Repo sync

content/apps/using-github-apps/installing-a-github-app-from-a-third-party.md

@@ -45,9 +45,9 @@ Organization owners can install {% data variables.product.prodname_github_apps %
 Enterprise owners can install {% data variables.product.prodname_github_apps %} on their enterprise accounts, if the application requests enterprise permissions and is owned by the enterprise or one of its organizations.
 {% endif %}
 
-Admins of repositories that are owned by an organization can also install {% data variables.product.prodname_github_apps %} on the organization if they only grant the app access to repositories that they are an admin of and if the app does not request any organization permissions or the "repository administration" permission. Organization owners can prevent outside collaborators who are repository admins from installing {% data variables.product.prodname_github_apps %}.
+{% data reusables.apps.repo-admin-install-restriction %}
 
-Organization members who are not organization owners or repository admins can still select the organization during the install process. Instead of installing the app, {% data variables.product.company_short %} will send a notification to the organization owner to request the organization owner to install the app.
+Organization members and outside collaborators that cannot install an app on the organization can still select the organization during the install process. Instead of installing the app, {% data variables.product.company_short %} will send a notification to the organization owner to request the organization owner to install the app. The ability to make these requests can be controlled using app access request policies. See [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
 
 The "app manager" role does not give a person the ability to install a {% data variables.product.prodname_github_app %} on the organization{% ifversion enterprise-app-manager %}  or enterprise{% endif %}. See [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).
 

content/apps/using-github-apps/installing-a-github-app-from-github-marketplace-for-your-organizations.md

@@ -46,7 +46,7 @@ Organization owners can install {% data variables.product.prodname_github_apps %
 
 For enterprises that pay by credit card, enterprise owners who are also organization owners can install {% data variables.product.prodname_github_apps %} on organizations within their enterprise.
 
-Admins of repositories that are owned by an organization can also install {% data variables.product.prodname_github_apps %} on the organization if they only grant the app access to repositories that they are an admin of and if the app does not request any organization permissions or the "repository administration" permission. Organization owners can prevent outside collaborators who are repository admins from installing {% data variables.product.prodname_github_apps %}.
+{% data reusables.apps.repo-admin-install-restriction %}
 
 The "app manager" role does not give a person the ability to install a {% data variables.product.prodname_github_app %} in the organization{% ifversion enterprise-app-manager %} or enterprise{% endif %}. For more information, see [AUTOTITLE](/apps/maintaining-github-apps/about-github-app-managers).
 

content/code-security/code-scanning/managing-code-scanning-alerts/responsible-use-autofix-code-scanning.md

@@ -22,7 +22,7 @@ redirect_from:
 
 {% data reusables.rai.code-scanning.copilot-autofix-note %}
 
-{% data variables.copilot.copilot_autofix_short %} generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. {% data variables.copilot.copilot_autofix_short %} uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model {% data variables.copilot.copilot_gpt_41 %} from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
+{% data variables.copilot.copilot_autofix_short %} generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. {% data variables.copilot.copilot_autofix_short %} uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model {% data variables.copilot.copilot_gpt_51 %} from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
 
 {% data variables.copilot.copilot_autofix_short %} is allowed by default and enabled for every repository using {% data variables.product.prodname_codeql %}, but you can choose to opt out and disable {% data variables.copilot.copilot_autofix_short %}. To learn how to disable {% data variables.copilot.copilot_autofix_short %} at the enterprise, organization and repository levels, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning).
 

content/organizations/managing-programmatic-access-to-your-organization/about-programmatic-access-in-your-organization.md

@@ -20,9 +20,11 @@ versions:
 
 ## {% data variables.product.prodname_github_apps %}
 
-Organization owners can install {% data variables.product.prodname_github_apps %} on their organization. Repository admins can also install a {% data variables.product.prodname_github_app %} on the organization if the app does not request organization resources and if they only grant the app access to repositories where they are an admin. Organization members can submit a request for their organization owner to install a {% data variables.product.prodname_github_app %} on the organization. For more information, see {% ifversion fpt or ghec %}[AUTOTITLE](/apps/using-github-apps/installing-an-app-in-your-organization).{% else %}[AUTOTITLE](/apps/maintaining-github-apps/installing-github-apps).{% endif %}
+Organization owners can install {% data variables.product.prodname_github_apps %} on their organization. Repository admins can also install a {% data variables.product.prodname_github_app %} on the organization if the app does not request organization resources and if they only grant the app access to repositories where they are an admin. Organization members and outside collaborators can submit a request for their organization owner to install a {% data variables.product.prodname_github_app %} on the organization. For more information, see {% ifversion fpt or ghec %}[AUTOTITLE](/apps/using-github-apps/installing-an-app-in-your-organization).{% else %}[AUTOTITLE](/apps/maintaining-github-apps/installing-github-apps).{% endif %}
 
-Organization owners can prevent outside collaborators from requesting {% data variables.product.prodname_github_apps %} or from installing a {% data variables.product.prodname_github_app %} even if the collaborator is a repository admin. For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
+{% ifversion fpt or ghec or ghes > 3.19 %}Organization owners can restrict {% data variables.product.prodname_github_app %} installation to only organization owners. When this restriction is enabled, repository admins cannot install {% data variables.product.prodname_github_apps %} for their repositories and must instead use the request flow to ask organization owners to install apps.{% endif %}
+
+Organization owners can prevent users from requesting {% data variables.product.prodname_github_apps %} or from installing a {% data variables.product.prodname_github_app %} even if they are a repository admin. For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
 
 Organization owners can review the {% data variables.product.prodname_github_apps %} that are installed on their organization and modify the repositories that each app can access. For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/reviewing-github-apps-installed-in-your-organization).
 
@@ -32,7 +34,7 @@ To help maintain {% data variables.product.prodname_github_apps %} owned by thei
 
 ## {% data variables.product.prodname_oauth_apps %}
 
-Organization managers can restrict {% data variables.product.prodname_oauth_apps %} from accessing organization resources. When these restrictions are enabled, organization members and outside collaborators can still request approval for individual {% data variables.product.prodname_oauth_apps %}. For more information, see [AUTOTITLE](/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions).
+Organization managers must approve {% data variables.product.prodname_oauth_apps %} that users would like to use in their organization. When this requirement is enabled, organization members and outside collaborators must request approval for individual {% data variables.product.prodname_oauth_apps %}. For more information, see [AUTOTITLE](/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions) and [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).
 
 {% endif %}
 

content/organizations/managing-programmatic-access-to-your-organization/index.md

@@ -20,7 +20,7 @@ children:
   - /setting-a-personal-access-token-policy-for-your-organization
   - /managing-requests-for-personal-access-tokens-in-your-organization
   - /reviewing-and-revoking-personal-access-tokens-in-your-organization
-  - /limiting-oauth-app-and-github-app-access-requests
+  - /limiting-oauth-app-and-github-app-access-requests-and-installations
   - /viewing-api-insights-in-your-organization
 shortTitle: Manage programmatic access
 ---

content/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests-and-installations.md

@@ -0,0 +1,58 @@
+---
+title: Limiting OAuth app and GitHub App access requests and installations
+intro: 'As an organization owner, you can control which users can request organization access for apps{% ifversion fpt or ghec or ghes > 3.19 %}, and whether repository admins can install {% data variables.product.prodname_github_apps %}{% endif %}.'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+permissions: Organization owners can limit who can make app access requests to the organization{% ifversion fpt or ghec or ghes > 3.19 %} and who can install apps{% endif %}.
+topics:
+  - Organizations
+  - GitHub Apps
+  - OAuth apps
+shortTitle: Limit app requests and installations
+redirect_from:
+  - /organizations/managing-organization-settings/limiting-oauth-app-and-github-app-access-requests
+  - /organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests
+---
+
+## About app access requests
+
+When app access requests are enabled, members and outside collaborators can request organization access for {% data variables.product.prodname_github_apps %}{% ifversion fpt or ghec %} and {% data variables.product.prodname_oauth_apps %}{% endif %} which have not yet been approved by your organization. For {% data variables.product.prodname_github_apps %} this is a request for installation, which grants the app access to your organization directly.{% ifversion fpt or ghec %} For {% data variables.product.prodname_oauth_apps %} this is a request to allow the app through the [AUTOTITLE](/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions), which allows the app to access your organization after it's signed in a user.{% endif %}
+
+You can control if {% ifversion fpt or ghec or ghes > 3.20 %}members or {% endif %}outside collaborators are able to request unapproved apps for your organization. Users can still consent to apps for use in their personal accounts, and use them with your organization if you've approved those apps for use.
+
+By default, app access requests are enabled. If your organization has a large number of {% ifversion fpt or ghec or ghes > 3.20 %}members or {% endif %}outside collaborators, you may want to disable app access requests to reduce the number of requests you have to review.
+
+## Enabling or disabling app access requests
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.profile.org_member_privileges %}
+1. Under "{% ifversion fpt or ghec or ghes > 3.20 %}App{% else %}Integration{% endif %} access requests" select which users should be allowed to request apps and click **Save**.
+
+{% ifversion fpt or ghec or ghes > 3.20 %}Blocking app access requests from organization members is in public preview.{% endif %}
+
+{% ifversion fpt or ghec or ghes > 3.19 %}
+
+## About {% data variables.product.prodname_github_app %} installation restrictions
+
+By default, repository admins can install {% data variables.product.prodname_github_apps %} on repositories within your organization if the app does not request organization permissions or the "repository administration" permission. As an organization owner, you can restrict {% data variables.product.prodname_github_app %} installations to only organization owners. When this restriction is enabled:
+
+* Repository admins, including outside collaborators with repository admin access, cannot install {% data variables.product.prodname_github_apps %} on their repositories.
+* Repository admins must use the request flow to ask organization owners to install apps on their repositories.
+* Repository admins cannot add their repositories to existing {% data variables.product.prodname_github_app %} installations in the organization.
+
+This installation restriction applies to {% data variables.product.prodname_github_apps %} only. {% data variables.product.prodname_oauth_apps %} require organization approval by default and cannot be approved on a per-repository basis.
+
+> [!NOTE]
+> If you have also disabled app access requests, users with repository admin access will be blocked from both installing apps and requesting installations.
+
+## Restricting {% data variables.product.prodname_github_app %} installation to organization owners
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.profile.org_member_privileges %}
+1. Under "{% data variables.product.prodname_github_apps %}", deselect **Allow repository admins to install {% data variables.product.prodname_github_apps %} for their repositories** and click **Save**.
+
+{% endif %}

data/reusables/apps/oauth-app-access-restrictions.md

@@ -1 +1 @@
-When {% data variables.product.prodname_oauth_app %} access restrictions are enabled, organization members and outside collaborators cannot authorize {% data variables.product.prodname_oauth_app %} access to organization resources. Organization members can request owner approval for {% data variables.product.prodname_oauth_apps %} they'd like to use, and organization owners receive a notification of pending requests.
+When {% data variables.product.prodname_oauth_app %} access restrictions are enabled, organization members and outside collaborators cannot authorize {% data variables.product.prodname_oauth_app %} access to organization resources. Users can request owner approval for {% data variables.product.prodname_oauth_apps %} they'd like to use, and organization owners receive a notification of pending requests.

data/reusables/apps/repo-admin-install-restriction.md

@@ -0,0 +1 @@
+Repository admins can install {% data variables.product.prodname_github_apps %} in the organization that owns the repository if the app does not request any organization permissions nor the "repository administration" permission. When doing so, they can only install the app with access to the repositories that they admin. {% ifversion fpt or ghec or ghes > 3.19 %}Organization owners can restrict {% data variables.product.prodname_github_app %} installation by repository admins. When this restriction is enabled, repository admins cannot install {% data variables.product.prodname_github_apps %} and must instead request that organization owners install the desired app. For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests).{% endif %}