You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md
+56Lines changed: 56 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -78,3 +78,59 @@ If synchronization of team membership with a group on your IdP fails due to a pr
78
78
{% data variables.product.prodname_dotcom %} will try to resolve this problem automatically during the next sync, which occurs at least once daily. You may be able to resolve the problem by unlinking the impacted team from the IdP group and then linking it to the same group again. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups#managing-the-connection-between-an-existing-organization-team-and-an-idp-group).
79
79
80
80
If the problem persists, contact {% data variables.contact.contact_ent_support %} and provide details about the organization, team, and the IdP group you're experiencing problems with.
81
+
82
+
## SCIM API incomplete events
83
+
84
+
If you see an `external_identity.scim_api_incomplete` or `external_group.scim_api_incomplete` event in your enterprise audit log, a SCIM request from your identity provider was received by {% data variables.product.github %} but did not complete successfully. No response was sent back to your identity provider, which may report the operation as failed or timed out.
85
+
86
+
### Resolving the issue
87
+
88
+
Re-trigger provisioning from your identity provider for the affected user or group. SCIM operations are idempotent, so re-provisioning will not create duplicates.
89
+
90
+
***Entra ID:** In the Microsoft Entra admin center, go to **Enterprise Applications** > your SCIM app > **Provisioning**, and use **Provision on demand** for the affected user or group, or **Restart provisioning** for a full sync. For more information, see [On-demand provisioning in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand) in the Microsoft documentation.
91
+
***Okta:** Re-push the affected group from **Push Groups**, or re-assign the app to the affected user. For more information, see [Push Groups](https://help.okta.com/en-us/content/topics/users-groups/usgr-push-groups.htm) in the Okta documentation.
92
+
***Other identity providers:** Consult your identity provider's documentation for how to re-trigger SCIM provisioning for a specific user or group.
93
+
94
+
### Checking if the change was applied
95
+
96
+
If you have audit log streaming configured, you can search your streamed logs for other events with the same `request_id` value from the `scim_api_incomplete` event. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise).
97
+
98
+
A single group SCIM API call can trigger any of the following events during processing:
99
+
100
+
| Audit log event | Description |
101
+
| --- | --- |
102
+
|`external_group.provision`| Group was created |
103
+
|`external_group.delete`| Group was deleted |
104
+
|`external_group.update`| Group metadata was updated |
105
+
|`external_group.update_display_name`| Display name was changed |
106
+
|`external_group.add_member`| A specific member was added |
107
+
|`external_group.remove_member`| A specific member was removed |
108
+
109
+
To determine which member changes were applied before the interruption, the `add_member` and `remove_member` events are the most useful. They identify the specific member affected. If you find fewer member events than the request intended, the remaining members were not processed.
110
+
111
+
> [!NOTE]
112
+
> The enterprise audit log UI and REST API do not currently support filtering by `request_id`. Audit log streaming to a SIEM or log platform is required for this step.
113
+
114
+
### Common causes
115
+
116
+
### Common causes of incomplete events
117
+
118
+
* Processing time exceeds the connection timeout, often because of large groups.
119
+
* A network interruption occurs between the identity provider and {% data variables.product.github %}.
120
+
* A transient issue occurs on {% data variables.product.github %}'s infrastructure.
121
+
* Your network environment, such as corporate proxies, firewalls, or CASB solutions, interferes with the connection.
122
+
* The identity provider's SCIM client timeout settings are too restrictive.
123
+
124
+
If this event recurs for the same group or user, contact {% data variables.contact.contact_ent_support %} with the `request_id` values from the affected events.
125
+
126
+
## Large group timeouts
127
+
128
+
A single SCIM `PUT` or `PATCH` request for a group with a large number of members can exceed the request timeout. When this happens, your identity provider may report the operation as failed, and you may see an `external_group.scim_api_incomplete` event in your enterprise audit log.
129
+
130
+
The SCIM provisioning rate limits describe a limit of 1,000 users per group per hour, but a single `PUT` or `PATCH` request that changes membership for a large group can also exceed the request timeout before all members are processed. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#understand-rate-limits-on-github).
131
+
132
+
### Preventing timeouts
133
+
134
+
***Break large groups into smaller groups.** If your identity provider supports it, consider splitting groups that frequently time out into multiple smaller groups. This reduces the processing time per SCIM request.
135
+
***Use incremental updates.** Where possible, use `PATCH` requests to add or remove individual members rather than `PUT` requests that replace the entire membership list.
136
+
***Monitor for incomplete events.** Set up audit log streaming and alert on `scim_api_incomplete` events so you can re-trigger provisioning promptly.
Copy file name to clipboardExpand all lines: content/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-environment.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -29,6 +29,8 @@ You can customize {% data variables.product.prodname_copilot_short %}'s developm
29
29
*[Give {% data variables.product.prodname_copilot_short %} a Windows development environment](#switching-copilot-to-a-windows-development-environment), instead of the default Ubuntu Linux environment
30
30
*[Enable Git Large File Storage (LFS)](#enabling-git-large-file-storage-lfs)
31
31
32
+
{% data variables.copilot.copilot_code-review_short %} also runs in an ephemeral development environment, and you can customize it in the same ways described in this article. By default, {% data variables.copilot.copilot_code-review_short %} reuses your `copilot-setup-steps.yml` file, but you can also create a dedicated `copilot-code-review.yml` file to configure {% data variables.copilot.copilot_code-review_short %}'s environment independently of {% data variables.copilot.copilot_cloud_agent %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review#customizing-copilot-code-reviews-environment).
Copy file name to clipboardExpand all lines: content/copilot/how-tos/copilot-on-github/customize-copilot/customize-the-firewall.md
+14-8Lines changed: 14 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,8 +1,8 @@
1
1
---
2
-
title: Customizing or disabling the firewall for GitHub Copilot cloud agent
3
-
shortTitle: Customize the agent firewall
2
+
title: Customizing or disabling the firewall for GitHub Copilot
3
+
shortTitle: Customize the firewall
4
4
allowTitleToDifferFromFilename: true
5
-
intro: 'Learn how to control the domains and URLs that {% data variables.copilot.copilot_cloud_agent %} can access.'
5
+
intro: 'Learn how to control the domains and URLs that {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %} can access.'
> Firewall configuration has moved to the {% data variables.copilot.copilot_cloud_agent %} settings page. Previous configurations saved as Actions variables will be maintained on that page.
22
+
> Firewall configuration is managed from the "Internet access" settings tab, which covers both {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}. Previous configurations saved as Actions variables will be maintained on that page.
22
23
23
24
## Overview
24
25
25
26
By default, {% data variables.product.prodname_copilot_short %}'s access to the internet is limited by a firewall.
26
27
28
+
> [!NOTE]
29
+
> {% data variables.copilot.copilot_code-review_short %} also supports firewall configuration, at both the organization and repository level, under its own section of the "Internet access" tab described below. This allows you to configure firewall rules for {% data variables.copilot.copilot_code-review_short %} independently of {% data variables.copilot.copilot_cloud_agent %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review#customizing-copilot-code-reviews-environment).
30
+
27
31
Limiting internet access helps manage data exfiltration risks. Unexpected behavior from {% data variables.product.prodname_copilot_short %}, or malicious instructions, could lead to code or other sensitive information being leaked to remote locations.
28
32
29
33
The firewall always allows access to a number of hosts that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}. By default, a recommended allowlist is also enabled to allow the agent to download dependencies.
@@ -56,11 +60,13 @@ For the complete list of hosts included in the recommended allowlist, see [AUTOT
56
60
57
61
## Configuring the firewall at the organization level
58
62
59
-
Organization owners can configure all firewall settings at the organization level. To access the firewall settings:
63
+
Organization owners can configure all firewall settings at the organization level, for both {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}. To access the firewall settings:
60
64
61
65
{% data reusables.profile.access_org %}
62
66
{% data reusables.profile.org_settings %}
63
-
{% data reusables.copilot.cloud-agent-settings %}
67
+
{% data reusables.copilot.internet-access-settings %}
68
+
69
+
The "Internet access" page has separate sections for {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}, so you can configure the following settings independently for each.
64
70
65
71
### Enabling or disabling the firewall
66
72
@@ -88,13 +94,13 @@ Items added to the organization custom allowlist apply to all repositories in th
88
94
89
95
## Configuring the firewall at the repository level
90
96
91
-
Repository administrators can configure firewall settings at the repository level, including enabling or disabling the firewall, enabling or disabling the recommended allowlist, and managing a custom allowlist. Depending on the organization-level configuration, some of these settings may be locked.
97
+
Repository administrators can configure firewall settings at the repository level, including enabling or disabling the firewall, enabling or disabling the recommended allowlist, and managing a custom allowlist. Depending on the organization-level configuration, some of these settings may be locked. The repository settings page also has separate sections for {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}, so you can configure these settings independently for each.
92
98
93
99
To access the firewall settings:
94
100
95
101
{% data reusables.repositories.navigate-to-repo %}
96
102
{% data reusables.repositories.sidebar-settings %}
97
-
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **{% data variables.copilot.copilot_cloud_agent_short %}**.
103
+
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **Internet access**.
Copy file name to clipboardExpand all lines: content/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review.md
+13-2Lines changed: 13 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -66,7 +66,7 @@ If you're happy with the changes, you can accept a single suggestion from {% dat
66
66
You can also invoke {% data variables.copilot.copilot_cloud_agent %} to implement suggested changes. To do this, you must:
67
67
68
68
* Enable {% data variables.copilot.copilot_code-review %} and {% data variables.copilot.copilot_cloud_agent %}.
69
-
* On review comments from {% data variables.copilot.copilot_code-review %}, click **Fix with Copilot**. This creates a draft comment on the pull request, where you can instruct {% data variables.product.prodname_copilot_short %} to address specific feedback. You can then select whether {% data variables.product.prodname_copilot_short %} will create a new pull request against your branch or a commit to the same pull request with the suggestions applied.
69
+
* On review comments from {% data variables.copilot.copilot_code-review %}, click **Fix with {% data variables.product.prodname_copilot_short %}**. This creates a draft comment on the pull request, where you can instruct {% data variables.product.prodname_copilot_short %} to address specific feedback. You can then select whether {% data variables.product.prodname_copilot_short %} will create a new pull request against your branch or a commit to the same pull request with the suggestions applied.
70
70
71
71
## Requesting a re-review from {% data variables.product.prodname_copilot_short %}
72
72
@@ -91,12 +91,23 @@ To automatically request re-reviews from {% data variables.product.prodname_copi
91
91
To make these available for {% data variables.copilot.copilot_code-review_short %} on {% data variables.product.github %}, configure:
92
92
93
93
***Agent skills** in your repository (in `.github/skills`). If you want a skill to target review tasks, use a review-focused skill directory name such as `code-review`. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/add-skills).
94
-
***MCP servers** in repository Copilot settings. The {% data variables.product.github %} MCP server and Playwright MCP server are enabled by default. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/configure-mcp-servers).
94
+
***MCP servers** in repository {% data variables.product.prodname_copilot_short %} settings. The {% data variables.product.github %} MCP server and Playwright MCP server are enabled by default. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/configure-mcp-servers).
95
95
96
96
{% data reusables.copilot.code-review.mcp-context-usage %}
97
97
98
98
{% data reusables.copilot.code-review.mcp-tools-setting %}
99
99
100
+
## Customizing {% data variables.copilot.copilot_code-review_short %}'s environment
101
+
102
+
{% data variables.copilot.copilot_code-review_short %} runs in an ephemeral development environment, similar to {% data variables.copilot.copilot_cloud_agent %}. You can customize this environment using a {% data variables.product.prodname_actions %} workflow file, in the same way you would for {% data variables.copilot.copilot_cloud_agent %}, for example, to preinstall tools or dependencies, or to switch to a different operating system. For more information on how to structure this file, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-environment).
103
+
104
+
You can use either of the following files to configure {% data variables.copilot.copilot_code-review_short %}'s environment:
105
+
106
+
*`.github/workflows/copilot-setup-steps.yml`: If you have already configured this file for {% data variables.copilot.copilot_cloud_agent %}, {% data variables.copilot.copilot_code-review_short %} will use the same configuration by default.
107
+
*`.github/workflows/copilot-code-review.yml`: We recommend creating this file if you want to configure {% data variables.copilot.copilot_code-review_short %}'s environment independently of {% data variables.copilot.copilot_cloud_agent %}. If this file is present in your repository, it is used for {% data variables.copilot.copilot_code-review_short %} instead of `copilot-setup-steps.yml`.
108
+
109
+
You can also configure firewall rules to control the domains and URLs that {% data variables.copilot.copilot_code-review_short %} can access, at both the organization and repository level. These settings are configured separately from {% data variables.copilot.copilot_cloud_agent %}'s firewall settings, in their own section of the same "Internet access" tab. See [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-firewall).
110
+
100
111
## Providing feedback on {% data variables.product.prodname_copilot_short %}'s reviews
101
112
102
113
You can provide feedback on {% data variables.product.prodname_copilot_short %}'s comments directly within each comment. We use this information to improve the product and the quality of {% data variables.product.prodname_copilot_short %}'s suggestions.
In the sidebar, under "Code, planning, and automation", click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} {% data variables.product.prodname_copilot_short %}**, and then click **Internet access**.
1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration.
2
-
1
+
1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration).
0 commit comments