Merged
4 changes: 4 additions & 0 deletions content/admin/data-residency/network-details-for-ghecom.md
Original file line number Diff line number Diff line change
Expand Up @@ -200,6 +200,8 @@ Japan region:
#### EU

`*.blob.core.windows.net` can be replaced with:
* `memoryalphaprodsdc01.blob.core.windows.net`
* `memoryalphaprodweu01.blob.core.windows.net`
* `prodsdc01resultssa0.blob.core.windows.net`
* `prodsdc01resultssa1.blob.core.windows.net`
* `prodsdc01resultssa2.blob.core.windows.net`
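Review bot: The two hosts added to the EU list, `memoryalphaprodsdc01.blob.core.windows.net` and `memoryalphaprodweu01.blob.core.windows.net`, come with no explanation of what they serve, and the Australia and Japan lists each gain only one `memoryalpha…` host. Admins who replace `*.blob.core.windows.net` with these explicit names in a firewall allowlist need to know which feature depends on them to judge what breaks if one is blocked. Consider a short sentence on their purpose, and confirm that the EU region really needs both entries.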
Expand All @@ -212,6 +214,7 @@ Japan region:
#### Australia

`*.blob.core.windows.net` can be replaced with:
* `memoryalphaprodae01.blob.core.windows.net`
* `prodae01resultssa0.blob.core.windows.net`
* `prodae01resultssa1.blob.core.windows.net`
* `prodae01resultssa2.blob.core.windows.net`
Expand All @@ -220,6 +223,7 @@ Japan region:
#### Japan

`*.blob.core.windows.net` can be replaced with:
* `memoryalphaprodjpw01.blob.core.windows.net`
* `prodjpw01resultssa0.blob.core.windows.net`
* `prodjpw01resultssa1.blob.core.windows.net`
* `prodjpw01resultssa2.blob.core.windows.net`
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ If you invite an existing organization into your trial enterprise, **all of thes

## Do I need to provide a payment method?

You do not need to provide a payment method to start a trial. If you want to use {% data variables.copilot.copilot_business_short %} during the trial, you can contact {% data variables.contact.github_support %} for approval. Once your request is approved, you will need to provide a credit card for additional validation. You **won't** be charged for using {% data variables.copilot.copilot_business_short %} during the trial.
You do not need to provide a payment method to start a trial.

## During the trial

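Review bot: In "Do I need to provide a payment method?", the replacement line drops every mention of the Copilot Business variable, so a reader can no longer tell whether it is available during the trial or what is required to use it. If it can still be used without a card, say so in one sentence; if it is no longer part of the trial, state that here or link to the page that covers it.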
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,17 @@ You need to be an **organization owner** to set up access to private registries
1. Use the **URL** and **Type** fields to define the location and type of the registry:
* **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/ORGANIZATION/index.json`, where `ORGANIZATION` is the name of your organization on {% data variables.product.github %}.
* **Type** is the type of registry.
1. Select either **Token** or **Username and password**, depending on the authentication method, then enter data into the appropriate fields.
Some types of authentication tokens, such as a {% data variables.product.github %} {% data variables.product.pat_generic_title_case %}, are tied to a particular user identity. Select the **Username and password** option for these and enter the relevant username as **Username** and the token as **Password**.
1. Select the authentication method for the registry:
* **Token**: Enter the token used to authenticate with the registry.
* **Username and password**: Enter the username and password used to authenticate with the registry. Some types of authentication tokens, such as a {% data variables.product.github %} {% data variables.product.pat_generic_title_case %}, are tied to a particular user identity. Select this option for these and enter the relevant username as **Username** and the token as **Password**.
{% ifversion org-private-registry-oidc %}
* **OIDC (OpenID Connect)**: Use short-lived credentials from a cloud identity provider instead of storing long-lived secrets. When you select this option, choose a provider and fill in the provider-specific fields. For more information, see [Configuring OIDC authentication for a private registry](#configuring-oidc-authentication-for-a-private-registry).
{% endif %}
1. Define which repositories in the organization can access the private registry using these details: all, private and internal, or selected repositories only.
1. When you have finished defining the private registry, select **Add Registry** to save the registry information.

> [!TIP]
> When you add a private registry to an organization the token or password is stored as an encrypted secret. Once the registry is created, the token or password cannot be viewed again.
> When you add a private registry to an organization using **Token** or **Username and password** authentication, the token or password is stored as an encrypted secret. Once the registry is created, the token or password cannot be viewed again.

### Enabling {% data variables.product.prodname_code_scanning %} default setup to use a registry definition

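Review bot: The rewritten TIP is now scoped to **Token** and **Username and password**, but nothing states what is stored for a registry that uses **OIDC**, or whether its provider fields can be viewed or edited after creation. Add a sentence for the OIDC case so the behaviour is stated for all three methods. Separately, in the **Username and password** bullet, "Select this option for these" is hard to parse; "For such tokens, select this option and enter…" reads more clearly.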
Expand Down Expand Up @@ -77,6 +81,27 @@ Any private registries used by the build must also be accessible to the workflow

When you configure access to one or more private registries, {% data variables.product.prodname_dependabot %} can propose pull requests to upgrade a vulnerable dependency or to maintain a dependency, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot).

{% ifversion org-private-registry-oidc %}

### Configuring OIDC authentication for a private registry

OIDC (OpenID Connect) authentication allows {% data variables.product.prodname_dependabot %} to use short-lived credentials from your cloud identity provider to access private registries, eliminating the need to store long-lived secrets. With OIDC, credentials are generated dynamically for each {% data variables.product.prodname_dependabot %} update job. You must configure a trust relationship between your cloud provider and {% data variables.product.github %} before {% data variables.product.prodname_dependabot %} can authenticate.

> [!NOTE]
> OIDC authentication for organization-level private registries is currently supported by {% data variables.product.prodname_dependabot %}. It is not supported by {% data variables.product.prodname_code_scanning %} default setup.

When you select **OIDC** as the authentication method for a private registry, choose one of the supported providers and fill in the required fields:

* **Azure**: Enter the **Tenant ID** (Azure AD tenant ID) and **Client ID** (Azure AD application client ID). You must configure a federated credential in Azure AD that trusts {% data variables.product.github %}'s OIDC provider.
* **AWS CodeArtifact**: Enter the **AWS Region**, **Account ID** (AWS account ID), **Role Name** (IAM role name), **Domain** (CodeArtifact domain), and **Domain Owner** (CodeArtifact domain owner / AWS account ID). You can optionally provide an **Audience**. You must configure an IAM OIDC identity provider in AWS that trusts {% data variables.product.github %}'s OIDC provider.
* **JFrog Artifactory**: Enter the **OIDC Provider Name**. You can optionally provide an **Audience** and **Identity Mapping Name**.

The authentication type of a private registry cannot be changed after creation. To switch from OIDC to another authentication method, or vice versa, delete the existing registry and create a new one.

For more information about how OIDC works, see [AUTOTITLE](/actions/concepts/security/openid-connect).

{% endif %}

{% ifversion code-quality %}

## {% data variables.product.prodname_code_quality_short %} access to private registries
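Review bot: The new "Configuring OIDC authentication for a private registry" section says "You must configure a trust relationship" but, for Azure and AWS CodeArtifact, gives neither the issuer nor the claims (subject, audience) that the token for a Dependabot update job carries, so readers have nothing to scope the federated credential or IAM trust to. List those values here or link to the page that documents them; the closing link to the general OIDC concept page may not cover Dependabot jobs. The JFrog Artifactory bullet also lacks the "You must configure…" sentence that the other two providers have, which leaves it unclear what setup is needed on the Artifactory side.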
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,11 @@ For specific ecosystems, you can configure {% data variables.product.prodname_de

{% ifversion org-private-registry %}

You can configure {% data variables.product.prodname_dependabot %}'s access to private registries at the org-level. For more information on how to configure that, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries).
You can configure {% data variables.product.prodname_dependabot %}'s access to private registries at the org-level.
{% ifversion org-private-registry-oidc %}
Organization-level registries support **Token**, **Username and password**, and **OIDC** authentication.
{% endif %}
For more information about configuration, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries).

{% endif %}

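Review bot: The added sentence uses "Organization-level registries" while the sentence directly above it still says "org-level"; pick one term for the paragraph (the rest of this change uses "organization-level"). Because the `ifversion` block now sits between two sentences of the same paragraph, also check that the rendered output has no stray break when the `org-private-registry-oidc` flag is off.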
Expand Down Expand Up @@ -126,6 +130,13 @@ If your private registry is configured with an IP allow list, you can find the I

With OIDC-based authentication, {% data variables.product.prodname_dependabot %} update jobs can dynamically obtain short-lived credentials from your cloud identity provider, just like {% data variables.product.prodname_actions %} workflows using OIDC federation.

{% ifversion org-private-registry-oidc %}

> [!TIP]
> OIDC authentication is also available for **organization-level** private registries, which you can configure through the organization settings UI or the REST API. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#configuring-oidc-authentication-for-a-private-registry).

{% endif %}

{% data variables.product.prodname_dependabot %} supports OIDC authentication for any registry type that uses `username` and `password` authentication, when the registry is hosted on one of the following cloud providers:

* AWS CodeArtifact
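Review bot: The new TIP says organization-level registries can be configured "through the organization settings UI or the REST API", but only the UI page is linked. Add a link to the REST API reference for this, or drop the REST API mention until there is a page to point to.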
Original file line number Diff line number Diff line change
Expand Up @@ -317,6 +317,7 @@ Settings cascade from user to repository to local, with more specific scopes ove
| `compactPaste` | `boolean` | `true` | Collapse large pastes into compact tokens. |
| `custom_agents.default_local_only` | `boolean` | `false` | Only use local custom agents. |
| `denied_urls` | `string[]` | `[]` | URLs or domains blocked (takes precedence over `allowed_urls`). |
| `enabledFeatureFlags` | `object` | — | Enable or disable individual feature flags. Keys are flag names; values are `true` (enable) or `false` (explicitly disable). Takes precedence over the legacy `feature_flags.enabled` array format. See [Feature flag reference](#feature-flag-reference). |
| `experimental` | `boolean` | `false` | Enable experimental features. |
| `includeCoAuthoredBy` | `boolean` | `true` | Add a `Co-authored-by` trailer to git commits made by the agent. |
| `companyAnnouncements` | `string[]` | `[]` | Custom messages shown randomly on startup. |
Expand Down Expand Up @@ -969,6 +970,26 @@ MCP servers are loaded from multiple sources, each with a different trust level.

All MCP tool invocations require explicit permission. This applies even to read-only operations on external services.

### Migrating from `.vscode/mcp.json`

If your project uses `.vscode/mcp.json` (VS Code's MCP configuration format), migrate to `.mcp.json` for {% data variables.copilot.copilot_cli %}. The migration remaps the `servers` key to `mcpServers`.

**POSIX shells (bash, zsh, fish, and others):**

```shell
jq '{mcpServers: .servers}' .vscode/mcp.json > .mcp.json
```

Requires [`jq`](https://jqlang.github.io/jq/).

**PowerShell:**

```powershell
pwsh -NoProfile -Command "`$json = Get-Content '.vscode/mcp.json' -Raw | ConvertFrom-Json; `$content = ([pscustomobject]@{ mcpServers = `$json.servers } | ConvertTo-Json -Depth 100); [System.IO.File]::WriteAllText('.mcp.json', `$content, (New-Object System.Text.UTF8Encoding `$false))"
```

On Windows, replace `pwsh` with `powershell` if you are using Windows PowerShell instead of PowerShell Core.

## Skills reference

Skills are Markdown files that extend what the CLI can do. Each skill lives in its own directory containing a `SKILL.md` file. When invoked (via `/SKILL-NAME` or automatically by the agent), the skill's content is injected into the conversation.
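Review bot: Both commands in "Migrating from `.vscode/mcp.json`" write straight to `.mcp.json`, so an existing file is overwritten without warning. The `jq` filter `{mcpServers: .servers}` also keeps only the `servers` key: any other top-level keys are dropped, and the output is `"mcpServers": null` when `servers` is absent. State both in the text, and suggest reviewing the generated file before use, since the preceding section notes that MCP servers are loaded from sources with different trust levels.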
Expand Down Expand Up @@ -1239,7 +1260,23 @@ When content capture is enabled, the following attributes are populated.

## Feature flag reference

Feature flags enable functionality that is not yet generally available. Enable flags via the `COPILOT_CLI_ENABLED_FEATURE_FLAGS` environment variable (comma-separated list) or by using the `/experimental` slash command.
Feature flags enable functionality that is not yet generally available. You can enable or disable individual flags in three ways:

* **Environment variable**: Set `COPILOT_CLI_ENABLED_FEATURE_FLAGS` to a comma-separated list of flag names (for example, `"SOME_FEATURE,SOME_OTHER_FEATURE"`).
* **Slash command**: Use `/experimental on` in an interactive session to enable all experimental-tier flags.
* **Configuration file**: Add an `enabledFeatureFlags` object to `~/.copilot/config.json`. Set a flag to `true` to enable it or `false` to explicitly disable a flag that would otherwise be enabled by your tier.

```json
{
"enabledFeatureFlags": {
"SOME_FEATURE": true,
"SOME_OTHER_FEATURE": false
}
}
```

> [!NOTE]
> The legacy `feature_flags.enabled` array format is still supported as a fallback, but `enabledFeatureFlags` takes precedence when both are present.

| Flag | Tier | Description |
|------|------|-------------|
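Review bot: The three ways to set flags are listed without an order of precedence between them. The NOTE covers `enabledFeatureFlags` versus the legacy `feature_flags.enabled` array, but not what happens when `COPILOT_CLI_ENABLED_FEATURE_FLAGS` names a flag that `enabledFeatureFlags` sets to `false`; state which one wins. The slash-command bullet also changes `/experimental` to `/experimental on` and narrows it to "experimental-tier flags", so confirm that the bare `/experimental` form is no longer the documented one.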
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ If you invite an existing organization into your trial enterprise, **all of thes

## Do I need to provide a payment method?

You do not need to provide a payment method to start a trial. If you want to use {% data variables.copilot.copilot_business_short %} during the trial, you need to provide a credit card. You **won't** be charged for using {% data variables.copilot.copilot_business_short %} during the trial.
You do not need to provide a payment method to start a trial.

## During the trial

7 changes: 7 additions & 0 deletions data/features/org-private-registry-oidc.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# Reference: github/github#419577
# OIDC authentication support for organization-level private registries used by Dependabot.
# This allows organizations to authenticate with private registries using OpenID Connect
# instead of storing long-lived secrets.
versions:
fpt: '*'
ghec: '*'
2 changes: 1 addition & 1 deletion src/content-pipelines/state/copilot-cli.sha
Original file line number Diff line number Diff line change
@@ -1 +1 @@
3aa5cd78f969f848b3607863b5f73ba722a3f489
584832db507d47454ed410791e2d0c53468bea20