Merge branch 'main' into patch-15

Author: clarencepenz

content/actions/concepts/runners/github-hosted-runners.md

@@ -27,6 +27,8 @@ contentType: concepts
 
 ## Overview of {% data variables.product.prodname_dotcom %}-hosted runners
 
+{% data reusables.actions.enterprise-github-hosted-runners %}
+
 Runners are the machines that execute jobs in a {% data variables.product.prodname_actions %} workflow. For example, a runner can clone your repository locally, install testing software, and then run commands that evaluate your code.
 
 {% data variables.product.prodname_dotcom %} provides runners that you can use to run your jobs, or you can [host your own runners](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). {% data reusables.actions.single-cpu-runners %}

content/actions/concepts/security/github_token.md

@@ -29,11 +29,6 @@ The token is also available in the `github.token` context. For more information,
 
 {% data reusables.actions.actions-do-not-trigger-workflows %}
 
-{% ifversion actions-github-token-pull-request-approval %}
-> [!NOTE]
-> If you need workflow runs from workflow-created pull requests to execute without requiring approval, use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` when creating or updating the pull request.
-{% endif %}
-
 {% data reusables.actions.actions-do-not-trigger-pages-rebuilds %}
 
 ## Next steps

content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md

@@ -25,7 +25,7 @@ To learn more about workflows and triggering workflows, see [AUTOTITLE](/actions
 
 {% data reusables.actions.actions-do-not-trigger-workflows %} For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication).
 
-If you do want to trigger a workflow from within a workflow run, you can use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` to trigger events that require a token.{% ifversion actions-github-token-pull-request-approval %} Using one of these alternatives also lets `pull_request` workflows run automatically (without the approval prompt described above) when the pull request is created or updated by automation.{% endif %}
+If you do want to trigger a workflow from within a workflow run, you can use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` to trigger events that require a token.
 
 If you use a {% data variables.product.prodname_github_app %}, you'll need to create a {% data variables.product.prodname_github_app %} and store the app ID and private key as secrets. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). If you use a {% data variables.product.pat_generic %}, you'll need to create a {% data variables.product.pat_generic %} and store it as a secret. For more information about creating a {% data variables.product.pat_generic %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). For more information about storing secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions).
 

content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md

@@ -510,8 +510,7 @@ on:
 > [!NOTE]
 > * {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request). By default, a workflow only runs when a `pull_request` event's activity type is `opened`, `synchronize`, or `reopened`. To trigger workflows by different activity types, use the `types` keyword. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes).
 > * Workflows will not run on `pull_request` activity if the pull request has a merge conflict. The merge conflict must be resolved first. Conversely, workflows with the `pull_request_target` event will run even if the pull request has a merge conflict. Before using the `pull_request_target` trigger, you should be aware of the security risks. For more information, see [`pull_request_target`](#pull_request_target).
-> * The `pull_request` webhook event payload is empty for merged pull requests and pull requests that come from forked repositories.{% ifversion actions-github-token-pull-request-approval %}
-> * When a pull request is created or updated by a workflow using `GITHUB_TOKEN`, `pull_request` events with the `opened`, `synchronize`, or `reopened` activity types create workflow runs that require approval. A user with write access to the repository can approve these runs from the pull request page. With the exception of `workflow_dispatch` and `repository_dispatch`, other `GITHUB_TOKEN`-triggered events do not create workflow runs at all.{% endif %}
+> * The `pull_request` webhook event payload is empty for merged pull requests and pull requests that come from forked repositories.
 > * The value of `GITHUB_REF` varies for a closed pull request depending on whether the pull request has been merged or not. If a pull request was closed but not merged, it will be `refs/pull/PULL_REQUEST_NUMBER/merge`. If a pull request was closed as a result of being merged, it will be the fully qualified `ref` of the branch it was merged into, for example `/refs/heads/main`.
 
 Runs your workflow when activity on a pull request in the workflow's repository occurs. For example, if no activity types are specified, the workflow runs when a pull request is opened or reopened or when the head branch of the pull request is updated. For activity related to pull request reviews, pull request review comments, or pull request comments, use the [`pull_request_review`](#pull_request_review), [`pull_request_review_comment`](#pull_request_review_comment), or [`issue_comment`](#issue_comment) events instead. For information about the pull request APIs, see [AUTOTITLE](/graphql/reference/objects#pullrequest) in the GraphQL API documentation or [AUTOTITLE](/rest/pulls).

content/billing/concepts/product-billing/github-actions.md

@@ -112,7 +112,6 @@ The use of standard {% data variables.product.github %}-hosted runners is free:
 * In public repositories
 * For {% data variables.product.prodname_pages %}
 * For {% data variables.product.prodname_dependabot %}
-* For the agentic features ({% data variables.release-phases.public_preview %}) in {% data variables.copilot.copilot_code-review %}
 
 > [!NOTE]
 >

content/billing/concepts/product-billing/github-copilot-licenses.md

@@ -15,6 +15,12 @@ category:
   - Understand product costs
 ---
 
+<!-- expires 2026-06-01 -->
+
+{% data reusables.copilot.ubb-announcement-cfi-cb-ce %}
+
+<!-- end expires 2026-06-01 -->
+
 Usage of {% data variables.product.prodname_copilot %} is measured through a combination of licenses and monthly usage tracking. For more information about how usage costs in {% data variables.product.prodname_copilot_short %} work, see [AUTOTITLE](/billing/concepts/product-billing/github-copilot-premium-requests).
 
 ## Licenses for {% data variables.product.prodname_copilot_short %}

content/billing/concepts/product-billing/github-copilot-premium-requests.md

@@ -8,6 +8,12 @@ category:
   - Understand product costs
 ---
 
+<!-- expires 2026-06-01 -->
+
+{% data reusables.copilot.ubb-announcement-cfi-cb-ce %}
+
+<!-- end expires 2026-06-01 -->
+
 Usage of {% data variables.product.prodname_copilot_short %} is measured through a combination of licenses and monthly usage tracking. For more information about how license costs in {% data variables.product.prodname_copilot_short %} work, see [AUTOTITLE](/billing/concepts/product-billing/github-copilot-licenses).
 
 > [!IMPORTANT]

content/code-security/tutorials/remediate-leaked-secrets/assessing-ghsp-impact.md

@@ -0,0 +1,149 @@
+---
+title: Assessing the impact of GitHub Secret Protection
+intro: 'Measure how {% data variables.product.prodname_GH_secret_protection_always %} reduces secret exposure across your organization, so you can demonstrate value and identify areas to strengthen your security posture.'
+allowTitleToDifferFromFilename: true
+shortTitle: Assess GHSP impact
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+contentType: tutorials
+category:
+  - Protect your secrets
+---
+
+## Introduction
+
+After enabling {% data variables.product.prodname_GH_secret_protection_always %} (GHSP) for your organization, you'll want to assess its impact and understand how it's protecting your organization. This tutorial walks you through accessing secret-related data and interpreting the results to measure GHSP performance.
+
+ In this tutorial, you'll learn how to:
+ * Access your organization's security overview to view {% data variables.product.prodname_secret_scanning %} data
+ * Review the {% data variables.product.prodname_secret_risk_assessment %} (SRA) report
+ * Compare and analyze the data to assess GHSP's impact
+
+If you don't have a historic SRA report from before your GHSP rollout, you can still assess GHSP's effectiveness. Skip ahead to [Step 4: Analyze security overview data trends](#step-4-analyze-security-overview-data-trends).
+
+## Prerequisites
+
+* You need to have the organization owner or security manager role.
+* {% data variables.product.prodname_secret_protection %} must be enabled for your organization.
+
+## Step 1: Access the organization-level security overview
+
+The security overview provides real-time data about {% data variables.secret-scanning.alerts %} across your organization.
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+1. On the security overview page, click the **Risk** tab to view secret scanning data.
+   The overview shows:
+    * Total number of open {% data variables.secret-scanning.alerts %}
+    * Alert trends over time
+    * Breakdown by repository
+    * Alert severity distribution
+
+## Step 2: View your {% data variables.product.prodname_secret_risk_assessment %} report
+
+If you previously ran a SRA report, you can access the report to establish a baseline.
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+1. Review the key metrics from the assessment, including:
+   * Number of exposed secrets detected
+   * Types of secrets found
+   * Repositories with the highest risk
+   * Recommended remediation actions
+
+> [!NOTE] The SRA report represents a point-in-time snapshot of your secret exposure before or during your GHSP implementation.
+
+## Step 3: Compare SRA data with current security overview
+
+The SRA report is a **point-in-time** snapshot taken before or during your GHSP rollout, while the security overview shows **real-time** data that updates as alerts are opened and resolved. To make a meaningful comparison, you need to ensure both datasets cover the same secret types.
+
+### Filter to comparable pattern types
+
+The SRA report only detects **provider patterns** and **generic patterns**. The security overview, however, may also include results from custom patterns you've configured since enabling GHSP. To ensure an accurate comparison, filter the security overview to the same pattern types the SRA covers.
+
+#### Using the UI
+
+In the security overview **Risk** tab, use the filter bar to narrow results to provider and generic patterns only, excluding any custom patterns.
+
+#### Using the API
+
+Alternatively, you can use the REST API to programmatically retrieve alerts filtered by secret type. For example, to list only default (provider) {% data variables.secret-scanning.alerts %} for a repository:
+
+```shell copy
+gh api \
+  -H "Accept: application/vnd.github+json" \
+  /orgs/ORG/secret-scanning/alerts --paginate
+```
+
+This returns alerts for default patterns only. To also include generic patterns in your results, pass the specific token names using the `secret_type` parameter.
+
+For more information, see [AUTOTITLE](/rest/secret-scanning/secret-scanning).
+
+### Build your comparison
+
+1. Using the filtered data, create a comparison table with these key metrics:
+
+   | Metric | SRA report (Baseline) | Current security overview (Filtered) | Change |
+   |--------|----------------------|--------------------------------------|--------|
+   | Total exposed secrets | [SRA number] | [Current number] | [Difference] |
+   | Critical alerts | [SRA number] | [Current number] | [Difference] |
+   | Affected repositories | [SRA number] | [Current number] | [Difference] |
+
+1. Calculate the percentage change for each metric:
+   * **Positive impact indicators:** Reduction in total exposed secrets, fewer critical alerts
+   * **Areas for improvement:** New alerts appearing, specific repositories with increasing trends
+
+1. Note any significant differences in:
+   * Secret types being detected
+   * Repository coverage
+   * Alert resolution rates
+
+## Step 4: Analyze security overview data trends
+
+Even without an SRA report, you can assess GHSP effectiveness by analyzing trends in the security overview.
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+1. In the security overview **Risk** tab, look at the trend graph showing {% data variables.secret-scanning.alerts %} over time.
+1. Identify patterns:
+   * **Declining trend:** Indicates successful remediation and prevention
+   * **Plateau:** May suggest steady state or need for increased awareness
+   * **Rising trend:** May indicate increased detection coverage or new secret introduction
+
+1. Click on individual repositories to drill down into specific alert details.
+1. Review the alert resolution rate:
+   * Navigate to the **{% data variables.product.prodname_security_and_quality_tab %}** tab for your organization.
+   * Under "Findings", Click **{% data variables.product.prodname_secret_scanning_caps %}**.
+   * Check how many alerts have been closed versus the number of alerts that remain open.
+   * Select the alert type you're interested in.
+   * Assess average time to resolution.
+
+## Step 5: Interpret the results and take action
+
+Based on your analysis, determine the next steps.
+
+### If you're seeing positive trends
+
+* Document the improvement to demonstrate GHSP value
+* Identify successful practices to replicate across other repositories
+* Consider expanding GHSP coverage to additional repositories or organizations
+
+### If you're seeing areas for improvement
+
+* Review repositories with increasing alerts or slow resolution times
+* Provide additional training to development teams
+* Assess whether custom patterns need to be configured
+* Check if push protection is enabled to prevent new secrets from being introduced
+
+### Ongoing monitoring
+
+* Schedule regular reviews (weekly or monthly) of the security overview
+* Set up notifications for new {% data variables.secret-scanning.alerts %}
+* Track metrics over time to demonstrate continuous improvement
+
+## Further reading
+
+* To understand {% data variables.product.prodname_secret_scanning %} metrics in detail, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights).

content/code-security/tutorials/remediate-leaked-secrets/index.md

@@ -8,7 +8,7 @@ versions:
 contentType: tutorials
 children:
   - /calculating-the-cost-savings-of-push-protection
+  - /assessing-ghsp-impact
   - /evaluating-alerts
   - /remediating-a-leaked-secret
 ---
-

content/copilot/concepts/agents/about-agent-skills.md

@@ -25,7 +25,7 @@ You can also use `gh skill` in {% data variables.product.prodname_cli %} to disc
 {% data variables.product.prodname_copilot_short %} supports:
 
 * Project skills, stored in your repository (`.github/skills`, `.claude/skills`, or `.agents/skills`)
-* Personal skills, stored in your home directory and shared across projects (`~/.copilot/skills`, `~/.claude/skills`, or `~/.agents/skills`)
+* Personal skills, stored in your home directory and shared across projects (`~/.copilot/skills` or `~/.agents/skills`)
 
 Support for organization-level and enterprise-level skills is coming soon.