From 0fcb2280ed99011190b68751051250ba4435a711 Mon Sep 17 00:00:00 2001 From: "docs-engineering-bot[bot]" <285023527+docs-engineering-bot[bot]@users.noreply.github.com> Date: Wed, 8 Jul 2026 16:58:42 +0000 Subject: [PATCH 1/7] GraphQL schema update (#62193) Co-authored-by: github-merge-queue <118344674+github-merge-queue@users.noreply.github.com> --- src/graphql/data/fpt/category-map.json | 2 + src/graphql/data/fpt/changelog.json | 21 ++++++++ src/graphql/data/fpt/schema-issues.json | 4 +- src/graphql/data/fpt/schema-pulls.json | 62 +++++++++++++++++++++++ src/graphql/data/fpt/schema.docs.graphql | 44 +++++++++++++++- src/graphql/data/ghec/category-map.json | 2 + src/graphql/data/ghec/schema-issues.json | 4 +- src/graphql/data/ghec/schema-pulls.json | 62 +++++++++++++++++++++++ src/graphql/data/ghec/schema.docs.graphql | 44 +++++++++++++++- 9 files changed, 237 insertions(+), 8 deletions(-) diff --git a/src/graphql/data/fpt/category-map.json b/src/graphql/data/fpt/category-map.json index 103ffb6f1d4b..cb4132f5104b 100644 --- a/src/graphql/data/fpt/category-map.json +++ b/src/graphql/data/fpt/category-map.json @@ -806,6 +806,7 @@ "converttodraftevent": "pulls", "convertedfromdraftevent": "pulls", "copilotcodereviewparameters": "pulls", + "dismissalrestriction": "pulls", "headrefdeletedevent": "pulls", "headrefforcepushedevent": "pulls", "headrefrestoredevent": "pulls", @@ -1685,6 +1686,7 @@ "dequeuepullrequestinput": "pulls", "disablepullrequestautomergeinput": "pulls", "dismisspullrequestreviewinput": "pulls", + "dismissalrestrictioninput": "pulls", "draftpullrequestreviewcomment": "pulls", "draftpullrequestreviewthread": "pulls", "enablepullrequestautomergeinput": "pulls", diff --git a/src/graphql/data/fpt/changelog.json b/src/graphql/data/fpt/changelog.json index 2dc883fa6fb3..327dd1641520 100644 --- a/src/graphql/data/fpt/changelog.json +++ b/src/graphql/data/fpt/changelog.json @@ -1,4 +1,25 @@ [ + { + "schemaChanges": [ + { + "title": "The GraphQL schema includes these changes:", + "changes": [ + "

Type DismissalRestriction was added

", + "

Field allowedActors was added to object type DismissalRestriction

", + "

Field enabled was added to object type DismissalRestriction

", + "

Type DismissalRestrictionInput was added

", + "

Input field allowedActors of type '[ID!]was added to input object typeDismissalRestrictionInput'

", + "

Input field enabled of type Boolean! was added to input object type DismissalRestrictionInput

", + "

Input field AddAssigneesToAssignableInput.assigneeIds changed type from '[ID!]!to[ID!]'

", + "

Field dismissalRestriction was added to object type PullRequestParameters

", + "

Input field dismissalRestriction of type DismissalRestrictionInput was added to input object type PullRequestParametersInput

" + ] + } + ], + "previewChanges": [], + "upcomingChanges": [], + "date": "2026-07-08" + }, { "schemaChanges": [ { diff --git a/src/graphql/data/fpt/schema-issues.json b/src/graphql/data/fpt/schema-issues.json index 21d82e7343f3..64be41755e4e 100644 --- a/src/graphql/data/fpt/schema-issues.json +++ b/src/graphql/data/fpt/schema-issues.json @@ -10224,8 +10224,8 @@ }, { "name": "assigneeIds", - "description": "

The ids of actors (users or bots) to add as assignees.

", - "type": "[ID!]!", + "description": "

The ids of actors (users or bots) to add as assignees. Mutually exclusive with assignees.

", + "type": "[ID!]", "id": "id", "href": "/graphql/reference/other#scalar-id", "isDeprecated": false diff --git a/src/graphql/data/fpt/schema-pulls.json b/src/graphql/data/fpt/schema-pulls.json index 7df86ded970d..957084a2015d 100644 --- a/src/graphql/data/fpt/schema-pulls.json +++ b/src/graphql/data/fpt/schema-pulls.json @@ -1961,6 +1961,30 @@ ], "category": "pulls" }, + { + "name": "DismissalRestriction", + "id": "dismissalrestriction", + "href": "/graphql/reference/pulls#object-dismissalrestriction", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "isDeprecated": false, + "fields": [ + { + "name": "allowedActors", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "[ID!]", + "id": "id", + "href": "/graphql/reference/other#scalar-id" + }, + { + "name": "enabled", + "description": "

Whether to restrict review dismissal to specific actors.

", + "type": "Boolean!", + "id": "boolean", + "href": "/graphql/reference/other#scalar-boolean" + } + ], + "category": "pulls" + }, { "name": "HeadRefDeletedEvent", "id": "headrefdeletedevent", @@ -5055,6 +5079,13 @@ "id": "boolean", "href": "/graphql/reference/other#scalar-boolean" }, + { + "name": "dismissalRestriction", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "DismissalRestriction", + "id": "dismissalrestriction", + "href": "/graphql/reference/pulls#object-dismissalrestriction" + }, { "name": "requireCodeOwnerReview", "description": "

Require an approving review in pull requests that modify files that have a designated code owner.

", @@ -9310,6 +9341,30 @@ ], "category": "pulls" }, + { + "name": "DismissalRestrictionInput", + "id": "dismissalrestrictioninput", + "href": "/graphql/reference/pulls#input-object-dismissalrestrictioninput", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "isDeprecated": false, + "inputFields": [ + { + "name": "allowedActors", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "[ID!]", + "id": "id", + "href": "/graphql/reference/other#scalar-id" + }, + { + "name": "enabled", + "description": "

Whether to restrict review dismissal to specific actors.

", + "type": "Boolean!", + "id": "boolean", + "href": "/graphql/reference/other#scalar-boolean" + } + ], + "category": "pulls" + }, { "name": "DraftPullRequestReviewComment", "id": "draftpullrequestreviewcomment", @@ -9708,6 +9763,13 @@ "id": "boolean", "href": "/graphql/reference/other#scalar-boolean" }, + { + "name": "dismissalRestriction", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "DismissalRestrictionInput", + "id": "dismissalrestrictioninput", + "href": "/graphql/reference/pulls#input-object-dismissalrestrictioninput" + }, { "name": "requireCodeOwnerReview", "description": "

Require an approving review in pull requests that modify files that have a designated code owner.

", diff --git a/src/graphql/data/fpt/schema.docs.graphql b/src/graphql/data/fpt/schema.docs.graphql index 0899afab7911..1302ecf172f0 100644 --- a/src/graphql/data/fpt/schema.docs.graphql +++ b/src/graphql/data/fpt/schema.docs.graphql @@ -376,9 +376,9 @@ input AddAssigneesToAssignableInput { assignableId: ID! @possibleTypes(concreteTypes: ["Issue", "PullRequest"], abstractType: "Assignable") """ - The ids of actors (users or bots) to add as assignees. + The ids of actors (users or bots) to add as assignees. Mutually exclusive with `assignees`. """ - assigneeIds: [ID!]! + assigneeIds: [ID!] @possibleTypes( concreteTypes: ["Bot", "EnterpriseUserAccount", "Mannequin", "Organization", "User"] abstractType: "Actor" @@ -13559,6 +13559,36 @@ type DismissRepositoryVulnerabilityAlertPayload { repositoryVulnerabilityAlert: RepositoryVulnerabilityAlert } +""" +Specify people, teams, or apps allowed to dismiss pull request reviews. +""" +type DismissalRestriction @docsCategory(name: "pulls") { + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + allowedActors: [ID!] + + """ + Whether to restrict review dismissal to specific actors. + """ + enabled: Boolean! +} + +""" +Specify people, teams, or apps allowed to dismiss pull request reviews. +""" +input DismissalRestrictionInput @docsCategory(name: "pulls") { + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + allowedActors: [ID!] + + """ + Whether to restrict review dismissal to specific actors. + """ + enabled: Boolean! +} + """ A draft issue within a project. """ @@ -44339,6 +44369,11 @@ type PullRequestParameters @docsCategory(name: "pulls") { """ dismissStaleReviewsOnPush: Boolean! + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + dismissalRestriction: DismissalRestriction + """ Require an approving review in pull requests that modify files that have a designated code owner. """ @@ -44382,6 +44417,11 @@ input PullRequestParametersInput @docsCategory(name: "pulls") { """ dismissStaleReviewsOnPush: Boolean! + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + dismissalRestriction: DismissalRestrictionInput + """ Require an approving review in pull requests that modify files that have a designated code owner. """ diff --git a/src/graphql/data/ghec/category-map.json b/src/graphql/data/ghec/category-map.json index 103ffb6f1d4b..cb4132f5104b 100644 --- a/src/graphql/data/ghec/category-map.json +++ b/src/graphql/data/ghec/category-map.json @@ -806,6 +806,7 @@ "converttodraftevent": "pulls", "convertedfromdraftevent": "pulls", "copilotcodereviewparameters": "pulls", + "dismissalrestriction": "pulls", "headrefdeletedevent": "pulls", "headrefforcepushedevent": "pulls", "headrefrestoredevent": "pulls", @@ -1685,6 +1686,7 @@ "dequeuepullrequestinput": "pulls", "disablepullrequestautomergeinput": "pulls", "dismisspullrequestreviewinput": "pulls", + "dismissalrestrictioninput": "pulls", "draftpullrequestreviewcomment": "pulls", "draftpullrequestreviewthread": "pulls", "enablepullrequestautomergeinput": "pulls", diff --git a/src/graphql/data/ghec/schema-issues.json b/src/graphql/data/ghec/schema-issues.json index 21d82e7343f3..64be41755e4e 100644 --- a/src/graphql/data/ghec/schema-issues.json +++ b/src/graphql/data/ghec/schema-issues.json @@ -10224,8 +10224,8 @@ }, { "name": "assigneeIds", - "description": "

The ids of actors (users or bots) to add as assignees.

", - "type": "[ID!]!", + "description": "

The ids of actors (users or bots) to add as assignees. Mutually exclusive with assignees.

", + "type": "[ID!]", "id": "id", "href": "/graphql/reference/other#scalar-id", "isDeprecated": false diff --git a/src/graphql/data/ghec/schema-pulls.json b/src/graphql/data/ghec/schema-pulls.json index 7df86ded970d..957084a2015d 100644 --- a/src/graphql/data/ghec/schema-pulls.json +++ b/src/graphql/data/ghec/schema-pulls.json @@ -1961,6 +1961,30 @@ ], "category": "pulls" }, + { + "name": "DismissalRestriction", + "id": "dismissalrestriction", + "href": "/graphql/reference/pulls#object-dismissalrestriction", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "isDeprecated": false, + "fields": [ + { + "name": "allowedActors", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "[ID!]", + "id": "id", + "href": "/graphql/reference/other#scalar-id" + }, + { + "name": "enabled", + "description": "

Whether to restrict review dismissal to specific actors.

", + "type": "Boolean!", + "id": "boolean", + "href": "/graphql/reference/other#scalar-boolean" + } + ], + "category": "pulls" + }, { "name": "HeadRefDeletedEvent", "id": "headrefdeletedevent", @@ -5055,6 +5079,13 @@ "id": "boolean", "href": "/graphql/reference/other#scalar-boolean" }, + { + "name": "dismissalRestriction", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "DismissalRestriction", + "id": "dismissalrestriction", + "href": "/graphql/reference/pulls#object-dismissalrestriction" + }, { "name": "requireCodeOwnerReview", "description": "

Require an approving review in pull requests that modify files that have a designated code owner.

", @@ -9310,6 +9341,30 @@ ], "category": "pulls" }, + { + "name": "DismissalRestrictionInput", + "id": "dismissalrestrictioninput", + "href": "/graphql/reference/pulls#input-object-dismissalrestrictioninput", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "isDeprecated": false, + "inputFields": [ + { + "name": "allowedActors", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "[ID!]", + "id": "id", + "href": "/graphql/reference/other#scalar-id" + }, + { + "name": "enabled", + "description": "

Whether to restrict review dismissal to specific actors.

", + "type": "Boolean!", + "id": "boolean", + "href": "/graphql/reference/other#scalar-boolean" + } + ], + "category": "pulls" + }, { "name": "DraftPullRequestReviewComment", "id": "draftpullrequestreviewcomment", @@ -9708,6 +9763,13 @@ "id": "boolean", "href": "/graphql/reference/other#scalar-boolean" }, + { + "name": "dismissalRestriction", + "description": "

Specify people, teams, or apps allowed to dismiss pull request reviews.

", + "type": "DismissalRestrictionInput", + "id": "dismissalrestrictioninput", + "href": "/graphql/reference/pulls#input-object-dismissalrestrictioninput" + }, { "name": "requireCodeOwnerReview", "description": "

Require an approving review in pull requests that modify files that have a designated code owner.

", diff --git a/src/graphql/data/ghec/schema.docs.graphql b/src/graphql/data/ghec/schema.docs.graphql index 0899afab7911..1302ecf172f0 100644 --- a/src/graphql/data/ghec/schema.docs.graphql +++ b/src/graphql/data/ghec/schema.docs.graphql @@ -376,9 +376,9 @@ input AddAssigneesToAssignableInput { assignableId: ID! @possibleTypes(concreteTypes: ["Issue", "PullRequest"], abstractType: "Assignable") """ - The ids of actors (users or bots) to add as assignees. + The ids of actors (users or bots) to add as assignees. Mutually exclusive with `assignees`. """ - assigneeIds: [ID!]! + assigneeIds: [ID!] @possibleTypes( concreteTypes: ["Bot", "EnterpriseUserAccount", "Mannequin", "Organization", "User"] abstractType: "Actor" @@ -13559,6 +13559,36 @@ type DismissRepositoryVulnerabilityAlertPayload { repositoryVulnerabilityAlert: RepositoryVulnerabilityAlert } +""" +Specify people, teams, or apps allowed to dismiss pull request reviews. +""" +type DismissalRestriction @docsCategory(name: "pulls") { + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + allowedActors: [ID!] + + """ + Whether to restrict review dismissal to specific actors. + """ + enabled: Boolean! +} + +""" +Specify people, teams, or apps allowed to dismiss pull request reviews. +""" +input DismissalRestrictionInput @docsCategory(name: "pulls") { + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + allowedActors: [ID!] + + """ + Whether to restrict review dismissal to specific actors. + """ + enabled: Boolean! +} + """ A draft issue within a project. """ @@ -44339,6 +44369,11 @@ type PullRequestParameters @docsCategory(name: "pulls") { """ dismissStaleReviewsOnPush: Boolean! + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + dismissalRestriction: DismissalRestriction + """ Require an approving review in pull requests that modify files that have a designated code owner. """ @@ -44382,6 +44417,11 @@ input PullRequestParametersInput @docsCategory(name: "pulls") { """ dismissStaleReviewsOnPush: Boolean! + """ + Specify people, teams, or apps allowed to dismiss pull request reviews. + """ + dismissalRestriction: DismissalRestrictionInput + """ Require an approving review in pull requests that modify files that have a designated code owner. """ From c82f7d2d324b4f33da4342ecce34b06ffe41991b Mon Sep 17 00:00:00 2001 From: Kevin Heis Date: Wed, 8 Jul 2026 09:59:18 -0700 Subject: [PATCH 2/7] Handle top-level array REST request bodies in gh CLI code samples (#62191) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- src/rest/components/get-rest-code-samples.ts | 20 +++--- src/rest/components/types.ts | 7 +- src/rest/tests/get-rest-code-samples-2.ts | 30 +++++++++ src/rest/tests/get-rest-code-samples.ts | 69 ++++++++++++++++++++ 4 files changed, 115 insertions(+), 11 deletions(-) diff --git a/src/rest/components/get-rest-code-samples.ts b/src/rest/components/get-rest-code-samples.ts index 7213f7d4410e..455a61433dd4 100644 --- a/src/rest/components/get-rest-code-samples.ts +++ b/src/rest/components/get-rest-code-samples.ts @@ -200,18 +200,16 @@ export function getGHExample( // and the type is a string. const { bodyParameters } = codeSample.request if (bodyParameters) { - // There should not be a case in a REST API where only an array is sent - if (Array.isArray(bodyParameters)) { - throw new Error('Array of arrays found in body parameters') - } - if (typeof bodyParameters === 'object') { // Special handling for gist endpoints - use --input for nested file structures const isGistEndpoint = + !Array.isArray(bodyParameters) && operation.requestPath.includes('/gists') && (operation.title === 'Create a gist' || operation.title === 'Update a gist') - // For complex objects with arrays, use --input with JSON + // For top-level arrays or complex objects with arrays, use --input with JSON. + // The gh CLI -f/-F flags can't represent a request body that is itself an array, + // so we fall back to piping the JSON body via --input. const hasArrays = hasNestedArrays(bodyParameters as NestedObjectParameter) if (hasArrays || isGistEndpoint) { const jsonBody = JSON.stringify( @@ -233,7 +231,7 @@ export function getGHExample( requestBodyParams += handleObjectParameter(bodyParameters as NestedObjectParameter) } } else { - requestBodyParams += handleSingleParameter('', bodyParameters) + requestBodyParams += handleSingleParameter('', bodyParameters as NestedObjectParameter) } } @@ -388,11 +386,13 @@ export function getJSExample( if (codeSample.request) { Object.assign(parameters, codeSample.request.parameters) // Most of the time the example body parameters have a name and value - // and are included in an object. But, some cases are a single value - // and the type is a string. + // and are included in an object. But some cases are a single scalar value + // or a top-level JSON array, both of which Octokit sends as the raw + // request body via the `data` option. if ( codeSample.request.bodyParameters && - typeof codeSample.request.bodyParameters !== 'object' + (typeof codeSample.request.bodyParameters !== 'object' || + Array.isArray(codeSample.request.bodyParameters)) ) { parameters.data = codeSample.request.bodyParameters } else { diff --git a/src/rest/components/types.ts b/src/rest/components/types.ts index 3833a096dfed..3ff2cbc3a910 100644 --- a/src/rest/components/types.ts +++ b/src/rest/components/types.ts @@ -51,7 +51,12 @@ export interface CodeSample { request: { contentType: string acceptHeader: string - bodyParameters: Record> + // Most request bodies are an object of named parameters, but some REST + // operations take a single scalar value or a top-level JSON array. + bodyParameters: + | Record> + | Array + | string parameters: Record description: string } diff --git a/src/rest/tests/get-rest-code-samples-2.ts b/src/rest/tests/get-rest-code-samples-2.ts index 26b9d92392b4..7aa265003a1d 100644 --- a/src/rest/tests/get-rest-code-samples-2.ts +++ b/src/rest/tests/get-rest-code-samples-2.ts @@ -447,6 +447,36 @@ describe('REST code samples authentication header handling', () => { expect(result).toContain("await octokit.request('POST /credentials/revo") expect(result).toContain("'X-GitHub-Api-Version': '2022-11-28'") }) + + test('sends a top-level array body via the data option', () => { + const arrayBodyCodeSample: CodeSample = { + request: { + contentType: 'application/json', + description: 'Example', + acceptHeader: 'application/vnd.github+json', + bodyParameters: [{ id: 'MVS-2026-001', summary: 'Example summary' }], + parameters: {}, + }, + response: { + statusCode: '200', + contentType: 'application/json', + description: 'Response', + example: {}, + }, + } + + const result = getJSExample( + standardOperation, + arrayBodyCodeSample, + 'free-pro-team@latest', + mockVersions, + ) + + // The array must be nested under `data`, not spread as numeric keys ("0", "1"). + expect(result).toContain('data: [') + expect(result).toContain("id: 'MVS-2026-001'") + expect(result).not.toMatch(/["']0["']\s*:/) + }) }) describe('edge cases and special scenarios', () => { diff --git a/src/rest/tests/get-rest-code-samples.ts b/src/rest/tests/get-rest-code-samples.ts index 65ec61f02610..309729a2f829 100644 --- a/src/rest/tests/get-rest-code-samples.ts +++ b/src/rest/tests/get-rest-code-samples.ts @@ -229,4 +229,73 @@ describe('getGHExample - GitHub CLI code generation', () => { expect(result).toContain('"tag2"') expect(result).toContain('"tag3"') }) + + test('handles a top-level array body via --input', () => { + const operation: Operation = { + serverUrl: 'https://api.github.com', + verb: 'post', + requestPath: '/enterprises/{enterprise}/innersource-vulnerabilities/sync', + title: 'Sync InnerSource vulnerabilities', + descriptionHTML: '

Sync vulnerabilities

', + previews: [], + statusCodes: [], + bodyParameters: [], + category: 'enterprise-admin', + subcategory: 'security-advisories', + parameters: [ + { + name: 'enterprise', + in: 'path', + required: true, + description: 'The enterprise slug', + schema: { type: 'string' }, + }, + ], + codeExamples: [], + progAccess: { + permissions: [], + userToServerRest: true, + serverToServer: true, + fineGrainedPat: true, + }, + } + + const codeSample: CodeSample = { + request: { + contentType: 'application/json', + description: 'Example', + acceptHeader: 'application/vnd.github+json', + bodyParameters: [ + { + id: 'MVS-2026-001', + summary: 'Example vulnerability summary', + aliases: ['GHSA-xxxx-xxxx-xxxx'], + }, + ], + parameters: { enterprise: 'octo-enterprise' }, + }, + response: { + statusCode: '200', + contentType: 'application/json', + description: 'Response', + example: {}, + }, + } + + const currentVersion = 'enterprise-cloud@latest' + const allVersions: Record = { + 'enterprise-cloud@latest': { + version: 'enterprise-cloud@latest', + versionTitle: 'Enterprise Cloud', + apiVersions: ['2022-11-28'], + latestApiVersion: '2022-11-28', + }, + } + + const result = getGHExample(operation, codeSample, currentVersion, allVersions) + + expect(result).toContain('--input - <<<') + expect(result).toContain('"MVS-2026-001"') + expect(result).toContain('"GHSA-xxxx-xxxx-xxxx"') + }) }) From 7ed8824bb9b4da1dc566b01d8c4e46d66aa3a0af Mon Sep 17 00:00:00 2001 From: Eric Sorenson Date: Wed, 8 Jul 2026 11:40:50 -0700 Subject: [PATCH 3/7] Add documentation for Innersource Advisories (#61561) Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: grconm <167924715+grconm@users.noreply.github.com> --- .../dependabot-alerts.md | 12 +- .../github-advisory-database.md | 24 +- .../index.md | 1 + .../innersource-advisories.md | 30 +++ .../secure-your-dependencies/index.md | 1 + .../manage-innersource-advisories.md | 235 ++++++++++++++++++ .../repositories/a-vulnerability-is.md | 1 - 7 files changed, 290 insertions(+), 14 deletions(-) create mode 100644 content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md create mode 100644 content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md delete mode 100644 data/reusables/repositories/a-vulnerability-is.md diff --git a/content/code-security/concepts/supply-chain-security/dependabot-alerts.md b/content/code-security/concepts/supply-chain-security/dependabot-alerts.md index 7bbedb59776f..bbd448feafdd 100644 --- a/content/code-security/concepts/supply-chain-security/dependabot-alerts.md +++ b/content/code-security/concepts/supply-chain-security/dependabot-alerts.md @@ -28,7 +28,8 @@ Software often relies on packages from various sources, creating dependency rela {% ifversion fpt or ghec %} * A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}{% else %} -* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %} +* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}{% ifversion ghec %} +* Your enterprise publishes an innersource advisory for a component you depend on. For more information, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories).{% endif %} * Your dependency graph changes—for example, when you push commits that update packages or versions For supported ecosystems, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems). @@ -41,7 +42,9 @@ When {% data variables.product.github %} detects a vulnerable dependency, a {% d * Details about the vulnerability and its severity * Information about a fixed version (when available) -For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). +{% ifversion ghec %}Alerts generated from an innersource advisory carry a distinct "Innersource" label, distinguishing them from alerts based on public advisories. + +{% endif %}For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). ## Who can enable alerts? @@ -102,7 +105,7 @@ Alternatively, you can opt into the weekly email digest, or even completely turn * Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection. * New vulnerabilities may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts. -* Only advisories reviewed by {% data variables.product.github %} trigger alerts. +* Only advisories reviewed by {% data variables.product.github %}{% ifversion ghec %} or published by your enterprise as innersource advisories{% endif %} trigger alerts. * {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.{% ifversion dependabot-malware-alerts %}{% else %} * {% data variables.product.prodname_dependabot %} doesn't generate alerts for malware.{% endif %} * {% data reusables.dependabot.dependabot-alert-actions-semver %} @@ -120,7 +123,8 @@ With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% d ## Further reading {% ifversion dependabot-malware-alerts %} -* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %} +* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}{% ifversion ghec %} +* [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories){% endif %} * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) * [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) * [AUTOTITLE](/code-security/getting-started/auditing-security-alerts) diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md b/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md index 3576365801ce..8e27f99f1219 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/github-advisory-database.md @@ -1,6 +1,6 @@ --- title: GitHub Advisory database -intro: 'The {% data variables.product.prodname_advisory_database %} contains a list of known security vulnerabilities and malware, grouped in three categories: {% data variables.product.company_short %}-reviewed advisories, unreviewed advisories, and malware advisories.' +intro: 'Research known security vulnerabilities and malware in open source packages, so you can understand and remediate the risks in your dependencies.' versions: fpt: '*' ghec: '*' @@ -17,19 +17,25 @@ category: ## About the {% data variables.product.prodname_advisory_database %} -{% data reusables.repositories.tracks-vulnerabilities %} - Security advisories are published as JSON files in the Open Source Vulnerability (OSV) format. For more information about the OSV format, see [Open Source Vulnerability format](https://ossf.github.io/osv-schema/). ## Types of security advisories -Each advisory in the {% data variables.product.prodname_advisory_database %} is for a vulnerability in open source projects or for malicious open source software. +Each advisory in the {% data variables.product.prodname_advisory_database %} relates to a specific security problem in a software component. These problems come in several varieties. + +A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use it. Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. Vulnerability advisories contain information about the range of released package versions where the problem exists, and the earliest version where the problem was fixed. This helps downstream users of the software address the vulnerability by updating their dependencies to use a fixed version as soon as it is available. + +In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency. Malware alerts do not contain a fix version, because the defining characteristic of a malware alert is that there are no safe versions—the only safe course of action is not to use the package at all. -{% data reusables.repositories.a-vulnerability-is %} Vulnerabilities in code are usually introduced by accident and fixed soon after they are discovered. You should update your code to use the fixed version of the dependency as soon as it is available. +{% ifversion ghec %} -In contrast, malicious software, or malware, is code that is intentionally designed to perform unwanted or harmful functions. The malware may target hardware, software, confidential data, or users of any application that uses the malware. You need to remove the malware from your project and find an alternative, more secure replacement for the dependency. +Both of these advisory types are public information about open source packages. Users with {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} can also create innersource advisories, which restrict visibility to just their organization or enterprise. Innersource advisories use the same OSV format as public advisories but can be associated with either public or internal, private projects. This allows enterprises to use the familiar {% data variables.product.prodname_dependabot %} alert and update features to provide fixes to internal software consumers. For more information about innersource advisories, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories). -### {% data variables.product.company_short %}-reviewed advisories +{% endif %} + +### {% data variables.product.company_short %}-reviewed vulnerability advisories + +{% data reusables.repositories.tracks-vulnerabilities %} {% data reusables.advisory-database.github-reviewed-overview %} @@ -52,7 +58,7 @@ If you have a suggestion for a new ecosystem we should support, please open an [ If you enable {% data variables.product.prodname_dependabot_alerts %} for your repositories, you are automatically notified when a new {% data variables.product.company_short %}-reviewed advisory reports a vulnerability for a package you depend on. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). -### Unreviewed advisories +### Unreviewed vulnerability advisories {% data reusables.advisory-database.unreviewed-overview %} @@ -64,7 +70,7 @@ If you enable {% data variables.product.prodname_dependabot_alerts %} for your r {% data variables.product.prodname_dependabot %} doesn't generate alerts when malware is detected as most of the vulnerabilities cannot be resolved by downstream users. You can view malware advisories by searching for `type:malware` in the {% data variables.product.prodname_advisory_database %}. -Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesn’t look at project configurations to determine if the packages are coming from a private registry, so we aren't sure if you're using the malicious version or a non-malicious version. Users who have their dependencies appropriately scoped should not be affected by malware. +Our malware advisories are mostly about substitution attacks. During this type of attack, an attacker publishes a package to the public registry with the same name as a dependency that users rely on from a third party or private registry, with the hope that the malicious version is consumed. {% data variables.product.prodname_dependabot %} doesn't look at project configurations to determine if the packages are coming from a private registry, so we can't determine whether you're using the malicious version or a non-malicious version that has the same name. Users who have their dependencies appropriately scoped should not be affected by malware. ## Information in security advisories diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/index.md b/content/code-security/concepts/vulnerability-reporting-and-management/index.md index 96e4c138a7c3..c2ead6f7851c 100644 --- a/content/code-security/concepts/vulnerability-reporting-and-management/index.md +++ b/content/code-security/concepts/vulnerability-reporting-and-management/index.md @@ -8,6 +8,7 @@ versions: contentType: concepts children: - /github-advisory-database + - /innersource-advisories - /repository-security-advisories - /global-security-advisories - /coordinated-disclosure diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md b/content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md new file mode 100644 index 000000000000..9d69f3b07a2c --- /dev/null +++ b/content/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories.md @@ -0,0 +1,30 @@ +--- +title: Innersource advisories +shortTitle: Innersource advisories +intro: Enterprises can alert their internal repositories to vulnerabilities and ship automated fixes with {% data variables.product.prodname_dependabot %}, using advisories that stay private to a single enterprise. +versions: + fpt: '*' + ghec: '*' +contentType: concepts +category: + - Secure your dependencies +--- + +## About innersource advisories + +The {% data variables.product.prodname_advisory_database %} provides a centralized source of alert information for security vulnerabilities. When an advisory about a vulnerable open source component is published, {% data variables.product.prodname_dependabot %} uses {% data variables.product.company_short %}'s dependency graph to find repositories that are using that component, then sends alerts and pull requests to notify the repository's owners and update the affected code to a newer version that fixes the vulnerability. + +Enterprises can use the same mechanism to create alerts and send updates about internally discovered vulnerabilities. Innersource advisories use a similar Open Source Vulnerability (OSV) data format to public advisories, but are not publicly visible. They are scoped to a single enterprise and therefore only propagate alerts to repositories inside that enterprise. The subject of an innersource advisory can be either an internal or open source component, enabling enterprises to push fixes independent of public disclosure and alerting. + +## Who can create innersource advisories + +Innersource advisories can only be created in enterprises that have an active {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} license. If your license expires or {% data variables.product.prodname_GH_code_security %} is disabled, advisories will no longer be visible and will not propagate alerts. However, the underlying data will not be deleted, and re-activating the license will restore any pre-existing advisories. + +## Limitations of innersource advisories + +* Currently, advisories can only be scoped to an entire enterprise. You cannot target individual organizations or groups of organizations inside the enterprise. +* Each enterprise is limited to 2,000 active advisories. Attempts to create new advisories once that limit is reached will result in an error. If you reach this limit, you can withdraw old or outdated advisories. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories#withdrawing-innersource-advisories). + +## Next steps + +To create, distribute, and withdraw innersource advisories, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories). diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md index cfb8439900db..c1f2d1b760bb 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/index.md @@ -12,6 +12,7 @@ children: - /configure-malware-alerts - /configure-security-updates - /configure-version-updates + - /manage-innersource-advisories - /auto-update-actions - /configuring-multi-ecosystem-updates - /enable-dependency-graph diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md new file mode 100644 index 000000000000..62fa6a5c713f --- /dev/null +++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/manage-innersource-advisories.md @@ -0,0 +1,235 @@ +--- +title: Managing innersource advisories +shortTitle: Manage innersource advisories +intro: Create, distribute, and withdraw enterprise-scoped advisories to alert your internal repositories to vulnerabilities and ship fixes automatically. +versions: + fpt: '*' + ghec: '*' +contentType: how-tos +category: + - Secure your dependencies +--- + +For background on how innersource advisories work and who can create them, see [AUTOTITLE](/code-security/concepts/vulnerability-reporting-and-management/innersource-advisories). + +## Prerequisites + +Innersource advisories can only be created in enterprises with an active {% data variables.product.prodname_GH_code_security %} or {% data variables.product.prodname_GHAS %} license. + +## Creating innersource advisories + +To create an innersource advisory: + +1. Create and install a {% data variables.product.prodname_github_app %} with the `enterprise_innersource_vulnerabilities` permission. +1. Generate a token associated with the app that has `write` access to this permission. +1. Create a description of the vulnerability using the OSV format, and `POST` it to the REST API endpoint `/enterprises/{enterprise}/innersource-vulnerabilities/sync`. + +Each of these steps is described in more detail below. + +### Step 1: Create a {% data variables.product.prodname_github_app %} + +Register a {% data variables.product.prodname_github_app %} that is owned by your enterprise, and grant it the `enterprise_innersource_vulnerabilities` permission with `read and write` access. See [AUTOTITLE](/apps/creating-github-apps/registering-a-github-app/registering-a-github-app). + +After registering the app, install it on your enterprise so that it can act on the enterprise's behalf. + +### Step 2: Generate an access token + +Authenticate as the {% data variables.product.prodname_github_app %} installation to generate an installation access token. This token carries the `enterprise_innersource_vulnerabilities` permission and is used to authenticate your requests to the REST API. See [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app). + +### Step 3: Upload an advisory description + +Describe the vulnerability using the OSV format, then `POST` the payload to `/enterprises/{enterprise}/innersource-vulnerabilities/sync`, using the installation access token to authenticate. The payload identifies the affected package and the range of vulnerable versions. If a fixed version is available, include a `fixed` field with the version number so that {% data variables.product.prodname_dependabot %} can open pull requests to update affected repositories. + +For detailed information on the advisory schema, see [AUTOTITLE](/rest/enterprise-admin/security-advisories#sync-innersource-vulnerabilities-for-an-enterprise). + +## Using innersource advisories + +After you create an innersource advisory, repositories in the enterprise that use the affected component will receive alerts and updates. + +1. Ensure that the repositories in your enterprise have {% data variables.product.prodname_dependabot_alerts %} and updates enabled. You can enforce this at scale using a security configuration. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration). +1. Watch the dependent repositories' {% data variables.product.prodname_dependabot_alerts %} page for a new alert about the affected component. The alert will have a distinct "Innersource" label on it to distinguish it from open source advisory alerts. +1. If your advisory payload included a `fixed` field with a version number that matches an available package, {% data variables.product.prodname_dependabot %} will also create a pull request that updates the package manager's manifest file. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configure-version-updates). + +## Withdrawing innersource advisories + +When there are no more vulnerable versions of an affected component in use, or if an advisory is superseded, it can be helpful to withdraw it. + +To withdraw an advisory, use the same REST API endpoint as the creation step, but adjust the payload to include a `withdrawn` key, whose value is a `date-time` field indicating when the vulnerability was withdrawn. + +## OSV format support and limitations + +{% data variables.product.prodname_dotcom %} accepts vulnerabilities in the [Open Source Vulnerability (OSV) format](https://ossf.github.io/osv-schema/) through the innersource vulnerability sync API. While {% data variables.product.prodname_dotcom %} strives for compatibility with the OSV specification, there are differences between the standard OSV schema and what {% data variables.product.prodname_dotcom %} requires or supports. + +### Supported OSV schema version + +{% data variables.product.prodname_dotcom %} supports OSV schema versions compatible with `~> 1.0` (i.e., `1.0.0` through `1.x.x`). The recommended schema version is `1.4.0`. + +### Affected entry formatting + +The OSV specification allows a single `affected` entry to contain multiple `ranges` and multiple `versions` for the same package. {% data variables.product.prodname_dotcom %} normalizes these internally by splitting them into separate entries: + +| OSV standard | {% data variables.product.prodname_dotcom %} behavior | +|---|---| +| A single `affected` entry can contain multiple `ranges` | Accepted. Each range is processed as a separate vulnerable version range. | +| A single `affected` entry can contain multiple `versions` | Accepted. Each version is treated as an exact match (`= x.y.z`) and processed as a separate vulnerable version range. | +| A single `affected` entry can mix `ranges` and `versions` | Accepted. Ranges and versions are split into separate entries internally. | +| A `SEMVER` range can contain multiple `introduced`/`fixed` pairs | Accepted. Multiple disjoint intervals (e.g., `[1.0.0, 1.0.2)` and `[3.0.0, 3.2.5)`) within a single range are supported. | + +### Supported range types + +| Range type | Support | +|---|---| +| `ECOSYSTEM` | **Fully supported.** Supports `introduced`, `fixed`, and `last_affected` events. | +| `SEMVER` | **Fully supported.** Supports `introduced`, `fixed`, and `last_affected` events. The `last_affected` event is parsed as a `<=` upper-bound comparator. | +| `GIT` | **Not supported.** Git commit-based ranges are not processed. | + +> [!NOTE] +> - For `ECOSYSTEM` ranges, only one `introduced` and one `fixed` (or `last_affected`) event per range is supported. If you need to express multiple disjoint version ranges for the same package, use separate `affected` entries or separate ranges. +> - `SEMVER` ranges support multiple `introduced`/`fixed` pairs within a single range (e.g., `[1.0.0, 1.0.2)` and `[3.0.0, 3.2.5)` in one events array). +> - `fixed` and `last_affected` **cannot appear together** in the same range. Use one or the other, with preference for `fixed`. + +### Required fields + +The OSV specification treats several fields as optional, but {% data variables.product.prodname_dotcom %} requires them. Requests missing these fields are **rejected with a 422 error**. + +| Field | OSV spec | {% data variables.product.prodname_dotcom %} requirement | +|---|---|---| +| `id` | Required | Required. Used as the external identifier for the vulnerability. | +| `severity` array | Optional | **Required.** Must contain at least one `CVSS_V3` or `CVSS_V4` entry with a non-empty `score` string (e.g., `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`). Requests without a valid CVSS entry are rejected. | +| `affected[].package.ecosystem` | Required | Must be a [supported ecosystem](#ecosystem-mapping) | +| `affected[].ranges` or `affected[].versions` | At least one required | At least one range or version must be present for alert matching | + +### Optional fields with automatic derivation + +| Field | Behavior | +|---|---| +| `database_specific.severity` | If provided, used as the qualitative severity label (`critical`, `high`, `moderate`, or `low`). If absent, the severity is **automatically derived** from the CVSS vector score. | +| `summary` | If absent, falls back to the `id` field. | +| `details` | If absent, falls back to `summary` or `id`. | + +### Supported severity types + +| Severity type | Support | +|---|---| +| `CVSS_V3` | **Supported.** Must be a valid CVSS 3.1 vector string. | +| `CVSS_V4` | **Supported.** Must be a valid CVSS 4.0 vector string. | +| Other types | **Not supported.** Will cause a parsing error. | + +### Supported reference types + +| Reference type | Support | +|---|---| +| `ADVISORY` | Supported | +| `WEB` | Supported | +| `FIX` | Supported | +| `ARTICLE` | Supported | +| `REPORT` | Supported | +| `PACKAGE` | Supported (mapped to source code location) | +| `EVIDENCE` | Supported (ignored during processing) | +| `DETECTION` | **Not supported.** Stripped during processing. | + +### Alias support + +| Alias format | Support | +|---|---| +| `CVE-YYYY-NNNNN` | **Supported.** Extracted as the CVE identifier. Only the first CVE alias is used. | +| Other formats (GHSA, PYSEC, etc.) | **Not supported.** Stripped during processing. | + +> [!NOTE] +> If the vulnerability `id` field starts with `GHSA-`, it is recognized as a GHSA identifier. However, GHSA entries in the `aliases` array are stripped and not preserved. + +### Field size constraints + +The OSV specification does not define maximum string lengths for any field — all strings are unbounded. However, {% data variables.product.prodname_dotcom %} enforces field size limits based on its internal database schema. These limits cannot be relaxed without breaking synchronization with {% data variables.product.prodname_ghe_server %}, which maintains its own compatible schema. + +Submissions exceeding these limits are rejected with a descriptive 422 error indicating which field exceeded the limit and the actual length provided (e.g., `affected[0].first_patched_version is 63 characters (max 50)`). + +| OSV field | Maps to | OSV standard limit | {% data variables.product.prodname_dotcom %} limit | Unit | +|---|---|---|---|---| +| `summary` | `vulnerabilities.summary` | No limit (recommended ≤120 chars) | **1,024** | bytes | +| `id` | `vulnerabilities.external_id` | No limit | **2,048** | characters | +| `aliases[]` (CVE entry) | `vulnerabilities.cve_id` | No limit | **20** | characters | +| `severity[].score` (CVSS v3) | `vulnerabilities.cvss_v3` | No limit | **255** | bytes | +| `severity[].score` (CVSS v4) | `vulnerabilities.cvss_v4` | No limit | **255** | characters | +| `affected[].package.ecosystem` | `vulnerable_version_ranges.ecosystem` | No limit | **20** | characters | +| `affected[].package.name` | `vulnerable_version_ranges.affects` | No limit | **255** | characters | +| `affected[].ranges[].events[].fixed` | `vulnerable_version_ranges.fixed_in` | No limit | **50** | characters | +| Computed vulnerable version range | `vulnerable_version_ranges.requirements` | No limit | **65,535** | bytes | + +> [!NOTE] +> - The `fixed_in` (first patched version) limit of 50 characters is the most commonly encountered constraint. Some ecosystems use long pre-release version strings (e.g., `1.0.0-alpha.gamma.delta.epsilon.zeta.eta.theta`) that exceed this limit. +> - `varchar` columns are validated by character count; `varbinary` and `text` columns are validated by byte size (relevant for multi-byte UTF-8 characters). +> - These limits are constrained by {% data variables.product.prodname_ghe_server %} schema compatibility. Widening columns on {% data variables.product.prodname_dotcom %} without matching GHES changes would cause advisory sync failures between environments. + +### Ecosystem mapping + +{% data variables.product.prodname_dotcom %} maps OSV ecosystem names to its internal ecosystem identifiers. The following ecosystems are supported: + +| OSV ecosystem | {% data variables.product.prodname_dotcom %} ecosystem | +|---|---| +| `npm` | npm | +| `PyPI` | pip | +| `RubyGems` | RubyGems | +| `Maven` | Maven | +| `NuGet` | NuGet | +| `Packagist` | Composer | +| `Go` | Go | +| `crates.io` | Rust | +| `Hex` | Erlang | +| `Pub` | Pub | +| `SwiftURL` | Swift | +| `GitHub Actions` | GitHub Actions | + +### Example: minimal OSV payload for alert generation + +The following is a minimal OSV payload that contains all required fields for {% data variables.product.prodname_dotcom %} to create a {% data variables.product.prodname_dependabot %} alert: + +```json +{ + "schema_version": "1.4.0", + "id": "EXAMPLE-2024-001", + "modified": "2024-01-15T10:00:00Z", + "summary": "Example vulnerability in example-package", + "details": "A detailed description of the vulnerability.", + "aliases": ["CVE-2024-12345"], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "example-package" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { "introduced": "0" }, + { "fixed": "1.2.3" } + ] + } + ] + } + ], + "database_specific": { + "severity": "Critical" + }, + "references": [ + { "type": "ADVISORY", "url": "https://example.com/advisory" } + ], + "published": "2024-01-15T10:00:00Z" +} +``` + +### Known limitations + +* **Maximum 100 vulnerabilities per request.** The sync API accepts at most 100 vulnerabilities in a single request. +* **No `GIT` range type.** Git commit-based version ranges are not supported. +* **Single event types per ECOSYSTEM range.** Each `ECOSYSTEM` range supports one `introduced` and one upper-bound event (`fixed` or `last_affected`). Multiple `introduced`/`fixed` pairs in a single `ECOSYSTEM` range are not supported — use separate ranges or separate `affected` entries instead. (This limitation does not apply to `SEMVER` ranges, which support multiple event pairs.) +* **`fixed` and `last_affected` are mutually exclusive.** A single range cannot contain both `fixed` and `last_affected` events. Use one or the other. +* **GHES sync compatibility.** Field size limits (such as `fixed_in` at 50 characters) are constrained by {% data variables.product.prodname_ghe_server %} schema compatibility requirements. + diff --git a/data/reusables/repositories/a-vulnerability-is.md b/data/reusables/repositories/a-vulnerability-is.md deleted file mode 100644 index 2433f7cd6552..000000000000 --- a/data/reusables/repositories/a-vulnerability-is.md +++ /dev/null @@ -1 +0,0 @@ -A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. From 2d42689c0f4b229e9ba1ecc9b933532c834b857c Mon Sep 17 00:00:00 2001 From: Evan Bonsignori Date: Wed, 8 Jul 2026 11:54:34 -0700 Subject: [PATCH 4/7] Migrate Label to @primer/react-brand (#62081) --- src/graphql/components/GraphqlItem.tsx | 6 +++--- src/landings/components/CookBookArticleCard.module.scss | 1 + src/landings/components/CookBookArticleCard.tsx | 9 +++++---- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/graphql/components/GraphqlItem.tsx b/src/graphql/components/GraphqlItem.tsx index 42c0f5361e5c..c15af9d85014 100644 --- a/src/graphql/components/GraphqlItem.tsx +++ b/src/graphql/components/GraphqlItem.tsx @@ -1,5 +1,5 @@ import React, { type JSX } from 'react' -import { Label } from '@primer/react' +import { Label } from '@primer/react-brand' import { HeadingLink } from '@/frame/components/article/HeadingLink' import type { GraphqlT } from './types' import { Notice } from './Notice' @@ -41,9 +41,9 @@ export function GraphqlItem({ item, heading, children, headingLevel = 2, kind }: {item.name} -
+
{kindLabel && ( -
From 4a6a9e0b67a3dcb504ca5fe06b61bbb8c528327b Mon Sep 17 00:00:00 2001 From: Evan Bonsignori Date: Wed, 8 Jul 2026 13:30:35 -0700 Subject: [PATCH 5/7] Migrate Breadcrumbs to @primer/react-brand (#62084) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- src/fixtures/tests/breadcrumbs.ts | 2 +- .../page-header/Breadcrumbs.module.scss | 3 - .../components/page-header/Breadcrumbs.tsx | 103 ++++++++++-------- 3 files changed, 57 insertions(+), 51 deletions(-) delete mode 100644 src/frame/components/page-header/Breadcrumbs.module.scss diff --git a/src/fixtures/tests/breadcrumbs.ts b/src/fixtures/tests/breadcrumbs.ts index 9356ec762215..ce435f85f3ab 100644 --- a/src/fixtures/tests/breadcrumbs.ts +++ b/src/fixtures/tests/breadcrumbs.ts @@ -24,7 +24,7 @@ describe('breadcrumbs', () => { test('short titles are preferred', async () => { const $ = await getDOM('/get-started/foo/bar') - const links = $('[data-testid=breadcrumbs-in-article] a:last-child') + const links = $('[data-testid=breadcrumbs-in-article] li:last-child a') expect(links.text()).toBe('Bar') }) diff --git a/src/frame/components/page-header/Breadcrumbs.module.scss b/src/frame/components/page-header/Breadcrumbs.module.scss deleted file mode 100644 index ba389ad73f02..000000000000 --- a/src/frame/components/page-header/Breadcrumbs.module.scss +++ /dev/null @@ -1,3 +0,0 @@ -.breadcrumbs { - clip-path: inset(-0.5rem -0.5rem -0.5rem 0); -} diff --git a/src/frame/components/page-header/Breadcrumbs.tsx b/src/frame/components/page-header/Breadcrumbs.tsx index e3dbac632635..a2a6c44442f5 100644 --- a/src/frame/components/page-header/Breadcrumbs.tsx +++ b/src/frame/components/page-header/Breadcrumbs.tsx @@ -1,9 +1,9 @@ +import type { MouseEvent } from 'react' +import { useRouter } from 'next/router' import cx from 'classnames' +import { Breadcrumbs as BrandBreadcrumbs } from '@primer/react-brand' import { useMainContext } from '../context/MainContext' -import { Link } from '@/frame/components/Link' - -import styles from './Breadcrumbs.module.scss' type Props = { inHeader?: boolean @@ -16,55 +16,64 @@ export type BreadcrumbT = { export const Breadcrumbs = ({ inHeader }: Props) => { const { breadcrumbs } = useMainContext() + const router = useRouter() + + // BrandBreadcrumbs.Item renders a plain , so intercept clicks to restore + // next/link-style client-side navigation. Modifier/middle clicks fall through + // to the browser so open-in-new-tab still works, and the keeps the + // links crawlable for SSR. + const handleClick = (event: MouseEvent, href: string) => { + if ( + event.defaultPrevented || + event.button !== 0 || + event.metaKey || + event.ctrlKey || + event.shiftKey || + event.altKey || + !href.startsWith('/') + ) { + return + } + event.preventDefault() + // hrefs already include the locale prefix (e.g. /en/...), so disable + // Next.js locale handling to avoid double-prefixing. + router.push(href, undefined, { locale: false }) + } return ( - /* - NOTE: The breadcrumbs class and the nav tag are used by the - Lunr search scripts. The a tag generated by the Link is also used. - If these change, please also change - updating src/search/scripts/parse-page-sections-into-records.ts. - */ - + {Object.values(breadcrumbs) + .filter(Boolean) + .map((breadcrumb, i, arr) => { + const title = `${breadcrumb.title}` + if (!breadcrumb.href) { + return ( +
  • + {breadcrumb.title} +
  • + ) + } + return ( + handleClick(event, breadcrumb.href!)} + className={cx( + // Show the last breadcrumb if it's in the header, but not if it's in the article. + // If there's only 1 breadcrumb, show it. + !inHeader && i === arr.length - 1 && arr.length !== 1 && 'd-none', + )} + > + {breadcrumb.title} + + ) + })} + ) } From 01ba79d4e517e670fe9145d416e0de9e8c8a691e Mon Sep 17 00:00:00 2001 From: Jared Fine Date: Wed, 8 Jul 2026 17:02:31 -0400 Subject: [PATCH 6/7] Update data-not-migrated.md with new entries (#62181) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Vanessa --- data/reusables/enterprise-migration-tool/data-not-migrated.md | 1 + 1 file changed, 1 insertion(+) diff --git a/data/reusables/enterprise-migration-tool/data-not-migrated.md b/data/reusables/enterprise-migration-tool/data-not-migrated.md index 0bba91d51f0f..40b9eb3e5c7e 100644 --- a/data/reusables/enterprise-migration-tool/data-not-migrated.md +++ b/data/reusables/enterprise-migration-tool/data-not-migrated.md @@ -10,6 +10,7 @@ * {% data variables.product.prodname_actions %} secrets, variables, environments, self-hosted runners, {% data variables.actions.hosted_runner %}s, workflow artifacts, or workflow run history * GitHub Apps and GitHub App installations * {% data variables.large_files.product_name_short %} objects and large binaries (repositories using {% data variables.large_files.product_name_short %} are still supported, see [Limitations of {% data variables.product.prodname_importer_proper_name %}](#limitations-of-github-enterprise-importer)) +* Links from comment bodies to specific comments or events within issues, pull requests, or discussions (the original link is retained) * Links from commits to pull requests that were rebase merged * Mentions of users, teams, and organizations in pull request, issue, release, and comment bodies (the username originally mentioned is retained) * Packages in {% data variables.product.prodname_registry %} From 9434639dbc93d388b372aee9324c81114f8e7384 Mon Sep 17 00:00:00 2001 From: Joe Clark <31087804+jc-clark@users.noreply.github.com> Date: Wed, 8 Jul 2026 16:05:20 -0700 Subject: [PATCH 7/7] Add MDM and file-based deployment docs for enterprise managed settings (#61937) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> Co-authored-by: Harald Kirschner Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> --- .../configure-enterprise-managed-settings.md | 78 ++++++++++++---- .../enterprise-managed-settings-reference.md | 89 +++++++++++++++++++ content/copilot/reference/index.md | 1 + .../copilot/create-managed-settings.md | 4 +- 4 files changed, 154 insertions(+), 18 deletions(-) create mode 100644 content/copilot/reference/enterprise-managed-settings-reference.md diff --git a/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-managed-settings.md b/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-managed-settings.md index 9e9733c36572..f5d9bbfce10b 100644 --- a/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-managed-settings.md +++ b/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-managed-settings.md @@ -1,8 +1,8 @@ --- -title: Configuring enterprise managed settings +title: Configuring enterprise-managed settings shortTitle: Enterprise managed settings allowTitleToDifferFromFilename: true -intro: Configure enterprise managed settings by defining a `{% data variables.copilot.managed_setting_file %}` file in your enterprise's `.github-private` repository to centrally control {% data variables.product.prodname_copilot_short %} client configurations. +intro: Configure enterprise managed settings to centrally control {% data variables.product.prodname_copilot_short %} client behavior across your enterprise using server-managed, MDM-managed, or file-based deployment. permissions: Enterprise owners redirect_from: - /copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/disable-automatic-commands @@ -15,7 +15,45 @@ category: - Manage Copilot for a team --- -With enterprise managed settings, enterprise owners can centrally define and distribute configuration settings to {% data variables.copilot.copilot_cli_short %} and {% data variables.product.prodname_vscode_shortname %} for users on your enterprise's {% data variables.product.prodname_copilot_short %} plan, ensuring every member works within the same guardrails. Additional client support will follow. The `{% data variables.copilot.managed_setting_file %}` takes precedence over file-based configuration set by users in their clients for the supported keys. +With enterprise managed settings, enterprise owners can centrally define and distribute configuration settings to {% data variables.copilot.copilot_cli_short %} and {% data variables.product.prodname_vscode_shortname %} for users on your enterprise's {% data variables.product.prodname_copilot_short %} plan, ensuring every member works within the same guardrails. Additional client support will follow. + +These settings apply enterprise-wide, with no organization-level override. For each supported key, the `{% data variables.copilot.managed_setting_file %}` value takes precedence over any file-based configuration a user sets in their client. + +Managed settings are loaded locally when the client starts, even if the device has no network connection. This means controls such as disabled bypass mode and restricted plugin configuration still apply before sign in or any server round trip, and remain active when users switch accounts. + +## Choosing a deployment method + +There are multiple ways to deploy enterprise managed settings. Use the following guidelines to choose the right method for you. For any method, pilot on a small device group before broad deployment. + +* **Server-managed**: Default for most enterprises and best for review workflows and audit history +* **MDM-managed**: Best when IT teams need device-group targeting through existing MDM tooling on macOS and Windows +* **File-based**: Available on all platforms, and useful when server-managed and MDM-managed deployment are not available, including developer environments such as containers and {% data variables.product.prodname_codespaces %} + +## Deploying server-managed settings + +1. Create and configure your `.github-private` repository. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/create-github-private-repo). +1. In the repository, create or update `copilot/{% data variables.copilot.managed_setting_file %}`. +1. Add your enterprise policy keys and values in JSON format. +1. Commit and push your changes to the default branch. +1. Confirm that enterprise users are running a supported client. Updated settings are applied automatically within about an hour, or immediately after the client restarts or the user signs in again. + +## Deploying MDM-managed settings + +1. Create or update your `{% data variables.copilot.managed_setting_file %}` payload using the same JSON schema used for server-managed settings. +1. Deploy the payload using your enterprise MDM platform and standard rollout process. +1. Assign the policy to the target device groups. + + Clients do not need to restart, and check for updated policies on an hourly basis. In {% data variables.product.prodname_vscode_shortname %}, an administrator can force a check for testing by running the `Developer: Sync Account Policy` command. + +1. Confirm the settings took effect. See [Verifying the configuration has applied](#verifying-the-configuration-has-applied). + +## Deploying file-based settings + +1. Create or update a `{% data variables.copilot.managed_setting_file %}` file with the policy keys and values you want to enforce. +1. Distribute the file to managed machines using your standard device management process. Machines that don't receive the file are not restricted by this policy, so file-based deployment only provides coverage for the machines you actively distribute to. +1. Apply file permissions according to your enterprise security requirements. +1. Ask users to restart supported clients so the updated policy is loaded at startup. +1. Confirm the settings took effect. See [Verifying the configuration has applied](#verifying-the-configuration-has-applied). ## Consolidated schema reference @@ -41,25 +79,24 @@ The `{% data variables.copilot.managed_setting_file %}` file supports the follow "PLUGIN-NAME@MARKETPLACE-NAME": true }, "permissions": { - "disableBypassPermissionsMode": "disable", - "model": "auto" - } + "disableBypassPermissionsMode": "disable" + }, + "model": "auto" } ``` * `extraKnownMarketplaces`: Defines additional plugin marketplaces available to users. Each entry is a named marketplace object containing a `source` property that specifies the provider (`"github"`) and the repository in `OWNER/REPO` format. * `strictKnownMarketplaces`: Restricts plugin installation to only the marketplaces explicitly defined by the enterprise. Each entry is a marketplace object containing a `source` property. The `source` specifies the provider as either `"github"` with a `repo` in `OWNER/REPO` format, or `"git"` with a `url` pointing to a git repository. * `enabledPlugins`: Defines plugins that are automatically installed for all enterprise users. Each entry uses the format `PLUGIN-NAME@MARKETPLACE-NAME` as the key, with a boolean value of `true` to enable the plugin. -* `permissions`: Controls whether users can bypass command approval. - * Set `model` to `"auto"` so new conversations start with Copilot auto model selection by default. Users can still switch to a different model on a per-conversation basis. - * Set `disableBypassPermissionsMode` to `"disable"` to prevent users from turning on bypass mode. See [Disabling bypass mode for your enterprise](#disabling-bypass-mode-for-your-enterprise) further in this article for more information. +* `permissions`: Controls whether users can bypass command approval. Set `disableBypassPermissionsMode` to `"disable"` to prevent users from turning on bypass mode. See [Disabling bypass mode for your enterprise](#disabling-bypass-mode-for-your-enterprise) further in this article for more information. +* `model`: Controls default model governance settings. Set to `"auto"` so new conversations start with Copilot auto model selection by default. Users can still switch to a different model on a per-conversation basis. ## Configuring enterprise plugin standards You can apply settings to control users' available plugin marketplaces and default-installed plugins. See [AUTOTITLE](/copilot/concepts/agents/about-enterprise-plugin-standards). {% data reusables.copilot.create-managed-settings %} -1. Add your plugin policy configuration to the file, using the `extraKnownMarketplaces`, `strictKnownMarketplaces`, and `enabledPlugins` properties described in [Consolidated schema reference](#consolidated-schema-reference). +1. Add the `extraKnownMarketplaces`, `strictKnownMarketplaces`, and `enabledPlugins` properties you need to the file. See the example and property descriptions in [Consolidated schema reference](#consolidated-schema-reference). Merge these properties into an existing file rather than overwriting it, so you don't remove settings configured for other policies, such as `permissions`. ```json copy { @@ -85,19 +122,30 @@ You can apply settings to control users' available plugin marketplaces and defau 1. Commit and push your changes to the default branch of the `.github-private` repository. -## Setting Copilot auto model selection as the default +## Setting {% data variables.product.prodname_copilot_short %} auto model selection as the default You can set auto model selection as the default model for new conversations in {% data variables.copilot.copilot_cli_short %} and {% data variables.product.prodname_vscode_shortname %}. To learn more see [AUTOTITLE](/copilot/concepts/auto-model-selection). By setting it as the default for your enterprise, you ensure new conversations start with Auto model selected. ### What setting Auto model as the default does -When you set `model` to `"auto"` under `permissions`, new conversations start with Auto model selected in both clients: +When you `model` to `"auto"`, new conversations start with Auto model selected in both clients: * In {% data variables.copilot.copilot_cli_short %}, new sessions use Auto model unless the user specifies a different model. * In {% data variables.product.prodname_vscode_shortname %}, the model picker defaults to Auto model when a user starts a new conversation. Users can still switch to a different model on a per-conversation basis. +### Configuring the setting + +{% data reusables.copilot.create-managed-settings %} +1. Add the `model` property to the file, set to `"auto"`. + + ```json copy + { + "model": "auto" + } + ``` + ## Disabling bypass mode for your enterprise You can prevent users from enabling bypass mode (also known as "YOLO mode") in {% data variables.copilot.copilot_cli_short %} and {% data variables.product.prodname_vscode_shortname %}. Bypass mode lets an agent run commands, access files, and fetch URLs without asking for approval. By disabling it for your enterprise, you ensure that a person reviews each of these actions. @@ -112,7 +160,7 @@ When you set `disableBypassPermissionsMode` to `"disable"`, users cannot turn on ### Configuring the setting {% data reusables.copilot.create-managed-settings %} -1. Add the `permissions` property to the file, with `disableBypassPermissionsMode` set to `"disable"`. +1. Add the `permissions` property to the file, with `disableBypassPermissionsMode` set to `"disable"`. If the file already has a `permissions` object (for example, from other permission settings), merge this key into it rather than replacing the object. ```json copy { @@ -122,10 +170,8 @@ When you set `disableBypassPermissionsMode` to `"disable"`, users cannot turn on } ``` -1. Commit and push your changes to the default branch of the `.github-private` repository. - ## Verifying the configuration has applied -Once the configuration is committed, users will see the specified settings the next time they authenticate from a supported client. Clients pull the latest configuration once per hour. +Once the configuration is committed, users on a supported client see the specified settings within about an hour, since clients periodically check the server for updated configuration. Restarting the client or signing in again applies the latest settings immediately. If a user does not see these settings, ensure they receive access to {% data variables.product.prodname_copilot_short %} through your enterprise or one of its organizations. If a user receives a license from multiple billing entities, ensure they have selected your enterprise in the "Usage billed to" dropdown in their [personal {% data variables.product.prodname_copilot_short %} settings](https://github.com/settings/copilot/features). diff --git a/content/copilot/reference/enterprise-managed-settings-reference.md b/content/copilot/reference/enterprise-managed-settings-reference.md new file mode 100644 index 000000000000..8a3eb6e01506 --- /dev/null +++ b/content/copilot/reference/enterprise-managed-settings-reference.md @@ -0,0 +1,89 @@ +--- +title: Enterprise managed settings reference +shortTitle: Managed settings reference +intro: 'Reference for the enterprise managed settings schema used by {% data variables.product.prodname_copilot_short %} clients.' +versions: + feature: copilot +contentType: reference +category: + - Configure Copilot +--- + +> [!NOTE] +> This feature is in {% data variables.release-phases.public_preview %} and subject to change. + +Use this reference to understand the currently supported keys in `{% data variables.copilot.managed_setting_file %}`. + +For deployment methods, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-managed-settings#choosing-a-deployment-method). + +## Precedence rules + +When multiple settings sources are present, clients apply settings in this order: + +1. Server-managed settings +1. MDM-managed settings +1. File-based settings +1. User-level settings + +MDM-managed settings take precedence. If MDM-managed settings are not available, clients apply server-managed settings before file-based settings. + +## Supported keys + +{% rowheaders %} + +| Key | Type | Accepted values | Purpose | +| --- | --- | --- | --- | +| `permissions.disableBypassPermissionsMode` | `string` | `"disable"` | Disables bypass or YOLO-style allow-all behavior | +| `enabledPlugins` | `object` | Key format: `PLUGIN-NAME@MARKETPLACE-NAME`; value: `true` | Enables specific plugins by key | +| `extraKnownMarketplaces` | `object` | Named marketplace object with `source.source` (`"github"`) and `source.repo` (`OWNER/REPO`) | Adds plugin marketplaces that users can access | +| `strictKnownMarketplaces` | `array` | Array of marketplace objects with `source` values (`"github"` with `repo`, or `"git"` with `url`) | Restricts plugin installation to explicitly listed marketplaces | +| `model` | `object` | `default` set to a supported model name | Defines default model governance settings | +| `telemetry` | `object` | `enabled` (`boolean`), `endpoint` (`string`), `protocol` (`"otlp-http"` or `"otlp-grpc"`), `captureContent` (`boolean`), `lockCaptureContent` (`boolean`), `serviceName` (`string`), `resourceAttributes` (`object`), `headers` (`object`) | Configures OpenTelemetry export for {% data variables.product.prodname_vscode_shortname %} | + +{% endrowheaders %} + +## Example configuration + +The following example shows these keys in one managed settings file. + +```json +{ + "permissions": { + "disableBypassPermissionsMode": "disable" + }, + "enabledPlugins": { + "my-plugin@agent-skills": true + }, + "extraKnownMarketplaces": { + "agent-skills": { + "source": { + "source": "github", + "repo": "OWNER/REPO" + } + } + }, + "strictKnownMarketplaces": [ + { + "source": "github", + "repo": "OWNER/REPO" + } + ], + "model": { + "default": "MODEL-NAME" + }, + "telemetry": { + "enabled": true, + "endpoint": "https://otel-collector.example.com", + "protocol": "otlp-http", + "captureContent": false, + "lockCaptureContent": true, + "serviceName": "copilot", + "resourceAttributes": { + "deployment.environment": "production" + }, + "headers": { + "Authorization": "Bearer TOKEN" + } + } +} +``` diff --git a/content/copilot/reference/index.md b/content/copilot/reference/index.md index 359c7f1c288f..48c6ac17b73c 100644 --- a/content/copilot/reference/index.md +++ b/content/copilot/reference/index.md @@ -16,6 +16,7 @@ children: - /hooks-reference - /policy-conflicts - /supported-surfaces-for-policies + - /enterprise-managed-settings-reference - /copilot-allowlist-reference - /mcp-allowlist-enforcement - /metrics-data diff --git a/data/reusables/copilot/create-managed-settings.md b/data/reusables/copilot/create-managed-settings.md index 902fef0ed869..16580384896a 100644 --- a/data/reusables/copilot/create-managed-settings.md +++ b/data/reusables/copilot/create-managed-settings.md @@ -1,3 +1,3 @@ -1. In your enterprise's `.github-private` repository, create the managed settings file at `copilot/{% data variables.copilot.managed_setting_file %}`. If you haven't set a `.github-private` repository as your enterprise's source of agent configuration, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/create-github-private-repo). +1. Create or update your enterprise managed settings file using your preferred deployment method. For a comparison of deployment methods, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-managed-settings#choosing-a-deployment-method). - The legacy path (`.github/copilot/settings.json`) is also supported. + For server-managed deployment in a `.github-private` repository, create the file at `copilot/{% data variables.copilot.managed_setting_file %}`. The legacy path (`.github/copilot/settings.json`) is also supported.