From 6df77cb86fa558d0d6023fd7ed1857633c627c41 Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:00:36 -0700 Subject: [PATCH 1/4] docs: update copilot-cli content from source docs (#60794) Co-authored-by: github-actions[bot] Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> --- .../cli-command-reference.md | 39 ++++++++++++++++++- src/content-pipelines/state/copilot-cli.sha | 2 +- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/content/copilot/reference/copilot-cli-reference/cli-command-reference.md b/content/copilot/reference/copilot-cli-reference/cli-command-reference.md index d8c2867605ee..b5cf739dba0b 100644 --- a/content/copilot/reference/copilot-cli-reference/cli-command-reference.md +++ b/content/copilot/reference/copilot-cli-reference/cli-command-reference.md @@ -317,6 +317,7 @@ Settings cascade from user to repository to local, with more specific scopes ove | `compactPaste` | `boolean` | `true` | Collapse large pastes into compact tokens. | | `custom_agents.default_local_only` | `boolean` | `false` | Only use local custom agents. | | `denied_urls` | `string[]` | `[]` | URLs or domains blocked (takes precedence over `allowed_urls`). | +| `enabledFeatureFlags` | `object` | — | Enable or disable individual feature flags. Keys are flag names; values are `true` (enable) or `false` (explicitly disable). Takes precedence over the legacy `feature_flags.enabled` array format. See [Feature flag reference](#feature-flag-reference). | | `experimental` | `boolean` | `false` | Enable experimental features. | | `includeCoAuthoredBy` | `boolean` | `true` | Add a `Co-authored-by` trailer to git commits made by the agent. | | `companyAnnouncements` | `string[]` | `[]` | Custom messages shown randomly on startup. | 
@@ -969,6 +970,26 @@ MCP servers are loaded from multiple sources, each with a different trust level. All MCP tool invocations require explicit permission. This applies even to read-only operations on external services. +### Migrating from `.vscode/mcp.json` + +If your project uses `.vscode/mcp.json` (VS Code's MCP configuration format), migrate to `.mcp.json` for {% data variables.copilot.copilot_cli %}. The migration remaps the `servers` key to `mcpServers`. + +**POSIX shells (bash, zsh, fish, and others):** + +```shell +jq '{mcpServers: .servers}' .vscode/mcp.json > .mcp.json +``` + +Requires [`jq`](https://jqlang.github.io/jq/). + +**PowerShell:** + +```powershell +pwsh -NoProfile -Command "`$json = Get-Content '.vscode/mcp.json' -Raw | ConvertFrom-Json; `$content = ([pscustomobject]@{ mcpServers = `$json.servers } | ConvertTo-Json -Depth 100); [System.IO.File]::WriteAllText('.mcp.json', `$content, (New-Object System.Text.UTF8Encoding `$false))" +``` + +On Windows, replace `pwsh` with `powershell` if you are using Windows PowerShell instead of PowerShell Core. + ## Skills reference Skills are Markdown files that extend what the CLI can do. Each skill lives in its own directory containing a `SKILL.md` file. When invoked (via `/SKILL-NAME` or automatically by the agent), the skill's content is injected into the conversation. 
@@ -1239,7 +1260,23 @@ When content capture is enabled, the following attributes are populated. ## Feature flag reference -Feature flags enable functionality that is not yet generally available. Enable flags via the `COPILOT_CLI_ENABLED_FEATURE_FLAGS` environment variable (comma-separated list) or by using the `/experimental` slash command. +Feature flags enable functionality that is not yet generally available. You can enable or disable individual flags in three ways: + +* **Environment variable**: Set `COPILOT_CLI_ENABLED_FEATURE_FLAGS` to a comma-separated list of flag names (for example, `"SOME_FEATURE,SOME_OTHER_FEATURE"`). +* **Slash command**: Use `/experimental on` in an interactive session to enable all experimental-tier flags. +* **Configuration file**: Add an `enabledFeatureFlags` object to `~/.copilot/config.json`. Set a flag to `true` to enable it or `false` to explicitly disable a flag that would otherwise be enabled by your tier. + +```json +{ + "enabledFeatureFlags": { + "SOME_FEATURE": true, + "SOME_OTHER_FEATURE": false + } +} +``` + +> [!NOTE] +> The legacy `feature_flags.enabled` array format is still supported as a fallback, but `enabledFeatureFlags` takes precedence when both are present. | Flag | Tier | Description | |------|------|-------------| diff --git a/src/content-pipelines/state/copilot-cli.sha b/src/content-pipelines/state/copilot-cli.sha index 578f9054b180..3813f23c6c28 100644 --- a/src/content-pipelines/state/copilot-cli.sha +++ b/src/content-pipelines/state/copilot-cli.sha @@ -1 +1 @@ -3aa5cd78f969f848b3607863b5f73ba722a3f489 +584832db507d47454ed410791e2d0c53468bea20 From 6110e2cbfde8060ac1e0bff624caee037fdb93a5 Mon Sep 17 00:00:00 2001 
From: kbukum1 Date: Wed, 15 Apr 2026 18:06:46 -0500 Subject: [PATCH 2/4] Document OIDC support for org-level private registries (#60652) Co-authored-by: Laura Coursen --- .../giving-org-access-private-registries.md | 31 +++++++++++++++++-- ...ss-to-private-registries-for-dependabot.md | 13 +++++++- data/features/org-private-registry-oidc.yml | 7 +++++ 3 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 data/features/org-private-registry-oidc.yml diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md index b80007cd5062..4762a629b118 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md 
@@ -43,13 +43,17 @@ You need to be an **organization owner** to set up access to private registries 1. Use the **URL** and **Type** fields to define the location and type of the registry: * **URL** is the location where you access the private registry. For example, to use the {% data variables.product.prodname_registry %} registry for NuGet: `https://nuget.pkg.github.com/ORGANIZATION/index.json`, where `ORGANIZATION` is the name of your organization on {% data variables.product.github %}. * **Type** is the type of registry. -1. Select either **Token** or **Username and password**, depending on the authentication method, then enter data into the appropriate fields. - Some types of authentication tokens, such as a {% data variables.product.github %} {% data variables.product.pat_generic_title_case %}, are tied to a particular user identity. Select the **Username and password** option for these and enter the relevant username as **Username** and the token as **Password**. +1. Select the authentication method for the registry: + * **Token**: Enter the token used to authenticate with the registry. + * **Username and password**: Enter the username and password used to authenticate with the registry. Some types of authentication tokens, such as a {% data variables.product.github %} {% data variables.product.pat_generic_title_case %}, are tied to a particular user identity. Select this option for these and enter the relevant username as **Username** and the token as **Password**. + {% ifversion org-private-registry-oidc %} + * **OIDC (OpenID Connect)**: Use short-lived credentials from a cloud identity provider instead of storing long-lived secrets. When you select this option, choose a provider and fill in the provider-specific fields. For more information, see [Configuring OIDC authentication for a private registry](#configuring-oidc-authentication-for-a-private-registry). + {% endif %} 1. 
Define which repositories in the organization can access the private registry using these details: all, private and internal, or selected repositories only. 1. When you have finished defining the private registry, select **Add Registry** to save the registry information. > [!TIP] -> When you add a private registry to an organization the token or password is stored as an encrypted secret. Once the registry is created, the token or password cannot be viewed again. +> When you add a private registry to an organization using **Token** or **Username and password** authentication, the token or password is stored as an encrypted secret. Once the registry is created, the token or password cannot be viewed again. ### Enabling {% data variables.product.prodname_code_scanning %} default setup to use a registry definition 
@@ -77,6 +81,27 @@ Any private registries used by the build must also be accessible to the workflow When you configure access to one or more private registries, {% data variables.product.prodname_dependabot %} can propose pull requests to upgrade a vulnerable dependency or to maintain a dependency, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). +{% ifversion org-private-registry-oidc %} + +### Configuring OIDC authentication for a private registry + +OIDC (OpenID Connect) authentication allows {% data variables.product.prodname_dependabot %} to use short-lived credentials from your cloud identity provider to access private registries, eliminating the need to store long-lived secrets. With OIDC, credentials are generated dynamically for each {% data variables.product.prodname_dependabot %} update job. You must configure a trust relationship between your cloud provider and {% data variables.product.github %} before {% data variables.product.prodname_dependabot %} can authenticate. + +> [!NOTE] +> OIDC authentication for organization-level private registries is currently supported by {% data variables.product.prodname_dependabot %}. It is not supported by {% data variables.product.prodname_code_scanning %} default setup. + +When you select **OIDC** as the authentication method for a private registry, choose one of the supported providers and fill in the required fields: + +* **Azure**: Enter the **Tenant ID** (Azure AD tenant ID) and **Client ID** (Azure AD application client ID). You must configure a federated credential in Azure AD that trusts {% data variables.product.github %}'s OIDC provider. 
+* **AWS CodeArtifact**: Enter the **AWS Region**, **Account ID** (AWS account ID), **Role Name** (IAM role name), **Domain** (CodeArtifact domain), and **Domain Owner** (CodeArtifact domain owner / AWS account ID). You can optionally provide an **Audience**. You must configure an IAM OIDC identity provider in AWS that trusts {% data variables.product.github %}'s OIDC provider. +* **JFrog Artifactory**: Enter the **OIDC Provider Name**. You can optionally provide an **Audience** and **Identity Mapping Name**. + +The authentication type of a private registry cannot be changed after creation. To switch from OIDC to another authentication method, or vice versa, delete the existing registry and create a new one. + +For more information about how OIDC works, see [AUTOTITLE](/actions/concepts/security/openid-connect). + +{% endif %} + {% ifversion code-quality %} ## {% data variables.product.prodname_code_quality_short %} access to private registries diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md index 344576e1a8f6..7193aa093447 100644 --- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md +++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md 
@@ -32,7 +32,11 @@ For specific ecosystems, you can configure {% data variables.product.prodname_de {% ifversion org-private-registry %} -You can configure {% data variables.product.prodname_dependabot %}'s access to private registries at the org-level. For more information on how to configure that, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). +You can configure {% data variables.product.prodname_dependabot %}'s access to private registries at the org-level. +{% ifversion org-private-registry-oidc %} +Organization-level registries support **Token**, **Username and password**, and **OIDC** authentication. +{% endif %} +For more information about configuration, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). {% endif %} @@ -126,6 +130,13 @@ If your private registry is configured with an IP allow list, you can find the I With OIDC-based authentication, {% data variables.product.prodname_dependabot %} update jobs can dynamically obtain short-lived credentials from your cloud identity provider, just like {% data variables.product.prodname_actions %} workflows using OIDC federation. +{% ifversion org-private-registry-oidc %} + +> [!TIP] +> OIDC authentication is also available for **organization-level** private registries, which you can configure through the organization settings UI or the REST API. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#configuring-oidc-authentication-for-a-private-registry). + +{% endif %} + {% data variables.product.prodname_dependabot %} supports OIDC authentication for any registry type that uses `username` and `password` authentication, when the registry is hosted on one of the following cloud providers: * AWS CodeArtifact 
diff --git a/data/features/org-private-registry-oidc.yml b/data/features/org-private-registry-oidc.yml new file mode 100644 index 000000000000..83d295b3c515 --- /dev/null +++ b/data/features/org-private-registry-oidc.yml @@ -0,0 +1,7 @@ +# Reference: github/github#419577 +# OIDC authentication support for organization-level private registries used by Dependabot. +# This allows organizations to authenticate with private registries using OpenID Connect +# instead of storing long-lived secrets. +versions: + fpt: '*' + ghec: '*' From eeed34addbf2bf1bd05ea5fc1d419d507b5b21e8 Mon Sep 17 00:00:00 2001 From: Junko Suzuki Date: Thu, 16 Apr 2026 10:46:09 +0900 Subject: [PATCH 3/4] Remove Copilot Business from trial (#60805) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: sunbrye --- .../overview/setting-up-a-trial-of-github-enterprise-cloud.md | 2 +- .../setting-up-a-trial-of-github-enterprise.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/admin/overview/setting-up-a-trial-of-github-enterprise-cloud.md b/content/admin/overview/setting-up-a-trial-of-github-enterprise-cloud.md index e103798de800..12dc56725bb1 100644 --- a/content/admin/overview/setting-up-a-trial-of-github-enterprise-cloud.md +++ b/content/admin/overview/setting-up-a-trial-of-github-enterprise-cloud.md 
@@ -54,7 +54,7 @@ If you invite an existing organization into your trial enterprise, **all of thes ## Do I need to provide a payment method? -You do not need to provide a payment method to start a trial. If you want to use {% data variables.copilot.copilot_business_short %} during the trial, you can contact {% data variables.contact.github_support %} for approval. Once your request is approved, you will need to provide a credit card for additional validation. You **won't** be charged for using {% data variables.copilot.copilot_business_short %} during the trial. +You do not need to provide a payment method to start a trial. ## During the trial diff --git a/content/enterprise-onboarding/getting-started-with-your-enterprise/setting-up-a-trial-of-github-enterprise.md b/content/enterprise-onboarding/getting-started-with-your-enterprise/setting-up-a-trial-of-github-enterprise.md index 8c1d3608f1df..138d261e325e 100644 --- a/content/enterprise-onboarding/getting-started-with-your-enterprise/setting-up-a-trial-of-github-enterprise.md +++ b/content/enterprise-onboarding/getting-started-with-your-enterprise/setting-up-a-trial-of-github-enterprise.md @@ -37,7 +37,7 @@ If you invite an existing organization into your trial enterprise, **all of thes ## Do I need to provide a payment method? -You do not need to provide a payment method to start a trial. If you want to use {% data variables.copilot.copilot_business_short %} during the trial, you need to provide a credit card. You **won't** be charged for using {% data variables.copilot.copilot_business_short %} during the trial. +You do not need to provide a payment method to start a trial. ## During the trial From 9a658b9d8d85654751adc917cfc153485646cab8 Mon Sep 17 00:00:00 2001 
From: Eyal Gal Date: Thu, 16 Apr 2026 01:04:16 -0700 Subject: [PATCH 4/4] Add Memory Alpha blob storage hostnames to GHE.com network requirements (#60795) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- content/admin/data-residency/network-details-for-ghecom.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/admin/data-residency/network-details-for-ghecom.md b/content/admin/data-residency/network-details-for-ghecom.md index ddfa94fa0f6c..e3fba053769b 100644 --- a/content/admin/data-residency/network-details-for-ghecom.md +++ b/content/admin/data-residency/network-details-for-ghecom.md @@ -200,6 +200,8 @@ Japan region: #### EU `*.blob.core.windows.net` can be replaced with: +* `memoryalphaprodsdc01.blob.core.windows.net` +* `memoryalphaprodweu01.blob.core.windows.net` * `prodsdc01resultssa0.blob.core.windows.net` * `prodsdc01resultssa1.blob.core.windows.net` * `prodsdc01resultssa2.blob.core.windows.net` @@ -212,6 +214,7 @@ Japan region: #### Australia `*.blob.core.windows.net` can be replaced with: +* `memoryalphaprodae01.blob.core.windows.net` * `prodae01resultssa0.blob.core.windows.net` * `prodae01resultssa1.blob.core.windows.net` * `prodae01resultssa2.blob.core.windows.net` @@ -220,6 +223,7 @@ Japan region: #### Japan `*.blob.core.windows.net` can be replaced with: +* `memoryalphaprodjpw01.blob.core.windows.net` * `prodjpw01resultssa0.blob.core.windows.net` * `prodjpw01resultssa1.blob.core.windows.net` * `prodjpw01resultssa2.blob.core.windows.net`
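Review bot: In PATCH 1/4, `cli-command-reference.md`, the new `enabledFeatureFlags` table row does not say which settings scopes may set the key. The hunk's context line says settings cascade from user to repository to local, while the Feature flag reference text added later in the same patch names only `~/.copilot/config.json`. If a repository or local settings file can set it, a checked-out repository could switch on functionality that is not yet generally available, and the Description cell should say so. If the key is honored at user scope only, state that instead.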
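Review bot: In PATCH 1/4, the "Migrating from `.vscode/mcp.json`" hunk, both commands overwrite `.mcp.json` unconditionally (`> .mcp.json` in the jq line, `WriteAllText('.mcp.json', ...)` in the PowerShell line), so a project that already has a `.mcp.json` loses its existing entries. Add a sentence telling readers to check for an existing file and merge by hand if there is one. The filter `{mcpServers: .servers}` also copies only the `servers` key: other top-level keys in the source file are dropped, and a source file without `servers` produces `mcpServers: null`. The text should say that only the server definitions are carried over. Because the section this hunk extends says MCP servers load from sources with different trust levels, it would also help to say which trust level the generated `.mcp.json` receives.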
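Review bot: In PATCH 1/4, the "Feature flag reference" hunk gives precedence only between `enabledFeatureFlags` and the legacy `feature_flags.enabled` array, not between the three mechanisms in the new bullet list. It is unclear what happens when a flag is set to `false` in `enabledFeatureFlags` and is also named in `COPILOT_CLI_ENABLED_FEATURE_FLAGS` or turned on by `/experimental on`. Since `false` is documented as the way to explicitly disable a flag, add one sentence giving the order in which the environment variable, the slash command and the configuration file are applied. The intro sentence also promises "enable or disable ... in three ways", but only the configuration file bullet describes disabling; either narrow the intro or say that the other two can only enable.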
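Review bot: In PATCH 2/4, `giving-org-access-private-registries.md`, the new "Configuring OIDC authentication for a private registry" section tells readers to configure a trust relationship but never says what that trust should be restricted to. The Azure and AWS bullets say only that the federated credential or IAM OIDC identity provider "trusts GitHub's OIDC provider", and the JFrog bullet mentions no trust setup at all. Add the issuer and the claim values (subject, and the default audience when **Audience** is left empty) that a Dependabot update job presents, or link directly to where they are listed, so that readers can scope the trust policy to their own organization rather than to the provider as a whole. The closing link to the general OpenID Connect concept page does not obviously cover Dependabot's claims.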
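Review bot: In PATCH 2/4, `configuring-access-to-private-registries-for-dependabot.md`, the new TIP says organization-level OIDC registries can be configured "through the organization settings UI or the REST API", but the only link goes to the settings UI section added in this patch, and nothing in the patch documents the REST API route. Either link to the REST reference for organization private registries or drop the REST API mention until that content exists. In the first hunk of the same file, the intro now mixes "org-level" with "Organization-level" in adjacent sentences; use one form.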
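Review bot: In PATCH 3/4, both hunks shorten the "Do I need to provide a payment method?" answer to a single sentence and drop every mention of Copilot Business, so the page no longer tells readers whether Copilot Business can be used during a trial. The subject line says it is being removed from the trial; if that is the intent, say so explicitly in both `setting-up-a-trial-of-github-enterprise-cloud.md` and `setting-up-a-trial-of-github-enterprise.md`, for example in the section that lists what the trial includes, rather than leaving the exclusion implicit.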
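Review bot: In PATCH 4/4, `network-details-for-ghecom.md`, the new `memoryalphaprod...` hostnames are added to the EU, Australia and Japan lists with no indication of which feature uses them, unlike the neighbouring `prod...resultssa...` entries, whose names at least hint at their purpose. Administrators who have already replaced `*.blob.core.windows.net` with the explicit list need to know what fails if these hosts stay blocked, so add a short description or group them under a labelled sub-list. The EU hunk adds two hosts (`memoryalphaprodsdc01` and `memoryalphaprodweu01`) while the other regions get one each; confirm that is intended. Also confirm that no other region section in the file needs a matching entry, since the patch touches only these three.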