Merge pull request #42294 from github/repo-sync

Repo sync

Author: docs-bot

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Docs changelog
 
+**8 January 2026**
+
+We've added information about permissions to the article [Using GitHub Copilot CLI](https://docs.github.com/copilot/how-tos/use-copilot-agents/use-copilot-cli#permissions).
+
+<hr>
+
 **18 December 2025**
 
 The documentation has been updated to reflect the general availability of direct organization billing for premium request usage in Copilot Code Review. Organization members without a Copilot plan can now use Copilot Code Review on GitHub.com, with premium request usage billed directly to their organization or enterprise. See [Copilot code review without a Copilot license](https://docs.github.com/en/copilot/concepts/agents/code-review#copilot-code-review-without-a-copilot-license).

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/control-offboarding.md

@@ -14,14 +14,17 @@ type: how_to
 
 By default, when a user loses access to all organizations in your enterprise, the user remains in your enterprise as an unaffiliated user. This can happen when you remove a user from organizations explicitly or remove an organization from your enterprise.
 
-Unaffiliated users retain team membership, enterprise roles, and {% data variables.product.prodname_copilot %} licenses granted directly from the enterprise account.
+Unaffiliated users retain enterprise-level team membership, enterprise roles, and {% data variables.product.prodname_copilot %} licenses granted directly from the enterprise account.
 
-You can set a policy to instead remove users from the enterprise completely when they are removed from every organization. Removed users will lose all privileges and licenses granted from the enterprise. This is useful if you have an offboarding process that depends on removing users from organizations, for example using team synchronization from an identity provider.
+You can set a policy to instead remove users from the enterprise completely when they are removed from every organization. Removed users will lose all privileges and licenses granted from the enterprise. This is useful if your enterprise offboarding process involves removing users from organizations, whether through organization-level SCIM deprovisioning, the GitHub web UI, or a non-SCIM REST API endpoint. For more information, see the link that corresponds to your use case:
+- [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)
+- [Revoking the user's membership](/organizations/managing-membership-in-your-organization/removing-a-member-from-your-organization#revoking-the-users-membership)
+- [Remove organization membership for a user](/rest/orgs/members?apiVersion=2022-11-28#remove-organization-membership-for-a-user) in the REST API documentation.
 
 This policy:
 
-* Applies regardless of how users lose their organization membership (through direct removal, a team, or removing an organization).
-* Does **not** apply to users with the enterprise owner or enterprise billing manager role. These users remain in the enterprise regardless of their organization membership and the policy setting.
+* Applies regardless of how users are removed from an organization.
+* Does **not** apply to users with the enterprise owner or enterprise billing manager role. These users remain in the enterprise regardless of their organization membership and the policy setting. For more details on how to remove an enterprise owner or enterprise billing manager from the enterprise, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/removing-a-member-from-your-enterprise#removing-a-member-from-your-enterprise) and [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#removing-an-enterprise-administrator-from-your-enterprise-account).
 
 ## Setting the policy
 

content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md

@@ -107,7 +107,8 @@ You can recommend that repositories in your organization use the "Extended" quer
 You can customize several {% data variables.product.prodname_global_settings %} for {% data variables.product.prodname_code_scanning %}:
 
 {% ifversion code-scanning-autofix %}* [Enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_codeql %}](#enabling-copilot-autofix-for-codeql){% endif %}
-* [Recommending the extended query suite for default setup](#recommending-the-extended-query-suite-for-default-setup){% ifversion ghes < 3.17 %}
+* [Recommending the extended query suite for default setup](#recommending-the-extended-query-suite-for-default-setup)
+* [Expanding {% data variables.product.prodname_codeql %} analysis](#expanding-codeql-analysis){% ifversion ghes < 3.17 %}
 * [Setting a failure threshold for {% data variables.product.prodname_code_scanning %} checks in pull requests](#setting-a-failure-threshold-for-code-scanning-checks-in-pull-requests).{% endif %}
 
 {% endif %}
@@ -124,6 +125,10 @@ You can select **{% data variables.copilot.copilot_autofix_short %}** to enable
 
 {% endif %}
 
+### Expanding {% data variables.product.prodname_codeql %} analysis
+
+You can expand {% data variables.product.prodname_codeql %} analysis coverage for all repositories in your organization that use default setup by configuring {% data variables.product.prodname_codeql %} model packs. Model packs extend the {% data variables.product.prodname_codeql %} analysis to recognize additional frameworks and libraries that are not included in the standard {% data variables.product.prodname_codeql %} libraries. This global configuration applies to repositories using default setup and allows you to specify model packs published via the container registry. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization).
+
 {% ifversion ghes < 3.17 %}
 
 ### Setting a failure threshold for {% data variables.product.prodname_code_scanning %} checks in pull requests

content/copilot/how-tos/use-copilot-agents/use-copilot-cli.md

@@ -74,6 +74,40 @@ Install {% data variables.copilot.copilot_cli_short %}. See [AUTOTITLE](/copilot
 
    For example, if you ask {% data variables.product.prodname_copilot_short %} to create a bash script but you do not want to use the script {% data variables.product.prodname_copilot_short %} suggests, you can stop the current operation and enter a new prompt, such as: `Continue the previous task but include usage instructions in the script`.
 
+## Permissions
+
+{% data variables.copilot.copilot_cli_short %} uses a permissions system to control access to paths and URLs. At times, path and URL permission checks utilize heuristic-based detection, which has limitations to be aware of.
+
+### Path permissions
+
+Path permissions control which directories and files {% data variables.product.prodname_copilot_short %} can access. By default, {% data variables.copilot.copilot_cli_short %} can access the current working directory, its subdirectories, and the system temp directory.
+
+Path permissions apply to shell commands, file operations (create, edit, view), and search tools (such as `grep` and glob patterns). For shell commands, paths are heuristically extracted by tokenizing command text and identifying tokens that look like paths.
+
+> [!WARNING]
+> Path detection for shell commands has limitations:
+>
+> * Paths embedded in complex shell constructs may not be detected.
+> * Only a specific set of environment variables are expanded (`HOME`, `TMPDIR`, `PWD`, and similar). Custom variables like `$MY_PROJECT_DIR` are not expanded and may not be validated correctly.
+> * Symlinks are resolved for existing files, but not for files being created.
+
+To disable path verification, use the `--allow-all-paths` flag when starting {% data variables.copilot.copilot_cli_short %}.
+
+### URL permissions
+
+URL permissions control which external URLs {% data variables.product.prodname_copilot_short %} can access. By default, all URLs require approval before access is granted.
+
+URL permissions apply to the `web_fetch` tool and a curated list of shell commands that access the network (such as `curl`, `wget`, and `fetch`). For shell commands, URLs are extracted using regex patterns.
+
+> [!WARNING]
+> URL detection for shell commands has limitations:
+>
+> * URLs in file contents, config files, or environment variables read by commands are not detected.
+> * Obfuscated URLs (such as split strings or escape sequences) may not be detected.
+> * HTTP and HTTPS are treated as different protocols and require separate approval.
+
+To disable URL verification, use the `--allow-all-urls` flag. To pre-approve specific domains, use `--allow-url <domain>` (for example, `--allow-url github.com`).
+
 ## Tips
 
 Optimize your experience with {% data variables.copilot.copilot_cli_short %} with the following tips.

content/copilot/tutorials/use-custom-instructions.md

@@ -125,7 +125,7 @@ Use `copilot-instructions.md` for:
 
 **Example structure for `copilot-instructions.md`**:
 
-```markdown
+```markdown copy
 # General Code Review Standards
 
 ## Code Quality Essentials
@@ -160,7 +160,7 @@ Use `*.instructions.md` files with the `applyTo` frontmatter property for:
 
 Create a file called `python.instructions.md` in the `.github/instructions` directory:
 
-````markdown
+````text copy
 ---
 applyTo: "**/*.py"
 ---
@@ -201,7 +201,7 @@ with open('data.txt') as file:
 
 Create a file called `frontend.instructions.md` in the `.github/instructions` directory:
 
-````markdown
+````text copy
 ---
 applyTo: "src/components/**/*.{tsx,jsx}"
 ---
@@ -248,7 +248,7 @@ Each file should have a clear, specific purpose and appropriate `applyTo` frontm
 
 Based on what works well with {% data variables.copilot.copilot_code-review_short %}, here's a recommended template for structuring your instructions:
 
-````markdown
+````text copy
 ---
 applyTo: "**/*.{js,ts}"  # If this is a path-specific file
 ---
@@ -365,7 +365,7 @@ Here's a complete example that incorporates all the best practices from this tut
 
 **File: `.github/copilot-instructions.md`**
 
-```markdown
+```markdown copy
 # General Code Review Standards
 
 ## Purpose
@@ -412,7 +412,7 @@ Always prioritize security vulnerabilities and performance issues that could imp
 
 **File: `.github/instructions/typescript.instructions.md`**
 
-````markdown
+````text copy
 ---
 applyTo: "**/*.{ts,tsx}"
 ---

data/reusables/dependabot/supported-package-managers.md

@@ -49,7 +49,7 @@ poetry         | `pip`            | v1               | {% octicon "check" aria-l
 | {% endif %} |
 [Swift](#swift)      | `swift`      | v5  | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} (git only) | {% octicon "x" aria-label="Not supported" %} |
 [Terraform](#terraform)      | `terraform`      | >= 0.13, <= 1.13.x  | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
-uv        | `uv`            | v0               | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
+uv        | `uv`            | v0               | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
 | {% ifversion dependabot-vcpkg-support %} |
 [vcpkg](#vcpkg) | `vcpkg`          | Not applicable   | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable |
 | {% endif %} |