Merge pull request #44590 from github/repo-sync

Repo sync

Author: docs-bot

.github/workflows/link-check-internal.yml

@@ -134,27 +134,28 @@ jobs:
               return
             }
 
-            const tableRows = redirectGroups.map(g => {
+            const directives = redirectGroups.map(g => {
               const occ = g.occurrences[0]
               const redirectTarget = occ?.redirectTarget ?? 'unknown'
               const file = occ?.file ?? 'unknown'
-              const lines = (occ?.lines ?? []).join(', ')
-              return `| \`${g.target}\` | \`${redirectTarget}\` | \`${file}\` | ${lines} |`
+              const lines = (occ?.lines ?? []).join(', ') || 'unknown'
+              return `- Update \`${g.target}\` to \`${redirectTarget}\` in \`${file}\` (line(s): ${lines})`
             }).join('\n')
 
             const artifactsUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}/artifacts`
 
             const bodyLines = [
-              'Copilot please fix the redirected internal links listed in the table below. All changes should be made within the `github/docs-internal` repository. For each entry, open the source file and replace the **Current Link** with the **Update To** path.',
+              'Copilot, fix the redirected internal links listed below. All changes should be made within the `github/docs-internal` repository.',
+              '',
+              'For each directive below, open the specified file and find the old link path. Replace it with the new link path exactly as shown. Do not invent or guess link paths — only use the exact paths provided in each directive.',
+              '',
               'When all changes are made, open a pull request in `github/docs-internal` with the fixes. The pull request description should reference this issue to create a link between them. When the pull request is open, leave a comment on this issue with a link to it.',
               '',
               `These are the first ${redirectGroups.length} of ${allRedirectGroups.length} redirects found.`,
               '',
-              '## Redirects to fix',
+              '## Redirects to update',
               '',
-              '| Current Link | Update To | File | Line(s) |',
-              '|---|---|---|---|',
-              tableRows,
+              directives,
             ]
 
             const MAX_ISSUE_BODY_LENGTH = 65536
@@ -179,7 +180,7 @@ jobs:
               agent_assignment: {
                 target_repo: 'github/docs-internal',
                 base_branch: 'main',
-                custom_instructions: 'For each entry in the table, open the source file in the github/docs-internal repository and replace the Current Link with the Update To path. When all changes are made, open a pull request in github/docs-internal with the fixes. When the pull request is open, leave a comment on this issue with a link to it.',
+                custom_instructions: 'Follow each directive in the issue exactly. Each directive specifies a file, the old link to find, and the new link to replace it with. Use only the exact paths provided — do not invent or guess any link paths. When all changes are made, open a pull request in github/docs-internal with the fixes. When the pull request is open, leave a comment on this issue with a link to it.',
               },
             })
 

.github/workflows/sync-secret-scanning.yml

@@ -37,61 +37,44 @@ jobs:
         run: |
           npm run sync-secret-scanning
 
-      - name: Create a pull request
+      - name: Create pull request
+        id: create-pull-request
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # pin @v8.0.0
         env:
-          # Needed for gh
-          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
-        run: |
-          # If nothing to commit, exit now. It's fine.
-          changes=$(git diff --name-only | wc -l)
-          untracked=$(git status --untracked-files --short | wc -l)
-          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
-            echo "There are no changes to commit. Exiting..."
-            exit 0
-          fi
-
-          git config --global user.name "docs-bot"
-          git config --global user.email "77750099+docs-bot@users.noreply.github.com"
-
-          branchname=sync-secret-scanning-`date +%Y%m%d%H%M%S`
-
-          remotesha=$(git ls-remote --heads origin $branchname)
-          if [ -n "$remotesha" ]; then
-            # output is not empty, it means the remote branch exists
-            echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..."
-            exit 0
-          fi
-
-          git checkout -b $branchname
-          git add .
-          git commit -m "Add updated secret scanning data"
-          git push origin $branchname
-
-          echo "Creating pull request..."
-          gh pr create \
-            --title "Sync secret scanning data" \
-            --body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service.
+          # Disable pre-commit hooks; they don't play nicely here
+          HUSKY: '0'
+        with:
+          # need to use a token with repo and workflow scopes for this step
+          token: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          commit-message: 'Add updated secret scanning data'
+          title: Sync secret scanning data
+          body: |
+            👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service.
 
             If CI passes, this PR will be auto-merged. :green_heart:
 
-            If CI does not pass or other problems arise, contact #docs-engineering on Slack.' \
-            --repo github/docs-internal \
-            --label secret-scanning-pipeline,'skip FR board',workflow-generated \
-            --head=$branchname
+            If CI does not pass or other problems arise, contact #docs-engineering on Slack.
+
+            This automated PR was created by [this workflow](https://github.com/github/docs-internal/blob/main/.github/workflows/sync-secret-scanning.yml).
+          branch: sync-secret-scanning-data
+          labels: |
+            secret-scanning-pipeline
+            skip FR board
+            workflow-generated
 
-          # can't approve your own PR, approve with Actions
-          echo "Approving pull request..."
-          unset GITHUB_TOKEN
-          gh auth login --with-token <<< "${{ secrets.GITHUB_TOKEN }}"
-          gh pr review --approve
-          echo "Approved pull request"
+      - name: Enable GitHub auto-merge
+        if: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
+          AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        run: npm run enable-automerge
 
-          # Actions can't merge the PR so back to docs-bot to merge
-          echo "Setting pull request to auto merge..."
-          unset GITHUB_TOKEN
-          gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"
-          gh pr merge --auto --merge
-          echo "Set pull request to auto merge"
+      - if: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        name: Approve
+        uses: juliangruber/approve-pull-request-action@dcc4effb325c0b503408619918d56e40653dcc91
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          number: ${{ steps.create-pull-request.outputs.pull-request-number }}
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}

content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md

@@ -315,7 +315,7 @@ jobs:
 
 | Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
 | --------------------- | -------------- | ------------ | -------------|
-| [`issues`](/webhooks-and-events/webhooks/webhook-events-and-payloads#issues) | - `opened`<br/>- `edited`<br/>- `deleted`<br/>- `transferred`<br/>- `pinned`<br/>- `unpinned`<br/>- `closed`<br/>- `reopened`<br/>- `assigned`<br/>- `unassigned`<br/>- `labeled`<br/>- `unlabeled`<br/>- `locked`<br/>- `unlocked`<br/>- `milestoned`<br/> - `demilestoned`<br/> - `typed`<br/> - `untyped` | Last commit on default branch | Default branch |
+| [`issues`](/webhooks-and-events/webhooks/webhook-events-and-payloads#issues) | - `opened`<br/>- `edited`<br/>- `deleted`<br/>- `transferred`<br/>- `pinned`<br/>- `unpinned`<br/>- `closed`<br/>- `reopened`<br/>- `assigned`<br/>- `unassigned`<br/>- `labeled`<br/>- `unlabeled`<br/>- `locked`<br/>- `unlocked`<br/>- `milestoned`<br/> - `demilestoned`<br/> - `typed`<br/> - `untyped`{% ifversion issue-fields %}<br/> - `field_added`<br/> - `field_removed`{% endif %} | Last commit on default branch | Default branch |
 
 > [!NOTE]
 > * {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#issues). {% data reusables.developer-site.limit_workflow_to_activity_types %}
@@ -331,6 +331,18 @@ on:
     types: [opened, edited, milestoned]
 ```
 
+{% ifversion issue-fields %}
+
+You can also run a workflow when an issue field value is set, changed, or cleared. The `field_added` activity type fires both when a field value is initially set and when an existing value is updated. The `field_removed` activity type fires when a field value is cleared.
+
+```yaml
+on:
+  issues:
+    types: [field_added, field_removed]
+```
+
+{% endif %}
+
 ## `label`
 
 | Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |

content/billing/concepts/product-billing/github-code-quality.md

@@ -15,23 +15,35 @@ category:
 
 ## How use of {% data variables.product.prodname_code_quality %} is measured
 
-### For general availability
-
-When {% data variables.product.prodname_code_quality_short %} is generally available, scanning repositories will incur two types of costs for an organization:
-
-* {% data variables.product.prodname_ai_credits_short %}
-* {% data variables.product.prodname_actions %} minutes needed to run the scans unless you use self-hosted runners
+{% data variables.product.prodname_code_quality_short %} billing depends on whether the product is generally available or in {% data variables.release-phases.public_preview %}. The product is anticipated to move from public preview to generally available in July, 2026, and this page will be updated accordingly.
 
 ### For the {% data variables.release-phases.public_preview %}
 
-When you scan private repositories during the {% data variables.release-phases.public_preview %}, you **will not be billed** for {% data variables.product.prodname_ai_credits_short %} usage, but {% data variables.product.prodname_actions %} minutes **will be consumed**.
+When you scan private repositories during the {% data variables.release-phases.public_preview %}, you **will not be billed** for {% data variables.product.prodname_ai_credits_short %} or active committer usage, but {% data variables.product.prodname_actions %} minutes **will be consumed**.
 
 To view consumption of actions by the `{% data variables.code-quality.workflow_name_billing %}` workflow, download a detailed usage report from the "Billing and licensing" tab. See [AUTOTITLE](/billing/how-tos/products/view-productlicense-use).
 
 > [!NOTE]
 > {% data reusables.code-quality.shared-workflow-preview %}
 
+### For general availability
+
+When {% data variables.product.prodname_code_quality_short %} is generally available, use of the product will incur three types of costs for an organization:
+* **{% data variables.product.prodname_actions %} minutes** — {% data variables.product.prodname_code_quality_short %} scans run as {% data variables.product.prodname_actions %} workflows and consume {% data variables.product.prodname_actions %} minutes, unless you use self-hosted runners. For more information, see [AUTOTITLE](/billing/concepts/product-billing/github-actions).
+* **{% data variables.product.prodname_ai_credits %}** — {% data variables.product.prodname_code_quality_short %} features that use AI models consume {% data variables.product.prodname_ai_credits_short %}. Each interaction is priced based on the number of tokens consumed, where 1 {% data variables.product.prodname_ai_credit_singular %} = {% data variables.product.prodname_ai_credits_value %}. {% data reusables.code-quality.model-usage %} For more information about how {% data variables.product.prodname_ai_credits_short %} work, see [AUTOTITLE](/copilot/concepts/billing/usage-based-billing-for-organizations-and-enterprises).
+* **Active committers** — Your license usage is calculated based on the number of unique, active committers to repositories with {% data variables.product.prodname_code_quality_short %} enabled. {% data variables.product.prodname_github_app %} bots are ignored. For information about differences between bot and machine accounts, see [AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/differences-between-github-apps-and-oauth-apps#machine-vs-bot-accounts).
+
+#### Active and unique committers
+
+Each **active committer** to at least one repository with {% data variables.product.prodname_code_quality_short %} enabled uses **one license**. A committer is considered active if one of their commits has been pushed to the repository within the last 90 days, regardless of when it was originally authored.
+
+* **Active committers** are committers who contributed to at least one repository and have a {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} license with your organization or enterprise. That is, they are also a member, an enterprise-managed user, an external collaborator, or have a pending invitation to join your organization or enterprise.
+* **Unique committers** is the number of active committers who contributed only to one repository, or only to repositories in one organization. You can free up this number of licenses by disabling {% data variables.product.prodname_code_quality_short %} for that repository or organization.
+
+Users can contribute to multiple repositories or organizations. Usage is measured across the whole organization or enterprise to ensure that each member uses one license regardless of how many repositories or organizations the user contributes to.
+
 ## Further reading
 
 * [AUTOTITLE](/code-security/code-quality/get-started/quickstart)
-* [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality)
+* [AUTOTITLE](/billing/concepts/product-billing/github-actions)
+* [AUTOTITLE](/copilot/concepts/billing/usage-based-billing-for-organizations-and-enterprises)

content/code-security/concepts/secret-security/about-push-protection.md

@@ -89,16 +89,3 @@ After you enable push protection for repositories, you can customize it by:
 * Designating contributors who can bypass push protection and approve bypass requests for other contributors{% ifversion push-protection-org-enterprise-exemptions %}, or are exempt from push protection entirely{% endif %}{% ifversion push-protected-pattern-configuration %}
 * Configuring which secret patterns are included in push protection at the enterprise or organization level{% endif %}
 
-## Next steps
-
-To enable push protection:
-* **For a repository**, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository).
-{% ifversion security-configurations-cloud -%}
-* **For an organization or enterprise**, you need to apply a {% data variables.product.prodname_security_configuration %}. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/applying-the-github-recommended-security-configuration-in-your-organization) and [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/applying-the-github-recommended-security-configuration-to-your-enterprise).
-{% elsif security-configuration-enterprise-level -%}
-* **For an organization or enterprise**, you need to apply a {% data variables.product.prodname_security_configuration %}. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration) and [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise).
-{% else -%}
-* **For an organization**, you need to apply a {% data variables.product.prodname_security_configuration %}. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration).
-{% endif %}
-
-For a list of secrets and service providers supported by push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).

content/code-security/concepts/secret-security/about-secret-scanning.md

@@ -76,14 +76,3 @@ Validity checks are separate from {% data variables.product.prodname_secret_scan
 ## How can I access this feature?
 
 {% data reusables.gated-features.secret-scanning %}
-
-## Next steps
-
-* **If you've received an alert**, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) to learn how to review, resolve, and remediate exposed secrets.
-{%- ifversion secret-risk-assessment %}
-* **If you're securing an organization**, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-secret-risk) to determine your organization's exposure to leaked secrets.
-{% endif %}
-
-## Further reading
-
-* For a complete list of supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets).

content/code-security/concepts/secret-security/push-protection-metrics.md

@@ -34,7 +34,3 @@ You can see {% data variables.product.prodname_secret_scanning %} metrics for a
 * The `admin` role for the repository
 * A custom repository role with the "View {% data variables.product.prodname_secret_scanning %} alerts" fine-grained permissions for the repository
 * Access to alerts for the repository
-
-## Next steps
-
-To find your push protection metrics, see [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-metrics-for-secret-scanning-push-protection).

content/code-security/concepts/secret-security/secret-leakage-risks.md

@@ -86,17 +86,3 @@ Encourage individual developers to enable push protection for their personal acc
 ### 2. Detect existing secrets
 
 Use **{% data variables.product.prodname_secret_scanning %}** to continuously monitor your repositories for hardcoded secrets and generate alerts when credentials are detected, enabling you to revoke and rotate compromised credentials quickly. Beyond default detection of provider patterns, you can expand scanning to non-provider patterns and define custom patterns for organization-specific secrets. This helps you gain visibility into secret sprawl across your organization.
-
-## Next steps
-
-To protect your organization from secret leakage:
-{% ifversion secret-risk-assessment %}
-1. Run a free secret risk assessment to understand your current exposure. {% data variables.secret-scanning.secret-risk-assessment-cta-product %}
-{% endif %}
-1. Enable push protection to prevent new secrets from being committed.
-1. Enable {% data variables.product.prodname_secret_scanning %} to begin detecting existing secret leaks.
-1. Establish secure credential management practices for your development teams.
-
-{% ifversion secret-risk-assessment %}
-For an overview of {% data variables.product.github %}'s secret security features, see [AUTOTITLE](/code-security/concepts/secret-security/about-secret-security-with-github).
-{% endif %}