Merge pull request #43659 from github/repo-sync

docs-bot · web-flow · commit 4f9c7eab5055 · 2026-04-03T13:37:22.000-07:00
Repo sync
diff --git a/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/index.md b/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/index.md
@@ -8,6 +8,7 @@ children:
   - /backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled
   - /using-a-staging-environment
   - /troubleshooting-github-actions-for-your-enterprise
+  - /updating-the-credentials-for-github-actions-storage
 shortTitle: HA & troubleshooting
 redirect_from:
   - /admin/github-actions/advanced-configuration-and-troubleshooting
diff --git a/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/updating-the-credentials-for-github-actions-storage.md b/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/updating-the-credentials-for-github-actions-storage.md
@@ -0,0 +1,45 @@
+---
+title: Updating the credentials for GitHub Actions storage
+shortTitle: Updating credentials for Actions storage
+intro: If your credentials for connecting to GitHub Actions storage change, you must update the credentials in the configuration on GitHub Enterprise Server.
+versions:
+  ghes: '*'
+contentType: how-tos
+category:
+  - Enable GitHub features for your enterprise
+---
+
+## Updating the credential secret for your storage provider
+To update the credential secret for your {% data variables.product.prodname_actions %} storage provider on {% data variables.product.prodname_ghe_server %}, you have two options.
+
+> [!WARNING]
+> This process is only for updating the secret key used to authenticate to your existing external storage provider. It assumes that your networking configuration, storage provider, and storage account remain unchanged.
+>
+> Do not use this process to switch between credential-based and OIDC-based authentication in the management console. Changing the authentication method for {% data variables.product.prodname_actions %} storage may result in data loss.
+
+1. Enable maintenance mode on the server. 
+1. Update the secret or obtain the updated secret from the storage provider.
+1. Use the UI or CLI option below to update the {% data variables.product.prodname_actions %} storage provider credential for {% data variables.product.prodname_ghe_server %}.
+
+### Updating the credential secret using the management console
+1. Navigate to the Actions section of the **Management Console**. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/accessing-the-management-console).
+1. Update the secret, or in the case of Azure Blob storage, the secret within the connection string, and then click `Test storage settings` to confirm that {% data variables.product.prodname_ghe_server %} is still able to successfully connect to the storage.
+1. Click `Save settings` and wait for the services to fully restart.
+
+### Updating the credential secret using the command line
+1. Run the `ghe-actions-precheck` command to test the new Actions storage credentials and update the configuration on your {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-actions-precheck)
+1. After the Actions storage connection test is successful, you'll prompted to type `Yes` or `No` to configure Actions storage with these settings. Type `Yes` and Enter.
+1. You'll see a prompt about overwriting the existing Actions storage configuration. Type `Yes` and Enter.
+
+## Identifying authentication failures for {% data variables.product.prodname_actions %} storage
+If {% data variables.product.prodname_ghe_server %} can't connect to your {% data variables.product.prodname_actions %} storage provider because of an incorrect secret or connection string, you'll see an `Access Denied` or authentication-related exception. This exception can appear in two situations:
+
+* When running `ghe-check-blob-connection`, the command will report the authentication failure directly in its output.
+* When `ghe-config-apply` runs, either triggered by clicking "Save settings" in the management console, or by running `ghe-config-apply` manually from the command line. The exception will appear in the `/data/user/common/ghe-config.log` file. When this occurs, `ghe-config-apply` won't complete, which can cause an unexpected outage of services on your appliance.
+
+Once the storage provider configuration on {% data variables.product.prodname_ghe_server %} is updated with the correct secret or connection string, you can run `ghe-config-apply` to ensure the job re-runs and completes successfully.
+
+> [!NOTE] Connection failures can also result from other causes, such as network issues or misconfigured storage endpoints. If the error doesn't appear to be authentication-related, review the full error output for additional details.
+
+For more information on `ghe-check-blob-connection`, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-check-blob-connection).
+For more information on `ghe-config-apply`, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-config-apply).
diff --git a/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md b/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md
@@ -88,7 +88,7 @@ To configure SAML SSO for your {% data variables.enterprise.prodname_emu_enterpr
     | :- | :- | :- |
     | IdP Sign-On URL | Login URL, IdP URL | Application's URL on your IdP |
     | IdP Identifier URL | Issuer | IdP's identifier to service providers for SAML authentication |
-    | Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests |
+    | Signing certificate, PEM-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests |
 
 ### Configure your enterprise
 
diff --git a/content/copilot/how-tos/administer-copilot/manage-for-organization/add-copilot-coding-agent.md b/content/copilot/how-tos/administer-copilot/manage-for-organization/add-copilot-coding-agent.md
@@ -57,6 +57,7 @@ Organization owners can configure the {% data variables.copilot.copilot_coding_a
 ## Next steps
 
 * Tell the members of repositories where {% data variables.copilot.copilot_coding_agent %} is available that they can delegate work to the {% data variables.copilot.copilot_coding_agent_short %}.
+* Configure the default runner type for {% data variables.copilot.copilot_coding_agent %} in your organization. For more information, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/configure-runner-for-coding-agent).
 * Encourage members to educate themselves about setting up their repository to get the most from {% data variables.copilot.copilot_coding_agent %}. Useful resources:
 
    * [AUTOTITLE](/copilot/tutorials/coding-agent/best-practices)
diff --git a/content/copilot/how-tos/administer-copilot/manage-for-organization/configure-runner-for-coding-agent.md b/content/copilot/how-tos/administer-copilot/manage-for-organization/configure-runner-for-coding-agent.md
@@ -0,0 +1,52 @@
+---
+title: Configuring runners for GitHub Copilot cloud agent in your organization
+shortTitle: Configure agent runners
+allowTitleToDifferFromFilename: true
+intro: 'Configure the {% data variables.product.prodname_actions %} runners used by {% data variables.copilot.copilot_coding_agent %} and control whether repositories can customize the runner type.'
+permissions: Organization owners
+product: '{% data reusables.gated-features.copilot-coding-agent %}<br><a href="https://github.com/github-copilot/purchase?ref_product=copilot&ref_type=trial&ref_style=button&ref_plan=enterprise" target="_blank" class="btn btn-primary mt-3 mr-3 no-underline"><span>Sign up for {% data variables.product.prodname_copilot_short %}</span> {% octicon "link-external" height:16 %}</a>'
+versions:
+  feature: copilot
+contentType: how-tos
+category:
+  - Manage Copilot for a team
+---
+
+## About organization-level runner controls
+
+By default, {% data variables.copilot.copilot_coding_agent %} runs on a standard {% data variables.product.prodname_dotcom %}-hosted {% data variables.product.prodname_actions %} runner (`ubuntu-latest`). As an organization owner, you can change the default runner type for all repositories in your organization, and choose whether individual repositories are allowed to override this default.
+
+This is useful if your organization requires all {% data variables.copilot.copilot_coding_agent %} sessions to run on specific runners—for example, to use larger runners for better performance, or to use self-hosted runners that have access to internal resources.
+
+You can configure:
+
+* **Runner type**: Choose between a standard {% data variables.product.prodname_dotcom %}-hosted runner or a labeled runner from a specific runner group.
+* **Allow repositories to customize the runner type**: Control whether repositories can override the organization default using a {% data variables.product.prodname_copilot_short %} setup steps workflow defined at `.github/workflows/copilot-setup-steps.yml`.
+
+## Configuring the default runner type
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.copilot.coding-agent-settings %}
+1. Next to "Runner type," click the pencil icon ({% octicon "pencil" aria-label="Edit" %}).
+1. Select the runner type to use by default for {% data variables.copilot.copilot_coding_agent %} across your organization.
+   * **Standard {% data variables.product.prodname_dotcom %} runner**: {% data variables.copilot.copilot_coding_agent %} will use `ubuntu-latest`.
+   * **Labeled runner**: {% data variables.copilot.copilot_coding_agent %} will use a runner matching the group name and/or label you specify. Enter values in the **Runner group name** and/or **Runner label** fields.
+1. Click **Save runner selection**.
+
+## Preventing repositories from customizing the runner type
+
+By default, repositories can override the organization-level runner configuration using a {% data variables.product.prodname_copilot_short %} setup steps workflow located at `.github/workflows/copilot-setup-steps.yml`. If you want to enforce a consistent runner type across all repositories, you can disable this option.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.copilot.coding-agent-settings %}
+1. Under "Allow repositories to customize the runner type," toggle the setting to enable or disable repository-level customization.
+   * When enabled, repositories can override the default runner by setting the `runs-on` field in the `copilot-setup-steps` job of `copilot-setup-steps.yml`. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment#configure-the-runner).
+   * When disabled, all repositories in your organization will use the organization-level runner type.
+1. Click **Save**.
+
+## Further reading
+
+* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment)
+* [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/add-copilot-coding-agent)
diff --git a/content/copilot/how-tos/administer-copilot/manage-for-organization/index.md b/content/copilot/how-tos/administer-copilot/manage-for-organization/index.md
@@ -15,6 +15,7 @@ children:
   - /manage-access
   - /manage-policies
   - /add-copilot-coding-agent
+  - /configure-runner-for-coding-agent
   - /prepare-for-custom-agents
   - /review-activity
   - /use-your-own-api-keys
diff --git a/content/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment.md b/content/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment.md
@@ -33,6 +33,9 @@ In addition, you can:
 * [Set environment variables in {% data variables.product.prodname_copilot_short %}'s environment](#setting-environment-variables-in-copilots-environment)
 * [Disable or customize the agent's firewall](/copilot/customizing-copilot/customizing-or-disabling-the-firewall-for-copilot-coding-agent).
 
+> [!NOTE]
+> Organization owners can configure the default runner type for {% data variables.copilot.copilot_coding_agent %} across all repositories in their organization, and choose whether repositories are allowed to override this default. For more information, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/configure-runner-for-coding-agent).
+
 ## Customizing {% data variables.product.prodname_copilot_short %}'s development environment with {% data variables.product.prodname_copilot_short %} setup steps
 
 You can customize {% data variables.product.prodname_copilot_short %}'s environment by creating a special {% data variables.product.prodname_actions %} workflow file, located at `.github/workflows/copilot-setup-steps.yml` within your repository.
