.steps`
@@ -876,7 +876,7 @@ Fractional values are not supported. `timeout-minutes` must be a positive intege
The maximum number of minutes to let a job run before {% data variables.product.prodname_dotcom %} automatically cancels it. Default: 360
-If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits.
+If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners) for self-hosted runner usage limits.
> [!NOTE]
> {% data reusables.actions.github-token-expiration %} For self-hosted runners, the token may be the limiting factor if the job timeout is greater than 24 hours. For more information on the `GITHUB_TOKEN`, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#about-the-github_token-secret).
diff --git a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md
index dc3ba8775b4a..67be9adaef4a 100644
--- a/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md
+++ b/content/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities.md
@@ -287,6 +287,11 @@ ghe-reactivate-admin-login
### ghe-saml-mapping-csv
+{% ifversion scim-for-ghes-ga %}
+> [!NOTE]
+> This utility does not work with configurations that use SAML with SCIM provisioning. For the SCIM version of this tool, please refer to [`ghe-scim-identities-csv` utility](#ghe-scim-identities-csv).
+{% endif %}
+
This utility allows administrators to output or update the SAML `NameID` mappings for users on an instance. The utility can output a CSV file that lists all existing mappings. You can also update mappings for users on your instance by editing the resulting file, then using the utility to assign new mappings from the file.
To output a CSV file containing a list of all user SAML `NameID` mappings on the instance, run the following command.
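Review bot: The added note under `### ghe-saml-mapping-csv` links to "[`ghe-scim-identities-csv` utility]" without an article, while the matching note added later in this file says "the [`ghe-saml-mapping-csv` utility]". Suggest "see the [`ghe-scim-identities-csv` utility](#ghe-scim-identities-csv)" here and the same "see the ..." form in the other note so the pair reads consistently.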
@@ -311,6 +316,31 @@ To update SAML mappings on the instance with new values from the file, run the f
ghe-saml-mapping-csv -u -f /PATH/TO/FILE
```
+{% ifversion scim-for-ghes-ga %}
+
+### ghe-scim-identities-csv
+
+> [!NOTE]
+> This utility only works with configurations that use SAML with SCIM provisioning. For the SAML only version of this tool, please refer to the [`ghe-saml-mapping-csv` utility](#ghe-saml-mapping-csv).
+
+This utility allows administrators to output the SCIM identities for users on an instance. The utility can output a CSV file that lists all existing identities and the groups they are members of.
+
+To output CSV data containing a list of all user SCIM identities on the instance, run the following command. This will create a file located at `/data/user/tmp/scim-identities-DATE.csv` containing your SCIM identities.
+
+```shell
+ghe-scim-identities-csv
+```
+
+Or, if you'd like to specify the file, run the following command.
+
+```shell
+ghe-scim-identities-csv -f /PATH/TO/FILE
+```
+
+We recommend writing to a file in `/data/user/tmp`.
+
+{% endif %}
+
### ghe-service-list
This utility lists all of the services that have been started or stopped (are running or waiting) on your appliance.
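Review bot: The new `ghe-scim-identities-csv` section says the export is written to `/data/user/tmp/scim-identities-DATE.csv` and lists every identity with its group memberships, but gives no guidance on handling that file afterwards. Consider adding a sentence on deleting the export once it has been copied off the appliance, and say why `/data/user/tmp` is the recommended location for `-f`. Minor: "SAML only version" in the note should be hyphenated as "SAML-only version".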
diff --git a/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md b/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md
index 41608fe4ac07..f3046944b49d 100644
--- a/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md
+++ b/content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md
@@ -43,3 +43,8 @@ Before enabling license synchronization on {% data variables.location.product_lo
1. To the right of "License sync", click **Enable**.

+
+{% ifversion scim-for-ghes-ga %}
+> [!NOTE]
+> If SAML with SCIM is enabled, the `scim-admin` setup user will not consume a license. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user).
+{% endif %}
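Review bot: This `scim-admin` license note is added verbatim a second time in `troubleshooting-license-usage-for-github-enterprise.md` later in this diff, so the two copies can drift apart. Suggest moving the text into a reusable under `data/reusables/scim/` and including it in both places. The hunk also adds two blank lines before `{% ifversion scim-for-ghes-ga %}` where one is enough.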
diff --git a/content/admin/configuring-settings/configuring-network-settings/network-ports.md b/content/admin/configuring-settings/configuring-network-settings/network-ports.md
index b394e26e0975..00df981a606d 100644
--- a/content/admin/configuring-settings/configuring-network-settings/network-ports.md
+++ b/content/admin/configuring-settings/configuring-network-settings/network-ports.md
@@ -56,7 +56,7 @@ Email ports must be accessible directly or via relay for inbound email support f
## {% data variables.product.prodname_actions %} ports
-{% data variables.product.prodname_actions %} ports must be accessible for self-hosted runners to connect to {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-server).
+{% data variables.product.prodname_actions %} ports must be accessible for self-hosted runners to connect to {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners).
| Port | Service | Description |
|---|---|---|
diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md
index d7b4203741f5..d350de2e32fe 100644
--- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md
+++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md
@@ -198,9 +198,18 @@ If you use SAML authentication and SCIM provisioning, you can filter members bas
1. Select **Account Type**, then choose from the following options.
* **Built-in:** Users with local accounts on {% data variables.location.product_location %} who authenticate with a username and password.
+{% ifversion scim-for-ghes-ga %}
+ * **SAML JIT provisioned:** Users who authenticate with SAML via an identity provider and were created through just-in-time (JIT) provisioning when they first signed in. These users are not linked to SCIM identities.
+ * **SCIM provisioned:** Users who were created and managed through SCIM provisioning from your identity provider. These users are linked to SCIM identities.
+{% else %}
* **SAML linked:** Users who authenticate with SAML via an identity provider, but were not provisioned by SCIM.
* **SAML and SCIM linked:** Users who authenticate with SAML via an identity provider, and were provisioned by SCIM.
+{% endif %}
+
+{% endif %}
+{% ifversion scim-for-ghes-ga %}
+{% data reusables.scim.ghe-scim-identities-csv %}
{% endif %}
## Viewing members without an email address from a verified domain
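Review bot: The Liquid nesting at the end of this hunk is hard to follow: the added `{% endif %}` after the blank line closes a block opened outside the hunk, and the pre-existing `{% endif %}` now closes the new `{% ifversion scim-for-ghes-ga %}` instead. Please confirm the tags still balance for both versions. The `{% ifversion %}`, `{% else %}` and `{% endif %}` lines added between the nested list items may also split the list when rendered; the `{%- ... %}` whitespace-control form used in `user-provisioning-with-scim-on-ghes.md` would be safer here.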
diff --git a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md
index a6607075c18e..de863c54c797 100644
--- a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md
+++ b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md
@@ -83,7 +83,7 @@ You can create a runner group to manage access to the runner that you added to y
> [!WARNING]
> {% data reusables.actions.self-hosted-runner-security %}
>
- > For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories).
+ > For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions).
{% data reusables.actions.create-runner-group %}
1. Click the "Runners" tab.
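Review bot: The replacement link in the `[!WARNING]` block drops the section anchor. The old target was `about-self-hosted-runners#self-hosted-runner-security-with-public-repositories`, while the new one is the top of `security-hardening-for-github-actions`, so a reader following a warning about self-hosted runner security lands on a general guide. If that article has a section on self-hosted runners, link to its anchor.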
diff --git a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md
index c9a4a4588297..b82ec5ad7b73 100644
--- a/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md
+++ b/content/admin/managing-github-actions-for-your-enterprise/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md
@@ -90,7 +90,7 @@ You may need to upgrade the CPU and memory resources for {% data variables.locat
{% data variables.product.prodname_actions %} workflows require runners.{% ifversion ghec %} You can choose to use {% data variables.product.prodname_dotcom %}-hosted runners or self-hosted runners. {% data variables.product.company_short %} manages maintenance and upgrades for {% data variables.product.prodname_dotcom %}-hosted runners. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners).
-To manage your own resources, configuration, or geographic location of your runner machines, use self hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).
+To manage your own resources, configuration, or geographic location of your runner machines, use self-hosted runners. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).
If you want more control over the networking policies for your runners, use self-hosted runners or private networking options for {% data variables.product.prodname_dotcom %}-hosted runners. For more information about private networking options, see [AUTOTITLE](/actions/using-github-hosted-runners/connecting-to-a-private-network/about-private-networking-with-github-hosted-runners).{% else %} You will need to host your own runners by installing the {% data variables.product.prodname_actions %} self-hosted runner application on your own machines. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).{% endif %}
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md
index a1cb5f77c2d2..d4fd712a4985 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md
@@ -86,6 +86,8 @@ Before starting this section, ensure you have followed steps **1 to 4** in [AUTO
* "Secret Token": the {% data variables.product.pat_v1 %} created for the setup user
1. Click **Test Connection**.
1. When the test is complete, click **Save**.
+1. Navigate back to the "Overview" page.
+1. To provision your EntraID users to your {% data variables.product.prodname_ghe_server %} appliance, Click **Start provisioning**.
When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#6-disable-optional-settings).
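Review bot: In the second added step, "EntraID" should be "Entra ID" to match the product name used in this article's file name, and "Click" should be lowercase because it follows a comma: "To provision your Entra ID users to your ... appliance, click **Start provisioning**."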
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md
index 24ca7538d116..6b91a165326f 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md
@@ -57,6 +57,7 @@ If you're configuring SCIM provisioning for a new enterprise, make sure to compl
{% else %}
+* SCIM is a server-to-server protocol. Your instance's REST API endpoints must be accessible to your SCIM provider.
* For authentication, your instance must use SAML SSO, or a mix of SAML and built-in authentication.
* You cannot mix SCIM with other external authentication methods. If you use CAS or LDAP, you will need to migrate to SAML before using SCIM.
* After you have configured SCIM, you must keep SAML authentication enabled to continue using SCIM.
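Review bot: The added prerequisite says the instance's REST API endpoints "must be accessible to your SCIM provider" but does not say which endpoints are meant or how an administrator should open that access. Since this asks readers to expose the appliance API to an external service, suggest naming the SCIM endpoints or linking to the SCIM REST API reference, and pointing to the network ports article so access can be scoped to the provider rather than opened broadly.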
@@ -73,16 +74,16 @@ If you're configuring SCIM provisioning for a new enterprise, make sure to compl
To ensure you can continue to sign in and configure settings when SCIM is enabled, you'll create an enterprise owner using built-in authentication.
1. Sign in to {% data variables.product.prodname_ghe_server %} as a user with access to the Management Console.
-1. If you have **already enabled SAML authentication**, ensure your settings allow you to create and promote a built-in setup user. Go to the "Authentication" section of the Management Console and enable the following settings:
+1. If you have **already enabled SAML authentication**, ensure your settings allow you to create and promote a built-in authentication user. Go to the "Authentication" section of the Management Console and enable the following settings:
* Select **Allow creation of accounts with built-in authentication**, so you can create the user.
* Select **Disable administrator demotion/promotion**, so admin permissions can be granted outside of your SAML provider.
For help finding these settings, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso).
-1. Create a built-in user account to perform provisioning actions on your instance. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance).
+1. Create a built-in user account{% ifversion scim-for-ghes-ga %} with the username `scim-admin`{% endif %} to perform provisioning actions on your instance. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance).
- >[!NOTE] Ensure the user's email and username are different from any user you plan on provisioning through SCIM. If your email provider supports it, you can modify an email address by adding `+admin`, for example `johndoe+admin@example.com`.
+ >[!NOTE] Ensure the user's email and username are different from any user you plan on provisioning through SCIM. If your email provider supports it, you can modify an email address by adding `+admin`, for example `johndoe+admin@example.com`.{% ifversion scim-for-ghes-ga %} You can use any username you would like for your setup user, but the `scim-admin` user will not be included in your [{% data variables.product.prodname_github_connect %}](/enterprise-cloud@latest/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise#viewing-license-usage-on-github-enterprise-cloud) license counts, while other users will.{% endif %}
1. Promote the user to an enterprise owner. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator#promoting-a-user-from-the-enterprise-settings).
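Review bot: The second step now says "built-in authentication user", but the note added two steps later still says "setup user", and the links added elsewhere in this diff target `#1-create-a-built-in-setup-user`. Pick one term and use it throughout the section. In the same note, the link text is the GitHub Connect product name but the target is the `viewing-license-usage-for-github-enterprise` article; the text should describe the page it opens.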
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md
index 47a57d9903b5..5de095e927b0 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md
@@ -169,6 +169,7 @@ Before a person with an identity on your identity management system can sign in
* For an overview of the supported attributes for users, see [SCIM](/rest/enterprise-admin/scim#supported-scim-user-attributes) in the REST API documentation.
* You can view provisioned users in the {% data variables.product.github %} UI. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise).
+{% ifversion scim-for-ghes-ga %}* {% data reusables.scim.ghe-scim-identities-csv %}{% endif %}
| Action | Method | Endpoint and more information | Events in the audit log |
| :- | :- | :- | :- |
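Review bot: The reusable `scim.ghe-scim-identities-csv` is included here as a bullet (`* {% data reusables.scim.ghe-scim-identities-csv %}`) but as a standalone paragraph in `viewing-people-in-your-enterprise.md`. Please check that its text is a single sentence with no leading list marker or block-level markup, so it renders correctly in both contexts. The reusable's own file is not in the part of the diff shown here, so that cannot be confirmed from these lines.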
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md
index 95cd8992cdae..63c4ae1a53f4 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md
@@ -65,7 +65,7 @@ During the {% data variables.release-phases.private_preview %}, your account tea
{% data reusables.enterprise_user_management.scim-manages-user-lifecycle %}
-When SCIM is enabled, you will no longer be able to delete, suspend, or promote SCIM-provisioned users directly on {% data variables.product.prodname_ghe_server %}. You must manage these processes from your IdP.
+When SCIM is enabled, you will no longer be able to delete, suspend, or promote SCIM-provisioned users directly on {% data variables.product.prodname_ghe_server %}. You must manage these processes from your IdP.{% ifversion scim-for-ghes-ga %} If an issue arises with your IdP and you need to manage a user directly, you will need to use the SCIM REST API to manage the user identities on your appliance (see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api)).{% endif %}
To view suspended members, navigate to the "Suspended Members" tab of your enterprise settings. This page will be present when SCIM is enabled on {% data variables.product.prodname_ghe_server %}.
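Review bot: The link in the added sentence points at `/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api`, which is a path for Enterprise Managed Users. The REST API article touched elsewhere in this diff lives at `/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api`, and that looks like the intended target for a GHES reader. Also consider ending the sentence with "See [AUTOTITLE](...)." instead of the parenthetical.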
@@ -78,6 +78,7 @@ To view suspended members, navigate to the "Suspended Members" tab of your enter
If you currently use SAML SSO, and you are enabling SCIM, you should be aware of what happens to existing user accounts on {% data variables.product.prodname_ghe_server %} once SCIM is enabled.
* Existing users with SAML mappings will **not be able to sign in** until their identities have been provisioned by SCIM.
+* Existing users created with **Built in authentication** will only be able to sign in if **Built in authentication** is still enabled.
{%- ifversion scim-for-ghes-ga %}
* {% data variables.product.prodname_ghe_server %} will no longer store SAML mappings for users. Instead, SCIM identities will be stored for users when a user is provisioned.
* You will no longer see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. It will not be possible to view or update SAML NameID mappings that were previously visible in this section, since these stored SAML mappings are no longer evaluated during SAML authentication when SCIM is enabled.
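Review bot: In the added bullet, "**Built in authentication**" should be "built-in authentication", hyphenated and lowercase, matching "Allow creation of accounts with built-in authentication" in `configuring-scim-provisioning-for-users.md`. Bold is not needed unless this is the exact label of a setting, in which case quote the label as it appears in the Management Console.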
@@ -86,6 +87,7 @@ If you currently use SAML SSO, and you are enabling SCIM, you should be aware of
* If a user account with a matching username does exist, {% data variables.product.prodname_ghe_server %} links the SCIM identity to this user account.
* If a user account with a matching username doesn't exist, {% data variables.product.prodname_ghe_server %} creates a new user account and links it to this SCIM identity.
* If {% data variables.product.prodname_dotcom %} successfully matches a user who is authenticating via SAML with an existing user account, but account details such as email address, first name, or last name don't match, the instance **overwrites the details** with values from the IdP. Any email addresses other than the primary email provisioned by SCIM will also be deleted from the user account.
+{% ifversion scim-for-ghes-ga %}* {% data reusables.scim.ghe-scim-identities-csv %}{% endif %}
## What happens during SAML authentication?
diff --git a/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md b/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md
index 782f23c51fe5..2018cfe34039 100644
--- a/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md
+++ b/content/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions.md
@@ -117,7 +117,7 @@ Jobs that run on Windows and macOS runners that {% data variables.product.prodna
#### Points to note about rates for runners
-* The number of jobs you can run concurrently across all repositories in your user or organization account depends on your {% data variables.product.prodname_dotcom %} plan. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits.
+* The number of jobs you can run concurrently across all repositories in your user or organization account depends on your {% data variables.product.prodname_dotcom %} plan. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners) for self-hosted runner usage limits.
* {% data reusables.user-settings.context_switcher %}
* {% data reusables.actions.larger-runner-permissions %}
* {% data reusables.actions.about-larger-runners-billing %}
diff --git a/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md b/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md
index 27bf08249950..4c39c0396151 100644
--- a/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md
+++ b/content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md
@@ -108,6 +108,7 @@ If your enterprise does not use {% data variables.product.prodname_emus %}, you
* Guest collaborators who are not organization members or repository collaborators (see [AUTOTITLE](/enterprise-cloud@latest/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise#guest-collaborators))
* Users of {% data variables.visual_studio.prodname_vss_ghe %} whose accounts on {% data variables.product.prodname_dotcom %} are not linked, and who do not meet any of the other criteria for per-user pricing
* Users who have been provisioned with a {% data variables.enterprise.prodname_managed_user %}, but are not members of any organizations in the enterprise
+* The `scim-admin` setup user, when SCIM is enabled on your {% data variables.product.prodname_ghe_server %} appliance. For more information, see the SCIM configuration guide [AUTOTITLE](/enterprise-server@latest/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user).
### Accounts that consume a license on {% data variables.product.prodname_ghe_server %}
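Review bot: The added `scim-admin` bullet is not wrapped in `{% ifversion scim-for-ghes-ga %}`, unlike the other `scim-admin` notes in this diff, and "see the SCIM configuration guide [AUTOTITLE]" names the article twice once the title is filled in. Suggest "For more information, see [AUTOTITLE](...)." and confirm whether the bullet needs version gating.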
diff --git a/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md b/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md
index e71a148670c5..0f8064bbf70a 100644
--- a/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md
+++ b/content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md
@@ -41,6 +41,11 @@ First, we check the primary email address of each user on {% data variables.prod
If there is no match, or if SAML authentication or SCIM provisioning is not in use, we attempt to match the primary email address on {% data variables.product.prodname_ghe_server %} with a verified email address for a user account on {% data variables.product.prodname_ghe_cloud %}. For more information about verification of email addresses on {% data variables.product.prodname_ghe_cloud %}, see [AUTOTITLE](/enterprise-cloud@latest/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/verifying-your-email-address){% ifversion not ghec %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %}
+{% ifversion scim-for-ghes-ga %}
+> [!NOTE]
+> If SAML with SCIM is enabled, the `scim-admin` setup user will not consume a license. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user).
+{% endif %}
+
## Fields in the consumed license files
The {% data variables.product.prodname_ghe_cloud %} license usage report and {% data variables.product.prodname_ghe_server %} exported license usage file include a variety of fields to help you troubleshoot license usage for your enterprise.
diff --git a/data/reusables/actions/azure-vnet-procedures-prereqs.md b/data/reusables/actions/azure-vnet-procedures-prereqs.md
index 789759d78058..b625ac5d6476 100644
--- a/data/reusables/actions/azure-vnet-procedures-prereqs.md
+++ b/data/reusables/actions/azure-vnet-procedures-prereqs.md
@@ -15,7 +15,7 @@ You will use a script to automate configuring your Azure resources.
If you use {% data variables.enterprise.data_residency %}, in the `AllowOutBoundGitHub` section, you must also include the ingress IP ranges for {% data variables.enterprise.data_residency_site %}. See [AUTOTITLE](/admin/data-residency/network-details-for-ghecom#ranges-for-ingress-traffic).
> [!NOTE]
- > As an alternative to using the following file, to allow {% data variables.product.prodname_actions %} to communicate with the runners, you can allow the same firewall domains that are required for communication between self-hosted runners and {% data variables.product.github %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-cloud). To determine the appropriate subnet IP address range, we recommend adding a 30% buffer to the maximum job concurrency you anticipate. For instance, if your network configuration's runners are set to a maximum job concurrency of 300, it's recommended to utilize a subnet IP address range that can accommodate at least 390 runners. This buffer helps ensure that your network can handle unexpected increases in VM needs to meet job concurrency without running out of IP addresses.
+ > As an alternative to using the following file, to allow {% data variables.product.prodname_actions %} to communicate with the runners, you can allow the same firewall domains that are required for communication between self-hosted runners and {% data variables.product.github %}. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners). To determine the appropriate subnet IP address range, we recommend adding a 30% buffer to the maximum job concurrency you anticipate. For instance, if your network configuration's runners are set to a maximum job concurrency of 300, it's recommended to utilize a subnet IP address range that can accommodate at least 390 runners. This buffer helps ensure that your network can handle unexpected increases in VM needs to meet job concurrency without running out of IP addresses.
```bicep copy
@description('NSG for outbound rules')
diff --git a/data/reusables/actions/ip-allow-list-self-hosted-runners.md b/data/reusables/actions/ip-allow-list-self-hosted-runners.md
index 3282b0f1d08d..89fb185a43be 100644
--- a/data/reusables/actions/ip-allow-list-self-hosted-runners.md
+++ b/data/reusables/actions/ip-allow-list-self-hosted-runners.md
@@ -1,4 +1,4 @@
> [!WARNING]
-> If you use an IP allow list and would also like to use {% data variables.product.prodname_actions %}, you must use self-hosted runners{% ifversion actions-hosted-runners %} or {% data variables.product.prodname_dotcom %}-hosted larger runners with static IP address ranges{% endif %}. When using [Azure private networking](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise), IPs from your Azure subnet must be used. To reduce the number of required IPs, we recommend creating a load balancer to provide a single IP range for the GitHub allow list. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) {% ifversion actions-hosted-runners %} or [AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners){% endif %}.
+> If you use an IP allow list and would also like to use {% data variables.product.prodname_actions %}, you must use self-hosted runners{% ifversion actions-hosted-runners %} or {% data variables.product.prodname_dotcom %}-hosted larger runners with static IP address ranges{% endif %}. When using [Azure private networking](/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-azure-private-networking-for-github-hosted-runners-in-your-enterprise), IPs from your Azure subnet must be used. To reduce the number of required IPs, we recommend creating a load balancer to provide a single IP range for the GitHub allow list. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners) {% ifversion actions-hosted-runners %} or [AUTOTITLE](/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners){% endif %}.
To allow your self-hosted {% ifversion actions-hosted-runners %}or larger hosted{% endif %} runners to communicate with {% data variables.product.prodname_dotcom %}, add the IP address or IP address range of your runners to the IP allow list that you have configured for your enterprise.
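Review bot: The changed line keeps a space before `{% ifversion actions-hosted-runners %}` at the end of the warning, so where that version check is false the sentence renders as "see [link] ." with a stray space before the period, and where it is true there is a double space before "or". Since the line is being touched anyway, move the space inside the conditional: `...communicating-with-self-hosted-runners){% ifversion actions-hosted-runners %} or [AUTOTITLE](...){% endif %}.`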
diff --git a/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md b/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md
index 229759637fc2..3a6b60c53126 100644
--- a/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md
+++ b/data/reusables/actions/jobs/section-using-jobs-in-a-workflow.md
@@ -2,6 +2,6 @@ A workflow run is made up of one or more `jobs`, which run in parallel by defaul
Each job runs in a runner environment specified by `runs-on`.
-You can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#usage-limits) for self-hosted runner usage limits.
+You can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see [AUTOTITLE](/actions/learn-github-actions/usage-limits-billing-and-administration) for {% data variables.product.prodname_dotcom %}-hosted runners and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/usage-limits-for-self-hosted-runners) for self-hosted runner usage limits.
If you need to find the unique identifier of a job running in a workflow run, you can use the {% data variables.product.github %} API. For more information, see [AUTOTITLE](/rest/actions#workflow-jobs).
diff --git a/data/reusables/actions/oidc-further-reading.md b/data/reusables/actions/oidc-further-reading.md
index d9db3f4a05f9..fa07e5ddba85 100644
--- a/data/reusables/actions/oidc-further-reading.md
+++ b/data/reusables/actions/oidc-further-reading.md
@@ -1,4 +1,2 @@
* [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows)
-{% ifversion fpt %}- [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github){% endif %}
-{% ifversion ghec %}- [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-cloud){% endif %}
-{% ifversion ghes %}- [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-enterprise-server){% endif %}
+* [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners)
diff --git a/data/reusables/actions/self-hosted-runner-description.md b/data/reusables/actions/self-hosted-runner-description.md
index e865326637b4..e69de29bb2d1 100644
--- a/data/reusables/actions/self-hosted-runner-description.md
+++ b/data/reusables/actions/self-hosted-runner-description.md
@@ -1 +0,0 @@
-{% ifversion fpt or ghec %}Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.prodname_dotcom %}-hosted runners provide. {% endif %}With self-hosted runners, you can create custom hardware configurations that meet your needs with processing power or memory to run larger jobs, install software available on your local network, and choose an operating system{% ifversion fpt or ghec %} not offered by {% data variables.product.prodname_dotcom %}-hosted runners{% endif %}.
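Review bot: This empties the reusable (`@@ -1 +0,0 @@`, with no `deleted file mode` line) instead of removing the file. If a zero-length reusable still resolves, any leftover `{% data reusables.actions.self-hosted-runner-description %}` reference would render nothing without an error. Delete the file outright so a dangling reference fails the build; the same applies to `self-hosted-runner-locations.md` in the next file of this patch.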
diff --git a/data/reusables/actions/self-hosted-runner-locations.md b/data/reusables/actions/self-hosted-runner-locations.md
index 5c52c17b39a1..e69de29bb2d1 100644
--- a/data/reusables/actions/self-hosted-runner-locations.md
+++ b/data/reusables/actions/self-hosted-runner-locations.md
@@ -1 +0,0 @@
-Self-hosted runners can be physical, virtual, in a container, on-premises, or in a cloud.
diff --git a/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md b/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md
index 80249f862627..0c376649cd72 100644
--- a/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md
+++ b/data/reusables/actions/self-hosted-runner-networking-to-dotcom.md
@@ -1 +1 @@
-To use actions from {% data variables.product.prodname_dotcom_the_website %},{% ifversion ghes %} both {% data variables.product.prodname_ghe_server %} and{% endif %} your self-hosted runners must be able to make outbound connections to {% data variables.product.prodname_dotcom_the_website %}. No inbound connections from {% data variables.product.prodname_dotcom_the_website %} are required. For more information. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-betweens-self-hosted-runners-and-githubcom).
+To use actions from {% data variables.product.prodname_dotcom_the_website %},{% ifversion ghes %} both {% data variables.product.prodname_ghe_server %} and{% endif %} your self-hosted runners must be able to make outbound connections to {% data variables.product.prodname_dotcom_the_website %}. No inbound connections from {% data variables.product.prodname_dotcom_the_website %} are required. For more information. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners#communication-between-self-hosted-runners-and-githubcom).
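Review bot: The rewritten line still carries the duplicated fragment `For more information. For more information, see`; drop the first `For more information.` while this line is being edited. The anchor correction from `#communication-betweens-self-hosted-runners-and-githubcom` to `#communication-between-self-hosted-runners-and-githubcom` is fine as long as that heading exists on the new article.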
diff --git a/data/reusables/actions/self-hosted-runner-security-admonition.md b/data/reusables/actions/self-hosted-runner-security-admonition.md
index d5e9f7eaa109..234b0b521227 100644
--- a/data/reusables/actions/self-hosted-runner-security-admonition.md
+++ b/data/reusables/actions/self-hosted-runner-security-admonition.md
@@ -1,4 +1,4 @@
> [!WARNING]
> {% data reusables.actions.self-hosted-runner-security %}
>
-> For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories).
+> For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions).
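Review bot: The replacement link on the last line of the warning points at the top of the security hardening guide, where the old one went straight to `#self-hosted-runner-security-with-public-repositories`. This admonition exists to warn about self-hosted runner risk, so link to the section of the hardening guide that covers self-hosted runners, with an anchor, rather than to the whole article.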
diff --git a/data/reusables/actions/supported-github-runners.md b/data/reusables/actions/supported-github-runners.md
index 1a4e57921507..69224180c3e3 100644
--- a/data/reusables/actions/supported-github-runners.md
+++ b/data/reusables/actions/supported-github-runners.md
@@ -35,7 +35,7 @@ For public repositories, jobs using the workflow labels shown in the table below
| x64 |
windows-latest,
- windows-2025[{% data variables.release-phases.public_preview_caps %}],
+ windows-2025,
windows-2022,
windows-2019
|
@@ -70,7 +70,7 @@ For public repositories, jobs using the workflow labels shown in the table below
macos-latest,
macos-14,
- macos-15 [{% data variables.release-phases.public_preview_caps %}]
+ macos-15
|
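Review bot: With the preview marker removed, `macos-15` still sits after `macos-14`, while the Windows cell lists newest first (`windows-2025`, `windows-2022`, `windows-2019`). Move `macos-15` ahead of `macos-14` here and in the private-repository table further down so both lists are ordered the same way.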
@@ -116,7 +116,7 @@ For {% ifversion ghec %}internal and{% endif %} private repositories, jobs using
x64 |
windows-latest,
- windows-2025[{% data variables.release-phases.public_preview_caps %}],
+ windows-2025,
windows-2022,
windows-2019
|
@@ -140,7 +140,7 @@ For {% ifversion ghec %}internal and{% endif %} private repositories, jobs using
macos-latest,
macos-14,
- macos-15 [{% data variables.release-phases.public_preview_caps %}]
+ macos-15
|
diff --git a/data/reusables/code-scanning/beta-alert-tracking-in-issues.md b/data/reusables/code-scanning/beta-alert-tracking-in-issues.md
index d87e3a511a5c..9ed02615a6aa 100644
--- a/data/reusables/code-scanning/beta-alert-tracking-in-issues.md
+++ b/data/reusables/code-scanning/beta-alert-tracking-in-issues.md
@@ -1,8 +1,12 @@
+
+
{% ifversion code-scanning-task-lists %}
> [!NOTE]
-> The tracking of {% data variables.product.prodname_code_scanning %} alerts in issues is in {% data variables.release-phases.public_preview %} and subject to change.
+> The tracking of {% data variables.product.prodname_code_scanning %} alerts in issues is {% data variables.release-phases.closing_down %} on April 30th, 2025.
>
> This feature supports running analysis natively using {% data variables.product.prodname_actions %} or externally using existing CI/CD infrastructure, as well as third-party {% data variables.product.prodname_code_scanning %} tools, but _not_ third-party tracking tools.
{% endif %}
+
+
\ No newline at end of file
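Review bot: The two blank lines added before `{% ifversion code-scanning-task-lists %}` and after `{% endif %}` look accidental, and the file now ends without a trailing newline. Because this is a reusable that gets inlined into other pages, the extra whitespace can end up in the caller's output; drop the blank lines and end the file with a single newline. Separately, the note hard-codes `April 30th, 2025`, so it needs a follow-up to remove it once that date has passed.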
diff --git a/data/reusables/dependabot/dependabot-runners-network-requirements.md b/data/reusables/dependabot/dependabot-runners-network-requirements.md
index 443c054f21c5..b3bef9c1f943 100644
--- a/data/reusables/dependabot/dependabot-runners-network-requirements.md
+++ b/data/reusables/dependabot/dependabot-runners-network-requirements.md
@@ -1,6 +1,6 @@
{% data variables.product.prodname_dependabot %} runners require access to the public internet, {% data variables.product.prodname_dotcom_the_website %}, and any internal registries that will be used in {% data variables.product.prodname_dependabot_updates %}. To minimize the risk to your internal network, you should limit access from the Virtual Machine (VM) to your internal network. This reduces the potential for damage to internal systems if a runner were to download a hijacked dependency.
{% ifversion fpt or ghec %}
-You must also allow outbound traffic to `dependabot-actions.githubapp.com` to prevent the jobs for {% data variables.product.prodname_dependabot_security_updates %} from failing. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github).
+You must also allow outbound traffic to `dependabot-actions.githubapp.com` to prevent the jobs for {% data variables.product.prodname_dependabot_security_updates %} from failing. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/communicating-with-self-hosted-runners).
{% endif %}
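Review bot: The new link drops the section anchor (`#communication-between-self-hosted-runners-and-github`), so a reader looking for the egress rule for `dependabot-actions.githubapp.com` lands at the top of the article. `self-hosted-runner-networking-to-dotcom.md` in this same patch keeps an anchor on the new page; do the same here if the new article has a matching heading, so the allow-list requirement is easy to find.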
diff --git a/data/reusables/saml/saml-supported-idps.md b/data/reusables/saml/saml-supported-idps.md
index e8ac638dd35b..5041b4bf68b6 100644
--- a/data/reusables/saml/saml-supported-idps.md
+++ b/data/reusables/saml/saml-supported-idps.md
@@ -1,6 +1,6 @@
{% data variables.product.github %} supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
-{% data variables.product.company_short %} officially supports and internally tests the following IdPs.
+{% data variables.product.company_short %} officially supports and internally tests the following IdPs for SAML.{% ifversion ghes %} For more information about the IdPs that are supported for SCIM on {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers).{% endif %}
* Microsoft Active Directory Federation Services (AD FS)
* Microsoft Entra ID (previously known as Azure AD)
diff --git a/data/reusables/scim/ghe-scim-identities-csv.md b/data/reusables/scim/ghe-scim-identities-csv.md
new file mode 100644
index 000000000000..d30df59a6bb0
--- /dev/null
+++ b/data/reusables/scim/ghe-scim-identities-csv.md
@@ -0,0 +1 @@
+Enterprise administrators with CLI access can export a full CSV of SCIM provisioned user identities using the [ghe-scim-identities-csv](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-scim-identities-csv) tool.
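Review bot: In the added sentence, `SCIM provisioned user identities` needs a hyphen (`SCIM-provisioned`), and the link text `ghe-scim-identities-csv` is a command name, so it should be in code formatting inside the brackets.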
diff --git a/ownership.yaml b/ownership.yaml
index 7bd7a4475cb4..9486ed8bc58b 100644
--- a/ownership.yaml
+++ b/ownership.yaml
@@ -1,7 +1,7 @@
---
version: 1
ownership:
- - team: github/docs-engineering
+ - team: github/docs
repo: https://github.com/github/docs-internal
name: docs-internal
kind: moda
diff --git a/src/search/components/input/AskAIResults.tsx b/src/search/components/input/AskAIResults.tsx
index 8f6d4f28b2f4..20aa3d49f58f 100644
--- a/src/search/components/input/AskAIResults.tsx
+++ b/src/search/components/input/AskAIResults.tsx
@@ -41,6 +41,8 @@ type AISearchResultEventParams = {
connectedEventId?: string
}
+const MAX_REFERENCES_TO_SHOW = 4
+
export function AskAIResults({
query,
version,
@@ -389,27 +391,34 @@ export function AskAIResults({
>
{t('search.ai.references')}
- {references.map((source, index) => (
- {
- referenceOnSelect(source.url)
- }}
- active={index + referencesIndexOffset === selectedIndex}
- >
-
-
-
- {source.title}
-
- ))}
+ {references
+ .map((source, index) => {
+ if (index >= MAX_REFERENCES_TO_SHOW) {
+ return null
+ }
+ return (
+ {
+ referenceOnSelect(source.url)
+ }}
+ active={index + referencesIndexOffset === selectedIndex}
+ >
+
+
+
+ {source.title}
+
+ )
+ })
+ .filter(Boolean)}
>
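Review bot: In the references list, mapping every item, returning `null` once `index >= MAX_REFERENCES_TO_SHOW`, and then calling `.filter(Boolean)` is a roundabout way to truncate; `references.slice(0, MAX_REFERENCES_TO_SHOW).map(...)` gives the same result with the same indexes. Also, `active` is still computed as `index + referencesIndexOffset === selectedIndex`, so check that whatever bounds `selectedIndex` for keyboard navigation uses the capped count rather than `references.length`; otherwise the selection can land on a reference that is no longer rendered.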
diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml
index 9a884058952e..6c7ce0bf738f 100644
--- a/src/secret-scanning/data/public-docs.yml
+++ b/src/secret-scanning/data/public-docs.yml
@@ -1713,7 +1713,7 @@
ghes: '*'
isPublic: false
isPrivateWithGhas: true
- hasPushProtection: false
+ hasPushProtection: true
hasValidityCheck: false
isduplicate: false
- provider: Grafana
@@ -1977,7 +1977,7 @@
ghes: '>=3.14'
isPublic: false
isPrivateWithGhas: true
- hasPushProtection: true
+ hasPushProtection: false
hasValidityCheck: false
isduplicate: false
- provider: IBM
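Review bot: `hasPushProtection` goes from `true` to `false` for the entry above `- provider: IBM` (`ghes: '>=3.14'`) and again in the next hunk for the entry above `- provider: Intercom`, which tells readers these patterns are no longer blocked at push time. Two other entries in this file flip the opposite way in the same patch, and `src/secret-scanning/lib/config.json` bumps `sha`, so this looks like a sync of generated data. Please confirm that the two downgrades match the source at the new `sha` and are not swapped with the two upgrades.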
@@ -1989,7 +1989,7 @@
ghes: '>=3.14'
isPublic: false
isPrivateWithGhas: true
- hasPushProtection: true
+ hasPushProtection: false
hasValidityCheck: false
isduplicate: false
- provider: Intercom
@@ -3770,7 +3770,7 @@
ghes: '*'
isPublic: true
isPrivateWithGhas: true
- hasPushProtection: false
+ hasPushProtection: true
hasValidityCheck: '{% ifversion fpt or ghes %}false{% else %}true{% endif %}'
isduplicate: false
- provider: Stripe
diff --git a/src/secret-scanning/lib/config.json b/src/secret-scanning/lib/config.json
index 716bcdddf3ff..3691711cc336 100644
--- a/src/secret-scanning/lib/config.json
+++ b/src/secret-scanning/lib/config.json
@@ -1,5 +1,5 @@
{
- "sha": "b4145ecdc18a91d474bee1fd9628de17833b4a35",
- "blob-sha": "c577f9698f2c54db3054f5652f4f47ebe87b6de4",
+ "sha": "e5322c3dee0ad441a787d1bc0051420cf544bc24",
+ "blob-sha": "1ad7e3fecbf7e3fc6c67fbb61bdf8fe8c2891adb",
"targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns"
}
\ No newline at end of file