2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
# ---------------------------------------------------------------
# To update the sha:
# https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
FROM ghcr.io/github/gh-base-image/gh-base-noble:20260616-174421-gbe30bd25c@sha256:ff51e3a814bf958736588a809c5adc5cc15fe6c74bdb701296a08f86691bc67b AS base
FROM ghcr.io/github/gh-base-image/gh-base-noble:20260622-194245-g8d7fb0aeb@sha256:ec6e933b7e49fcafd02cab5d31a179a96fa9badd127b39eb153bbe2affee9e48 AS base

# Install curl for Node install and determining the early access branch
# Install git for cloning docs-early-access & translations repos
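Review bot: On the `FROM` line the tag and the `sha256` digest change together, and when both are present only the digest decides which image is pulled, so the tag is just a label. Please confirm that the new digest is the one published for tag `20260622-194245-g8d7fb0aeb` on the package page linked in the "To update the sha" comment, so the human-readable tag does not drift from what is actually built.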
Binary file modified assets/images/help/copilot/code-review/request-review@2x.png
Binary file modified assets/images/help/copilot/code-review/review-comment@2x.png
2 changes: 1 addition & 1 deletion content/account-and-profile/concepts/account-management.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ For more information, see the following articles.
* [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/removing-yourself-from-an-organization)
* [AUTOTITLE](/account-and-profile/reference/personal-account-reference#account-deletion)

To delete your personal account, see [AUTOTITLE](/account-and-profile/how-tos/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/deleting-your-personal-account).
To delete your personal account, see [AUTOTITLE](/account-and-profile/how-tos/account-management/deleting-your-personal-account).

## About unlinking your email address

2 changes: 1 addition & 1 deletion content/account-and-profile/concepts/email-addresses.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ You can also choose to block commits you push from the command line that expose

To ensure that commits are attributed to you and appear in your contributions graph, use an email address that is connected to your account on {% data variables.product.github %}{% ifversion fpt or ghec %}, or the `noreply` email address provided to you in your email settings{% endif %}.

For more information, see [AUTOTITLE](/account-and-profile/how-tos/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address).
For more information, see [AUTOTITLE](/account-and-profile/how-tos/email-preferences/setting-your-commit-email-address).

## Next steps

2 changes: 1 addition & 1 deletion content/account-and-profile/concepts/username-changes.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,4 +63,4 @@ After changing your username, CODEOWNERS files that include your old username wi

## Next steps

To change your username, see [AUTOTITLE](/account-and-profile/how-tos/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/changing-your-username).
To change your username, see [AUTOTITLE](/account-and-profile/how-tos/account-management/changing-your-username).
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,6 @@ category:

## Next steps

If you are having trouble adding an email address, see [AUTOTITLE](/account-and-profile/how-tos/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/troubleshooting-adding-an-email).
If you are having trouble adding an email address, see [AUTOTITLE](/account-and-profile/how-tos/email-preferences/troubleshooting-adding-an-email).

For reference information, see [AUTOTITLE](/account-and-profile/reference/email-addresses-reference).
Original file line number Diff line number Diff line change
Expand Up @@ -128,4 +128,4 @@ You can set a status to display information about your current availability.

* For reference information, see [AUTOTITLE](/account-and-profile/reference/profile-reference).

* For more detailed profile customizations, see [AUTOTITLE](/account-and-profile/how-tos/setting-up-and-managing-your-github-profile).
* For more detailed profile customizations, see [AUTOTITLE](/account-and-profile/how-tos).
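Review bot: The "more detailed profile customizations" bullet now links to `/account-and-profile/how-tos`, the top-level how-tos index, where it previously pointed at a profile-specific section. If a profile-specific landing page exists after the restructure, link to that instead, or reword the bullet so the link text matches a general index.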
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
title: Automatic Dependabot access to {% data variables.product.github %}-hosted registries
intro: 'Keep your private dependencies up to date reliably by granting {% data variables.product.prodname_dependabot %} automatic access to {% data variables.product.prodname_registry %} and {% data variables.product.prodname_container_registry %}, so you never need to create or rotate credentials for these registries.'
versions:
feature: org-automatic-registry-access
shortTitle: Automatic registry access
allowTitleToDifferFromFilename: true
contentType: concepts
category:
- Secure your dependencies
---

## About automatic access to {% data variables.product.github %}-hosted registries

{% data variables.product.prodname_dependabot %} can authenticate to private {% data variables.product.prodname_registry %} and {% data variables.product.prodname_container_registry %} packages using the same access grants that {% data variables.product.prodname_actions %} workflows use. If a package has granted your repository **Read** access in the package settings on {% data variables.product.github %}, {% data variables.product.prodname_dependabot %} can access that package automatically.

This eliminates the need to:

* Create and manage {% data variables.product.pat_generic_plural %} for registry access
* Manually configure access to {% data variables.product.github %}-hosted registries in your `dependabot.yml` file
* Rotate credentials when tokens expire

## How automatic access works

{% data variables.product.prodname_dependabot %} uses its `GITHUB_TOKEN` to request `packages: read` permission when pulling from `*.pkg.github.com` and {% data variables.product.prodname_container_registry_namespace %}. Any package that has granted your repository access through "Manage Actions access" accepts this token, the same way it would for a regular {% data variables.product.prodname_actions %} workflow. See [AUTOTITLE](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package).git s

This works for every {% data variables.product.prodname_registry %} ecosystem that {% data variables.product.prodname_dependabot %} supports.

## When to use automatic access

Use automatic access to {% data variables.product.github %}-hosted registries when:

* Your repositories depend on private packages stored in {% data variables.product.prodname_registry %} or {% data variables.product.prodname_container_registry %}.
* You want to reduce credential management overhead.
* You want to avoid silent update failures caused by expired {% data variables.product.pat_generic_plural %}.

For third-party registries (such as Artifactory, Azure Artifacts, or Nexus), you can only use the `dependabot.yml` registry configuration or organization-level private registry settings. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot).

## How to enable automatic access

For each package that {% data variables.product.prodname_dependabot %} needs to read, you need to go to the package's settings page and add the repository that runs {% data variables.product.prodname_dependabot %} with **Read** access. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#configuring-private-github-hosted-registries).

Once the repository has been granted access, {% data variables.product.prodname_dependabot %} can pull from that package automatically. You do not need to configure the `dependabot.yml` file, and you can remove any existing {% data variables.product.pat_generic %}-based registry entries you previously added for these packages.

For more information about configuring package access, see [AUTOTITLE](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package).
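Review bot: In "How automatic access works", the paragraph ends with stray text after the link: `#ensuring-workflow-access-to-your-package).git s`. Remove the trailing `git s`, which looks like a terminal command typed into the editor and would be rendered verbatim on the published page.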
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,10 @@ children:
- dependabot-pull-requests
- multi-ecosystem-updates
- about-the-dependabot-yml-file
- automatic-dependabot-access-to-github-registries
- dependabot-auto-triage-rules
- dependabot-on-actions
- dependabot-job-logs
- immutable-releases
- linked-artifacts
---

Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,19 @@ Any private registries used by the build must also be accessible to the workflow

When you configure access to one or more private registries, {% data variables.product.prodname_dependabot %} can propose pull requests to upgrade a vulnerable dependency or to maintain a dependency, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot).

{% ifversion org-automatic-registry-access %}

### Automatic access to {% data variables.product.github %}-hosted registries

For packages stored in {% data variables.product.prodname_registry %} and {% data variables.product.prodname_container_registry %}, {% data variables.product.prodname_dependabot %} can authenticate automatically without {% data variables.product.pat_generic_plural %} or `dependabot.yml` registry configuration.

{% data variables.product.prodname_dependabot %} uses its `GITHUB_TOKEN` to request read access, reusing the same package access grants that {% data variables.product.prodname_actions %} workflows use.

To enable this, grant the repository **Read** access to each package in the package settings. Once access is granted, {% data variables.product.prodname_dependabot %} can pull from those packages automatically, and you can remove any {% data variables.product.pat_generic %}-based registry entries you previously configured for them.

See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#configuring-private-github-hosted-registries).
{% endif %}

{% ifversion org-private-registry-oidc %}

### Configuring OIDC authentication for a private registry
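Review bot: The paragraph beginning "To enable this" tells readers they can remove {% data variables.product.pat_generic %}-based registry entries, but removing an entry from `dependabot.yml` leaves the token itself, and any secret that stored it, still valid. Suggest adding that the unused token should be revoked and its secret deleted once the entries are gone. Minor: add a blank line before `{% endif %}` to match the blank line after the opening `{% ifversion org-automatic-registry-access %}` tag.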
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,41 @@ For specific ecosystems, you can configure {% data variables.product.prodname_de

{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners).{% endif %}

{% ifversion org-automatic-registry-access %}

## Configuring private {% data variables.product.github %}-hosted registries

For packages stored in {% data variables.product.prodname_registry %} or {% data variables.product.prodname_container_registry %}, {% data variables.product.prodname_dependabot %} can authenticate automatically using its `GITHUB_TOKEN`. This uses the same "Manage Actions access" grants that {% data variables.product.prodname_actions %} workflows use. No {% data variables.product.pat_generic_plural %} or `dependabot.yml` registry entries are required.git push

The `dependabot.yml` registry configuration using {% data variables.product.pat_generic_title_case %}-based registry entries and described in [Configuring private third-party registries](#configuring-private-third-party-registries) is still required for third-party private registries (such as Artifactory, Azure Artifacts, or Nexus).

To grant {% data variables.product.prodname_dependabot %} access to a private package:

{% data reusables.package_registry.package-settings-from-org-level %}
{% data reusables.package_registry.package-settings-option %}
{% data reusables.package_registry.package-settings-actions-access %}
1. {% data reusables.package_registry.package-settings-add-repo %}.
Search for the repository where {% data variables.product.prodname_dependabot %} runs, and select it.
{% data reusables.package_registry.package-settings-actions-access-role-repo %}
Select **Read** as the access level. {% data variables.product.prodname_dependabot %} only needs read access to pull packages.

You need to repeat these steps for each private package that you want {% data variables.product.prodname_dependabot %} to access.

Once access is granted, {% data variables.product.prodname_dependabot %} can pull from those packages automatically. You can remove any {% data variables.product.pat_generic %}-based registry entries in `dependabot.yml` that you previously configured for these packages.

> [!NOTE]
> This method works for every {% data variables.product.prodname_registry %} ecosystem that {% data variables.product.prodname_dependabot %} supports, including container images in {% data variables.product.prodname_container_registry %}.

For more information about how automatic access works, see [AUTOTITLE](/code-security/concepts/supply-chain-security/automatic-dependabot-access-to-github-registries). For more information about package access settings, see [AUTOTITLE](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package).

## Configuring private third-party registries

{% else %}

## Configuring private registries

{% endif %}

{% ifversion org-private-registry %}

You can configure {% data variables.product.prodname_dependabot %}'s access to private registries at the org-level.
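Review bot: The first paragraph under "Configuring private {% data variables.product.github %}-hosted registries" ends with stray text: `registry entries are required.git push`. Remove the trailing `git push`. In the procedure, the hand-numbered step `1. {% data reusables.package_registry.package-settings-add-repo %}.` and the step after it are followed by unindented continuation lines ("Search for the repository..." and "Select **Read** as the access level..."), so they depend on Markdown lazy continuation to stay inside their list items; indent them under their steps or fold them into the reusables.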
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,12 @@ The snippet below shows a `dependabot.yml` file configuration that uses a token.

Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#docker-registry).

{% ifversion org-automatic-registry-access %}

For images stored in {% data variables.product.prodname_container_registry %}, you can grant your repository **Read** access in the package settings instead of configuring credentials in your `dependabot.yml` file. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#configuring-private-github-hosted-registries).

{% endif %}

Snippet of `dependabot.yml` file using a username and password.

{% raw %}
13 changes: 6 additions & 7 deletions content/copilot/concepts/mcp-management.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,14 +41,13 @@ MCP management features are supported as follows:

| Surface | Registry display | Allowlist enforcement |
|---|:---:|:---:|
| {% data variables.copilot.copilot_cli_short %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.copilot.copilot_cli_short %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} v1.0.11+ |
| {% data variables.copilot.copilot_cloud_agent %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Eclipse | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| JetBrains | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vs %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vscode_shortname %} Insiders | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Xcode | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Eclipse | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} v4.38+ |
| JetBrains | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} v1.5.64+ |
| {% data variables.product.prodname_vs %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} v18.4.0+ |
| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} v1.109.3+ |
| Xcode | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} v0.47.0+ |

> [!NOTE]
> For Eclipse, JetBrains, and Xcode, MCP management features are supported in the pre-release versions of {% data variables.product.prodname_copilot_short %}.
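Review bot: The minimum versions are added only in the "Allowlist enforcement" column, and the page does not say what a client below that version does. Because the allowlist is a policy control, state explicitly whether older clients skip enforcement, so administrators know to require the listed versions. Also check the NOTE under the table: it still says Eclipse, JetBrains, and Xcode support is in pre-release versions, so clarify whether `v4.38+`, `v1.5.64+`, and `v0.47.0+` refer to pre-release builds. The {% data variables.product.prodname_vscode_shortname %} Insiders row no longer appears among the updated rows; confirm that is intended.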
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
title: Creating a `.github-private` repository
shortTitle: Create github-private repository
allowTitleToDifferFromFilename: true
intro: 'A `.github-private` repository can serve as a designated source of governance settings for agents and plugins across your enterprise.'
permissions: Enterprise owners
versions:
feature: copilot
contentType: how-tos
category:
- Configure Copilot
- Manage Copilot for a team
---

A `.github-private` repository can house governance settings for your enterprise's custom agent profiles, client permissions, and plugins.

A repository-based governance approach allows users to open pull request with suggestions to improve the settings, and it allows settings changes to be restricted by codeowners and rulesets.

You can create a `.github-private` repository using a template or from scratch.

## Creating a repository for your enterprise governance

1. Choose an organization in your enterprise to own the repository containing your enterprise-level {% data variables.copilot.custom_agents_short %} and governance settings.
1. Navigate to the [governance template repository](https://github.com/docs/custom-agents-template?ref_product=copilot&ref_type=engagement&ref_style=text&ref_plan=enterprise).
1. In the top-right corner, click "Use this template" and create a new repository in your chosen organization named `.github-private`. Settings will apply to members regardless of whether they can access the repository, so choose the visibility based on who should be able to suggest changes:
* To grant **read access to all members** of your enterprise, choose {% octicon "organization" aria-hidden="true" aria-label="organization" %} **Internal**.
* To **manually grant access after creation**, choose {% octicon "lock" aria-hidden="true" aria-label="lock" %} **Private**.
1. Update the template README as needed. Consider including creation guidelines for {% data variables.copilot.custom_agents_short %} or compliance considerations specific to your enterprise.

> [!NOTE]
> Settings in this repository apply to all users on your enterprise's {% data variables.product.prodname_copilot_short %} plan who use a supported client.

## Selecting your repository as your source of governance

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.ai-controls-tab %}
1. On the "Agents" tab, in the "Configuration source" section, select the **Select organization** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %} dropdown menu, then click the organization that contains your `.github-private` repository.

The "Configuration summary" on the settings page will display the settings taken from this repository.

## Next steps
* [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/prepare-for-custom-agents)
* [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/disable-automatic-commands)
* [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-plugin-standards)
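Review bot: The introduction says settings changes can be restricted by codeowners and rulesets, but the steps under "Creating a repository for your enterprise governance" never tell the reader to set them up, even though the NOTE says the settings apply to all users on the enterprise's plan. Add a step to protect the default branch with a ruleset and a CODEOWNERS file before the repository is selected as the configuration source. Wording: "open pull request with suggestions" should be "open pull requests with suggestions", and `## Next steps` needs a blank line before the list.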
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ versions:
feature: copilot
children:
- /prepare-for-custom-agents
- /create-github-private-repo
- /configure-enterprise-plugin-standards
- /disable-automatic-commands
- /monitor-agentic-activity