Merge branch 'main' into patch-1

Author: Sharra-writes

assets/images/help/copilot/copilot-creates-sub-issues-workbench.png

@@ -93,13 +93,15 @@ Once the custom resources are installed, you can deploy ARC into your Kubernetes
 
 This image contains the least amount of packages necessary for the container runtime and the runner binaries. To install additional software, you can create your own runner image. You can use ARC's runner image as a base, or use the corresponding setup actions. For instance, `actions/setup-java` for Java or `actions/setup-node` for Node.
 
-You can find the definition of ARC's runner image in [this Dockerfile](https://github.com/actions/runner/blob/main/images/Dockerfile) and the definition of the base image in [this Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile).
+You can find the definition of ARC's runner image in [this Dockerfile](https://github.com/actions/runner/blob/main/images/Dockerfile). To view the current base image, check the `FROM` line in the runner image Dockerfile, then search for that tag in the [`dotnet/dotnet-docker`](https://github.com/dotnet/dotnet-docker/tree/main/src/runtime-deps) repository.
+
+For example, if the `FROM` line in the runner image Dockerfile is `mcr.microsoft.com/dotnet/runtime-deps:8.0-jammy AS build`, then you can find the base image in [`https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy/amd64/Dockerfile`](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy/amd64/Dockerfile).
 
 #### Creating your own runner image
 
 You can create your own runner image that meets your requirements. Your runner image must fulfill the following conditions.
 
-* Use a base image that can run the self-hosted runner application. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners).
+* Use a base image that can run the self-hosted runner application. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners).
 
 * The [runner binary](https://github.com/actions/runner/releases) must be placed under `/home/runner/` and launched using `/home/runner/run.sh`.
 * If you use Kubernetes mode, the [runner container hooks](https://github.com/actions/runner-container-hooks/releases) must be placed under `/home/runner/k8s`.
@@ -175,6 +177,6 @@ The supported runner image is released as a separate container image, which you
 
 When you're ready to use ARC to execute workflows, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow).
 
-{% data reusables.actions.actions-runner-controller-labels %} For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow).
+{% data reusables.actions.actions-runner-controller-labels %} See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-self-hosted-runners-in-a-workflow).
 
-You can scale runners statically or dynamically depending on your needs. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#scaling-runners).
+You can scale runners statically or dynamically depending on your needs. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#scaling-runners).

assets/images/help/copilot/copilot-creates-sub-issues.png

@@ -191,7 +191,7 @@ You can control the maximum number of jobs allowed to run concurrently for speci
 > [!NOTE]
 > To use static IP addresses, your organization must use {% data variables.product.prodname_ghe_cloud %}. {% data reusables.enterprise.link-to-ghec-trial %}
 
-You can enable static IP addresses for {% data variables.actions.hosted_runner %}s. When you do this, the {% data variables.actions.hosted_runner %}s are assigned static IP address ranges. All IP addresses in the range assigned are usable and not in CIDR notation. By default, you can configure up to 10 different {% data variables.actions.hosted_runner %}s with IP ranges for your account. {% data reusables.actions.larger-runner-static-ip-contact-support %}
+You can enable static IP addresses for {% data variables.actions.hosted_runner %}s. When you do this, the {% data variables.actions.hosted_runner %}s are assigned static IP address ranges. All IP addresses in the range assigned are usable. By default, you can configure up to 10 different {% data variables.actions.hosted_runner %}s with IP ranges for your account. {% data reusables.actions.larger-runner-static-ip-contact-support %}
 
 The number of available IP addresses in the assigned ranges does not restrict number of concurrent jobs specified for autoscaling. Within a runner pool, there is a load balancer which allows for high reuse of the IP addresses in the assigned ranges. This ensures your workflows can run concurrently at scale while each machine is assigned a static IP address.
 

content/actions/concepts/runners/actions-runner-controller.md

@@ -91,7 +91,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Az CLI login'
-        uses: azure/login@v2
+        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}

content/actions/how-tos/manage-runners/larger-runners/manage-larger-runners.md

@@ -114,6 +114,8 @@ When you configure CAS, LDAP, or SAML authentication (without SCIM), {% data var
 
 1. {% data variables.product.github %} will normalize any non-alphanumeric character in your account's username into a dash. For example, a username of `mona.the.octocat` will be normalized to `mona-the-octocat`. Note that normalized usernames also can't start or end with a dash. They also can't contain two consecutive dashes.
 
+1. The letter casing in the value provided by the IdP is preserved in the normalized username.
+
 1. Usernames created from email addresses are created from the normalized characters that precede the `@` character.
 
 1. Usernames created from domain accounts are created from the normalized characters after the `\\` separator.
@@ -124,12 +126,12 @@ When you configure CAS, LDAP, or SAML authentication (without SCIM), {% data var
 
 | Identifier on provider | Normalized username on {% data variables.product.prodname_dotcom_the_website %} | Result |
 | :- | :- | :- |
-| The.Octocat | `the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is created successfully. |
-| !The.Octocat | `-the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created, because it starts with a dash. |
-| The!!Octocat | `the--octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created, because it contains two consecutive dashes. |
-| The!Octocat | `the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created. Although the normalized username is valid, it already exists. |
-| `The.Octocat@example.com` | `the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created. Although the normalized username is valid, it already exists. |
-| `internal\\The.Octocat` | `the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created. Although the normalized username is valid, it already exists. |
+| The.Octocat | `The-Octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is created successfully. |
+| !The.Octocat | `-The-Octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created, because it starts with a dash. |
+| The!!Octocat | `The--Octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created, because it contains two consecutive dashes. |
+| The!Octocat | `The-Octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created. Although the normalized username is valid, it already exists. |
+| `The.Octocat@example.com` | `The-Octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created. Although the normalized username is valid, it already exists. |
+| `internal\\The.Octocat` | `The-Octocat{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created. Although the normalized username is valid, it already exists. |
 | `mona.lisa.the.octocat.from.github.united.states@example.com` | `mona-lisa-the-octocat-from-github-united-states{% ifversion ghec %}_SHORT-CODE{% endif %}` | This username is not created, because it exceeds the 39-character limit. |
 
 {% ifversion ghes %}

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md

@@ -99,6 +99,9 @@ For more detailed information about how to enable SAML using Okta, see [AUTOTITL
 1. Optionally, in the **Issuer** field, type your SAML issuer URL to verify the authenticity of sent messages.
 1. Under **Public Certificate**, paste a certificate to verify SAML responses. This is the public key corresponding to the private key used to sign SAML responses.
 
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+
    To find the certificate, refer to the documentation for your IdP. Some IdPs call this an X.509 certificate.
 
 {% data reusables.saml.edit-signature-and-digest-methods %}

content/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication.md

@@ -12,6 +12,7 @@ topics:
 children:
   - /about-your-exposure-to-vulnerable-dependencies
   - /prioritizing-dependabot-alerts-using-metrics
+  - /prioritizing-dependabot-alerts-using-production-context
 redirect_from:
   - /code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilites
 ---

content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -0,0 +1,60 @@
+---
+title: Prioritizing Dependabot alerts using production context
+shortTitle: Dependabot production context
+intro: 'You can focus remediation on real risk by prioritizing {% data variables.product.prodname_dependabot_alerts %} for artifacts actually present in production, using metadata from external registries like JFrog Artifactory or your own CI/CD workflows.'
+product: '{% data reusables.gated-features.dependabot-alerts %}'
+versions:
+  fpt: '*'
+  ghec: '*'
+type: how_to
+topics:
+  - Code Security
+  - Dependabot
+  - Organizations
+  - Security
+---
+
+> [!NOTE] Production context is in {% data variables.release-phases.public_preview %} and subject to change.
+
+## Prioritizing {% data variables.product.prodname_dependabot_alerts %} using production context
+
+Application Security (AppSec) managers are often overwhelmed by a high volume of {% data variables.product.prodname_dependabot_alerts %}, many of which may not represent real risk because the affected code never makes it to production. By associating production context with your alerts, you can filter and prioritize vulnerabilities that impact artifacts actually approved for production environments. This enables your team to focus remediation efforts on the vulnerabilities that matter most, reducing noise and improving your security posture.
+
+## Associating production context with {% data variables.product.prodname_dependabot_alerts %}
+
+{% data variables.product.github %} enables production context for your {% data variables.product.prodname_dependabot_alerts %} by providing a Storage Record API. This API allows package registries or GitOps workflows to send artifact lifecycle data to {% data variables.product.github %}. The API should be called whenever an artifact is promoted to a production-approved package repository.
+
+{% data variables.product.github %} processes this metadata and uses it to power new alert filters, such as `artifact-registry-url` and `artifact-registry`. For more information, see [Create artifact metadata storage record](/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record) in the REST API documentation.
+
+## Steps to prioritize alerts
+
+Follow these steps to enable and use production context for alert prioritization:
+
+### Step 1: Detect and report production artifact promotions
+
+In your CI/CD or GitOps workflow, whenever an artifact is promoted to a production-approved package repository, call the Storage Record API to to send the artifact's metadata to {% data variables.product.github %}. This includes information such as the artifact's registry, repository, and version. See [AUTOTITLE](/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record).
+
+If you use JFrog Artifactory, you do not need to perform any custom integration. Artifactory natively integrates with the Storage Record API. You only need to enable the integration in your Artifactory settings, and Artifactory will automatically emit production promotion events to {% data variables.product.github %}.
+
+The `artifact-registry:jfrog-artifactory` filter will work out of the box with no further setup in {% data variables.product.github %}. For setup instructions, see [JFrog and GitHub Integration: JFrog for [{% data variables.product.github %} {% data variables.product.prodname_dependabot %}]](https://jfrog.com/help/r/jfrog-and-github-integration-guide/jfrog-for-github-dependabot) in the JFrog documentation.
+
+### Step 2: Use production context filters
+
+{% data reusables.dependabot.where-to-view-dependabot-alerts %}. For information about accessing this tab, see [Viewing {% data variables.product.prodname_dependabot_alerts %}](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-dependabot-alerts).
+
+Once the alert list is displayed, use the `artifact-registry-url` or `artifact-registry` filters to focus on vulnerabilities affecting artifacts present in production. For example:
+
+```text
+artifact-registry-url:my-registry.example.com
+artifact-registry:jfrog-artifactory
+```
+
+You can also combine these with other filters, such as EPSS.
+
+```text
+epss > 0.5 AND artifact-registry-url:my-registry.example.com
+```
+
+## Further reading
+
+* [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/prioritizing-dependabot-alerts-using-metrics)

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilities/index.md

@@ -13,9 +13,13 @@ redirect_from:
 contentType: concepts
 ---
 
-> [!TIP] If you're looking for a more flexible way to organize context for {% data variables.product.prodname_copilot_short %}, you can also try {% data variables.copilot.copilot_spaces %}.
->
-> {% data variables.copilot.copilot_spaces_short %} let you combine code and free-text content—like transcripts or specs—and can be created by any {% data variables.product.prodname_copilot_short %} user, not just organization owners. They’re a good option for more focused or task-specific use cases. See [AUTOTITLE](/copilot/using-github-copilot/copilot-spaces/about-organizing-and-sharing-context-with-copilot-spaces).
+<!-- expires 2025-09-11 -->
+
+<!-- When this expires, check with the stakeholder for release #6165 if the knowledge bases content can be deleted -->
+
+>[!IMPORTANT] Beginning September 12, 2025, knowledge bases will be {% data variables.release-phases.retired %} and fully replaced by {% data variables.copilot.copilot_spaces %}. {% data variables.copilot.copilot_spaces_short %} let you combine code and free-text content—like transcripts or specs—and can be created by any {% data variables.product.prodname_copilot_short %} user, not just organization owners. They’re a good option for more focused or task-specific use cases. See [AUTOTITLE](/copilot/using-github-copilot/copilot-spaces/about-organizing-and-sharing-context-with-copilot-spaces).
+
+<!-- end expires 2025-09-11 -->
 
 ## About knowledge bases
 
@@ -26,4 +30,4 @@ When you ask a question in {% data variables.copilot.copilot_chat_short %} with
 ## Next steps
 
 * To learn how to create and manage knowledge bases, see [AUTOTITLE](/copilot/how-tos/context/creating-and-managing-copilot-knowledge-bases).
-* To learn how to use knowledge bases in {% data variables.copilot.copilot_chat_short %}, see [AUTOTITLE](/copilot/how-tos/chat/asking-github-copilot-questions-in-github#asking-copilot-chat-questions-about-a-knowledge-base) and [AUTOTITLE](/copilot/how-tos/chat/asking-github-copilot-questions-in-your-ide#asking-a-question-about-a-knowledge-base).
+* To learn how to use knowledge bases, see [AUTOTITLE](/copilot/how-tos/provide-context/use-knowledge-bases).