review` | claude-sonnet-4.5 | High signal-to-noise code review. Analyzes diffs for bugs, security issues, and logic errors. | +| `code-review` | claude-sonnet-4.5 | High signal-to-noise code review. Analyzes diffs for bugs, security issues, and logic errors. Will not modify code. | | `explore` | claude-haiku-4.5 | Fast codebase exploration. Searches files, reads code, and answers questions. Returns focused answers under 300 words. Safe to run in parallel. | | `general-purpose` | claude-sonnet-4.5 | Full-capability agent for complex multi-step tasks. Runs in a separate context window. | -| `research` | claude-sonnet-4.6 | Deep research agent. Generates a report based on information in your codebase, in relevant repositories, and on the web. | +| `research` | claude-haiku-4.5 | Executes thorough searches based on instructions. Searches {% data variables.product.github %} repositories, fetches files, verifies claims, and reports detailed findings with citations. | | `rubber-duck` | complementary model | Use a complementary model to provide a constructive critique of proposals, designs, implementations, or tests. Identifies weak points and suggests improvements. See [AUTOTITLE](/copilot/concepts/agents/copilot-cli/rubber-duck). | +| `security-review` | claude-sonnet-4.5 | Security-focused code review. Analyzes changes for high-confidence vulnerabilities across 11 categories. Only flags issues with >80% confidence of exploitability. Reports severity and confidence scores. Will not modify code. | | `task` | claude-haiku-4.5 | Command execution (tests, builds, lints). Returns brief summary on success, full output on failure. | ### Custom agent frontmatter fields @@ -781,6 +816,58 @@ Custom agents are specialized AI agents defined in Markdown files. The filename For project-scoped agents, the CLI walks upward from your current working directory to the Git root, loading `.github/agents/` and `.claude/agents/` directories at each ancestor level. This means each package or subdirectory in a monorepo can contribute its own agents. When multiple `.github/agents/` directories exist in the path, all are loaded, with the deepest directory taking highest priority. The `.github/agents/` convention takes precedence over `.claude/agents/` at the same level. User-level agents have lower priority than project-level agents. Plugin agents have the lowest priority. +### Agent communication + +Use `list_agents` and `write_agent` inside custom agents to inspect nearby agents and coordinate work in a multi-agent session. + +#### Relation labels in `list_agents` + +Relation labels identify how visible agents relate to the current agent. Labels appear when a subagent runs inside a parent session with shared sibling communication enabled. + +| Label | Meaning | Use it to | +|-------|---------|-----------| +| `"self"` | The current agent | Confirm which entry represents the active agent | +| `"sibling"` | An agent launched by the same parent | Coordinate with peer agents through `write_agent` | +| `"child"` | An agent launched by the current agent | Track follow-up work delegated from the current agent | + +#### Scoped listing + +Use `scope` on `list_agents` to narrow the list before choosing targets. + +| `scope` value | Returns | Use it to | +|---------------|---------|-----------| +| omitted | Nearby agents in the current context | See the default working set for the current workflow | +| `"siblings"` | Only sibling agents | Find peer agents launched by the same parent | +| `"children"` | Only child agents of the current agent | Review work delegated from the current agent | +| `"all"` | All visible agents | Inspect the full session tree without using it for coordination | + +In single-agent sessions, the default view centers on child agents. In multi-agent sessions, the default view shows the immediate local context instead of the entire tree. + +```text +list_agents(scope="siblings") +list_agents(scope="children") +list_agents(scope="all") +``` + +#### Scoped messaging + +Use `scope` on `write_agent` to broadcast one message to multiple related agents. + +Use scoped messaging only from a subagent running inside a parent session with shared sibling communication enabled. In top-level sessions, target agents with explicit `agent_id` values instead. + +| `scope` value | Sends to | Use it to | +|---------------|----------|-----------| +| `"siblings"` | All visible sibling agents | Coordinate peer work in a shared session | +| `"children"` | All child agents of the current agent | Send the same follow-up to delegated work | + +If a scope matches too many agents, `write_agent` returns an error and asks for explicit `agent_id` values from `list_agents` instead. + +```text +write_agent(scope="children", message="Re-check your findings against the updated schema.") +write_agent(scope="siblings", message="Post status when your current check completes.") +write_agent(agent_id="explore-auth", message="Focus on token refresh flow and report only confirmed issues.") +``` + ### Subagent limits The CLI enforces depth and concurrency limits to prevent runaway agent spawning. @@ -788,10 +875,60 @@ The CLI enforces depth and concurrency limits to prevent runaway agent spawning. | Limit | Default | Environment variable | |-------|---------|---------------------| | Max depth | `6` | `COPILOT_SUBAGENT_MAX_DEPTH` | -| Max concurrent | `32` | `COPILOT_SUBAGENT_MAX_CONCURRENT` | **Depth** counts how many agents are nested within one another. When the depth limit is reached, the innermost agent cannot spawn further subagents. **Concurrency** counts how many subagents are running simultaneously across the entire session tree. When the limit is reached, new subagent requests are rejected until an active agent completes. Values are clamped between `1` and `256`. +The default concurrency limit depends on your {% data variables.product.prodname_copilot_short %} plan: + +| Plan | Max concurrent | +|------|---------------| +| Free / Education | `2` | +| Pro / Pro+ | `4` | +| Max | `8` | +| Business | `16` | +| Enterprise | `32` | +| Usage-based billing | `32` | + +Override the concurrency limit by setting the `COPILOT_SUBAGENT_MAX_CONCURRENT` environment variable before starting the CLI. + +## Sidekick agents + +Sidekick agents run automatically in the background and publish context into the session inbox. They respond to session events rather than being explicitly invoked. + +Add a `sidekick:` block to any agent definition to make it a sidekick agent: + +```yaml +--- +name: Context Gatherer +description: Gathers relevant context when the working directory changes +sidekick: + triggers: + - session.context_changed + behavior: persistent + maxSendsPerTurn: 2 +--- + +Gather useful context about the current repository and working directory. +Summarize recent changes and any relevant project structure. +``` + +### Sidekick triggers + +| Event | Description | +|-------|-------------| +| `user.message` | Fires on every user message. | +| `session.context_changed` | Fires when the working directory, repository, or branch changes (for example, after `cd` or switching Git branches). | + +### Sidekick configuration fields + +| Field | Type | Default | Description | +|-------|------|---------|-------------| +| `triggers` | `string[]` | Required | Session event types that launch this agent. At least one trigger is required. | +| `behavior` | `string` | `"restart"` | `"restart"`: cancel any prior run and start fresh on each trigger. `"persistent"`: keep the same long-lived run alive and deliver new messages into the existing loop instead of relaunching. | +| `maxSendsPerTurn` | `number` | `1` | Maximum inbox sends allowed per trigger. In `"persistent"` mode, each delivered user message resets this budget. | + +The `"restart"` behavior is suited to stateless context-gathering agents. The `"persistent"` behavior is suited to agents that accumulate state across turns. + ## Permission approval responses When the CLI prompts for permission to execute an operation, you can respond with the following keys. diff --git a/content/copilot/reference/copilot-cli-reference/cli-config-dir-reference.md b/content/copilot/reference/copilot-cli-reference/cli-config-dir-reference.md index c77393fa5364..d8ecb86927ea 100644 --- a/content/copilot/reference/copilot-cli-reference/cli-config-dir-reference.md +++ b/content/copilot/reference/copilot-cli-reference/cli-config-dir-reference.md @@ -400,7 +400,19 @@ To override the default `~/.copilot` location, set the `COPILOT_HOME` environmen ## Configuration file settings -Settings cascade from user to repository to local, with more specific scopes overriding more general ones. Command-line options and environment variables always take the highest precedence. +Settings are applied in this order (later overrides earlier): + + +1. Built-in defaults +2. Mobile Device Management (MDM) managed settings +3. User settings (`~/.copilot/settings.json`) +4. Repository settings (`.github/copilot/settings.json`) +5. Local settings (`.github/copilot/settings.local.json`) +6. Environment variables +7. Command-line flags + + +MDM managed settings load at startup and merge with user settings as a policy baseline. For most keys, user settings can override that baseline. For `permissions.disableBypassPermissionsMode`, an MDM value of `"disable"` always wins. For more information, see [MDM managed settings](#mdm-managed-settings). | Scope | Location | Purpose | |-------|----------|---------| @@ -436,6 +448,7 @@ These settings apply across all your sessions and repositories. You can use the | `disableAllHooks` | `boolean` | `false` | Disable all hooks (both repository-level and user-level). | | `disabledMcpServers` | `string[]` | `[]` | MCP server names to disable. Listed servers are configured but not started. | | `disabledSkills` | `string[]` | `[]` | Skill names to disable. Listed skills are discovered but not loaded. | +| `dynamicRetrieval` | `{ skills?: boolean }` | unset | Per-category control of embeddings-based dynamic instruction retrieval. Set `skills` to `false` to disable retrieval for skills. Can also be set with `--dynamic-retrieval` (for example, `--dynamic-retrieval skills=off`); using the flag persists the preference to this file. | | `effortLevel` | `string` | `"medium"` | Reasoning effort level for extended thinking: `"low"`, `"medium"`, `"high"`, or `"xhigh"`. Higher levels use more compute. | | `enabledMcpServers` | `string[]` | `[]` | Enable built-in MCP servers that are disabled by default (for example, `"computer-use"`). | | `enabledPlugins` | `Record` | `{}` | Declarative plugin auto-install. Keys are plugin specs; values are `true` (enabled) or `false` (disabled). | @@ -453,11 +466,14 @@ These settings apply across all your sessions and repositories. You can use the | `mouse` | `boolean` | `true` | Enable mouse support. Can also be set with `--mouse` or `--no-mouse`. | | `permissions.disableBypassPermissionsMode` | `string` | — | When set to `"disable"`, all allow-all flags (`--allow-all-tools`, `--allow-all-paths`, `--allow-all-urls`, `--allow-all`, `--yolo`) are suppressed at startup and cannot be used to grant elevated permissions. | | `powershellFlags` | `string[]` | `["-NoProfile", "-NoLogo"]` | Flags passed to PowerShell on startup. On Windows, the CLI prefers PowerShell 7+ (`pwsh`) and falls back to Windows PowerShell (`powershell.exe`) when `pwsh` is unavailable. Windows only. | +| `proxyKerberosServicePrincipal` | `string` | unset | Service principal name (SPN) for Kerberos/Negotiate proxy authentication, overriding the derived `HTTP/`. | +| `proxyUrl` | `string` | unset | Proxy URL for HTTP(S) requests (for example, `http://proxy.corp.example:3128`). Overridden by the `HTTP_PROXY` or `HTTPS_PROXY` environment variables (any casing). | | `remote` | `"on"` \| `"off"` | `"on"` | Controls session syncing and remote access. Set to `"off"` to keep session data local only and disable remote control. Can also be set with `--remote` or `--no-remote`. | | `renderMarkdown` | `boolean` | `true` | Render Markdown in terminal output. | | `remoteExport` | `boolean` | `true` | Export sessions remotely when session sync is available. Set to `false` to opt out of remote export by default. The `remoteSessions` setting when set to `true`, or the `--remote` flag, still enables export and steering regardless of this setting. | | `respectGitignore` | `boolean` | `true` | Exclude gitignored files from the `@` file mention picker. When `false`, the picker includes files normally excluded by `.gitignore`. | | `screenReader` | `boolean` | `false` | Enable screen reader optimizations. | +| `scrollbar` | `boolean` | `true` | Show the scrollbar in scrollable views. Set to `false` to hide it and use the full terminal width. | | `showTipsOnStartup` | `boolean` | `true` | Show a random command tip when the CLI starts. | | `skillDirectories` | `string[]` | `[]` | Additional directories to search for custom skill definitions (in addition to `~/.copilot/skills/`). | | `statusLine` | `object` | — | Custom status line display. `type`: must be `"command"`. `command`: path to an executable script that receives session JSON on stdin and prints status content to stdout. `padding`: optional number of left-padding spaces. | @@ -465,12 +481,13 @@ These settings apply across all your sessions and repositories. You can use the | `stream` | `boolean` | `true` | Enable streaming responses. | | `streamerMode` | `boolean` | `false` | Hide preview model names and quota details. Useful when demonstrating {% data variables.copilot.copilot_cli_short %} or screen sharing. | | `subagents.agents` | `object` | `{}` | Per-agent model configuration, keyed by agent name. Each value is an object with optional `model` (string), `effortLevel` (string), and `contextTier` (`"default"`, `"long_context"`, or `"inherit"`) fields. Set any field to `"inherit"` to use the parent session's value at dispatch time. Use the `/subagents` slash command to configure these settings interactively. | -| `subagents.disabledSubagents` | `string[]` | `[]` | Agent names to prevent from being dispatched. The `explore`, `task`, and `rubber-duck` agents cannot be disabled. | +| `subagents.disabledSubagents` | `string[]` | `[]` | Agent names to prevent from being dispatched. Only the `rubber-duck` agent cannot be disabled via this setting. All other built-in agents—including `explore`, `task`, `code-review`, `general-purpose`, `research`, and `security-review`—can be disabled. | | `tabs.enabled` | `boolean` | `true` | Show the home tab bar. Set to `false` to hide it entirely. | | `tabs.hide` | `string[]` | `[]` | Tab identifiers to hide. Accepted values: `"copilot"`, `"agents"`, `"issues"`, `"pull-requests"`, `"gists"` (matched case-insensitively). | | `tabs.sort` | `string[]` | `[]` | Order in which tabs are displayed. Tabs not listed keep their default relative order after the listed ones. Unknown identifiers are ignored. | | `terminalProgress` | `boolean` | `true` | Emit OSC 9;4 terminal progress indicators while the agent is working. Supported terminals include Windows Terminal, iTerm2, Ghostty, and ConEmu. | | `theme` | `"auto"` \| `"dark"` \| `"light"` | `"auto"` | Terminal color theme. `"auto"` detects the terminal background and chooses accordingly. | +| `toolSearch` | `boolean` | model- and feature-dependent | Controls tool search (deferred tool loading). Set `toolSearch: false` to opt out of tool search. | | `updateTerminalTitle` | `boolean` | `true` | Show the current intent in the terminal tab or window title. | ### Repository settings (`.github/copilot/settings.json`) @@ -497,6 +514,49 @@ Create `.github/copilot/settings.local.json` in the repository for personal over The local configuration file uses the same schema as the repository configuration file (`.github/copilot/settings.json`) and takes precedence over it. +## MDM managed settings + +IT administrators can push baseline policy using Mobile Device Management (MDM) managed settings instead of requiring per-user configuration. These settings apply device-level defaults for supported keys and load before user settings. + +### MDM managed settings sources + +{% data variables.copilot.copilot_cli_short %} reads managed settings from platform-specific MDM or file-based locations. + +| Platform | Source type | Location | +|----------|-------------|---------| +| macOS | MDM plist | `com.github.copilot` | +| macOS | File | `/Library/Application Support/GitHubCopilot/managed-settings.json` | +| Windows | MDM registry | `HKLM\SOFTWARE\Policies\GitHubCopilot` | +| Windows | File | `%ProgramFiles%\GitHubCopilot\managed-settings.json` | +| Linux | File | `/etc/github-copilot/managed-settings.json` | + +> [!NOTE] +> On POSIX systems, {% data variables.copilot.copilot_cli_short %} rejects file-based managed settings that are symlinks, not owned by root, or world-writable. + +### File format + +Write file-based managed settings as JSON. + +```json +{ + "permissions": { + "disableBypassPermissionsMode": "disable" + } +} +``` + +### Supported keys + +Only the following keys are supported in MDM managed settings. + +| Key | Description | +|-----|-------------| +| `enabledPlugins` | Enable or disable specific plugins | +| `extraKnownMarketplaces` | Add trusted plugin marketplaces | +| `model` | Set a default model for all users (overridden by the `--model` flag or a resumed-session model) | +| `permissions` | Set managed permissions, including `disableBypassPermissionsMode` | +| `strictKnownMarketplaces` | Restrict plugins to known marketplaces | + ## Further reading * [AUTOTITLE](/copilot/how-tos/copilot-cli) diff --git a/content/copilot/reference/copilot-cli-reference/cli-plugin-reference.md b/content/copilot/reference/copilot-cli-reference/cli-plugin-reference.md index 95cbb6389ff3..1461723da821 100644 --- a/content/copilot/reference/copilot-cli-reference/cli-plugin-reference.md +++ b/content/copilot/reference/copilot-cli-reference/cli-plugin-reference.md @@ -184,7 +184,7 @@ For more information, see [AUTOTITLE](/copilot/how-tos/copilot-cli/customize-cop | `agents` | string \| string[] | No | Path(s) to agent directories. | | `skills` | string \| string[] | No | Path(s) to skill directories. | | `hooks` | string \| object | No | Path to hooks config or inline hooks object. | -| `mcpServers` | string \| object | No | Path to MCP config or inline server definitions. | +| `mcpServers` | string \| object | No | MCP servers to activate when the plugin is installed. Accepts an inline server map or a path to a JSON config file. Used when the plugin source does not ship its own MCP configuration. | | `lspServers` | string \| object | No | Path to LSP config or inline server definitions. | | `strict` | boolean | No | When `true` (the default), plugins must conform to the full schema and validation rules. When `false`, relaxed validation is used, allowing more flexibility—especially for direct installs or legacy plugins. | diff --git a/content/copilot/reference/hooks-reference.md b/content/copilot/reference/hooks-reference.md index 5dad6354ab14..9089411e6dbc 100644 --- a/content/copilot/reference/hooks-reference.md +++ b/content/copilot/reference/hooks-reference.md @@ -364,7 +364,7 @@ Payloads for PascalCase `PreToolUse` report `tool_name` as the Claude tool name Tools with no Claude equivalent keep their runtime names. > [!IMPORTANT] -> **Command vs HTTP fail behavior for `preToolUse`:** Command `preToolUse` hooks are **fail-closed**—a crash or non-zero exit denies the tool call. HTTP `preToolUse` hooks are **fail-open**—a network error, timeout, or non-2xx response falls through to the default permission flow. Choose the variant that matches your security requirements. +> **Command vs HTTP fail behavior for `preToolUse`:** Command `preToolUse` hooks are **fail-closed** on errors—a crash or non-zero exit denies the tool call. Command hook **timeouts are fail-open**—a timed-out hook surfaces a warning and lets the tool call proceed through the normal permission flow. HTTP `preToolUse` hooks are **fail-open**—a network error, timeout, or non-2xx response falls through to the default permission flow. Choose the variant that matches your security requirements. ### `postToolUse` / `PostToolUse` @@ -460,7 +460,7 @@ Tools with no Claude equivalent keep their runtime names. ### `subagentStart` > [!NOTE] -> The built-in `general-purpose` agent does not emit `subagentStart` or `subagentStop` events. +> The built-in `general-purpose` agent does not emit `subagentStart` or `subagentStop` events. All other built-in YAML-based agents—including `explore`, `task`, `code-review`, `rubber-duck`, `research`, and `security-review`—and user-defined custom agents emit these events. **Input:** @@ -720,7 +720,7 @@ Several events accept an optional `matcher` regex on each hook entry that filter | `view` | Read file contents. | | `web_fetch` | Fetch web pages. | -If multiple hooks of the same type are configured, they execute in order. For `preToolUse`, if any hook returns `"deny"`, the tool is blocked. For most events, hook failures (non-zero exit codes other than `2`, or timeouts) are logged and skipped. **Exception: `preToolUse` is fail-closed**—a crash, non-zero exit (other than exit 2), or timeout denies the tool call rather than silently allowing it. +If multiple hooks of the same type are configured, they execute in order. For `preToolUse`, if any hook returns `"deny"`, the tool is blocked. For most events, hook failures (non-zero exit codes other than `2`, or timeouts) are logged and skipped. **Exception: `preToolUse` command hooks are fail-closed on errors**—a crash or non-zero exit (other than exit 2) denies the tool call. Timeouts for `preToolUse` command hooks are fail-open: a warning is surfaced and the tool call proceeds through the normal permission flow. ## Exit codes for command hooks @@ -729,9 +729,9 @@ If multiple hooks of the same type are configured, they execute in order. For `p | `0` | Success. `stdout` is parsed as the hook output JSON if present. | | `2` | Treated as a warning by default. `stderr` is surfaced to the user but the run continues. For `permissionRequest`, exit `2` is treated as `{"behavior":"deny"}` and any `stdout` JSON is merged in. For `postToolUseFailure`, exit `2` is treated as `additionalContext` and `stdout` is appended to the failure shown to the agent. | | Other non-zero | Logged as a hook failure. The run continues (fail-open). **Exception: `preToolUse` is fail-closed**—a non-zero exit (other than exit 2) denies the tool call with `"Denied by preToolUse hook (hook errored)"`. | -| Timeout | Killed after `timeoutSec`. Error logged, agent continues. **Exception: `preToolUse` is fail-closed**—timeout denies the tool call. | +| Timeout | Killed after `timeoutSec`. Error logged, agent continues. **Exception: `preToolUse` command hooks fail-open on timeout**—a warning is surfaced and the tool call proceeds through the normal permission flow rather than being denied. A crashed or explicitly-denying hook still fails-closed. | -For most events, non-zero exits and timeouts are logged and skipped—agent execution continues. `preToolUse` is the exception: errors, crashes, and timeouts deny the tool call rather than silently allowing it. This prevents a brittle hook from being bypassed when hook input triggers an unexpected crash. Exit 2 is handled per the rules above and does not block execution. +For most events, non-zero exits and timeouts are logged and skipped—agent execution continues. For `preToolUse` command hooks, crashes and non-zero exits (other than exit 2) fail-closed and deny the tool call, but **timeouts fail-open**—a slow or unreachable hook must not silently block tool calls. Exit 2 is handled per the rules above and does not block execution. ## Disable all hooks diff --git a/content/get-started/using-github/supported-browsers.md b/content/get-started/using-github/supported-browsers.md index d1ee961adce1..71f2262261df 100644 --- a/content/get-started/using-github/supported-browsers.md +++ b/content/get-started/using-github/supported-browsers.md @@ -41,3 +41,17 @@ In earlier extended support releases, {% data variables.product.github %} may no ## {% data variables.release-phases.public_preview_caps %} and developer builds You may encounter unexpected bugs in {% data variables.release-phases.public_preview %} and developer builds of our supported browsers. If you encounter a bug on {% data variables.product.github %} in one of these unreleased builds, please verify that it also exists in the stable version of the same browser. If the bug only exists in the unstable version, consider reporting the bug to the browser developer. + +## Troubleshooting browser behavior + +Even when you use a supported browser, software or settings on your device or your network configuration can change how {% data variables.product.github %} behaves. If you experience unexpected behavior, try the following steps to identify possible causes. + +* **Disable browser extensions and plug-ins.** Content blockers, ad blockers, and other third-party extensions can alter or block expected functionality. Disable them, or test in a private or incognito window with extensions turned off. +* **Check for a proxy, firewall, or content filter.** Network devices such as proxies, firewalls, or content filters, including any that inspect Transport Layer Security (TLS) traffic, can modify or block requests to {% data variables.product.github %}. If possible, retest on a network without these devices. +* **Disconnect from your virtual private network (VPN).** A VPN can route your traffic through proxies, firewalls, or inspection services that alter or block requests. If possible, disconnect from the VPN and retest. +* **Check your antivirus or endpoint security software.** Web protection, HTTPS scanning, or similar features in antivirus and endpoint security software can alter page behavior. Temporarily disable these features if your organization's policies allow, and retest. +* **Clear your cache and cookies.** Stale or cached assets from a previous session can cause unexpected behavior. Alternatively, test in a fresh private or incognito window. +* **Retest in a different supported browser.** This helps you determine whether the issue is specific to one browser or environment. +* **Try a different device or network.** Testing from another device, or from a different network such as a mobile connection, helps you determine whether the issue is specific to your device or network. + +If the behavior continues after you rule out these factors, your network or system administrators may be able to provide further assistance, as they manage settings such as proxies, firewalls, and content filters. If the issue persists, contact {% data variables.contact.contact_support %}. diff --git a/data/features/open-source-license-compliance.yml b/data/features/open-source-license-compliance.yml new file mode 100644 index 000000000000..dae8c8b56fd1 --- /dev/null +++ b/data/features/open-source-license-compliance.yml @@ -0,0 +1,4 @@ +# Open source license compliance (public preview) +versions: + fpt: '*' + ghec: '*' diff --git a/data/reusables/code-security/open-source-license-compliance-public-preview-note.md b/data/reusables/code-security/open-source-license-compliance-public-preview-note.md new file mode 100644 index 000000000000..8344f83db946 --- /dev/null +++ b/data/reusables/code-security/open-source-license-compliance-public-preview-note.md @@ -0,0 +1,2 @@ +> [!NOTE] +> Open source license compliance is in {% data variables.release-phases.public_preview %} and subject to change. diff --git a/data/tables/copilot/model-comparison.yml b/data/tables/copilot/model-comparison.yml index 2cdb98ccf8f9..0ab19e0b16db 100644 --- a/data/tables/copilot/model-comparison.yml +++ b/data/tables/copilot/model-comparison.yml @@ -43,11 +43,6 @@ excels_at: Fast, reliable answers to lightweight coding questions further_reading: '[Claude Haiku 4.5 model card](https://assets.anthropic.com/m/99128ddd009bdcb/Claude-Haiku-4-5-System-Card.pdf)' -- name: Claude Opus 4.6 (fast mode) (preview) - task_area: Deep reasoning and debugging - excels_at: Complex problem-solving challenges, sophisticated reasoning - further_reading: 'Not available' - - name: Claude Opus 4.7 task_area: Deep reasoning and debugging excels_at: Complex problem-solving challenges, sophisticated reasoning @@ -58,6 +53,11 @@ excels_at: Complex problem-solving challenges, sophisticated reasoning further_reading: 'Not available' +- name: Claude Opus 4.8 (fast mode) (preview) + task_area: Deep reasoning and debugging + excels_at: Complex problem-solving challenges, sophisticated reasoning + further_reading: 'Not available' + - name: Claude Sonnet 4.5 task_area: General-purpose coding and agent tasks excels_at: Complex problem-solving challenges, sophisticated reasoning diff --git a/data/tables/copilot/model-deprecation-history.yml b/data/tables/copilot/model-deprecation-history.yml index c93d67cfc6c5..b1366710b097 100644 --- a/data/tables/copilot/model-deprecation-history.yml +++ b/data/tables/copilot/model-deprecation-history.yml @@ -11,6 +11,10 @@ # - retirement_date: The official retirement date for the model (YYYY-MM-DD). # - suggested_alternative: The model recommended for migration. +- name: 'Claude Opus 4.6 (fast mode) (preview)' + retirement_date: '2026-06-29' + suggested_alternative: 'Claude Opus 4.8 (fast mode) (preview)' + - name: 'GPT-4.1' retirement_date: '2026-06-01' suggested_alternative: 'GPT-5.5' diff --git a/data/tables/copilot/model-release-status.yml b/data/tables/copilot/model-release-status.yml index 17362c3949e6..b291035bf752 100644 --- a/data/tables/copilot/model-release-status.yml +++ b/data/tables/copilot/model-release-status.yml @@ -52,10 +52,6 @@ provider: 'Anthropic' release_status: 'GA' -- name: 'Claude Opus 4.6 (fast mode) (preview)' - provider: 'Anthropic' - release_status: 'Public preview' - - name: 'Claude Opus 4.7' provider: 'Anthropic' release_status: 'GA' @@ -64,6 +60,10 @@ provider: 'Anthropic' release_status: 'GA' +- name: 'Claude Opus 4.8 (fast mode) (preview)' + provider: 'Anthropic' + release_status: 'GA' + - name: 'Claude Fable 5' provider: 'Anthropic' release_status: 'GA' diff --git a/data/tables/copilot/model-supported-clients.yml b/data/tables/copilot/model-supported-clients.yml index fb6d267fb538..f5f9fbe6c10b 100644 --- a/data/tables/copilot/model-supported-clients.yml +++ b/data/tables/copilot/model-supported-clients.yml @@ -41,15 +41,6 @@ xcode: true jetbrains: true -- name: Claude Opus 4.6 (fast mode) (preview) - dotcom: false - cli: true - vscode: true - vs: false - eclipse: false - xcode: false - jetbrains: false - - name: Claude Opus 4.7 dotcom: true cli: true @@ -68,6 +59,15 @@ xcode: true jetbrains: true +- name: Claude Opus 4.8 (fast mode) (preview) + dotcom: false + cli: true + vscode: true + vs: true + eclipse: true + xcode: true + jetbrains: true + - name: Claude Fable 5 dotcom: true cli: true diff --git a/data/tables/copilot/model-supported-plans.yml b/data/tables/copilot/model-supported-plans.yml index 6af1594d90ba..f3d3e95e7310 100644 --- a/data/tables/copilot/model-supported-plans.yml +++ b/data/tables/copilot/model-supported-plans.yml @@ -33,21 +33,21 @@ business: true enterprise: true -- name: Claude Opus 4.6 (fast mode) (preview) +- name: Claude Opus 4.7 pro: false - pro_plus: false - max: false - business: false + pro_plus: true + max: true + business: true enterprise: true -- name: Claude Opus 4.7 +- name: Claude Opus 4.8 pro: false pro_plus: true max: true business: true enterprise: true -- name: Claude Opus 4.8 +- name: Claude Opus 4.8 (fast mode) (preview) pro: false pro_plus: true max: true diff --git a/data/tables/copilot/models-and-pricing.yml b/data/tables/copilot/models-and-pricing.yml index 2d34cc90d5db..dd6592b523ea 100644 --- a/data/tables/copilot/models-and-pricing.yml +++ b/data/tables/copilot/models-and-pricing.yml @@ -171,6 +171,15 @@ output: $25.00 cache_write: $6.25 +- model: Claude Opus 4.8 (fast mode) (preview) + provider: anthropic + release_status: GA + category: Powerful + input: $10.00 + cached_input: $1.00 + output: $50.00 + cache_write: $12.50 + - model: Claude Fable 5 provider: anthropic release_status: GA diff --git a/data/variables/copilot.yml b/data/variables/copilot.yml index 892964886ae6..2e05c6c4ead3 100644 --- a/data/variables/copilot.yml +++ b/data/variables/copilot.yml @@ -194,6 +194,7 @@ copilot_claude_opus_46: 'Claude Opus 4.6' copilot_claude_opus_46_fast: 'Claude Opus 4.6 (fast mode) (preview)' copilot_claude_opus_47: 'Claude Opus 4.7' copilot_claude_opus_48: 'Claude Opus 4.8' +copilot_claude_opus_48_fast: 'Claude Opus 4.8 (fast mode) (preview)' copilot_claude_fable_5: 'Claude Fable 5' copilot_claude_sonnet: 'Claude Sonnet' copilot_claude_sonnet_35: 'Claude Sonnet 3.5' diff --git a/eslint.config.ts b/eslint.config.ts index 6d8b3b18aae0..0be658ea7314 100644 --- a/eslint.config.ts +++ b/eslint.config.ts @@ -231,7 +231,7 @@ export default [ }, }, - // Allow role="list" on list-style:none
    elements in these TOC components. + // Allow role="list" on list-style:none
      elements in these components. // Chromium drops the implicit `list` role from the accessibility tree when // list-style:none is set, so NVDA/JAWS lose list semantics; role="list" restores // them and is not actually redundant here. See github/accessibility-audits#16815. @@ -239,6 +239,10 @@ export default [ files: [ 'src/frame/components/ui/MiniTocs/MiniTocs.tsx', 'src/landings/components/TableOfContents.tsx', + 'src/frame/components/GenericError.tsx', + 'src/frame/components/page-footer/LegalFooter.tsx', + 'src/landings/components/ProductSelectionCard.tsx', + 'src/release-notes/components/GHESReleaseNotes.tsx', ], rules: { 'jsx-a11y/no-redundant-roles': ['error', { nav: ['navigation'], ul: ['list'] }], diff --git a/src/content-pipelines/state/copilot-cli.sha b/src/content-pipelines/state/copilot-cli.sha index 2a3ead36bf92..ecb47dbfd9f6 100644 --- a/src/content-pipelines/state/copilot-cli.sha +++ b/src/content-pipelines/state/copilot-cli.sha @@ -1 +1 @@ -35dfa8c5f6900218bffb76f6b899a85a4b49534b +d22bd667d8cc283c28bda93ab28a4b8bfd62040c diff --git a/src/code-tabs/lib/languages.ts b/src/content-render/lib/code-languages.ts similarity index 100% rename from src/code-tabs/lib/languages.ts rename to src/content-render/lib/code-languages.ts diff --git a/src/content-render/liquid/codetabs.ts b/src/content-render/liquid/codetabs.ts index 95854a753740..aa7383f085b5 100644 --- a/src/content-render/liquid/codetabs.ts +++ b/src/content-render/liquid/codetabs.ts @@ -1,7 +1,7 @@ import { encode } from 'html-entities' import { TokenizationError, type TagToken, type TopLevelToken } from 'liquidjs' -import { codeLanguages } from '@/code-tabs/lib/languages' +import { codeLanguages } from '@/content-render/lib/code-languages' interface LiquidTemplate { [key: string]: unknown diff --git a/src/events/lib/schema.ts b/src/events/lib/schema.ts index 89447ebdf4b0..cde4a14077b9 100644 --- a/src/events/lib/schema.ts +++ b/src/events/lib/schema.ts @@ -2,7 +2,7 @@ import { languageKeys } from '@/languages/lib/languages-server' import { allVersionKeys } from '@/versions/lib/all-versions' import { productIds } from '@/products/lib/all-products' import { allTools } from '@/tools/lib/all-tools' -import { codeLanguages } from '@/code-tabs/lib/languages' +import { codeLanguages } from '@/content-render/lib/code-languages' import { contentTypesEnum } from '@/frame/lib/frontmatter' const versionPattern = '^\\d+(\\.\\d+)?(\\.\\d+)?$' diff --git a/src/frame/components/CopyButton.tsx b/src/frame/components/CopyButton.tsx new file mode 100644 index 000000000000..f7cc124be2ae --- /dev/null +++ b/src/frame/components/CopyButton.tsx @@ -0,0 +1,68 @@ +import { useCallback, useEffect, useRef, useState } from 'react' +import type { ComponentPropsWithoutRef } from 'react' +import { announce } from '@primer/live-region-element' + +type CopyButtonProps = ComponentPropsWithoutRef<'button'> & { + 'data-clipboard'?: string +} + +// React replacement for the imperative `copy-code.ts` enhancer. The code-block +// header (`content-render/unified/code-header.ts`) emits this button into the +// HTML AST next to a hidden `
      ` holding the raw code.
      +// When the article body is rendered from hast (instead of dangerouslySetInnerHTML),
      +// `MarkdownContent` maps that `
      +  )
      +}
      diff --git a/src/frame/components/GenericError.tsx b/src/frame/components/GenericError.tsx
      index d2b59d47deef..a365375e4a57 100644
      --- a/src/frame/components/GenericError.tsx
      +++ b/src/frame/components/GenericError.tsx
      @@ -67,7 +67,7 @@ export const SimpleFooter = () => {
         return (