Skip to content

Commit df4329a

Browse files
authored
Merge pull request #45187 from github/repo-sync
Repo sync
2 parents b15cafc + 79a710d commit df4329a

21 files changed

Lines changed: 676 additions & 2049 deletions

File tree

.github/workflows/link-check-on-pr.yml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -59,14 +59,12 @@ jobs:
5959
6060
- name: Check links in changed files
6161
if: steps.changed-files.outputs.any_changed == 'true'
62-
# Work in progress: never fail the PR. The comment is informational only.
63-
continue-on-error: true
6462
env:
6563
FILES_CHANGED: ${{ steps.changed-files.outputs.all_changed_files }}
6664
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6765
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
6866
SHOULD_COMMENT: ${{ secrets.DOCS_BOT_APP_ID != '' }}
69-
FAIL_ON_FLAW: false
67+
FAIL_ON_FLAW: true
7068
ENABLED_LANGUAGES: en
7169
run: npm run check-links-pr
7270

content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,3 +78,59 @@ If synchronization of team membership with a group on your IdP fails due to a pr
7878
{% data variables.product.prodname_dotcom %} will try to resolve this problem automatically during the next sync, which occurs at least once daily. You may be able to resolve the problem by unlinking the impacted team from the IdP group and then linking it to the same group again. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups#managing-the-connection-between-an-existing-organization-team-and-an-idp-group).
7979

8080
If the problem persists, contact {% data variables.contact.contact_ent_support %} and provide details about the organization, team, and the IdP group you're experiencing problems with.
81+
82+
## SCIM API incomplete events
83+
84+
If you see an `external_identity.scim_api_incomplete` or `external_group.scim_api_incomplete` event in your enterprise audit log, a SCIM request from your identity provider was received by {% data variables.product.github %} but did not complete successfully. No response was sent back to your identity provider, which may report the operation as failed or timed out.
85+
86+
### Resolving the issue
87+
88+
Re-trigger provisioning from your identity provider for the affected user or group. SCIM operations are idempotent, so re-provisioning will not create duplicates.
89+
90+
* **Entra ID:** In the Microsoft Entra admin center, go to **Enterprise Applications** > your SCIM app > **Provisioning**, and use **Provision on demand** for the affected user or group, or **Restart provisioning** for a full sync. For more information, see [On-demand provisioning in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand) in the Microsoft documentation.
91+
* **Okta:** Re-push the affected group from **Push Groups**, or re-assign the app to the affected user. For more information, see [Push Groups](https://help.okta.com/en-us/content/topics/users-groups/usgr-push-groups.htm) in the Okta documentation.
92+
* **Other identity providers:** Consult your identity provider's documentation for how to re-trigger SCIM provisioning for a specific user or group.
93+
94+
### Checking if the change was applied
95+
96+
If you have audit log streaming configured, you can search your streamed logs for other events with the same `request_id` value from the `scim_api_incomplete` event. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise).
97+
98+
A single group SCIM API call can trigger any of the following events during processing:
99+
100+
| Audit log event | Description |
101+
| --- | --- |
102+
| `external_group.provision` | Group was created |
103+
| `external_group.delete` | Group was deleted |
104+
| `external_group.update` | Group metadata was updated |
105+
| `external_group.update_display_name` | Display name was changed |
106+
| `external_group.add_member` | A specific member was added |
107+
| `external_group.remove_member` | A specific member was removed |
108+
109+
To determine which member changes were applied before the interruption, the `add_member` and `remove_member` events are the most useful. They identify the specific member affected. If you find fewer member events than the request intended, the remaining members were not processed.
110+
111+
> [!NOTE]
112+
> The enterprise audit log UI and REST API do not currently support filtering by `request_id`. Audit log streaming to a SIEM or log platform is required for this step.
113+
114+
### Common causes
115+
116+
### Common causes of incomplete events
117+
118+
* Processing time exceeds the connection timeout, often because of large groups.
119+
* A network interruption occurs between the identity provider and {% data variables.product.github %}.
120+
* A transient issue occurs on {% data variables.product.github %}'s infrastructure.
121+
* Your network environment, such as corporate proxies, firewalls, or CASB solutions, interferes with the connection.
122+
* The identity provider's SCIM client timeout settings are too restrictive.
123+
124+
If this event recurs for the same group or user, contact {% data variables.contact.contact_ent_support %} with the `request_id` values from the affected events.
125+
126+
## Large group timeouts
127+
128+
A single SCIM `PUT` or `PATCH` request for a group with a large number of members can exceed the request timeout. When this happens, your identity provider may report the operation as failed, and you may see an `external_group.scim_api_incomplete` event in your enterprise audit log.
129+
130+
The SCIM provisioning rate limits describe a limit of 1,000 users per group per hour, but a single `PUT` or `PATCH` request that changes membership for a large group can also exceed the request timeout before all members are processed. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#understand-rate-limits-on-github).
131+
132+
### Preventing timeouts
133+
134+
* **Break large groups into smaller groups.** If your identity provider supports it, consider splitting groups that frequently time out into multiple smaller groups. This reduces the processing time per SCIM request.
135+
* **Use incremental updates.** Where possible, use `PATCH` requests to add or remove individual members rather than `PUT` requests that replace the entire membership list.
136+
* **Monitor for incomplete events.** Set up audit log streaming and alert on `scim_api_incomplete` events so you can re-trigger provisioning promptly.

content/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-environment.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,8 @@ You can customize {% data variables.product.prodname_copilot_short %}'s developm
2929
* [Give {% data variables.product.prodname_copilot_short %} a Windows development environment](#switching-copilot-to-a-windows-development-environment), instead of the default Ubuntu Linux environment
3030
* [Enable Git Large File Storage (LFS)](#enabling-git-large-file-storage-lfs)
3131

32+
{% data variables.copilot.copilot_code-review_short %} also runs in an ephemeral development environment, and you can customize it in the same ways described in this article. By default, {% data variables.copilot.copilot_code-review_short %} reuses your `copilot-setup-steps.yml` file, but you can also create a dedicated `copilot-code-review.yml` file to configure {% data variables.copilot.copilot_code-review_short %}'s environment independently of {% data variables.copilot.copilot_cloud_agent %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review#customizing-copilot-code-reviews-environment).
33+
3234
In addition, you can:
3335

3436
* [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables)

content/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/index.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,6 @@ children:
1010
- /use-hooks
1111
- /customize-the-agent-environment
1212
- /configure-secrets-and-variables
13-
- /customize-the-agent-firewall
1413
- /test-custom-agents
1514
contentType: how-tos
1615
---

content/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-firewall.md renamed to content/copilot/how-tos/copilot-on-github/customize-copilot/customize-the-firewall.md

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
---
2-
title: Customizing or disabling the firewall for GitHub Copilot cloud agent
3-
shortTitle: Customize the agent firewall
2+
title: Customizing or disabling the firewall for GitHub Copilot
3+
shortTitle: Customize the firewall
44
allowTitleToDifferFromFilename: true
5-
intro: 'Learn how to control the domains and URLs that {% data variables.copilot.copilot_cloud_agent %} can access.'
5+
intro: 'Learn how to control the domains and URLs that {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %} can access.'
66
versions:
77
feature: copilot
88
redirect_from:
@@ -12,18 +12,22 @@ redirect_from:
1212
- /copilot/how-tos/agents/copilot-coding-agent/customize-the-agent-firewall
1313
- /copilot/how-tos/agents/coding-agent/customize-the-agent-firewall
1414
- /copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-firewall
15+
- /copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-firewall
1516
contentType: how-tos
1617
category:
1718
- Configure Copilot
1819
---
1920

2021
> [!NOTE]
21-
> Firewall configuration has moved to the {% data variables.copilot.copilot_cloud_agent %} settings page. Previous configurations saved as Actions variables will be maintained on that page.
22+
> Firewall configuration is managed from the "Internet access" settings tab, which covers both {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}. Previous configurations saved as Actions variables will be maintained on that page.
2223
2324
## Overview
2425

2526
By default, {% data variables.product.prodname_copilot_short %}'s access to the internet is limited by a firewall.
2627

28+
> [!NOTE]
29+
> {% data variables.copilot.copilot_code-review_short %} also supports firewall configuration, at both the organization and repository level, under its own section of the "Internet access" tab described below. This allows you to configure firewall rules for {% data variables.copilot.copilot_code-review_short %} independently of {% data variables.copilot.copilot_cloud_agent %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review#customizing-copilot-code-reviews-environment).
30+
2731
Limiting internet access helps manage data exfiltration risks. Unexpected behavior from {% data variables.product.prodname_copilot_short %}, or malicious instructions, could lead to code or other sensitive information being leaked to remote locations.
2832

2933
The firewall always allows access to a number of hosts that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}. By default, a recommended allowlist is also enabled to allow the agent to download dependencies.
@@ -56,11 +60,13 @@ For the complete list of hosts included in the recommended allowlist, see [AUTOT
5660

5761
## Configuring the firewall at the organization level
5862

59-
Organization owners can configure all firewall settings at the organization level. To access the firewall settings:
63+
Organization owners can configure all firewall settings at the organization level, for both {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}. To access the firewall settings:
6064

6165
{% data reusables.profile.access_org %}
6266
{% data reusables.profile.org_settings %}
63-
{% data reusables.copilot.cloud-agent-settings %}
67+
{% data reusables.copilot.internet-access-settings %}
68+
69+
The "Internet access" page has separate sections for {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}, so you can configure the following settings independently for each.
6470

6571
### Enabling or disabling the firewall
6672

@@ -88,13 +94,13 @@ Items added to the organization custom allowlist apply to all repositories in th
8894

8995
## Configuring the firewall at the repository level
9096

91-
Repository administrators can configure firewall settings at the repository level, including enabling or disabling the firewall, enabling or disabling the recommended allowlist, and managing a custom allowlist. Depending on the organization-level configuration, some of these settings may be locked.
97+
Repository administrators can configure firewall settings at the repository level, including enabling or disabling the firewall, enabling or disabling the recommended allowlist, and managing a custom allowlist. Depending on the organization-level configuration, some of these settings may be locked. The repository settings page also has separate sections for {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}, so you can configure these settings independently for each.
9298

9399
To access the firewall settings:
94100

95101
{% data reusables.repositories.navigate-to-repo %}
96102
{% data reusables.repositories.sidebar-settings %}
97-
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **{% data variables.copilot.copilot_cloud_agent_short %}**.
103+
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **Internet access**.
98104

99105
### Enabling or disabling the firewall
100106

content/copilot/how-tos/copilot-on-github/customize-copilot/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ children:
88
- /customize-copilot-overview
99
- /add-custom-instructions
1010
- /customize-cloud-agent
11+
- /customize-the-firewall
1112
- /configure-mcp-servers
1213
- /copilot-spaces
1314
contentType: how-tos

content/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review.md

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,7 @@ If you're happy with the changes, you can accept a single suggestion from {% dat
6666
You can also invoke {% data variables.copilot.copilot_cloud_agent %} to implement suggested changes. To do this, you must:
6767

6868
* Enable {% data variables.copilot.copilot_code-review %} and {% data variables.copilot.copilot_cloud_agent %}.
69-
* On review comments from {% data variables.copilot.copilot_code-review %}, click **Fix with Copilot**. This creates a draft comment on the pull request, where you can instruct {% data variables.product.prodname_copilot_short %} to address specific feedback. You can then select whether {% data variables.product.prodname_copilot_short %} will create a new pull request against your branch or a commit to the same pull request with the suggestions applied.
69+
* On review comments from {% data variables.copilot.copilot_code-review %}, click **Fix with {% data variables.product.prodname_copilot_short %}**. This creates a draft comment on the pull request, where you can instruct {% data variables.product.prodname_copilot_short %} to address specific feedback. You can then select whether {% data variables.product.prodname_copilot_short %} will create a new pull request against your branch or a commit to the same pull request with the suggestions applied.
7070

7171
## Requesting a re-review from {% data variables.product.prodname_copilot_short %}
7272

@@ -91,12 +91,23 @@ To automatically request re-reviews from {% data variables.product.prodname_copi
9191
To make these available for {% data variables.copilot.copilot_code-review_short %} on {% data variables.product.github %}, configure:
9292

9393
* **Agent skills** in your repository (in `.github/skills`). If you want a skill to target review tasks, use a review-focused skill directory name such as `code-review`. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/add-skills).
94-
* **MCP servers** in repository Copilot settings. The {% data variables.product.github %} MCP server and Playwright MCP server are enabled by default. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/configure-mcp-servers).
94+
* **MCP servers** in repository {% data variables.product.prodname_copilot_short %} settings. The {% data variables.product.github %} MCP server and Playwright MCP server are enabled by default. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/configure-mcp-servers).
9595

9696
{% data reusables.copilot.code-review.mcp-context-usage %}
9797

9898
{% data reusables.copilot.code-review.mcp-tools-setting %}
9999

100+
## Customizing {% data variables.copilot.copilot_code-review_short %}'s environment
101+
102+
{% data variables.copilot.copilot_code-review_short %} runs in an ephemeral development environment, similar to {% data variables.copilot.copilot_cloud_agent %}. You can customize this environment using a {% data variables.product.prodname_actions %} workflow file, in the same way you would for {% data variables.copilot.copilot_cloud_agent %}, for example, to preinstall tools or dependencies, or to switch to a different operating system. For more information on how to structure this file, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-environment).
103+
104+
You can use either of the following files to configure {% data variables.copilot.copilot_code-review_short %}'s environment:
105+
106+
* `.github/workflows/copilot-setup-steps.yml`: If you have already configured this file for {% data variables.copilot.copilot_cloud_agent %}, {% data variables.copilot.copilot_code-review_short %} will use the same configuration by default.
107+
* `.github/workflows/copilot-code-review.yml`: We recommend creating this file if you want to configure {% data variables.copilot.copilot_code-review_short %}'s environment independently of {% data variables.copilot.copilot_cloud_agent %}. If this file is present in your repository, it is used for {% data variables.copilot.copilot_code-review_short %} instead of `copilot-setup-steps.yml`.
108+
109+
You can also configure firewall rules to control the domains and URLs that {% data variables.copilot.copilot_code-review_short %} can access, at both the organization and repository level. These settings are configured separately from {% data variables.copilot.copilot_cloud_agent %}'s firewall settings, in their own section of the same "Internet access" tab. See [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-firewall).
110+
100111
## Providing feedback on {% data variables.product.prodname_copilot_short %}'s reviews
101112

102113
You can provide feedback on {% data variables.product.prodname_copilot_short %}'s comments directly within each comment. We use this information to improve the product and the quality of {% data variables.product.prodname_copilot_short %}'s suggestions.
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
In the sidebar, under "Code, planning, and automation", click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} {% data variables.product.prodname_copilot_short %}**, and then click **Internet access**.
Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1 @@
1-
1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration.
2-
1+
1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration).

data/ui.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -367,10 +367,11 @@ product_landing:
367367
all_content: 'View all {{ title }} content'
368368

369369
journey_track_nav:
370-
prev_article: Previous
371370
next_article: Next
372371
more_articles: More articles →
373372
current_progress: 'Article {i} of {n}'
373+
up_next: Up next
374+
up_next_progress: 'Step {i} of {n} in {track}'
374375

375376
scroll_button:
376377
scroll_to_top: Scroll to top

0 commit comments

Comments
 (0)