[pull] main from github:main #411

Merged
merged 24 commits into from
Mar 21, 2024
Commits
0a9d936
Merge pull request #49766 from github/repo-sync
docs-bot Mar 19, 2024
1b1ff90
Update supported macOS operating systems for Desktop (#49753)
sergiou87 Mar 20, 2024
458958c
Add CodeQL CLI to GHAS table (#49691)
subatoi Mar 20, 2024
7241404
Fix broken link by adding alternative passage to link elsewhere (#49714)
subatoi Mar 20, 2024
c8ee485
Merge pull request #32157 from github/repo-sync
docs-bot Mar 20, 2024
6046d44
Merge pull request #32159 from github/repo-sync
docs-bot Mar 20, 2024
fa5ec4c
Track scroll button clicks (#49764)
heiskr Mar 20, 2024
7f76335
Updates for code scanning autofix public beta (#49734)
saritai Mar 20, 2024
177a2cd
Merge pull request #32162 from github/repo-sync
docs-bot Mar 20, 2024
18f7487
Update audit log event data (#49782)
docs-bot Mar 20, 2024
396e6ff
Merge pull request #32163 from github/repo-sync
docs-bot Mar 20, 2024
bcc7729
get schema audit log event 'fields' (#49769)
rsese Mar 20, 2024
38a46eb
Merge pull request #32164 from github/repo-sync
docs-bot Mar 20, 2024
8801ed7
docs: Update refresh_token_expires_in value (#32165)
gonmmarques Mar 20, 2024
853f3ee
Merge pull request #49791 from github/repo-sync
docs-bot Mar 20, 2024
19c8bbc
Add expiration and IDs for SSH CA (#49724)
hpsin Mar 20, 2024
182149b
Specify how to update a workflow to reactivate its schedule (#49746)
fhammerl Mar 20, 2024
cbe9592
Better explain the upgrade steps for ARC (#49776)
nikola-jokic Mar 20, 2024
64827a1
[Improvement]: Remove Step in "Migrating Orgs to Enterprise SAML" Doc…
jusuchin85 Mar 20, 2024
1a7b4bf
Patch release notes for GitHub Enterprise Server (#49777)
release-controller[bot] Mar 20, 2024
6d2f39d
Merge pull request #32166 from github/repo-sync
docs-bot Mar 20, 2024
974a1f7
Merge pull request #32168 from github/repo-sync
docs-bot Mar 20, 2024
1b53d0a
Removed scope and restrictions (#49592)
MikaelaMcGrath Mar 20, 2024
9966317
Merge pull request #32169 from github/repo-sync
docs-bot Mar 20, 2024
Expand Up @@ -826,8 +826,10 @@ The [Dependabot Action](https://github.com/github/dependabot-action) is used to

Because there is no support for upgrading or deleting CRDs with Helm, it is not possible to use Helm to upgrade ARC. For more information, see [Custom Resource Definitions](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) in the Helm documentation. To upgrade ARC to a newer version, you must complete the following steps.

1. Uninstall ARC.
1. Uninstall all installations of `gha-runner-scale-set`.
1. Wait for resources cleanup.
1. Uninstall ARC.
1. If there is a change in CRDs from the version you currently have installed, to the upgraded version, remove all CRDs associated with `actions.github.com` API group.
1. Reinstall ARC again.

For more information, see "[Deploying a runner scale set](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#deploying-a-runner-scale-set)."
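
Review bot: The added step "Wait for resources cleanup." does not say which resources are meant or how the reader confirms cleanup has finished before going on to "Uninstall ARC.", so the ordering this change introduces cannot be followed reliably. Suggest "Wait for the resources to be cleaned up" plus a pointer to what to check. In the same list, "Reinstall ARC again." is redundant ("Reinstall ARC."), and "associated with `actions.github.com` API group" is missing "the" before the group name.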
18 changes: 7 additions & 11 deletions content/actions/using-workflows/events-that-trigger-workflows.md
Expand Up @@ -184,8 +184,6 @@ on:
deployment_status
```

{% ifversion discussions %}

## `discussion`

| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
Expand Down Expand Up @@ -238,8 +236,6 @@ on:
types: [created, deleted]
```

{% endif %}

## `fork`

| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
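
Review bot: The `{% endif %}` removed before `## fork` closes the `{% ifversion discussions %}` removed ahead of `## discussion` in the previous hunk, so everything between them now renders for every version of the docs. Nothing in the change says the `discussions` feature flag has been retired for all supported versions; please confirm that in the description, or keep the conditional until it has been.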
Expand Down Expand Up @@ -1174,7 +1170,7 @@ jobs:

- {% data reusables.actions.schedule-delay %}
- In a public repository, scheduled workflows are automatically disabled when no repository activity has occurred in 60 days. For information on re-enabling a disabled workflow, see "[AUTOTITLE](/[email protected]/actions/using-workflows/disabling-and-enabling-a-workflow#enabling-a-workflow)."
- When the last user to commit to a scheduled workflow is removed from the organization, the scheduled workflow will be disabled. If a user with `write` permissions to the repository commits to the scheduled workflow file, the scheduled workflow will be re-activated.
- When the last user to commit to the cron schedule of a workflow is removed from the organization, the scheduled workflow will be disabled. If a user with `write` permissions to the repository makes a commit that changes the cron schedule, the scheduled workflow will be re-activated.

{% endnote %}

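Review bot: The reworded bullet narrows the trigger from a commit "to a scheduled workflow" to a commit "to the cron schedule of a workflow", but it leaves open whether a commit that edits other parts of the same workflow file counts. State explicitly that only a change to the cron schedule by a user with `write` permissions reactivates the workflow, and consider a one-line example of a qualifying change. "re-activated" would also read better as "reactivated".
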
Expand Down Expand Up @@ -1304,11 +1300,11 @@ on: workflow_dispatch

### Providing inputs

You can configure custom-defined input properties, default input values, and required inputs for the event directly in your workflow. When you trigger the event, you can provide the `ref` and any `inputs`. When the workflow runs, you can access the input values in the {% ifversion actions-unified-inputs %}`inputs`{% else %}`github.event.inputs`{% endif %} context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)."
You can configure custom-defined input properties, default input values, and required inputs for the event directly in your workflow. When you trigger the event, you can provide the `ref` and any `inputs`. When the workflow runs, you can access the input values in the `inputs` context. For more information, see "[AUTOTITLE](/actions/learn-github-actions/contexts)."

{% data reusables.actions.inputs-vs-github-event-inputs %}

This example defines inputs called `logLevel`, `tags`, and `environment`. You pass values for these inputs to the workflow when you run it. This workflow then prints the values to the log, using the {% ifversion actions-unified-inputs %}`inputs.logLevel`, `inputs.tags`, and `inputs.environment`{% else %}`github.event.inputs.logLevel`, `github.event.inputs.tags`, and `github.event.inputs.environment`{% endif %} context properties.
This example defines inputs called `logLevel`, `tags`, and `environment`. You pass values for these inputs to the workflow when you run it. This workflow then prints the values to the log, using the `inputs.logLevel`, `inputs.tags`, and `inputs.environment` context properties.

```yaml
on:
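
Review bot: With the `{% ifversion actions-unified-inputs %}` branches removed from both paragraphs, the prose now names only the `inputs` context, yet `{% data reusables.actions.inputs-vs-github-event-inputs %}` stays between them. Check that the reusable still reads correctly beside text that no longer mentions `github.event.inputs`, and that it does not carry the same retired conditional.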
Expand Down Expand Up @@ -1341,9 +1337,9 @@ jobs:
echo "Tags: $TAGS"
echo "Environment: $ENVIRONMENT"
env:
LEVEL: {% ifversion actions-unified-inputs %}{% raw %}${{ inputs.logLevel }}{% endraw %}{% else %}{% raw %}${{ github.event.inputs.logLevel }}{% endraw %}{% endif %}
TAGS: {% ifversion actions-unified-inputs %}{% raw %}${{ inputs.tags }}{% endraw %}{% else %}{% raw %}${{ github.event.inputs.tags }}{% endraw %}{% endif %}
ENVIRONMENT: {% ifversion actions-unified-inputs %}{% raw %}${{ inputs.environment }}{% endraw %}{% else %}{% raw %}${{ github.event.inputs.environment }}{% endraw %}{% endif %}
LEVEL: {% raw %}${{ inputs.logLevel }}{% endraw %}
TAGS: {% raw %}${{ inputs.tags }}{% endraw %}
ENVIRONMENT: {% raw %}${{ inputs.environment }}{% endraw %}
```

If you run this workflow from a browser you must enter values for the required inputs manually before the workflow will run.
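
Review bot: The `env:` block maps each input to a variable (`LEVEL`, `TAGS`, `ENVIRONMENT`) and the `run` step echoes `"$TAGS"` and `"$ENVIRONMENT"` instead of expanding the `inputs` expressions inside the script, but nothing in the example says why. While these lines are being touched, add a short sentence noting that passing user-supplied inputs through `env` keeps their values out of the generated shell script, so readers copy the pattern deliberately rather than inlining the expressions.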
Expand All @@ -1362,7 +1358,7 @@ For more information, see the {% data variables.product.prodname_cli %} informat

| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
| --------------------- | -------------- | ------------ | -------------|
| [`workflow_run`](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_run) | - `completed`<br/>- `requested`{% ifversion actions-workflow-run-in-progress %}<br/>- `in_progress`{% endif %} | Last commit on default branch | Default branch |
| [`workflow_run`](/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_run) | - `completed`<br/>- `requested`<br/>- `in_progress` | Last commit on default branch | Default branch |

{% note %}

Expand Up @@ -39,7 +39,6 @@ For more information about the decision to implement SAML SSO at the organizatio
## Switching your SAML configuration from an organization to an enterprise account

1. Enforce SAML SSO for your enterprise account, making sure all organization members are assigned or given access to the IdP app being used for the enterprise account. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise)."
1. Optionally, remove any existing SAML configuration for organizations owned by the enterprise account. To help you decide whether to remove the configurations, see "[About SAML single sign-on for enterprise accounts](#about-saml-single-sign-on-for-enterprise-accounts)."
1. If you kept any organization-level SAML configurations in place, to prevent confusion, consider hiding the tile for the organization-level apps in your IdP.
1. Advise your enterprise members about the change.
- Members will no longer be able to access their organizations by clicking the SAML app for the organization in the IdP dashboard. They will need to use the new app configured for the enterprise account.
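
Review bot: With the optional "remove any existing SAML configuration" step deleted, the following step still opens with "If you kept any organization-level SAML configurations in place", which now refers to a choice the procedure no longer presents. Reword that step so it stands alone (for example, "If organizations owned by the enterprise still have SAML configured, ..."), or say in the description why removal is no longer offered here.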
Expand Up @@ -95,6 +95,20 @@ Deleting a CA cannot be undone. If you want to use the same CA in the future, yo
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.organizations.delete-ssh-ca %}
{% ifversion ssh-ca-expires %}

## Upgrading an SSH certificate authority

CAs uploaded to your enterprise {% ifversion ghec %}prior to March 27th, 2024,{% elsif ghes %}before {% data variables.product.prodname_ghe_server %} version 3.13{% endif %} allow the use of non-expiring certificates. To learn more about why expirations are now required for new CAs, see "[AUTOTITLE](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities#issuing-certificates)." You can upgrade an existing CA to prevent it from issuing non-expiring certificates. For best security, we strongly recommend upgrading all your CAs once you validate you're not reliant on non-expiring certificates.

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "SSH Certificate Authorities", to the right of the CA you want to upgrade, click **Upgrade**.
1. Read the warning, then click **Upgrade**.

After upgrading the CA, non-expiring certificates signed by that CA will be rejected.
{% endif %}

{% ifversion sso-redirect %}

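Review bot: The new section ends with "non-expiring certificates signed by that CA will be rejected", but the steps give no way to find such certificates first and do not say whether an upgrade can be reversed; the paragraph only advises upgrading "once you validate you're not reliant on non-expiring certificates". Add a step or link describing how to validate that before clicking **Upgrade**, and state whether the upgrade is permanent. Two smaller points: the `ghec` branch says "prior to March 27th, 2024," while the `ghes` branch says "before", so pick one wording; and `{% ifversion ssh-ca-expires %}` and its `{% endif %}` sit directly against the neighbouring lines with no blank line, unlike the `{% ifversion sso-redirect %}` block that follows.
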
Expand Up @@ -30,8 +30,16 @@ Advanced setup for {% data variables.product.prodname_code_scanning %} is helpfu
{% data variables.product.prodname_code_scanning_caps %} helps you catch vulnerabilities in the code in your repository. With {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you can select custom or built-in query suites for use in your analysis, set a specific scan schedule, choose which events trigger a scan, and more.
{% endif %}

{% ifversion fpt or ghec %}

You can also configure {% data variables.product.prodname_code_scanning %} with third-party tools. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %} using third-party actions](#configuring-code-scanning-using-third-party-actions)."

{% else %}

Your site administrator can also make third-party actions available to users for {% data variables.product.prodname_code_scanning %}, by setting up {% data variables.product.prodname_github_connect %}. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-github-connect-to-sync-github-actions)."

{% endif %}

{% data reusables.code-scanning.about-multiple-configurations-link %}
{% data reusables.code-scanning.codeql-action-version-ghes %}

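Review bot: The `{% else %}` branch added here shows the "Your site administrator can also make third-party actions available" sentence on every version that is not `fpt` or `ghec`. The sentence and its link target (`configuring-code-scanning-for-your-appliance`) are specific to an appliance with a site administrator, so `{% elsif ghes %}` would state the intent and keep the text from appearing anywhere else.
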
Expand Up @@ -19,9 +19,19 @@ topics:

## About autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}

Autofix is an AI-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts in pull requests so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from {% data variables.product.prodname_codeql %} analysis.
{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts in pull requests so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from {% data variables.product.prodname_codeql %} analysis.

{% data variables.product.prodname_code_scanning_caps %} autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. The autofix system uses the OpenAI GPT-4 large language model, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
{% note %}

**Note:** While {% data variables.product.prodname_code_scanning %} autofix is powered by {% data variables.product.prodname_copilot %}, your enterprise does not need a subscription to {% data variables.product.prodname_copilot %} to use autofix. As long as your enterprise has {% data variables.product.prodname_GH_advanced_security %}, you will have access to autofix.

{% endnote %}

{% data variables.product.prodname_code_scanning_caps %} autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. Autofix uses internal {% data variables.product.prodname_copilot %} APIs and private instances of OpenAI large language models such as GPT-4, which have sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.

{% ifversion code-scanning-autofix %}While {% data variables.product.prodname_code_scanning %} autofix is allowed by default in an enterprise and enabled for every repository using {% data variables.product.prodname_codeql %}, you can choose to opt out and disable autofix. To learn how to disable autofix at the enterprise, organization and repository levels, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)."{% endif %}

In an organization's security overview dashboard, you can view the total number of autofix suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights-for-your-organization#autofix-suggestions)" in the {% data variables.product.prodname_ghe_cloud %} documentation.

## Developer experience

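Review bot: The statement that autofix is "allowed by default in an enterprise" and enabled for every repository using CodeQL is the line administrators most need, yet it comes third, after the subscription note and the model description, and it is the only paragraph wrapped in `{% ifversion code-scanning-autofix %}`. Since the opening paragraph says fixes are generated by LLMs "using data from the codebase, the pull request", move the default-on and opt-out sentence up next to the note. Also, "private instances of OpenAI large language models such as GPT-4" is looser than the "uses the OpenAI GPT-4 large language model" wording it replaces; if the set of models is intentionally open-ended, say so.
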
Expand Down Expand Up @@ -120,10 +130,11 @@ It is important to remember that the author of a pull request retains responsibi

- "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)"
- "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts)"
- "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)"

{% elsif fpt %}

- "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)"
- [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts)
- [AUTOTITLE](/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts) in the {% data variables.product.prodname_ghe_cloud %} documentation

{% endif %}
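
Review bot: The new link to `disabling-autofix-for-code-scanning` is added only to the first branch of this list; the `{% elsif fpt %}` branch does not get it. If the article is not published for `fpt`, add the `/enterprise-cloud@latest/` form of the link there, as the triaging entry does. The rewritten `fpt` entry also drops the surrounding quotation marks that every other `[AUTOTITLE]` entry in the list uses.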
@@ -0,0 +1,57 @@
---
title: Disabling autofix for code scanning
shortTitle: Disable autofix
intro: You can choose to disallow {% data variables.product.prodname_code_scanning %} autofix for an enterprise or disable autofix at the organization and repository level.
product: '{% data reusables.rai.code-scanning.gated-feature-autofix %}'
versions:
feature: code-scanning-autofix
type: how_to
topics:
- Advanced Security
- Code scanning
- CodeQL
- AI
---

{% data reusables.rai.code-scanning.beta-autofix %}

## About disabling autofix for {% data variables.product.prodname_code_scanning %}

{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts in pull requests so they can avoid introducing new security vulnerabilities. To learn more about autofix for code scanning, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."

{% data variables.product.prodname_code_scanning_caps %} autofix is allowed by default in an enterprise and enabled for every repository that uses {% data variables.product.prodname_codeql %}, regardless of whether it uses default or advanced setup for {% data variables.product.prodname_code_scanning %}. Administrators at the enterprise, organization and repository levels can choose to opt-out and disable autofix.

Note that disabling autofix at any level will close all open autofix comments from all open pull requests at the level that was disabled. If autofix is disabled and then subsequently enabled, autofix won't automatically suggest any fixes for pull requests that are already open. The suggestions will only be generated for pull requests that are opened after autofix is enabled, or after re-running {% data variables.product.prodname_codeql %} analysis on existing pull requests.

## Blocking use of autofix for an enterprise

Enterprise administrators can disallow autofix for their enterprise. If you disallow autofix for an enterprise, autofix cannot be enabled for any organizations or repositories within the enterprise.

Note that allowing autofix for an enterprise does not enforce enablement of autofix, but means that organization and repository administrators will have the option to enable or disable autofix.

Disallowing autofix at the enterprise level will remove all open autofix comments from open pull requests across all repositories of all organizations within the enterprise.

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
1. Under "Autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}", use the dropdown menu to choose "Not allowed."

## Disabling autofix for an organization

If autofix is allowed at the enterprise level, organization administrators have the option to disable autofix for an organization. If you disable autofix for an organization, autofix cannot be enabled for any repositories within the organization.

Note that disabling autofix at the organization level will remove all open autofix comments from open pull requests across all repositories in the organization.

{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
1. Under the "{% data variables.product.prodname_code_scanning_caps %}" section, deselect **Autofix for {% data variables.product.prodname_codeql %}**.

## Disabling autofix for a repository

If autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable autofix for a repository. Disabling autofix at the repository level will remove all open autofix comments from all open pull requests across the repository.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.user-settings.security-analysis %}
1. In the "{% data variables.product.prodname_code_scanning_caps %}" section, deselect **Autofix for {% data variables.product.prodname_codeql %}**.
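
Review bot: The overview paragraph says disabling autofix "will close all open autofix comments", while the enterprise, organization and repository sections each say it "will remove all open autofix comments". Closing and removing are different outcomes for anyone reviewing pull request history, so use one verb throughout and make sure it matches the product behaviour. Smaller points: "choose to opt-out" should be "opt out" as a verb; the headings mix "Blocking use of" with "Disabling" and the intro mixes "disallow" with "disable", which works only if the distinction between the enterprise policy and the organization or repository setting is stated once; and in `"Not allowed."` the full stop sits inside the quotation marks around the UI label.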
Expand Up @@ -14,6 +14,7 @@ topics:
children:
- /about-code-scanning-alerts
- /about-autofix-for-codeql-code-scanning
- /disabling-autofix-for-code-scanning
- /managing-code-scanning-alerts-for-your-repository
- /triaging-code-scanning-alerts-in-pull-requests
- /tracking-code-scanning-alerts-in-issues-using-task-lists