From c8f647fa5eba21cb8d1eedc0aedae19495921ba3 Mon Sep 17 00:00:00 2001 From: Felix Guntrip Date: Thu, 23 Apr 2026 22:02:02 +0100 Subject: [PATCH 1/5] Managing commit comments for your organization (#60869) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com> --- .../managing-organization-settings/index.md | 1 + ...g-commit-comments-for-your-organization.md | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 content/organizations/managing-organization-settings/managing-commit-comments-for-your-organization.md diff --git a/content/organizations/managing-organization-settings/index.md b/content/organizations/managing-organization-settings/index.md index 66882f9caf15..db9ff62ef0a5 100644 --- a/content/organizations/managing-organization-settings/index.md +++ b/content/organizations/managing-organization-settings/index.md @@ -40,6 +40,7 @@ children: - /managing-the-display-of-member-names-in-your-organization - /managing-updates-from-accounts-your-organization-sponsors - /managing-the-publication-of-github-pages-sites-for-your-organization + - /managing-commit-comments-for-your-organization - /archiving-an-organization - /deleting-an-organization-account - /converting-an-organization-into-a-user diff --git a/content/organizations/managing-organization-settings/managing-commit-comments-for-your-organization.md b/content/organizations/managing-organization-settings/managing-commit-comments-for-your-organization.md new file mode 100644 index 000000000000..48b01588e241 --- /dev/null +++ b/content/organizations/managing-organization-settings/managing-commit-comments-for-your-organization.md 
@@ -0,0 +1,38 @@ +--- +title: Managing commit comments for your organization +intro: 'Organization owners can allow or disallow commit comments by default for repositories in their organization.' +permissions: Organization owners +versions: + fpt: '*' + ghes: '>= 3.22' + ghec: '*' +shortTitle: Manage commit comments +category: + - Set repository policies +--- + +## About commit comments + +Commit comments are comments people add directly to a commit outside of a pull request. Disallowing commit comments can help organizations reduce noise and maintain cleaner commit histories, especially if commit comments are not part of your development workflow. + +It is possible to allow or disallow commit comments at a repository level. Organization owners can configure the default setting for commit comments for all repositories in an organization. + +## What happens when commit comments are disabled? + +When you disable commit comments for your organization: + +* People cannot create new commit comments. +* Existing commit comments remain visible. +* Repository administrators can override the setting in their repository's settings. + +## Managing the default setting for commit comments in your organization's repositories + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +1. In the "Code, planning, and automation" section of the sidebar, select **{% octicon "repo" aria-hidden="true" aria-label="repo" %} Repository**, then click **General**. +1. Under "Commits", select or deselect **Allow comments on individual commits**. + + +## Further reading + +* [AUTOTITLE](/communities/moderating-comments-and-conversations/managing-disruptive-comments) From 14d1235e37fd14b72f3ac283502970526df4ad92 Mon Sep 17 00:00:00 2001 
From: Kevin Heis Date: Thu, 23 Apr 2026 14:30:20 -0700 Subject: [PATCH 2/5] Bump moda production deploy timeout (#60930) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- config/moda/deployment.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/config/moda/deployment.yaml b/config/moda/deployment.yaml index de9d768b85ba..a12c2f4b6497 100644 --- a/config/moda/deployment.yaml +++ b/config/moda/deployment.yaml @@ -3,6 +3,9 @@ environments: - name: production require_pipeline: true + # Bumped from default 10m because pod scheduling occasionally pushes + # rollouts past the timeout even though the deploy itself succeeds. + timeout: 1200 cluster_selector: profile: general region: iad @@ -201,13 +204,13 @@ pipelines: production_rollout: thread_notifications: true notify_users_via_dm: false - timeout: 1200 + timeout: 1800 stages: - name: full_production kind: deployment config: environment: production - timeout: 1200 + timeout: 1800 notifications: slack_channels: From 9e93d7ca5d7854d83b836785da362701ef1ea01e Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Thu, 23 Apr 2026 23:39:58 +0100 Subject: [PATCH 3/5] Add vulnerability-alerts permission documentation (#60783) Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> --- data/features/vulnerability-alerts-permission.yml | 6 ++++++ .../reusables/actions/github-token-available-permissions.md | 3 ++- data/reusables/actions/github-token-scope-descriptions.md | 5 ++++- 3 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 data/features/vulnerability-alerts-permission.yml diff --git a/data/features/vulnerability-alerts-permission.yml b/data/features/vulnerability-alerts-permission.yml new file mode 100644 index 000000000000..5246a2699360 --- /dev/null +++ b/data/features/vulnerability-alerts-permission.yml 
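Review bot: Two different timeout values now apply to the production rollout — `timeout: 1200` on the production environment in the first hunk, and `timeout: 1800` on the `production_rollout` pipeline and its `full_production` stage in the second — and neither the new comment nor the keys say which one governs. If the environment-level value bounds a deployment to that environment, the stage's 1800 can never be reached; if it does not, a reader of the first hunk's comment ("Bumped from default 10m") still cannot tell why it is lower than the pipeline value. The unit is also only implied (10m → 1200 reads as seconds) rather than stated. I'd either use one value for all three or extend the new comment, e.g. `# Seconds. Deliberately below the 1800s pipelines.production_rollout stage timeout: <reason>` — whichever reflects the real precedence. The production environment entry continues past the end of the first hunk.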
@@ -0,0 +1,6 @@ +# Vulnerability alerts permission for GITHUB_TOKEN +# GHES support will be added when the feature ships to GHES +versions: + fpt: '*' + ghec: '*' + # ghes: '>=3.XX' # Uncomment when vulnerability-alerts permission ships to GHES diff --git a/data/reusables/actions/github-token-available-permissions.md b/data/reusables/actions/github-token-available-permissions.md index b2c7ab5c735e..93d1c75b4411 100644 --- a/data/reusables/actions/github-token-available-permissions.md +++ b/data/reusables/actions/github-token-available-permissions.md @@ -17,7 +17,8 @@ permissions: pull-requests: read|write|none{% ifversion projects-v1 %} repository-projects: read|write|none{% endif %} security-events: read|write|none - statuses: read|write|none + statuses: read|write|none{% ifversion vulnerability-alerts-permission %} + vulnerability-alerts: read|none{% endif %} ``` If you specify the access for any of these permissions, all of those that are not specified are set to `none`. diff --git a/data/reusables/actions/github-token-scope-descriptions.md b/data/reusables/actions/github-token-scope-descriptions.md index 9ad41c9d9d56..840dbe7b5bf3 100644 --- a/data/reusables/actions/github-token-scope-descriptions.md +++ b/data/reusables/actions/github-token-scope-descriptions.md 
@@ -28,5 +28,8 @@ Available permissions and details of what each allows an action to do: | {% ifversion projects-v1 %} | | `repository-projects` | Work with GitHub projects (classic). For example, `repository-projects: write` permits an action to add a column to a project (classic). For more information, see [AUTOTITLE](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-projects). | | {% endif %} | -| `security-events` | Work with GitHub code scanning alerts. For example, `security-events: read` permits an action to list the code scanning alerts for the repository, and `security-events: write` allows an action to update the status of a code scanning alert. For more information, see [Repository permissions for 'Code scanning alerts'](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-code-scanning-alerts).

Dependabot and secret scanning alerts cannot be read with this permission and require a GitHub App or a {% data variables.product.pat_generic %}. For more information, see [Repository permissions for 'Dependabot alerts'](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-dependabot-alerts) and [Repository permissions for 'Secret scanning alerts'](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-secret-scanning-alerts) in "Permissions required for GitHub Apps." | +| `security-events` | Work with GitHub code scanning alerts. For example, `security-events: read` permits an action to list the code scanning alerts for the repository, and `security-events: write` allows an action to update the status of a code scanning alert. For more information, see [Repository permissions for "Code scanning alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-code-scanning-alerts).

{% ifversion vulnerability-alerts-permission %}For Dependabot alerts, use the `vulnerability-alerts` permission. Secret scanning alerts cannot be read with this permission and require a GitHub App or a {% data variables.product.pat_generic %}. For more information, see [Repository permissions for "Secret scanning alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-secret-scanning-alerts) in "Permissions required for GitHub Apps."{% else %}Dependabot and secret scanning alerts cannot be read with this permission and require a GitHub App or a {% data variables.product.pat_generic %}. For more information, see [Repository permissions for "Dependabot alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-dependabot-alerts) and [Repository permissions for "Secret scanning alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-secret-scanning-alerts) in "Permissions required for GitHub Apps."{% endif %} | | `statuses` | Work with commit statuses. For example, `statuses:read` permits an action to list the commit statuses for a given reference. For more information, see [AUTOTITLE](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-commit-statuses). | +| {% ifversion vulnerability-alerts-permission %} | +| `vulnerability-alerts` | Read Dependabot alerts. For example, `vulnerability-alerts: read` permits an action to list Dependabot alerts for the repository. Only `read` and `none` are supported; `write` is not valid. When `write-all` or `read-all` is used, `vulnerability-alerts` is automatically included as `read`. For more information, see [Repository permissions for "Dependabot alerts"](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-dependabot-alerts). | +| {% endif %} | 
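Review bot: The new `vulnerability-alerts` row says `write` is not valid but not what a workflow that declares `vulnerability-alerts: write` actually gets — rejected at validation, or silently treated as `read` or `none` — and that is what someone tightening a `permissions:` block needs, because a silently ignored `write` could be mistaken for a working grant. I'd add the outcome right after "`write` is not valid", e.g. `; a workflow that requests it fails validation` or whatever the real behavior is, confirmed with the feature owner. The sentence about `read-all` and `write-all` mapping this permission to `read` is the only place that rule appears, so it is worth keeping exactly as written when the row is edited.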
From 4591eedc9b0656f2bff25595fcfd1c9a33059c6d Mon Sep 17 00:00:00 2001 From: Salman Chishti Date: Thu, 23 Apr 2026 23:46:32 +0100 Subject: [PATCH 4/5] Document GITHUB_TOKEN pull request workflow approval behavior (#60926) Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> --- content/actions/concepts/security/github_token.md | 5 +++++ .../choose-when-workflows-run/trigger-a-workflow.md | 2 +- .../workflows-and-actions/events-that-trigger-workflows.md | 3 ++- .../actions-github-token-pull-request-approval.yml | 7 +++++++ data/reusables/actions/actions-do-not-trigger-workflows.md | 7 ++++++- 5 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 data/features/actions-github-token-pull-request-approval.yml diff --git a/content/actions/concepts/security/github_token.md b/content/actions/concepts/security/github_token.md index 101873ecb605..71664d6301a6 100644 --- a/content/actions/concepts/security/github_token.md +++ b/content/actions/concepts/security/github_token.md @@ -29,6 +29,11 @@ The token is also available in the `github.token` context. For more information, {% data reusables.actions.actions-do-not-trigger-workflows %} +{% ifversion actions-github-token-pull-request-approval %} +> [!NOTE] +> If you need workflow runs from workflow-created pull requests to execute without requiring approval, use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` when creating or updating the pull request. +{% endif %} + {% data reusables.actions.actions-do-not-trigger-pages-rebuilds %} ## Next steps diff --git a/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md b/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md index ed93ed0ef4e5..3915f0c0786d 100644 --- a/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md 
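Review bot: The new note tells readers how to skip the approval step (an app installation access token or a PAT instead of `GITHUB_TOKEN`) without saying what they give up: the reusable included directly above explains that the `GITHUB_TOKEN` behavior exists to prevent accidental recursive workflow runs, and the approval state described in the events-that-trigger-workflows hunk of this commit is what keeps automation-created pull requests from running workflows unreviewed. A reader who follows this note with a broadly scoped token gets both recursion and unreviewed runs back. I'd append one sentence to the note, e.g. `> Doing so removes the approval step, so scope that token to the minimum the workflow needs and make sure the workflows it triggers cannot themselves open or update pull requests with it, or runs can recurse.` The same caveat belongs in the `trigger-a-workflow.md` hunk, which adds the equivalent statement to the paragraph starting "If you do want to trigger a workflow".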
+++ b/content/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow.md @@ -25,7 +25,7 @@ To learn more about workflows and triggering workflows, see [AUTOTITLE](/actions {% data reusables.actions.actions-do-not-trigger-workflows %} For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication). -If you do want to trigger a workflow from within a workflow run, you can use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` to trigger events that require a token. +If you do want to trigger a workflow from within a workflow run, you can use a {% data variables.product.prodname_github_app %} installation access token or a {% data variables.product.pat_generic %} instead of `GITHUB_TOKEN` to trigger events that require a token.{% ifversion actions-github-token-pull-request-approval %} Using one of these alternatives also lets `pull_request` workflows run automatically (without the approval prompt described above) when the pull request is created or updated by automation.{% endif %} If you use a {% data variables.product.prodname_github_app %}, you'll need to create a {% data variables.product.prodname_github_app %} and store the app ID and private key as secrets. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). If you use a {% data variables.product.pat_generic %}, you'll need to create a {% data variables.product.pat_generic %} and store it as a secret. For more information about creating a {% data variables.product.pat_generic %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). For more information about storing secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions). 
diff --git a/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md b/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md
index 186211d44b84..8a555cba0da4 100644
--- a/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md
+++ b/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md
@@ -510,7 +510,8 @@ on: > [!NOTE] > * {% data reusables.developer-site.multiple_activity_types %} For information about each activity type, see [AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request). By default, a workflow only runs when a `pull_request` event's activity type is `opened`, `synchronize`, or `reopened`. To trigger workflows by different activity types, use the `types` keyword. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onevent_nametypes). > * Workflows will not run on `pull_request` activity if the pull request has a merge conflict. The merge conflict must be resolved first. Conversely, workflows with the `pull_request_target` event will run even if the pull request has a merge conflict. Before using the `pull_request_target` trigger, you should be aware of the security risks. For more information, see [`pull_request_target`](#pull_request_target). -> * The `pull_request` webhook event payload is empty for merged pull requests and pull requests that come from forked repositories. +> * The `pull_request` webhook event payload is empty for merged pull requests and pull requests that come from forked repositories.{% ifversion actions-github-token-pull-request-approval %} +> * When a pull request is created or updated by a workflow using `GITHUB_TOKEN`, `pull_request` events with the `opened`, `synchronize`, or `reopened` activity types create workflow runs that require approval. A user with write access to the repository can approve these runs from the pull request page. With the exception of `workflow_dispatch` and `repository_dispatch`, other `GITHUB_TOKEN`-triggered events do not create workflow runs at all.{% endif %} > * The value of `GITHUB_REF` varies for a closed pull request depending on whether the pull request has been merged or not. If a pull request was closed but not merged, it will be `refs/pull/PULL_REQUEST_NUMBER/merge`. 
If a pull request was closed as a result of being merged, it will be the fully qualified `ref` of the branch it was merged into, for example `/refs/heads/main`. Runs your workflow when activity on a pull request in the workflow's repository occurs. For example, if no activity types are specified, the workflow runs when a pull request is opened or reopened or when the head branch of the pull request is updated. For activity related to pull request reviews, pull request review comments, or pull request comments, use the [`pull_request_review`](#pull_request_review), [`pull_request_review_comment`](#pull_request_review_comment), or [`issue_comment`](#issue_comment) events instead. For information about the pull request APIs, see [AUTOTITLE](/graphql/reference/objects#pullrequest) in the GraphQL API documentation or [AUTOTITLE](/rest/pulls). diff --git a/data/features/actions-github-token-pull-request-approval.yml b/data/features/actions-github-token-pull-request-approval.yml new file mode 100644 index 000000000000..6fe3c1626b8f --- /dev/null +++ b/data/features/actions-github-token-pull-request-approval.yml @@ -0,0 +1,7 @@ +# Approval-required workflow runs for pull requests created or updated by +# workflows using GITHUB_TOKEN. Implementation feature flag: +# `actions_requires_approval_for_actions_bot_prs`. +versions: + fpt: '*' + ghec: '*' + # ghes: '>=3.XX' # Uncomment when this ships to GHES (currently rolling out on dotcom) diff --git a/data/reusables/actions/actions-do-not-trigger-workflows.md b/data/reusables/actions/actions-do-not-trigger-workflows.md index 01a0e89c3f80..ba20bdcc672b 100644 --- a/data/reusables/actions/actions-do-not-trigger-workflows.md +++ b/data/reusables/actions/actions-do-not-trigger-workflows.md 
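Review bot: The header comment of the new feature file records an internal implementation flag, `actions_requires_approval_for_actions_bot_prs`, that nothing in the versioning data uses — the content is gated on the file name, `actions-github-token-pull-request-approval`, as the `{% ifversion %}` tags in the other hunks of this commit show. If this content repository is public, the flag name is an implementation detail that can be renamed server-side without anyone updating this comment, and it adds nothing for a docs author. I'd keep only the first sentence, `# Approval-required workflow runs for pull requests created or updated by workflows using GITHUB_TOKEN.`, and move the flag name to the pull request description.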
@@ -1 +1,6 @@
-When you use the repository's `GITHUB_TOKEN` to perform tasks, events triggered by the `GITHUB_TOKEN`, with the exception of `workflow_dispatch` and `repository_dispatch`, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's `GITHUB_TOKEN`, a new workflow will not run even when the repository contains a workflow configured to run when `push` events occur.
+When you use the repository's `GITHUB_TOKEN` to perform tasks, events triggered by the `GITHUB_TOKEN` will not create a new workflow run, with the following exceptions:
+
+* `workflow_dispatch` and `repository_dispatch` events always create workflow runs.{% ifversion actions-github-token-pull-request-approval %}
+* `pull_request` events with the `opened`, `synchronize`, or `reopened` activity types: when a workflow using `GITHUB_TOKEN` creates or updates a pull request, the resulting `pull_request` event creates workflow runs in an **approval-required** state. The pull request displays a banner in the merge box, and a user with write access to the repository can start the runs by selecting **Approve workflows to run**. Other `pull_request` activity types (such as `labeled`, `edited`, or `closed`) do not create workflow runs. This prevents recursive workflow runs while still allowing CI workflows to run on pull requests created by automation. For more information about approving workflow runs, see [AUTOTITLE](/actions/how-tos/manage-workflow-runs/approve-runs-from-forks).{% endif %}
+
+For all other events, this behavior prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's `GITHUB_TOKEN`, a new workflow will not run even when the repository contains a workflow configured to run when `push` events occur.
From ba4be375dbfb53d94614b29bc93ea0355688823c Mon Sep 17 00:00:00 2001
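Review bot: The new bullet sends readers to `/actions/how-tos/manage-workflow-runs/approve-runs-from-forks` for the approval procedure, but the runs it describes come from same-repository pull requests opened by a workflow, not from forks; if that page only covers the fork case, as its slug suggests, the reader will not find the **Approve workflows to run** flow described here. I'd confirm the target covers `GITHUB_TOKEN`-created pull requests or link wherever that procedure is documented. This reusable is included by `github_token.md` and `trigger-a-workflow.md` in this same commit, so the link is reached from both pages.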
From: Larissa Fortuna <56982181+lkfortuna@users.noreply.github.com> Date: Thu, 23 Apr 2026 16:06:31 -0700 Subject: [PATCH 5/5] Cleanup non-live SKUs in product reference (#60907) Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> --- .../reference/product-and-sku-names.md | 27 ++----------------- 1 file changed, 2 insertions(+), 25 deletions(-)
diff --git a/content/billing/reference/product-and-sku-names.md b/content/billing/reference/product-and-sku-names.md
index e76291130a08..9c0251ac1c83 100644
--- a/content/billing/reference/product-and-sku-names.md
+++ b/content/billing/reference/product-and-sku-names.md
@@ -31,64 +31,41 @@ For **SkuPricing** budgets or to query usage by SKU, use one of the following va -* `actions_beta_classroom_repository` - Actions beta classroom repository -* `actions_beta_custom_runner_azure` - Actions beta custom runner (Azure) -* `actions_beta_macos_xl_runner` - Actions beta macOS XL runner -* `actions_beta_public_repository` - Actions beta public repository -* `actions_beta_self_hosted_runner` - Actions beta self-hosted runner * `actions_cache_storage` - Actions cache storage * `actions_custom_image_storage` - Actions custom image storage * `actions_linux` - Actions Linux runners -* `actions_linux_16_core_perf` - Actions Linux 16-core performance -* `actions_linux_20_core_mem` - Actions Linux 20-core memory * `actions_linux_2_core_advanced` - Actions Linux 2-core advanced * `actions_linux_2_core_arm` - Actions Linux 2-core ARM * `actions_linux_32_core` - Actions Linux 32-core * `actions_linux_32_core_arm` - Actions Linux 32-core ARM -* `actions_linux_32_core_stor` - Actions Linux 32-core storage * `actions_linux_4_core` - Actions Linux 4-core -* `actions_linux_4_core_advanced` - Actions Linux 4-core advanced +* `actions_linux_4_core_arm` - Actions Linux 4-core ARM * `actions_linux_4_core_gpu` - Actions Linux 4-core GPU * `actions_linux_64_core` - Actions Linux 64-core * `actions_linux_64_core_arm` - Actions Linux 64-core ARM * `actions_linux_8_core` - Actions Linux 8-core * `actions_linux_8_core_arm` - Actions Linux 8-core ARM -* `actions_linux_8_core_stor` - Actions Linux 8-core storage * `actions_linux_96_core` - Actions Linux 96-core -* `actions_linux_a100_24_core_gpu` - Actions Linux A100 24-core GPU -* `actions_linux_a10_36_core_gpu` - Actions Linux A10 36-core GPU * `actions_linux_arm` - Actions Linux ARM * `actions_linux_slim` - Actions Linux slim * `actions_macos` - Actions macOS runners -* `actions_macos_12_core` - Actions macOS 12-core -* `actions_macos_8_core` - Actions macOS 8-core * `actions_macos_l` - Actions macOS large * 
`actions_macos_xl` - Actions macOS XL -* `actions_self_hosted_linux` - Actions self-hosted Linux -* `actions_self_hosted_macos` - Actions self-hosted macOS -* `actions_self_hosted_unknown` - Actions self-hosted unknown -* `actions_self_hosted_windows` - Actions self-hosted Windows * `actions_storage` - Actions storage -* `actions_unknown` - Actions unknown * `actions_windows` - Actions Windows runners * `actions_windows_16_core` - Actions Windows 16-core -* `actions_windows_176_core_perf` - Actions Windows 176-core performance * `actions_windows_2_core` - Actions Windows 2-core * `actions_windows_2_core_advanced` - Actions Windows 2-core advanced * `actions_windows_2_core_arm` - Actions Windows 2-core ARM +* `actions_windows_4_core_arm` - Actions Windows 4-core ARM * `actions_windows_32_core` - Actions Windows 32-core * `actions_windows_32_core_arm` - Actions Windows 32-core ARM -* `actions_windows_32_core_stor` - Actions Windows 32-core storage * `actions_windows_4_core` - Actions Windows 4-core * `actions_windows_4_core_gpu` - Actions Windows 4-core GPU * `actions_windows_64_core` - Actions Windows 64-core * `actions_windows_64_core_arm` - Actions Windows 64-core ARM * `actions_windows_8_core` - Actions Windows 8-core * `actions_windows_8_core_arm` - Actions Windows 8-core ARM -* `actions_windows_8_core_mem` - Actions Windows 8-core memory -* `actions_windows_8_core_stor` - Actions Windows 8-core storage -* `actions_windows_a100_24_core_gpu` - Actions Windows A100 24-core GPU -* `actions_windows_a10_36_core_gpu` - Actions Windows A10 36-core GPU * `actions_windows_arm` - Actions Windows ARM