diff --git a/config/moda/deployment.yaml b/config/moda/deployment.yaml
index de9d768b85ba..a12c2f4b6497 100644
--- a/config/moda/deployment.yaml
+++ b/config/moda/deployment.yaml
@@ -3,6 +3,9 @@
environments:
- name: production
require_pipeline: true
+ # Bumped from default 10m because pod scheduling occasionally pushes
+ # rollouts past the timeout even though the deploy itself succeeds.
+ timeout: 1200
cluster_selector:
profile: general
region: iad
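Review bot: the comment says "default 10m" but the value is in seconds (1200 = 20 minutes); state the unit in the comment, e.g. "timeout: 1200  # 20m, in seconds", so the next reader doesn't take 1200 for minutes or compare it against "10m" without converting.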
@@ -201,13 +204,13 @@ pipelines:
production_rollout:
thread_notifications: true
notify_users_via_dm: false
- timeout: 1200
+ timeout: 1800
stages:
- name: full_production
kind: deployment
config:
environment: production
- timeout: 1200
+ timeout: 1800
notifications:
slack_channels:
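Review bot: the pipeline-level and stage-level `timeout` are both raised to 1800, but the environment-level `timeout` added in the first hunk of this file stays at 1200; if the environment value bounds the deployment, the 1800 here is never reached. Either align all three values or add a comment explaining which level is authoritative and why they differ.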
diff --git a/content/actions/concepts/security/github_token.md b/content/actions/concepts/security/github_token.md
index 101873ecb605..71664d6301a6 100644
--- a/content/actions/concepts/security/github_token.md
+++ b/content/actions/concepts/security/github_token.md
@@ -29,6 +29,11 @@ The token is also available in the `github.token` context. For more information,
{% data reusables.actions.actions-do-not-trigger-workflows %}
+{% ifversion actions-github-token-pull-request-approval %}
+> [!NOTE]
+> If you need workflow runs from workflow-created pull requests to execute without requiring approval, use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` when creating or updating the pull request.
+{% endif %}
+
{% data reusables.actions.actions-do-not-trigger-pages-rebuilds %}
## Next steps
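Review bot: the note tells readers to switch to a GitHub App installation token or a PAT to skip the approval step, but says nothing about what that approval protects against or that both alternatives carry broader permissions than `GITHUB_TOKEN`. Add a sentence that the approval gate is a safeguard against automation-created pull requests starting unreviewed workflow runs, and that an App or PAT used this way should be scoped to the minimum permissions and repositories needed, with a link to the relevant security hardening page.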
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
index 0031fe057e89..23c4a26bcaa3 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
@@ -70,6 +70,17 @@ Edit the trust policy, adding the `sub` field to the validation conditions. For
}
```
+For repositories created after June 18, 2026, or that have opted in to immutable subject claims, the `sub` claim includes immutable owner and repository IDs (not available on {% data variables.product.prodname_ghe_server %}). Make sure your trust policy matches the format your repository uses. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#immutable-subject-claims).
+
+```json copy
+"Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+ "token.actions.githubusercontent.com:sub": "repo:octo-org-123456/octo-repo-456789:ref:refs/heads/octo-branch"
+ }
+}
+```
+
If you use a workflow with an environment, the `sub` field must reference the environment name: `repo:ORG-NAME/REPO-NAME:environment:ENVIRONMENT-NAME`. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#filtering-for-a-specific-environment).
{% data reusables.actions.oidc-deployment-protection-rules %}
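Review bot: since this change also states (in oidc.md) that renames and transfers after June 18, 2026 move a repository to the immutable format, the "make sure your trust policy matches" sentence should say explicitly that a rename or transfer changes the `sub` value and that an existing `StringEquals` condition on the name-based format will stop matching until it is updated. Minor: the example uses `octo-branch` while the immutable examples in oidc.md in this same change use `demo-branch`; use one branch name across the OIDC pages.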
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
index bb00ccd24be8..78d21474c93c 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
@@ -32,6 +32,8 @@ This guide gives an overview of how to configure Azure to trust {% data variable
{% data reusables.actions.oidc-on-ghecom %}
+For repositories created after June 18, 2026, and repository renames or transfers after that date, use an immutable default OIDC `sub` claim that includes owner and repository IDs (not available on {% data variables.product.prodname_ghe_server %}). Existing repositories keep the previous format unless they opt in. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#immutable-subject-claims).
+
{% ifversion ghes %}
{% data reusables.actions.oidc-endpoints %}
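Review bot: "For repositories created after June 18, 2026, and repository renames or transfers after that date, use an immutable default OIDC `sub` claim" reads as an instruction to the reader, but it describes platform behaviour the reader cannot choose. Reword descriptively, e.g. "Repositories created after June 18, 2026, and repositories renamed or transferred after that date, use an immutable default `sub` claim that includes owner and repository IDs", matching the phrasing used in the AWS guide in this same change.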
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
index 1875e63e43e9..567f42167f3f 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
@@ -31,6 +31,8 @@ This guide gives an overview of how to configure GCP to trust {% data variables.
{% data reusables.actions.oidc-on-ghecom %}
+For repositories created after June 18, 2026, and repository renames or transfers after that date, use an immutable default OIDC `sub` claim that includes owner and repository IDs (not available on {% data variables.product.prodname_ghe_server %}). Existing repositories keep the previous format unless they opt in. For more information, see [AUTOTITLE](/actions/reference/openid-connect-reference#immutable-subject-claims).
+
{% ifversion ghes %}
{% data reusables.actions.oidc-endpoints %}
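Review bot: same sentence and same issue as in oidc-in-azure.md: "use an immutable default OIDC `sub` claim" should be descriptive ("Repositories created after ... use ..."), not imperative. Since the paragraph now appears verbatim in two guides, consider moving it into a `reusables.actions` snippet so the two copies cannot drift.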
diff --git a/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md b/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md
index ed93ed0ef4e5..3915f0c0786d 100644
--- a/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md
+++ b/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md
@@ -25,7 +25,7 @@ To learn more about workflows and triggering workflows, see [AUTOTITLE](/actions
{% data reusables.actions.actions-do-not-trigger-workflows %} For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication).
-If you do want to trigger a workflow from within a workflow run, you can use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` to trigger events that require a token.
+If you do want to trigger a workflow from within a workflow run, you can use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` to trigger events that require a token.{% ifversion actions-github-token-pull-request-approval %} Using one of these alternatives also lets `pull_request` workflows run automatically (without the approval prompt described above) when the pull request is created or updated by automation.{% endif %}
If you use a {% data variables.product.prodname_github_app %}, you'll need to create a {% data variables.product.prodname_github_app %} and store the app ID and private key as secrets. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). If you use a {% data variables.product.pat_generic %}, you'll need to create a {% data variables.product.pat_generic %} and store it as a secret. For more information about creating a {% data variables.product.pat_generic %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). For more information about storing secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions).
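Review bot: "the approval prompt described above" has no referent in this file's visible context; the preceding paragraph only says that `GITHUB_TOKEN` events do not trigger workflows. Either describe the approval behaviour here or link to the `pull_request` section of the events reference where this change documents it. One clause on the trade-off would also help: the approval step is a safeguard, and the App token or PAT used to bypass it should be scoped as narrowly as possible.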
diff --git a/content/actions/reference/security/oidc.md b/content/actions/reference/security/oidc.md
index c598a05a8491..a35412b618f8 100644
--- a/content/actions/reference/security/oidc.md
+++ b/content/actions/reference/security/oidc.md
@@ -26,7 +26,7 @@ The OIDC token includes the following claims.
| ----------- | -----| ---------------------- |
| `aud`| Audience | By default, this is the URL of the repository owner, such as the organization that owns the repository. You can set a custom audience with a toolkit command: [`core.getIDToken(audience)`](https://www.npmjs.com/package/@actions/core/v/1.6.0) |
| `iss`| Issuer | The issuer of the OIDC token: {% ifversion ghes %}`https://HOSTNAME/_services/token`{% else %}`https://token.actions.githubusercontent.com`{% endif %} |
-| `sub`| Subject | Defines the subject claim that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way. |
+| `sub`| Subject | Defines the subject claim that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way. For repositories using immutable subject claims, the `sub` format includes immutable owner and repository IDs (not available on {% data variables.product.prodname_ghe_server %}). |
### Additional standard JOSE header parameters and claims
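Review bot: the new sentence in the `sub` row introduces "immutable subject claims" without a link; point it at `#immutable-subject-claims` the way the provider guides in this change do, so a reader of the claims table can find the format definition.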
@@ -163,6 +163,22 @@ You can configure a subject that includes metadata containing colons. In this ex
{% endif %}
+## Immutable subject claims
+
+The OpenID Connect (OIDC) specification requires subject (`sub`) claims to be locally unique and never reassigned. Previously, the default `sub` format used only organization and repository names. If a namespace was recycled, a different owner could create the same subject value.
+
+To help prevent this scenario, repositories created after June 18, 2026 now use an immutable default subject format that includes both the owner ID and repository ID. This rollout does not include {% data variables.product.prodname_ghe_server %}.
+
+* Syntax: `repo:OWNER-ID/REPO-ID:ref:refs/heads/BRANCH`
+* Previous format example: `repo:octo-org/octo-repo:ref:refs/heads/main`
+* Immutable format example: `repo:octo-org-123456/octo-repo-456789:ref:refs/heads/main`
+
+The `-` separator is used between names and IDs because `-` cannot appear in {% data variables.product.github %} usernames or repository names.
+
+Repositories created before June 18, 2026 keep the previous format unless you opt in to immutable subject claims. You can opt in at the organization or repository level by using the OIDC settings UI or REST API.
+
+Repository renames and transfers after June 18, 2026 also move to the immutable subject format.
+
## Configuring the subject in your cloud provider
To configure the subject in your cloud provider's trust relationship, you must add the subject string to its trust configuration. The following examples demonstrate how various cloud providers can accept the same `repo:octo-org/octo-repo:ref:refs/heads/demo-branch` subject in different ways:
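Review bot: the rationale "because `-` cannot appear in GitHub usernames or repository names" is incorrect, and the example two lines above contradicts it: `octo-org` itself contains a hyphen, and hyphens are allowed in user, organization and repository names. If the intended point is that the numeric ID is always the final `-`-separated segment (so a verifier parses from the right), say that; otherwise drop the sentence rather than ship a false claim in a security reference. Also, the syntax line `repo:OWNER-ID/REPO-ID` hides that the name precedes the ID; `repo:OWNER-NAME-OWNER-ID/REPO-NAME-REPO-ID` would match the examples that follow it.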
@@ -174,6 +190,15 @@ To configure the subject in your cloud provider's trust relationship, you must a
| Google Cloud Platform| `(assertion.sub=='repo:octo-org/octo-repo:ref:refs/heads/demo-branch')` |
| HashiCorp Vault| `bound_subject="repo:octo-org/octo-repo:ref:refs/heads/demo-branch"` |
+For repositories created after June 18, 2026, or that have opted in to immutable subject claims, the `sub` claim includes `owner_id` and `repo_id` as shown in the immutable examples. Update your trust policies to match the format your repository uses. Immutable subject claims are not available on {% data variables.product.prodname_ghe_server %}.
+
+| Cloud provider | Immutable format example |
+| ------ | ----------- |
+| Amazon Web Services | `"token.actions.githubusercontent.com:sub": "repo:octo-org-123456/octo-repo-456789:ref:refs/heads/demo-branch"` |
+| Azure| `repo:octo-org-123456/octo-repo-456789:ref:refs/heads/demo-branch` |
+| Google Cloud Platform| `(assertion.sub=='repo:octo-org-123456/octo-repo#456789:ref:refs/heads/demo-branch')` |
+| HashiCorp Vault| `bound_subject="repo:octo-org-123456/octo-repo-456789:ref:refs/heads/demo-branch"` |
+
For more information about configuring specific cloud providers, see the guides listed in [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-hardening-your-deployments).
## Customizing the token claims
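Review bot: typo in the Google Cloud Platform row: `octo-repo#456789` should be `octo-repo-456789`, matching the other rows and the format defined in the Immutable subject claims section; a reader copying the condition as written would get a subject that never matches. Also, the intro sentence names the components `owner_id` and `repo_id` while the section above says "owner ID and repository ID"; use one naming convention in both places.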
@@ -315,6 +340,7 @@ Customizing the claims results in a new format for the entire `sub` claim, which
> [!NOTE]
> The `sub` claim uses the shortened form `repo` (for example, `repo:ORG-NAME/REPO-NAME`) instead of `repository` to reference the repository. {% ifversion fpt or ghec or ghes > 3.15 %}
> Any `:` within the context value will be replaced with `%3A`. {% endif %}
+> For repositories using immutable subject claims (not available on {% data variables.product.prodname_ghe_server %}), `owner_id` and `repo_id` are always included in the `repo` segment of the `sub` claim, even when you customize claims with `include_claim_keys`. You can't remove these IDs from the immutable format.
The following example templates demonstrate various ways to customize the subject claim. To configure these settings on {% data variables.product.prodname_dotcom %}, admins use the REST API to specify a list of claims that must be included in the subject (`sub`) claim.
diff --git a/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md b/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md
index 186211d44b84..8a555cba0da4 100644
--- a/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md
+++ b/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md
@@ -510,7 +510,8 @@ on:
> [!NOTE]
> * {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request). By default, a workflow only runs when a `pull_request` event's activity type is `opened`, `synchronize`, or `reopened`. To trigger workflows by different activity types, use the `types` keyword. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes).
> * Workflows will not run on `pull_request` activity if the pull request has a merge conflict. The merge conflict must be resolved first. Conversely, workflows with the `pull_request_target` event will run even if the pull request has a merge conflict. Before using the `pull_request_target` trigger, you should be aware of the security risks. For more information, see [`pull_request_target`](#pull_request_target).
-> * The `pull_request` webhook event payload is empty for merged pull requests and pull requests that come from forked repositories.
+> * The `pull_request` webhook event payload is empty for merged pull requests and pull requests that come from forked repositories.{% ifversion actions-github-token-pull-request-approval %}
+> * When a pull request is created or updated by a workflow using `GITHUB_TOKEN`, `pull_request` events with the `opened`, `synchronize`, or `reopened` activity types create workflow runs that require approval. A user with write access to the repository can approve these runs from the pull request page. With the exception of `workflow_dispatch` and `repository_dispatch`, other `GITHUB_TOKEN`-triggered events do not create workflow runs at all.{% endif %}
> * The value of `GITHUB_REF` varies for a closed pull request depending on whether the pull request has been merged or not. If a pull request was closed but not merged, it will be `refs/pull/PULL_REQUEST_NUMBER/merge`. If a pull request was closed as a result of being merged, it will be the fully qualified `ref` of the branch it was merged into, for example `/refs/heads/main`.
Runs your workflow when activity on a pull request in the workflow's repository occurs. For example, if no activity types are specified, the workflow runs when a pull request is opened or reopened or when the head branch of the pull request is updated. For activity related to pull request reviews, pull request review comments, or pull request comments, use the [`pull_request_review`](#pull_request_review), [`pull_request_review_comment`](#pull_request_review_comment), or [`issue_comment`](#issue_comment) events instead. For information about the pull request APIs, see [AUTOTITLE](/graphql/reference/objects#pullrequest) in the GraphQL API documentation or [AUTOTITLE](/rest/pulls).
diff --git a/content/billing/reference/product-and-sku-names.md b/content/billing/reference/product-and-sku-names.md
index e76291130a08..9c0251ac1c83 100644
--- a/content/billing/reference/product-and-sku-names.md
+++ b/content/billing/reference/product-and-sku-names.md
@@ -31,64 +31,41 @@ For **SkuPricing** budgets or to query usage by SKU, use one of the following va
-* `actions_beta_classroom_repository` - Actions beta classroom repository
-* `actions_beta_custom_runner_azure` - Actions beta custom runner (Azure)
-* `actions_beta_macos_xl_runner` - Actions beta macOS XL runner
-* `actions_beta_public_repository` - Actions beta public repository
-* `actions_beta_self_hosted_runner` - Actions beta self-hosted runner
* `actions_cache_storage` - Actions cache storage
* `actions_custom_image_storage` - Actions custom image storage
* `actions_linux` - Actions Linux runners
-* `actions_linux_16_core_perf` - Actions Linux 16-core performance
-* `actions_linux_20_core_mem` - Actions Linux 20-core memory
* `actions_linux_2_core_advanced` - Actions Linux 2-core advanced
* `actions_linux_2_core_arm` - Actions Linux 2-core ARM
* `actions_linux_32_core` - Actions Linux 32-core
* `actions_linux_32_core_arm` - Actions Linux 32-core ARM
-* `actions_linux_32_core_stor` - Actions Linux 32-core storage
* `actions_linux_4_core` - Actions Linux 4-core
-* `actions_linux_4_core_advanced` - Actions Linux 4-core advanced
+* `actions_linux_4_core_arm` - Actions Linux 4-core ARM
* `actions_linux_4_core_gpu` - Actions Linux 4-core GPU
* `actions_linux_64_core` - Actions Linux 64-core
* `actions_linux_64_core_arm` - Actions Linux 64-core ARM
* `actions_linux_8_core` - Actions Linux 8-core
* `actions_linux_8_core_arm` - Actions Linux 8-core ARM
-* `actions_linux_8_core_stor` - Actions Linux 8-core storage
* `actions_linux_96_core` - Actions Linux 96-core
-* `actions_linux_a100_24_core_gpu` - Actions Linux A100 24-core GPU
-* `actions_linux_a10_36_core_gpu` - Actions Linux A10 36-core GPU
* `actions_linux_arm` - Actions Linux ARM
* `actions_linux_slim` - Actions Linux slim
* `actions_macos` - Actions macOS runners
-* `actions_macos_12_core` - Actions macOS 12-core
-* `actions_macos_8_core` - Actions macOS 8-core
* `actions_macos_l` - Actions macOS large
* `actions_macos_xl` - Actions macOS XL
-* `actions_self_hosted_linux` - Actions self-hosted Linux
-* `actions_self_hosted_macos` - Actions self-hosted macOS
-* `actions_self_hosted_unknown` - Actions self-hosted unknown
-* `actions_self_hosted_windows` - Actions self-hosted Windows
* `actions_storage` - Actions storage
-* `actions_unknown` - Actions unknown
* `actions_windows` - Actions Windows runners
* `actions_windows_16_core` - Actions Windows 16-core
-* `actions_windows_176_core_perf` - Actions Windows 176-core performance
* `actions_windows_2_core` - Actions Windows 2-core
* `actions_windows_2_core_advanced` - Actions Windows 2-core advanced
* `actions_windows_2_core_arm` - Actions Windows 2-core ARM
+* `actions_windows_4_core_arm` - Actions Windows 4-core ARM
* `actions_windows_32_core` - Actions Windows 32-core
* `actions_windows_32_core_arm` - Actions Windows 32-core ARM
-* `actions_windows_32_core_stor` - Actions Windows 32-core storage
* `actions_windows_4_core` - Actions Windows 4-core
* `actions_windows_4_core_gpu` - Actions Windows 4-core GPU
* `actions_windows_64_core` - Actions Windows 64-core
* `actions_windows_64_core_arm` - Actions Windows 64-core ARM
* `actions_windows_8_core` - Actions Windows 8-core
* `actions_windows_8_core_arm` - Actions Windows 8-core ARM
-* `actions_windows_8_core_mem` - Actions Windows 8-core memory
-* `actions_windows_8_core_stor` - Actions Windows 8-core storage
-* `actions_windows_a100_24_core_gpu` - Actions Windows A100 24-core GPU
-* `actions_windows_a10_36_core_gpu` - Actions Windows A10 36-core GPU
* `actions_windows_arm` - Actions Windows ARM
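Review bot: `actions_windows_4_core_arm` is inserted between the 2-core and 32-core entries, but the list is otherwise sorted by SKU string, where it belongs after `actions_windows_4_core` (the Linux counterpart `actions_linux_4_core_arm` was placed correctly). The change should also say whether the removed SKUs (`actions_self_hosted_*`, `actions_unknown`, the `_stor`, `_mem` and `_perf` variants, and the A100/A10 GPU runners) are retired or only hidden from this reference, since anyone with SkuPricing budgets keyed on those names needs to know whether usage can still be reported under them.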
diff --git a/content/copilot/concepts/about-enterprise-accounts-for-copilot-business.md b/content/copilot/concepts/about-enterprise-accounts-for-copilot-business.md
index 30de161b5e57..2d26b4a87748 100644
--- a/content/copilot/concepts/about-enterprise-accounts-for-copilot-business.md
+++ b/content/copilot/concepts/about-enterprise-accounts-for-copilot-business.md
@@ -8,7 +8,16 @@ redirect_from:
- /admin/copilot-business-only
- /admin/copilot-business-only/about-enterprise-accounts-for-copilot-business
- /early-access/copilot/managing-copilot-business-licenses-with-an-enterprise-account
- - /early-access/copilot/managing-copilot-business-licenses-with-an-enterprise-account
+ - /billing/managing-billing-for-github-copilot/managing-your-github-copilot-business-subscription
+ - /billing/managing-billing-for-github-copilot/managing-your-github-copilot-subscription-for-your-organization-or-enterprise
+ - /copilot/managing-copilot/managing-github-copilot-in-your-organization/subscribing-to-copilot-for-your-organization
+ - /copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-the-copilot-subscription-for-your-organization/subscribing-to-copilot-for-your-organization
+ - /copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-the-copilot-plan-for-your-organization/subscribing-to-copilot-for-your-organization
+ - /copilot/how-tos/administer/organizations/managing-the-copilot-plan-for-your-organization/subscribing-to-copilot-for-your-organization
+ - /copilot/how-tos/administer/organizations/managing-the-copilot-plan-for-your-organization/subscribe
+ - /copilot/how-tos/administer/organizations/manage-plan/subscribe
+ - /copilot/how-tos/administer/manage-for-organization/manage-plan/subscribe
+ - /copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/subscribe
contentType: concepts
category:
- Learn about Copilot
diff --git a/content/copilot/get-started/what-is-github-copilot.md b/content/copilot/get-started/what-is-github-copilot.md
index 597f0f0a12d7..37d1d3b3f85b 100644
--- a/content/copilot/get-started/what-is-github-copilot.md
+++ b/content/copilot/get-started/what-is-github-copilot.md
@@ -76,13 +76,11 @@ See [AUTOTITLE](/copilot/managing-copilot/managing-copilot-as-an-individual-subs
### Organizations and enterprises
-**Organization owners** can set up {% data variables.copilot.copilot_business_short %} for their team by [contacting {% data variables.product.github %}'s Sales team](https://github.com/enterprise/contact?ref_product=copilot&ref_type=engagement&ref_style=text). See [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/subscribing-to-copilot-for-your-organization).
+**Organization owners** can get {% data variables.copilot.copilot_business_short %} for their team through an enterprise account. If you don't already have an enterprise account, you can create one specifically for managing {% data variables.copilot.copilot_business_short %} licenses. See [AUTOTITLE](/copilot/concepts/about-enterprise-accounts-for-copilot-business).
If your organization is owned by an enterprise that has a {% data variables.product.prodname_copilot_short %} subscription, you can ask your enterprise owner to enable {% data variables.product.prodname_copilot_short %} for your organization. Go to [https://github.com/settings/copilot](https://github.com/settings/copilot) and request access under "Get {% data variables.product.prodname_copilot_short %} from an organization."
-**Enterprise owners** can set up {% data variables.copilot.copilot_business_short %} or {% data variables.copilot.copilot_enterprise_short %} for your enterprise by [contacting {% data variables.product.github %}'s Sales team](https://github.com/enterprise/contact?ref_product=copilot&ref_type=engagement&ref_style=text). See [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/subscribing-to-copilot-for-your-enterprise).
-
-If you don't need other {% data variables.product.github %} features, you can create an enterprise account specifically for managing {% data variables.copilot.copilot_business_short %} licenses. This gives you enterprise-grade authentication without charges for {% data variables.product.prodname_enterprise %} licenses. See [AUTOTITLE](/copilot/concepts/about-enterprise-accounts-for-copilot-business).
+**Enterprise owners** can set up {% data variables.copilot.copilot_business_short %} or {% data variables.copilot.copilot_enterprise_short %} for their enterprise by [contacting {% data variables.product.github %}'s Sales team](https://github.com/enterprise/contact?ref_product=copilot&ref_type=engagement&ref_style=text).
## Next steps
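Review bot: the enterprise-owners paragraph loses its "See [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/subscribing-to-copilot-for-your-enterprise)" link while the organization-owners paragraph keeps one; if that page still exists, restore the link. The deleted sentence about getting enterprise-grade authentication without paying for Enterprise licenses was the main selling point of a Copilot-only enterprise account; confirm it survives on the concepts page the new text links to.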
diff --git a/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-access/manage-requests-for-access.md b/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-access/manage-requests-for-access.md
index 88572631c615..b2e7ccd24384 100644
--- a/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-access/manage-requests-for-access.md
+++ b/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-access/manage-requests-for-access.md
@@ -26,6 +26,6 @@ If your organization is owned by an enterprise, before you can approve a request
{% data reusables.profile.access_org %}
{% data reusables.organizations.org-list %}
1. In the "Access" section of the sidebar, click **{% octicon "bell" aria-hidden="true" aria-label="bell" %} Requests from members**.
-1. To accept the request and grant the member access to {% data variables.copilot.copilot_for_business %}, click **Buy {% data variables.copilot.copilot_business_short %}**.
+1. To accept the request and grant the member access to {% data variables.copilot.copilot_for_business %}, approve the request.
All requests for {% data variables.copilot.copilot_business_short %} are grouped together under "{% data variables.copilot.copilot_business_short %}."
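Review bot: "approve the request" replaces the named control with a vague instruction; if the button label changed, give the new label in bold like the other steps in this procedure, otherwise the reader doesn't know what to click.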
diff --git a/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/index.md b/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/index.md
index 4312dbc5e84e..60c7d363616f 100644
--- a/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/index.md
+++ b/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/index.md
@@ -5,7 +5,6 @@ intro: 'Organization owners can manage the {% data variables.product.prodname_co
versions:
feature: copilot
children:
- - /subscribe
- /cancel
redirect_from:
- /copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-the-copilot-subscription-for-your-organization
diff --git a/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/subscribe.md b/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/subscribe.md
deleted file mode 100644
index cd043a93cdeb..000000000000
--- a/content/copilot/how-tos/administer-copilot/manage-for-organization/manage-plan/subscribe.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Subscribing to GitHub Copilot for your organization
-shortTitle: Subscribe
-intro: 'Organization owners can set up a {% data variables.copilot.copilot_business_short %} plan for their organization.'
-permissions: Organization owners
-versions:
- feature: copilot
-redirect_from:
- - /billing/managing-billing-for-github-copilot/managing-your-github-copilot-business-subscription
- - /billing/managing-billing-for-github-copilot/managing-your-github-copilot-subscription-for-your-organization-or-enterprise
- - /copilot/managing-copilot/managing-github-copilot-in-your-organization/subscribing-to-copilot-for-your-organization
- - /copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-the-copilot-subscription-for-your-organization/subscribing-to-copilot-for-your-organization
- - /copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-the-copilot-plan-for-your-organization/subscribing-to-copilot-for-your-organization
- - /copilot/how-tos/administer/organizations/managing-the-copilot-plan-for-your-organization/subscribing-to-copilot-for-your-organization
- - /copilot/how-tos/administer/organizations/managing-the-copilot-plan-for-your-organization/subscribe
- - /copilot/how-tos/administer/organizations/manage-plan/subscribe
- - /copilot/how-tos/administer/manage-for-organization/manage-plan/subscribe
-contentType: how-tos
-category:
- - Manage Copilot for a team
----
-
-{% ifversion ghec %}
->[!NOTE]
-> If your organization is part of an enterprise, you can gain {% data variables.product.prodname_copilot_short %} through your enterprise instead. See [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/subscribing-to-copilot-for-your-enterprise) and [AUTOTITLE](/copilot/managing-copilot/managing-copilot-for-your-enterprise/enabling-copilot-for-organizations-in-your-enterprise).
-{% endif %}
-
-{% data reusables.copilot.signup-procedure-org %}
-
-## Next steps
-
-* To finish setting up {% data variables.product.prodname_copilot_short %} for your organization, see [AUTOTITLE](/copilot/setting-up-github-copilot/setting-up-github-copilot-for-your-organization).
-* For billing information, see [AUTOTITLE](/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot#about-billing-for-github-copilot-business-and-github-copilot-enterprise) and [AUTOTITLE](/billing/managing-your-billing).
diff --git a/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-for-organization.md b/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-for-organization.md
index 3c5d0547969f..f3dd27ea9cbe 100644
--- a/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-for-organization.md
+++ b/content/copilot/how-tos/copilot-on-github/set-up-copilot/enable-copilot/set-up-for-organization.md
@@ -20,11 +20,11 @@ category:
- Configure Copilot
---
-## Subscribe your organization to {% data variables.product.prodname_copilot %}
+## Enable {% data variables.product.prodname_copilot %} for your organization through an enterprise account
-Set up a {% data variables.copilot.copilot_business_short %} plan for your organization. See [AUTOTITLE](/copilot/managing-copilot/managing-github-copilot-in-your-organization/subscribing-to-copilot-for-your-organization).
+To enable {% data variables.copilot.copilot_business_short %} for your organization, your organization needs to be part of an enterprise account with a {% data variables.product.prodname_copilot_short %} subscription. If you don't already have an enterprise account, you can create one specifically for managing {% data variables.copilot.copilot_business_short %} licenses. See [AUTOTITLE](/copilot/concepts/about-enterprise-accounts-for-copilot-business).
-If your organization belongs to an enterprise with a {% data variables.copilot.copilot_enterprise_short %} or {% data variables.copilot.copilot_business_short %} plan, your enterprise owner can enable {% data variables.product.prodname_copilot_short %} for your organization instead. Request access from your enterprise owner at [https://github.com/settings/copilot](https://github.com/settings/copilot?ref_product=copilot&ref_type=engagement&ref_style=text), under "Get Copilot from an organization."
+If your organization already belongs to an enterprise with a {% data variables.copilot.copilot_enterprise_short %} or {% data variables.copilot.copilot_business_short %} plan, your enterprise owner can enable {% data variables.product.prodname_copilot_short %} for your organization. Request access from your enterprise owner at [{% data variables.product.prodname_copilot %} settings](https://github.com/settings/copilot?ref_product=copilot&ref_type=engagement&ref_style=text), under "Get Copilot from an organization."
## Set policies
diff --git a/content/organizations/managing-organization-settings/index.md b/content/organizations/managing-organization-settings/index.md
index 66882f9caf15..db9ff62ef0a5 100644
--- a/content/organizations/managing-organization-settings/index.md
+++ b/content/organizations/managing-organization-settings/index.md
@@ -40,6 +40,7 @@ children:
- /managing-the-display-of-member-names-in-your-organization
- /managing-updates-from-accounts-your-organization-sponsors
- /managing-the-publication-of-github-pages-sites-for-your-organization
+ - /managing-commit-comments-for-your-organization
- /archiving-an-organization
- /deleting-an-organization-account
- /converting-an-organization-into-a-user
diff --git a/content/organizations/managing-organization-settings/managing-commit-comments-for-your-organization.md b/content/organizations/managing-organization-settings/managing-commit-comments-for-your-organization.md
new file mode 100644
index 000000000000..48b01588e241
--- /dev/null
+++ b/content/organizations/managing-organization-settings/managing-commit-comments-for-your-organization.md
@@ -0,0 +1,38 @@
+---
+title: Managing commit comments for your organization
+intro: 'Organization owners can allow or disallow commit comments by default for repositories in their organization.'
+permissions: Organization owners
+versions:
+ fpt: '*'
+ ghes: '>= 3.22'
+ ghec: '*'
+shortTitle: Manage commit comments
+category:
+ - Set repository policies
+---
+
+## About commit comments
+
+Commit comments are comments people add directly to a commit outside of a pull request. Disallowing commit comments can help organizations reduce noise and maintain cleaner commit histories, especially if commit comments are not part of your development workflow.
+
+It is possible to allow or disallow commit comments at a repository level. Organization owners can configure the default setting for commit comments for all repositories in an organization.
+
+## What happens when commit comments are disabled?
+
+When you disable commit comments for your organization:
+
+* People cannot create new commit comments.
+* Existing commit comments remain visible.
+* Repository administrators can override the setting in their repository's settings.
+
+## Managing the default setting for commit comments in your organization's repositories
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+1. In the "Code, planning, and automation" section of the sidebar, select **{% octicon "repo" aria-hidden="true" aria-label="repo" %} Repository**, then click **General**.
+1. Under "Commits", select or deselect **Allow comments on individual commits**.
+
+
+## Further reading
+
+* [AUTOTITLE](/communities/moderating-comments-and-conversations/managing-disruptive-comments)
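Review bot: the first bullet under "What happens when commit comments are disabled?" overstates the effect of the organization setting. "People cannot create new commit comments" reads as an enforced policy, while the third bullet and the page intro say it is only a default that repository administrators can override. Suggest qualifying it, e.g. "People cannot create new commit comments in repositories that use the organization default", and stating explicitly whether changing the organization default resets repositories that already have their own setting, because an owner relying on this to curb disruptive comments needs to know where it does not apply. Also, the two consecutive blank lines before `## Further reading` will be flagged by the markdown linter; drop one.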
diff --git a/data/features/actions-github-token-pull-request-approval.yml b/data/features/actions-github-token-pull-request-approval.yml
new file mode 100644
index 000000000000..6fe3c1626b8f
--- /dev/null
+++ b/data/features/actions-github-token-pull-request-approval.yml
@@ -0,0 +1,7 @@
+# Approval-required workflow runs for pull requests created or updated by
+# workflows using GITHUB_TOKEN. Implementation feature flag:
+# `actions_requires_approval_for_actions_bot_prs`.
+versions:
+ fpt: '*'
+ ghec: '*'
+ # ghes: '>=3.XX' # Uncomment when this ships to GHES (currently rolling out on dotcom)
diff --git a/data/features/vulnerability-alerts-permission.yml b/data/features/vulnerability-alerts-permission.yml
new file mode 100644
index 000000000000..5246a2699360
--- /dev/null
+++ b/data/features/vulnerability-alerts-permission.yml
@@ -0,0 +1,6 @@
+# Vulnerability alerts permission for GITHUB_TOKEN
+# GHES support will be added when the feature ships to GHES
+versions:
+ fpt: '*'
+ ghec: '*'
+ # ghes: '>=3.XX' # Uncomment when vulnerability-alerts permission ships to GHES
diff --git a/data/reusables/actions/actions-do-not-trigger-workflows.md b/data/reusables/actions/actions-do-not-trigger-workflows.md
index 01a0e89c3f80..ba20bdcc672b 100644
--- a/data/reusables/actions/actions-do-not-trigger-workflows.md
+++ b/data/reusables/actions/actions-do-not-trigger-workflows.md
@@ -1 +1,6 @@
-When you use the repository's `GITHUB_TOKEN` to perform tasks, events triggered by the `GITHUB_TOKEN`, with the exception of `workflow_dispatch` and `repository_dispatch`, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's `GITHUB_TOKEN`, a new workflow will not run even when the repository contains a workflow configured to run when `push` events occur.
+When you use the repository's `GITHUB_TOKEN` to perform tasks, events triggered by the `GITHUB_TOKEN` will not create a new workflow run, with the following exceptions:
+
+* `workflow_dispatch` and `repository_dispatch` events always create workflow runs.{% ifversion actions-github-token-pull-request-approval %}
+* `pull_request` events with the `opened`, `synchronize`, or `reopened` activity types: when a workflow using `GITHUB_TOKEN` creates or updates a pull request, the resulting `pull_request` event creates workflow runs in an **approval-required** state. The pull request displays a banner in the merge box, and a user with write access to the repository can start the runs by selecting **Approve workflows to run**. Other `pull_request` activity types (such as `labeled`, `edited`, or `closed`) do not create workflow runs. This prevents recursive workflow runs while still allowing CI workflows to run on pull requests created by automation. For more information about approving workflow runs, see [AUTOTITLE](/actions/how-tos/manage-workflow-runs/approve-runs-from-forks).{% endif %}
+
+For all other events, this behavior prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's `GITHUB_TOKEN`, a new workflow will not run even when the repository contains a workflow configured to run when `push` events occur.
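Review bot: the new `pull_request` bullet tells the approver how to start the runs but not what to check before approving. These runs execute the repository's workflows against a pull request that was written by automation, so add a sentence asking the approver to review the pull request's changes (in particular anything under `.github/workflows`) before selecting **Approve workflows to run**, in the same way the linked approve-runs-from-forks page does for fork pull requests. Two related gaps in the same bullet: state whether `pull_request_target` is affected (the text is silent and readers will assume either answer), and state which permissions the approved runs receive. Minor: the `{% ifversion %}` tag is deliberately placed at the end of the preceding `workflow_dispatch` bullet so the flag-off build does not render an empty list item; worth mentioning in the PR description so it is not moved onto its own line later.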
diff --git a/data/reusables/actions/github-token-available-permissions.md b/data/reusables/actions/github-token-available-permissions.md
index b2c7ab5c735e..93d1c75b4411 100644
--- a/data/reusables/actions/github-token-available-permissions.md
+++ b/data/reusables/actions/github-token-available-permissions.md
@@ -17,7 +17,8 @@ permissions:
pull-requests: read|write|none{% ifversion projects-v1 %}
repository-projects: read|write|none{% endif %}
security-events: read|write|none
- statuses: read|write|none
+ statuses: read|write|none{% ifversion vulnerability-alerts-permission %}
+ vulnerability-alerts: read|none{% endif %}
```
If you specify the access for any of these permissions, all of those that are not specified are set to `none`.
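Review bot: `vulnerability-alerts: read|none` correctly omits `write`, matching the scope description, but a reader who writes `permissions: write-all` or `read-all` cannot tell from this block that `vulnerability-alerts` is then set to `read`; that mapping only appears in the scope-descriptions table. Since this block is where people check what `write-all` expands to, add a sentence next to "all of those that are not specified are set to `none`" saying that `write-all` and `read-all` include `vulnerability-alerts: read`.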
diff --git a/data/reusables/actions/github-token-scope-descriptions.md b/data/reusables/actions/github-token-scope-descriptions.md
index 9ad41c9d9d56..840dbe7b5bf3 100644
--- a/data/reusables/actions/github-token-scope-descriptions.md
+++ b/data/reusables/actions/github-token-scope-descriptions.md
@@ -28,5 +28,8 @@ Available permissions and details of what each allows an action to do:
| {% ifversion projects-v1 %} |
| `repository-projects` | Work with GitHub projects (classic). For example, `repository-projects: write` permits an action to add a column to a project (classic). For more information, see [AUTOTITLE](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-projects). |
| {% endif %} |
-| `security-events` | Work with GitHub code scanning alerts. For example, `security-events: read` permits an action to list the code scanning alerts for the repository, and `security-events: write` allows an action to update the status of a code scanning alert. For more information, see [Repository permissions for 'Code scanning alerts'](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-code-scanning-alerts).
Dependabot and secret scanning alerts cannot be read with this permission and require a GitHub App or a {% data variables.product.pat_generic %}. For more information, see [Repository permissions for 'Dependabot alerts'](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-dependabot-alerts) and [Repository permissions for 'Secret scanning alerts'](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-secret-scanning-alerts) in "Permissions required for GitHub Apps." |
+| `security-events` | Work with GitHub code scanning alerts. For example, `security-events: read` permits an action to list the code scanning alerts for the repository, and `security-events: write` allows an action to update the status of a code scanning alert. For more information, see [Repository permissions for "Code scanning alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-code-scanning-alerts).
{% ifversion vulnerability-alerts-permission %}For Dependabot alerts, use the `vulnerability-alerts` permission. Secret scanning alerts cannot be read with this permission and require a GitHub App or a {% data variables.product.pat_generic %}. For more information, see [Repository permissions for "Secret scanning alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-secret-scanning-alerts) in "Permissions required for GitHub Apps."{% else %}Dependabot and secret scanning alerts cannot be read with this permission and require a GitHub App or a {% data variables.product.pat_generic %}. For more information, see [Repository permissions for "Dependabot alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-dependabot-alerts) and [Repository permissions for "Secret scanning alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-secret-scanning-alerts) in "Permissions required for GitHub Apps."{% endif %} |
| `statuses` | Work with commit statuses. For example, `statuses:read` permits an action to list the commit statuses for a given reference. For more information, see [AUTOTITLE](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-commit-statuses). |
+| {% ifversion vulnerability-alerts-permission %} |
+| `vulnerability-alerts` | Read Dependabot alerts. For example, `vulnerability-alerts: read` permits an action to list Dependabot alerts for the repository. Only `read` and `none` are supported; `write` is not valid. When `write-all` or `read-all` is used, `vulnerability-alerts` is automatically included as `read`. For more information, see [Repository permissions for "Dependabot alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-dependabot-alerts). |
+| {% endif %} |
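Review bot: the `vulnerability-alerts` row says `write-all` and `read-all` automatically include `vulnerability-alerts: read`, so workflows that already use `permissions: write-all` gain read access to Dependabot alerts when this ships, with no workflow change. That is a widening of what an existing token can read, so call it out explicitly, recommend that such workflows declare only the permissions they need instead of `write-all`, and state whether the repository's default permissive `GITHUB_TOKEN` setting expands the same way. Separately, the `security-events` row still spans two physical lines (the sentence beginning `{% ifversion vulnerability-alerts-permission %}For Dependabot alerts` starts a new line inside the cell); GFM tables do not allow line breaks inside a cell, so the second line renders outside the table. This predates the PR, but since the row is being rewritten anyway, join it onto one line, and keep the new `vulnerability-alerts` row on one line as it is.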