Merge branch 'main' into intel_macos14

Author: tqpcharlie

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Docs changelog
 
+**18 December 2025**
+
+The documentation has been updated to reflect the general availability of direct organization billing for premium request usage in Copilot Code Review. Organization members without a Copilot plan can now use Copilot Code Review on GitHub.com, with premium request usage billed directly to their organization or enterprise. See [Copilot code review without a Copilot license](https://docs.github.com/en/copilot/concepts/agents/code-review#copilot-code-review-without-a-copilot-license).
+
+<hr>
+
 **16 December 2025**
 
 We've added [a tutorial](https://docs.github.com/copilot/tutorials/modernize-java-applications) on how Copilot can help modernize and migrate Java applications by assessing your codebase, identifying upgrade paths, and automating remediation and containerization tasks.

content/actions/how-tos/reuse-automations/create-workflow-templates.md

@@ -28,7 +28,47 @@ This procedure demonstrates how to create a workflow template and metadata file.
 1. If it doesn't already exist, create a new repository named `.github` in your organization.
 1. Create a directory named `workflow-templates`.
 1. Create your new workflow file inside the `workflow-templates` directory.
-1. Create a metadata file inside the `workflow-templates` directory.
+
+   If you need to refer to a repository's default branch, you can use the `$default-branch` placeholder. When a workflow is created the placeholder will be automatically replaced with the name of the repository's default branch.
+
+   {% ifversion ghes %}
+
+   > [!NOTE]
+   > The following values in the `runs-on` key are also treated as placeholders:
+   >
+   > * `ubuntu-latest` is replaced with `[ self-hosted ]`
+   > * `windows-latest` is replaced with `[ self-hosted, windows ]`
+   > * `macos-latest` is replaced with `[ self-hosted, macOS ]`
+   {% endif %}
+
+   For example, this file named `octo-organization-ci.yml` demonstrates a basic workflow.
+
+   ```yaml copy
+   name: Octo Organization CI
+
+   on:
+     push:
+       branches: [ $default-branch ]
+     pull_request:
+       branches: [ $default-branch ]
+
+   jobs:
+     build:
+       runs-on: ubuntu-latest
+
+       steps:
+         - uses: {% data reusables.actions.action-checkout %}
+
+         - name: Run a one-line script
+           run: echo Hello from Octo Organization
+   ```
+
+1. Create a metadata file inside the `workflow-templates` directory. The metadata file must have the same name as the workflow file, but instead of the `.yml` extension, it must be appended with `.properties.json`. For example, this file named `octo-organization-ci.properties.json` contains the metadata for a workflow file named `octo-organization-ci.yml`:
+
+   {% data reusables.actions.workflow-templates-metadata-example %}
+
+   {% data reusables.actions.workflow-templates-metadata-keys %}
+
 1. To add another workflow template, add your files to the same `workflow-templates` directory.
 
 ## Next steps

content/actions/reference/workflows-and-actions/reusing-workflow-configurations.md

@@ -170,33 +170,9 @@ jobs:
 
 The metadata file must have the same name as the workflow file, but instead of the `.yml` extension, it must be appended with `.properties.json`. For example, this file named `octo-organization-ci.properties.json` contains the metadata for a workflow file named `octo-organization-ci.yml`:
 
-   ```json copy
-   {
-       "name": "Octo Organization Workflow",
-       "description": "Octo Organization CI workflow template.",
-       "iconName": "example-icon",
-       "categories": [
-           "Go"
-       ],
-       "filePatterns": [
-           "package.json$",
-           "^Dockerfile",
-           ".*\\.md$"
-       ]
-   }
-   ```
-
-* `name` - **Required.** The name of the workflow. This is displayed in the list of available workflows.
-* `description` - **Required.** The description of the workflow. This is displayed in the list of available workflows.
-* `iconName` - _Optional._ Specifies an icon for the workflow that is displayed in the list of workflows. `iconName` can one of the following types:
-  * An SVG file that is stored in the `workflow-templates` directory. To reference a file, the value must be the file name without the file extension. For example, an SVG file named `example-icon.svg` is referenced as `example-icon`.
-  * An icon from {% data variables.product.prodname_dotcom %}'s set of [Octicons](https://primer.style/octicons/). To reference an octicon, the value must be `octicon <icon name>`. For example, `octicon smiley`.
-* `categories` - **Optional.** Defines the categories that the workflow is shown under. You can use category names from the following lists:
-  * General category names from the [starter-workflows](https://github.com/actions/starter-workflows/blob/main/README.md#categories) repository.
-  * Linguist languages from the list in the [linguist](https://github.com/github-linguist/linguist/blob/main/lib/linguist/languages.yml) repository.
-  * Supported tech stacks from the list in the [starter-workflows](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml) repository.
-
-* `filePatterns` - **Optional.** Allows the workflow to be used if the user's repository has a file in its root directory that matches a defined regular expression.
+{% data reusables.actions.workflow-templates-metadata-example %}
+
+{% data reusables.actions.workflow-templates-metadata-keys %}
 
 {% ifversion fpt or ghec %}
 

content/apps/using-github-apps/installing-a-github-app-from-a-third-party.md

@@ -45,9 +45,9 @@ Organization owners can install {% data variables.product.prodname_github_apps %
 Enterprise owners can install {% data variables.product.prodname_github_apps %} on their enterprise accounts, if the application requests enterprise permissions and is owned by the enterprise or one of its organizations.
 {% endif %}
 
-Admins of repositories that are owned by an organization can also install {% data variables.product.prodname_github_apps %} on the organization if they only grant the app access to repositories that they are an admin of and if the app does not request any organization permissions or the "repository administration" permission. Organization owners can prevent outside collaborators who are repository admins from installing {% data variables.product.prodname_github_apps %}.
+{% data reusables.apps.repo-admin-install-restriction %}
 
-Organization members who are not organization owners or repository admins can still select the organization during the install process. Instead of installing the app, {% data variables.product.company_short %} will send a notification to the organization owner to request the organization owner to install the app.
+Organization members and outside collaborators that cannot install an app on the organization can still select the organization during the install process. Instead of installing the app, {% data variables.product.company_short %} will send a notification to the organization owner to request the organization owner to install the app. The ability to make these requests can be controlled using app access request policies. See [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
 
 The "app manager" role does not give a person the ability to install a {% data variables.product.prodname_github_app %} on the organization{% ifversion enterprise-app-manager %}  or enterprise{% endif %}. See [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).
 

content/apps/using-github-apps/installing-a-github-app-from-github-marketplace-for-your-organizations.md

@@ -46,7 +46,7 @@ Organization owners can install {% data variables.product.prodname_github_apps %
 
 For enterprises that pay by credit card, enterprise owners who are also organization owners can install {% data variables.product.prodname_github_apps %} on organizations within their enterprise.
 
-Admins of repositories that are owned by an organization can also install {% data variables.product.prodname_github_apps %} on the organization if they only grant the app access to repositories that they are an admin of and if the app does not request any organization permissions or the "repository administration" permission. Organization owners can prevent outside collaborators who are repository admins from installing {% data variables.product.prodname_github_apps %}.
+{% data reusables.apps.repo-admin-install-restriction %}
 
 The "app manager" role does not give a person the ability to install a {% data variables.product.prodname_github_app %} in the organization{% ifversion enterprise-app-manager %} or enterprise{% endif %}. For more information, see [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).
 

content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md

@@ -22,7 +22,7 @@ redirect_from:
 
 {% data reusables.rai.code-scanning.copilot-autofix-note %}
 
-{% data variables.copilot.copilot_autofix_short %} generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. {% data variables.copilot.copilot_autofix_short %} uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model {% data variables.copilot.copilot_gpt_41 %} from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
+{% data variables.copilot.copilot_autofix_short %} generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. {% data variables.copilot.copilot_autofix_short %} uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model {% data variables.copilot.copilot_gpt_51 %} from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
 
 {% data variables.copilot.copilot_autofix_short %} is allowed by default and enabled for every repository using {% data variables.product.prodname_codeql %}, but you can choose to opt out and disable {% data variables.copilot.copilot_autofix_short %}. To learn how to disable {% data variables.copilot.copilot_autofix_short %} at the enterprise, organization and repository levels, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning).
 

content/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites.md

@@ -44,7 +44,7 @@ The built-in {% data variables.product.prodname_codeql %} query suites, `default
 * Relative to the `default` query suite, the `security-extended` suite may return a greater number of false positive {% data variables.product.prodname_code_scanning %} results.
 * This query suite is available for use with default setup for {% data variables.product.prodname_code_scanning %}, and is referred to as the "Extended" query suite on {% data variables.product.prodname_dotcom %}.
 
-For a complete list of queries included in each query suite for every language, see [AUTOTITLE](/code-security/code-scanning/reference).
+For a complete list of queries included in each query suite for every language, see [AUTOTITLE](/code-security/code-scanning/reference/code-ql-built-in-queries).
 
 ## Further reading
 

content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md

@@ -69,6 +69,57 @@ Once enabled, automatic dependency submission jobs will run on the self-hosted r
 
 >[!NOTE] For Maven or Gradle projects that use self-hosted runners with private Maven registries, you need to modify the Maven server settings file to allow the dependency submission workflows to connect to the registries. For more information about the Maven server settings file, see [Security and Deployment Settings](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#transitive-dependencies) in the Maven documentation.
 
+### Configuring network access for self-hosted runners
+
+If your self-hosted runners operate behind a firewall with restricted outbound internet access, you must add certain URLs to the allowlist for automatic dependency submission. The required URLs depend on the ecosystems your repositories use.
+
+#### Required URLs for all ecosystems
+
+These URLs are required for all automatic dependency submission workflows:
+
+* `https://github.com`—Required for accessing {% data variables.product.github %} and downloading actions.
+* `https://api.github.com`—Required for {% data variables.product.github %} API access.
+* `https://*.githubusercontent.com`—Required for downloading action source code and releases (including `raw.githubusercontent.com`, `github-releases.githubusercontent.com`, and `objects.githubusercontent.com`).
+
+#### Ecosystem-specific URLs
+
+Depending on the ecosystems you use, you may need to allowlist additional URLs.
+
+##### Go
+
+* `https://go.dev`—For downloading the Go toolchain.
+* `https://golang.org`—Alternate domain for Go downloads.
+* `https://proxy.golang.org`—Official Go module proxy for downloading Go modules during dependency detection.
+
+> [!NOTE]
+> The `actions/go-versions` repository is accessed via `https://raw.githubusercontent.com`, which is already covered in the general requirements.
+
+##### Java (Maven and Gradle)
+
+* `https://repo.maven.apache.org`—Maven Central repository for downloading dependencies.
+* `https://api.adoptium.net`—For downloading Adoptium/Temurin JDK distributions (default distribution used by `actions/setup-java`).
+
+If you use a different JDK distribution, you may also need:
+* `https://aka.ms` and `https://download.microsoft.com`—For Microsoft Build of OpenJDK (note: `aka.ms` is also used for .NET downloads).
+* `https://download.oracle.com`—For Oracle JDK.
+* `https://api.azul.com`—For Azul Zulu OpenJDK.
+
+##### .NET (C#, F#, Visual Basic)
+
+* `https://aka.ms`—Microsoft URL shortener that redirects to .NET download locations.
+* `https://builds.dotnet.microsoft.com`—Primary feed for .NET SDK and runtime downloads.
+* `https://ci.dot.net`—Secondary feed for .NET builds.
+
+> [!NOTE]
+> The `microsoft/component-detection` tool used by .NET autosubmission is downloaded from  {% data variables.product.github %}  releases, which is already covered in the general requirements (`https://github.com` and `https://*.githubusercontent.com`).
+
+##### Python
+
+* `https://python.org`—For downloading Python interpreters.
+
+> [!NOTE]
+> The `actions/python-versions` repository and `microsoft/component-detection` releases are accessed via URLs already covered in the general requirements (`https://*.githubusercontent.com` and `https://github.com`).
+
 ## Using {% data variables.product.company_short %}-hosted {% data variables.actions.hosted_runners %} for automatic dependency submission
 
 {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} users can use {% data variables.actions.hosted_runners %} to run automatic dependency submissions jobs.

content/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment.md

@@ -180,16 +180,6 @@ You can run {% data variables.copilot.copilot_coding_agent %} on self-hosted run
 
     You can set these environment variables by following the [instructions above](#setting-environment-variables-in-copilots-environment), or by baking the environment variables into your custom runner image. For more information on building a custom image, see [AUTOTITLE](/actions/concepts/runners/actions-runner-controller#creating-your-own-runner-image).
 
-### Security considerations for self-hosted runners
-
-When using self-hosted runners, especially with the firewall disabled, ensure your hosting environment has strict network communication controls. The following endpoints must be reachable from your runners:
-
-* `api.githubcopilot.com`
-* `uploads.github.com`
-* `user-images.githubusercontent.com`
-
-For a comprehensive list of other hosts that must also be allowlisted for {% data variables.product.prodname_actions %} self-hosted runners, see [AUTOTITLE](/actions/reference/runners/self-hosted-runners#accessible-domains-by-function).
-
 ## Enabling Git Large File Storage (LFS)
 
 If you use Git Large File Storage (LFS) to store large files in your repository, you will need to customize {% data variables.product.prodname_copilot_short %}'s environment to install Git LFS and fetch LFS objects.

content/organizations/managing-programmatic-access-to-your-organization/about-programmatic-access-in-your-organization.md

@@ -20,9 +20,11 @@ versions:
 
 ## {% data variables.product.prodname_github_apps %}
 
-Organization owners can install {% data variables.product.prodname_github_apps %} on their organization. Repository admins can also install a {% data variables.product.prodname_github_app %} on the organization if the app does not request organization resources and if they only grant the app access to repositories where they are an admin. Organization members can submit a request for their organization owner to install a {% data variables.product.prodname_github_app %} on the organization. For more information, see {% ifversion fpt or ghec %}[AUTOTITLE](/apps/using-github-apps/installing-an-app-in-your-organization).{% else %}[AUTOTITLE](/apps/maintaining-github-apps/installing-github-apps).{% endif %}
+Organization owners can install {% data variables.product.prodname_github_apps %} on their organization. Repository admins can also install a {% data variables.product.prodname_github_app %} on the organization if the app does not request organization resources and if they only grant the app access to repositories where they are an admin. Organization members and outside collaborators can submit a request for their organization owner to install a {% data variables.product.prodname_github_app %} on the organization. For more information, see {% ifversion fpt or ghec %}[AUTOTITLE](/apps/using-github-apps/installing-an-app-in-your-organization).{% else %}[AUTOTITLE](/apps/maintaining-github-apps/installing-github-apps).{% endif %}
 
-Organization owners can prevent outside collaborators from requesting {% data variables.product.prodname_github_apps %} or from installing a {% data variables.product.prodname_github_app %} even if the collaborator is a repository admin. For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
+{% ifversion fpt or ghec or ghes > 3.19 %}Organization owners can restrict {% data variables.product.prodname_github_app %} installation to only organization owners. When this restriction is enabled, repository admins cannot install {% data variables.product.prodname_github_apps %} for their repositories and must instead use the request flow to ask organization owners to install apps.{% endif %}
+
+Organization owners can prevent users from requesting {% data variables.product.prodname_github_apps %} or from installing a {% data variables.product.prodname_github_app %} even if they are a repository admin. For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
 
 Organization owners can review the {% data variables.product.prodname_github_apps %} that are installed on their organization and modify the repositories that each app can access. For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/reviewing-github-apps-installed-in-your-organization).
 
@@ -32,7 +34,7 @@ To help maintain {% data variables.product.prodname_github_apps %} owned by thei
 
 ## {% data variables.product.prodname_oauth_apps %}
 
-Organization managers can restrict {% data variables.product.prodname_oauth_apps %} from accessing organization resources. When these restrictions are enabled, organization members and outside collaborators can still request approval for individual {% data variables.product.prodname_oauth_apps %}. For more information, see [AUTOTITLE](/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions).
+Organization managers must approve {% data variables.product.prodname_oauth_apps %} that users would like to use in their organization. When this requirement is enabled, organization members and outside collaborators must request approval for individual {% data variables.product.prodname_oauth_apps %}. For more information, see [AUTOTITLE](/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions) and [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
 
 {% endif %}