10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,15 @@
# Docs changelog

**24 November 2025**

We've added a new tutorial on burning down technical debt in a project:

[Using GitHub Copilot to reduce technical debt](https://docs.github.com/en/copilot/tutorials/reduce-technical-debt)

The addition of this tutorial was prompted by a presentation by Brittany Ellich at this year's GitHub Universe conference: [Tackling your tech debt with Copilot coding agent](https://www.youtube.com/watch?v=LafpndhNC_E), and is based on a GitHub community post by Akash Sharma: [Stop Letting Technical Debt Slow You Down](https://github.com/orgs/community/discussions/178975).

<hr>

**13 November 2025**

We've published a new tutorial on [using custom instructions for Copilot code review](https://docs.github.com/copilot/tutorials/use-custom-instructions). In this tutorial you'll learn how to write effective custom instructions that help Copilot provide more relevant and actionable code reviews.
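Review bot: the attribution sentence in the new 24 November entry is hard to parse, because the clause "and is based on a GitHub community post by Akash Sharma" hangs off a link that was introduced with a colon. Suggest splitting it into two sentences: end the first after the YouTube link, then "It is based on a GitHub community post by Akash Sharma: [Stop Letting Technical Debt Slow You Down](...)".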
2 changes: 1 addition & 1 deletion Dockerfile
@@ -8,7 +8,7 @@
# ---------------------------------------------------------------
# To update the sha:
# https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
FROM ghcr.io/github/gh-base-image/gh-base-noble:20251114-221740-gd084d271e AS base
FROM ghcr.io/github/gh-base-image/gh-base-noble:20251119-090131-gb27dc275c AS base

# Install curl for Node install and determining the early access branch
# Install git for cloning docs-early-access & translations repos
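Review bot: the base image is still selected by tag only (`FROM ghcr.io/github/gh-base-image/gh-base-noble:20251119-090131-gb27dc275c AS base`); the "sha" the comment above refers to is the git short hash embedded in the tag, not an image digest, and a tag can be re-pointed after this review. Consider also pinning the digest (`image:tag@sha256:<digest>`, digest to be taken from the package page linked in the comment) so that a rebuild pulls exactly the image that was reviewed and bumps like this one are verifiable in the diff.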
Binary file removed assets/images/help/copilot/tell-me-about-repo.png
@@ -51,6 +51,9 @@ Disallowing {% data variables.product.prodname_GH_sp_cs_and_cq_or_as %} for an o
{% data reusables.enterprise-accounts.advanced-security-organization-policy-drop-down %}
{% data reusables.enterprise-accounts.advanced-security-individual-organization-policy-drop-down %}

> [!NOTE]
> If {% data variables.product.prodname_actions %} is not available for an organization, {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_code_quality %} will be unable to run even if they are made available with this policy. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#policies).
{% ifversion ghec %}

## Enforcing a policy for visibility of dependency insights
@@ -31,6 +31,8 @@ Enterprise policies control the options that are available to enterprise members

If you don't enforce enterprise policies, organization owners{% ifversion custom-org-roles %} and users with the "Manage organization Actions policies" permission{% endif %} have full control over {% data variables.product.prodname_actions %} for their organizations.

> [!NOTE] {% data variables.product.prodname_actions %} must be enabled for repositories in an organization for the {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} default setup and {% data variables.product.prodname_code_quality %} workflows to run. However, the {% data variables.product.prodname_codeql %} default setup for {% data variables.product.prodname_code_scanning %} is not affected by other {% data variables.product.prodname_actions %} policies (such as restricting access to public actions or reusable workflows).
## Enforcing policies

{% data reusables.enterprise-accounts.access-enterprise %}
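Review bot: the second sentence of the new note only says that the {% data variables.product.prodname_codeql %} default setup for code scanning is unaffected by other Actions policies, while the first sentence (and the "Controlling access to public actions" text further down in this file) covers both code scanning and code quality; state explicitly whether the code quality workflows are also unaffected, since that is the question a reader restricting public actions will have. Style: the note text sits on the same line as `> [!NOTE]`, whereas the other notes added in this PR put it on its own `> ` line; match that form.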
@@ -48,7 +50,14 @@ In the "Policies" section, you can control which organizations within your enter
* Enable {% data variables.product.prodname_actions %} for specific organizations
* Disable {% data variables.product.prodname_actions %} for all organizations

You can also limit the use of public actions {% ifversion actions-workflow-policy %}and reusable workflows{% endif %}, with the following options:
> [!NOTE]
> If you disable {% data variables.product.prodname_actions %}, or do not enable the feature for one or more organizations, this blocks affected organizations from using {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_code_quality %} analysis.
### Controlling access to public actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %}

Enterprises often want to limit access to only a well-tested group of public actions {% ifversion actions-workflow-policy %}and reusable workflows{% endif %} as part of their supply chain governance. The policies available in {% data variables.product.github %} allow you to control access without blocking the dynamic workflows used by {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_code_quality %}.

You can enforce strict controls without defining exceptions or additional configuration for {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_code_quality %}, with the following options:

* **Allow all actions {% ifversion actions-workflow-policy %}and reusable workflows{% endif %}:** Any action {% ifversion actions-workflow-policy %}or reusable workflow{% endif %} can be used, regardless of who authored it or where it is defined.
* **Allow enterprise actions {% ifversion actions-workflow-policy %}and reusable workflows{% endif %}:** Only actions {% ifversion actions-workflow-policy %}and reusable workflows{% endif %} defined in a repository within the enterprise can be used. {% ifversion ghec %}Blocks all access to actions authored by {% data variables.product.prodname_dotcom %}, such as the [`actions/checkout`](https://github.com/actions/checkout) action.{% endif %}
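Review bot: the new lead-in "You can enforce strict controls without defining exceptions or additional configuration ... with the following options:" is immediately followed by "**Allow all actions ...**", which is not a strict control, so the sentence no longer describes the list it introduces. Keep the no-exceptions point in the paragraph above and introduce the list neutrally, for example "The following options are available:", close to the wording of the replaced line "You can also limit the use of public actions ... with the following options:".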
@@ -44,6 +44,26 @@ Due to risk of failure and performance impact for all users of your instance, we
> [!NOTE]
> To avoid rejection of a push due to a timeout, all combined pre-receive hooks should run in under five seconds.

## Pre-receive hook timeouts

Pre-receive hooks in {% data variables.product.prodname_ghe_server %} have a fixed timeout budget of 5 seconds (shared across all hooks). This is intentional design to prevent resource exhaustion from long-running hooks and to prevent runaway scripts from blocking repository operations indefinitely.

All pre-receive hooks for a repository share a **cumulative timeout budget**:
- If hook A takes 3 seconds, hook B gets 2 seconds remaining (from 5 second default)
- If hook A times out at 5 seconds, hook B never executes

> [!IMPORTANT]
> Pre-receive hook timeouts are handled differently from exit codes:
> - **Exit codes**: Enforcement configuration is honored (non-enforced hooks don't block pushes)
> - **Timeouts**: Push may fail regardless of enforcement configuration

### Timeout behavior

Scenario | Enforcement = Enabled | Enforcement = Disabled/Testing
----------|----------------------|--------------------------------
Exit code ≠ 0 | Push rejected | Push continues (warning only)
Timeout exceeded | Push rejected | Warning + push may still fail

{% ifversion ghes > 3.16 %}

{% data reusables.repositories.push-rule-and-prereceive-hooks %}
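Review bot: the new section contradicts itself on whether the limit is configurable: it opens with "a fixed timeout budget of 5 seconds" but the first bullet says "(from 5 second default)", which implies a default that can be changed; pick one and use it throughout. The table cell "Warning + push may still fail" leaves the non-enforced timeout case undefined, which is the case this section exists to explain; say what actually happens when a non-enforced hook exhausts the budget. Smaller points: "This is intentional design" reads better as "This is an intentional design choice"; the bullets use `-` where the rest of this docs set uses `*`; and the opening paragraph repeats the existing note directly above ("all combined pre-receive hooks should run in under five seconds"), so the two could be folded together.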
@@ -20,7 +20,7 @@ Your JWT must be signed using the `RS256` algorithm and must contain the followi
|---|---|---|
|`iat`| Issued At | The time that the JWT was created. To protect against clock drift, we recommend that you set this 60 seconds in the past and ensure that your server's date and time is set accurately (for example, by using the Network Time Protocol). |
|`exp`| Expires At | The expiration time of the JWT, after which it can't be used to request an installation token. The time must be no more than 10 minutes into the future. |
|`iss`| Issuer | The client ID or application ID of your {% data variables.product.prodname_github_app %}. This value is used to find the right public key to verify the signature of the JWT. You can find your app's IDs on the settings page for your {% data variables.product.prodname_github_app %}. Use of the client ID is recommended. For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app-registration#navigating-to-your-github-app-settings).|
|`iss`| Issuer | The {% ifversion client-id-for-app %}client ID or {% endif %}application ID of your {% data variables.product.prodname_github_app %}. This value is used to find the right public key to verify the signature of the JWT. You can find your app's ID{% ifversion client-id-for-app %}s{% endif %} on the settings page for your {% data variables.product.prodname_github_app %}.{% ifversion client-id-for-app %} Use of the client ID is recommended.{% endif %} For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app-registration#navigating-to-your-github-app-settings).|
|`alg`| Message authentication code algorithm | This should be `RS256` since your JWT must be signed using the `RS256` algorithm. |

To use a JWT, pass it in the `Authorization` header of an API request. For example:
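Review bot: the `alg` row (unchanged context in this hunk) still describes RS256 as a "Message authentication code algorithm"; RS256 is an RSA signature algorithm (RSASSA-PKCS1-v1_5 with SHA-256), not a MAC, and the `iss` row edited here already talks about "the right public key to verify the signature of the JWT". Since this hunk touches the table, consider changing that cell to "Signature algorithm".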
@@ -47,7 +47,7 @@ Most programming languages have a package that can generate a JWT. In all cases,
> [!NOTE]
> You must run `gem install jwt` to install the `jwt` package in order to use this script.
In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace `YOUR_CLIENT_ID` with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` and `YOUR_CLIENT_ID` in double quotes.
In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace {% ifversion client-id-for-app %}`YOUR_CLIENT_ID`{% else %}`YOUR_APP_ID`{% endif %} with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` and {% ifversion client-id-for-app %}`YOUR_CLIENT_ID`{% else %}`YOUR_APP_ID`{% endif %} in double quotes.

```ruby
require 'openssl'
@@ -63,10 +63,11 @@ payload = {
iat: Time.now.to_i - 60,
# JWT expiration time (10 minute maximum)
exp: Time.now.to_i + (10 * 60),

{% ifversion client-id-for-app %}
# {% data variables.product.prodname_github_app %}'s client ID
iss: "YOUR_CLIENT_ID"

iss: "YOUR_CLIENT_ID"{% else %}
# {% data variables.product.prodname_github_app %}'s app ID
iss: "YOUR_APP_ID"{% endif %}
}

jwt = JWT.encode(payload, private_key, "RS256")
@@ -92,12 +93,19 @@ if len(sys.argv) > 1:
else:
pem = input("Enter path of private PEM file: ")

{% ifversion client-id-for-app %}
# Get the Client ID
if len(sys.argv) > 2:
client_id = sys.argv[2]
else:
client_id = input("Enter your Client ID: ")

{% else %}
# Get the App ID
if len(sys.argv) > 2:
app_id = sys.argv[2]
else:
app_id = input("Enter your APP ID: ")
{% endif %}

# Open PEM
with open(pem, 'rb') as pem_file:
@@ -108,9 +116,11 @@ payload = {
'iat': int(time.time()),
# JWT expiration time (10 minutes maximum)
'exp': int(time.time()) + 600,

{% ifversion client-id-for-app %}
# {% data variables.product.prodname_github_app %}'s client ID
'iss': client_id
'iss': client_id{% else %}
# {% data variables.product.prodname_github_app %}'s app ID
'iss': app_id{% endif %}

}
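Review bot: `'iat': int(time.time())` (context in this hunk) does not apply the 60-second backdate that the `iat` row of the claims table recommends to absorb clock drift, and that the Ruby example above applies with `Time.now.to_i - 60`; since the payload is being edited here anyway, consider `'iat': int(time.time()) - 60` so the examples agree with the table.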

@@ -125,14 +135,16 @@ This script will prompt you for the file path where your private key is stored a
### Example: Using Bash to generate a JWT

> [!NOTE]
> You must pass your Client ID and the file path where your private key is stored as arguments when running this script.
> You must pass your {% ifversion client-id-for-app %}Client ID{% else %}App ID{% endif %} and the file path where your private key is stored as arguments when running this script.

```bash copy
#!/usr/bin/env bash

set -o pipefail
{% ifversion client-id-for-app %}
client_id=$1 # Client ID as first argument

{% else %}
app_id=$1 # App ID as first argument
{% endif %}
pem=$( cat $2 ) # file path of the private key as second argument

now=$(date +%s)
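Review bot: `pem=$( cat $2 )` (unchanged context in this hunk) leaves `$2` unquoted, so a key path containing spaces is split into several arguments and the script reads the wrong file or fails; since the hunk already reworks the argument handling, quote it: `pem=$( cat "$2" )`. Relatedly, `set -o pipefail` without `set -e` means a failing `cat` does not stop the script, which then goes on to print a JWT built from an empty key; `set -eo pipefail` makes that failure visible.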
@@ -151,7 +163,7 @@ header=$( echo -n "${header_json}" | b64enc )
payload_json="{
\"iat\":${iat},
\"exp\":${exp},
\"iss\":\"${client_id}\"
{% ifversion client-id-for-app %}\"iss\":\"${client_id}\"{% else %}\"iss\":\"${app_id}\"{% endif %}
}"
# Payload encode
payload=$( echo -n "${payload_json}" | b64enc )
@@ -170,13 +182,16 @@ printf '%s\n' "JWT: $JWT"

### Example: Using PowerShell to generate a JWT

In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace `YOUR_CLIENT_ID` with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` in double quotes.
In the following example, replace `YOUR_PATH_TO_PEM` with the file path where your private key is stored. Replace {% ifversion client-id-for-app %}`YOUR_CLIENT_ID`{% else %}`YOUR_APP_ID`{% endif %} with the ID of your app. Make sure to enclose the values for `YOUR_PATH_TO_PEM` in double quotes.

```powershell copy
#!/usr/bin/env pwsh

{% ifversion client-id-for-app %}
$client_id = YOUR_CLIENT_ID
{% else %}
$app_id = YOUR_APP_ID
{% endif %}
$private_key_path = "YOUR_PATH_TO_PEM"

$header = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @{
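Review bot: `$client_id = YOUR_CLIENT_ID` in the `client-id-for-app` branch is unquoted, and the prose above this block tells readers to quote only `YOUR_PATH_TO_PEM`. That works for the `$app_id = YOUR_APP_ID` branch, where the value is numeric, but a client ID is a non-numeric string and PowerShell parses a bare word on the right of `=` as a command to run, so the script fails before it signs anything. Suggest `$client_id = "YOUR_CLIENT_ID"` and extending the prose to say the client ID must be quoted as well, as the Ruby example already does with `iss: "YOUR_CLIENT_ID"`.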
@@ -187,7 +202,7 @@ $header = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((Conve
$payload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @{
iat = [System.DateTimeOffset]::UtcNow.AddSeconds(-10).ToUnixTimeSeconds()
exp = [System.DateTimeOffset]::UtcNow.AddMinutes(10).ToUnixTimeSeconds()
iss = $client_id
{% ifversion client-id-for-app %}iss = $client_id{% else %}iss = $app_id{% endif %}
}))).TrimEnd('=').Replace('+', '-').Replace('/', '_');

$rsa = [System.Security.Cryptography.RSA]::Create()
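Review bot: `iat = [System.DateTimeOffset]::UtcNow.AddSeconds(-10).ToUnixTimeSeconds()` (context in this hunk) backdates the token by only 10 seconds, while the `iat` row of the claims table recommends 60 seconds and the Ruby example uses `Time.now.to_i - 60`; change it to `AddSeconds(-60)` so the clock-drift guidance is consistent across the examples.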
1 change: 1 addition & 0 deletions content/billing/concepts/cost-centers.md
@@ -35,3 +35,4 @@ For more details, see [AUTOTITLE](/billing/reference/cost-center-allocation).
* The maximum number of resources per cost center is 10,000.
* A maximum of 50 resources can be added to or removed from a cost center at a time.
* Azure subscriptions can only be added to or removed from cost centers through the UI.
* Outside collaborators can only be added to cost centers via the cost center API. For more information, see [AUTOTITLE](/billing/tutorials/control-costs-at-scale#add-resources-to-the-cost-center).
@@ -42,7 +42,7 @@ With {% data variables.product.prodname_code_quality_short %}, you can:

{% data reusables.code-quality.codeql-supported-languages %}

Code quality problems in other languages are detected by AI analysis alone. For more information on analysis, see [AUTOTITLE](/code-security/code-quality/responsible-use/code-quality).
{% data variables.product.prodname_code_quality_short %} also performs AI-powered analysis with results displayed separately on the "**{% data variables.code-quality.recent_suggestions %}**" repository dashboard. Unlike the rule-based {% data variables.product.prodname_codeql %} analysis that scans the entire codebase and pull requests, this AI-powered analysis only examines files recently pushed to the default branch and may identify issues in languages beyond those listed above. For more information, see [AUTOTITLE](/code-security/code-quality/responsible-use/code-quality).

## Understanding where {% data variables.product.prodname_code_quality_short %} findings appear after enablement

4 changes: 2 additions & 2 deletions content/code-security/code-quality/get-started/quickstart.md
@@ -21,7 +21,7 @@ In this tutorial, you’ll learn how to identify and fix a code quality finding
### Prerequisites

* {% data variables.product.prodname_code_quality %} must be enabled for your repository and you must have code in a supported language. See [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
* If you're enabling {% data variables.product.prodname_code_quality %} for the first time, ensure you've waited a few minutes after enablement for a scan of the default branch to complete.
* If you're enabling {% data variables.product.prodname_code_quality %} for the first time, ensure you've waited a few minutes after enablement for a full {% data variables.product.prodname_codeql %} scan of the default branch to complete.

## Review scan results for your default branch

@@ -30,7 +30,7 @@ In your repository, go to the **Security** tab, click **{% data variables.code-q
Here you'll see:

* Ratings for the **Reliability** and **Maintainability** of your codebase, which help you understand your code health at a glance.
* A **results list** of all the quality issues detected on your default branch, which are grouped by rule and language.
* A **results list** of all the quality issues detected by a {% data variables.product.prodname_codeql %}-powered analysis on your default branch, which are grouped by rule and language.

![Screenshot of code quality ratings in the "{% data variables.code-quality.all_findings %}" view for {% data variables.product.prodname_code_quality_short %}.](/assets/images/help/code-quality/all-findings-overview-repo.png)

@@ -50,6 +50,8 @@ Code quality results should always be interpreted in the context of your reposit
* Repositories with a lot of generated code may have many maintenance results, lowering the rating for maintainability. This is not a problem if the source code itself is maintainable.
* Large repositories with a lot of code in a fully supported language often have many results even if the majority of the code has good maintainability and reliability standards.

To learn more about the metrics and how the ratings are calculated, see [AUTOTITLE](/code-security/code-quality/reference/metrics-and-ratings).

## Next steps

* Remediate quality findings in your default branch and improve the maintainability and reliability rating for your repository. See [AUTOTITLE](/code-security/code-quality/tutorials/improve-your-codebase).
@@ -26,9 +26,9 @@ Catching code quality issues early keeps your team's codebase in shape. {% data

## 1. Understand how {% data variables.product.prodname_code_quality %} works on pull requests

When you open a pull request, {% data variables.product.prodname_code_quality %} automatically scans your changes for quality issues like those described above.
When you open a pull request, {% data variables.product.prodname_code_quality %} uses {% data variables.product.prodname_codeql %} to automatically scan your changes for quality issues like those described above.

The results of the scan are reported as comments on your pull request, left by the `{% data variables.code-quality.pr_commenter %}`. Each comment corresponds to a specific code quality problem that was detected in your changes, and comes with a suggested autofix.
The results of the {% data variables.product.prodname_codeql %} scan are reported as comments on your pull request, left by the `{% data variables.code-quality.pr_commenter %}`. Each comment corresponds to a specific code quality problem that was detected in your changes, and comes with a suggested autofix.

Comments are labeled by severity (**Error**, **Warning**, **Note**), so you can see which findings are the most critical to address.

@@ -17,7 +17,7 @@ redirect_from:

## Introduction

This tutorial shows you how to explore and remediate quality issues that have been detected by {% data variables.product.prodname_code_quality_short %}'s analysis of code that was recently merged into your default branch.
This tutorial shows you how to explore and remediate quality issues that have been detected by {% data variables.product.prodname_code_quality_short %}'s AI-powered analysis of code that was recently merged into your default branch.

When you improve quality of recently merged files, you reduce technical debt in the repository and make it easier for other developers to work on files that are under active development.

@@ -20,7 +20,7 @@ This tutorial guides you through using {% data variables.product.prodname_code_q
### Prerequisites

* {% data variables.product.prodname_code_quality_short %} is enabled for your repository. See [AUTOTITLE](/code-security/code-quality/how-tos/enable-code-quality).
* A full scan of the default branch has completed.
* If you're enabling {% data variables.product.prodname_code_quality %} for the first time, ensure you've waited a few minutes after enablement for a full {% data variables.product.prodname_codeql %} scan of the default branch to complete.

## 1. Assess your repository's overall code health
