Merged
25 changes: 20 additions & 5 deletions .github/workflows/content-pipelines.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,8 +62,10 @@ jobs:
echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"

- name: Setup branch
id: setup-branch
env:
UPDATE_BRANCH: ${{ steps.branch.outputs.update_branch }}
PR_NUMBER: ${{ steps.check-pr.outputs.pr_number }}
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
Expand All @@ -76,7 +78,12 @@ jobs:
git merge --abort 2>/dev/null || true
git checkout main
git branch -D "$UPDATE_BRANCH"
git push origin --delete "$UPDATE_BRANCH" || true
if [ -z "$PR_NUMBER" ]; then
git push origin --delete "$UPDATE_BRANCH" || true
else
echo "Skipping remote branch delete — PR #$PR_NUMBER is open"
echo "force_push=true" >> "$GITHUB_OUTPUT"
fi
git checkout -b "$UPDATE_BRANCH"
}
else
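Review bot: the `else` branch that writes `force_push=true` commits the job to force-pushing over an open PR's branch right after that branch was deleted locally (`git branch -D "$UPDATE_BRANCH"`) and recreated from `main` (`git checkout -b "$UPDATE_BRANCH"`), which silently discards any commits a reviewer pushed to PR #$PR_NUMBER by hand. Before setting the flag, check whether the remote branch carries commits the pipeline did not author, for example with `git log origin/"$UPDATE_BRANCH" --not main --format=%an`, and either abort or post a comment on the PR so the dropped work is visible rather than just logging "Skipping remote branch delete".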
Expand Down Expand Up @@ -111,12 +118,19 @@ jobs:
if: steps.commit.outputs.has_changes == 'true'
env:
UPDATE_BRANCH: ${{ steps.branch.outputs.update_branch }}
run: git push origin "$UPDATE_BRANCH"
FORCE_PUSH: ${{ steps.setup-branch.outputs.force_push }}
run: |
if [ "$FORCE_PUSH" = "true" ]; then
echo "Force-pushing to align branch after merge conflict reset"
git push --force-with-lease origin "$UPDATE_BRANCH"
else
git push origin "$UPDATE_BRANCH"
fi

- name: Create or update PR
if: steps.commit.outputs.has_changes == 'true'
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
UPDATE_BRANCH: ${{ steps.branch.outputs.update_branch }}
PIPELINE_ID: ${{ matrix.id }}
run: |
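Review bot: the `GH_TOKEN` change from `${{ github.token }}` to `${{ secrets.DOCS_BOT_PAT_BASE }}` replaces an ephemeral, job-scoped token with a long-lived personal access token, and nothing in the hunk says why. If the reason is that PRs created with `GITHUB_TOKEN` do not trigger `pull_request` workflows, put that in a comment next to the line, and confirm the PAT is fine-grained, limited to this repository, and holds only `contents` and `pull-requests` write; it is correctly scoped to this one step rather than the job, keep it that way. Separately, `git push --force-with-lease origin "$UPDATE_BRANCH"` with no explicit expected value checks the remote against whatever `refs/remotes/origin/$UPDATE_BRANCH` held at the last fetch, so the lease only catches pushes that landed after that fetch; any intervening fetch in the setup step makes it equivalent to a plain `--force`, so pin the expected ref or fetch once at job start and not again.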
Expand All @@ -136,15 +150,16 @@ jobs:

if [ -n "$PR_NUMBER" ]; then
echo "PR #$PR_NUMBER already exists — new commit pushed"
echo "Ensuring PR #$PR_NUMBER is marked ready for review"
gh pr ready "$PR_NUMBER" || echo "Unable to mark PR #$PR_NUMBER as ready (it may already be ready)"
else
echo "Creating new PR"
gh pr create \
--title "$PR_TITLE" \
--body "$PR_BODY" \
--base main \
--head "$UPDATE_BRANCH" \
--label "workflow-generated,content-pipeline-update" \
--draft
--label "workflow-generated,content-pipeline-update,ready-for-doc-review"
fi

- uses: ./.github/actions/slack-alert
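Review bot: `gh pr ready "$PR_NUMBER"` in the existing-PR branch runs on every pipeline run, so a maintainer who deliberately converts a bot PR back to draft to hold it will see it flipped to ready the next time content changes. Gate it on the PR's current state, for example `if [ "$(gh pr view "$PR_NUMBER" --json isDraft -q .isDraft)" = "true" ]`, or only mark ready when the branch was freshly created in the setup step. The `|| echo` fallback also hides real failures, such as permission errors from the newly introduced PAT, behind the same message as the already-ready case; consider printing the command's exit status. Dropping `--draft` on creation and adding the `ready-for-doc-review` label is consistent with the intent.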
15 changes: 15 additions & 0 deletions content/actions/concepts/runners/larger-runners.md
Expand Up @@ -24,11 +24,26 @@ To learn about larger runners, see [the {% data variables.product.prodname_ghe_c

{% data variables.product.prodname_dotcom %} offers {% data variables.actions.hosted_runners %} with macOS, Ubuntu, or Windows operating systems, and different features and sizes are available depending on which operating system you use.

{% ifversion default-setup-larger-runners %}

## About {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_code_scanning %} default setup

Consider configuring {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_code_scanning %} default setup if:

* Your scans with standard {% data variables.product.prodname_dotcom %}-hosted runners are taking too long.
* Your scans with standard {% data variables.product.prodname_dotcom %}-hosted runners are returning memory or disk errors.
* You want to customize aspects of your {% data variables.product.prodname_code_scanning %} runner, such as the runner size, runner image, and job concurrency, without using self-hosted runners.

For more information on configuring {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_code_scanning %} default setup, see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/configuring-larger-runners-for-default-setup).

{% endif %}

## About Ubuntu and Windows {% data variables.actions.hosted_runners %}

{% data variables.actions.hosted_runner_caps %}s with Ubuntu or Windows operating systems are configured in your organization or enterprise. When you add a {% data variables.actions.hosted_runner %}, you are defining a type of machine from a selection of available hardware specifications and operating system images.

With Ubuntu and Windows {% data variables.actions.hosted_runners %}, you can:

* Assign runners static IP addresses from a specific range, allowing you to use this range to configure a firewall allowlist
* Control access to your resources by assigning runners to runner groups
* Use autoscaling to simplify runner management and control your costs
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,6 @@ intro: Disable {% data variables.product.prodname_GHAS %} and prevent accidental
permissions: Enterprise owners
versions:
feature: disable-ghas-button
topics:
- Billing
- Advanced Security
- Enterprise
shortTitle: Disable GHAS for enterprise
contentType: how-tos
---
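Review bot: the whole `topics:` block (Billing, Advanced Security, Enterprise) is removed and the front matter now declares no topics at all, with nothing in the hunk explaining it. If the docs linter now rejects these values for `how-tos` content, keep a replacement set rather than none; otherwise this looks like an accidental deletion and should be reverted.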
Expand All @@ -34,4 +30,4 @@ Once you have disabled {% data variables.product.prodname_GHAS %}:
* If you use **volume billing**, you agreed to a number of licenses and billing period upfront. You'll continue to pay for the rest of this period.
* If you use **metered billing**, you pay based on usage, and your billing will stop from next month. However, you _will_ continue paying for any licenses you've already consumed this month until the end of the month.

For example, if you had 10 licenses in use and disabled GHAS on the second day of the month, you will still be billed for your 10 licenses for the full month instead of just for the two days.
For example, if you had 10 licenses in use and disabled {% data variables.product.prodname_GHAS %} on the second day of the month, you will still be billed for your 10 licenses for the full month instead of just for the two days.
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,12 @@ The {% data variables.product.prodname_codeql_cli %} uses special programs, call

{% data reusables.code-scanning.codeql-license %}

## About {% data variables.product.prodname_codeql_cli %} database bundles

The {% data variables.product.prodname_codeql_cli %} database bundle command can be used to create a relocatable archive of a {% data variables.product.prodname_codeql %} database.

A copy of a database bundle can be used to share troubleshooting information with your team members or with {% data variables.contact.github_support %}. See [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/creating-database-bundle-for-troubleshooting).

## Getting started

For the simplest way to get started, see [AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli).
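Review bot: the new section says a bundle "can be used to share troubleshooting information with your team members or with Support" but never says what the archive contains, which is exactly what a reader needs to know before sending one outside their organization; add a sentence on the bundle's contents here or make sure the linked how-to covers it. Also render the command as code, `codeql database bundle`, so it matches how subcommands are shown elsewhere on the page and can be searched for.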
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
title: About Copilot Autofix for code scanning
shortTitle: Copilot Autofix
allowTitleToDifferFromFilename: true
intro: '{% data variables.copilot.copilot_autofix_short %} provides targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts and avoid introducing new security vulnerabilities.'
product: '{% data reusables.rai.code-scanning.gated-feature-autofix %}'
versions:
feature: code-scanning-autofix
contentType: concepts
topics:
- Code Security
- Code scanning
- CodeQL
- AI
---

{% data variables.copilot.copilot_autofix_short %} is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts so you can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from {% data variables.product.prodname_code_scanning %} analysis.

## How {% data variables.copilot.copilot_autofix_short %} works

{% data variables.copilot.copilot_autofix_short %} translates the description and location of an alert into code changes that may fix the alert. It interfaces with the large language model {% data variables.copilot.copilot_gpt_51 %} from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.

## Enabling and managing {% data variables.copilot.copilot_autofix_short %}

You do not need a subscription to {% data variables.product.prodname_copilot %} to use {% data variables.copilot.copilot_autofix %}. {% data variables.copilot.copilot_autofix_short %} is available to all public repositories on {% data variables.product.prodname_dotcom_the_website %}, as well as internal or private repositories owned by organizations and enterprises that have a license for {% data variables.product.prodname_GH_code_security %}.

{% data variables.copilot.copilot_autofix_short %} is allowed by default and enabled for every repository that uses {% data variables.product.prodname_codeql %}, regardless of whether it uses default or advanced setup for {% data variables.product.prodname_code_scanning %}. There is no separate step to enable {% data variables.copilot.copilot_autofix_short %}: enabling {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} is sufficient. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).

Administrators at the enterprise, organization, and repository levels can choose to disable {% data variables.copilot.copilot_autofix_short %}. If {% data variables.copilot.copilot_autofix_short %} has been disabled at your level, you can re-enable it by following the same steps used to disable it and selecting the option to allow {% data variables.copilot.copilot_autofix_short %}. To learn how to manage {% data variables.copilot.copilot_autofix_short %} at each level, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/disabling-autofix-for-code-scanning).
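Review bot: the link at "See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" uses the old `/code-security/code-scanning/...` path while every other new link in this PR uses `/code-security/how-tos/...`; check it resolves without a redirect. The sentence "allowed by default and enabled for every repository" runs together the policy setting (allowed at enterprise or organization level) and the repository state (enabled), and the final paragraph then says administrators at three levels can disable it; spell out that distinction, since it is what an administrator deciding whether to turn the feature off needs. "Sufficient generative capabilities" says nothing concrete and can be dropped.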
1 change: 1 addition & 0 deletions content/code-security/concepts/code-scanning/index.md
Expand Up @@ -15,6 +15,7 @@ contentType: concepts
children:
- /about-code-scanning
- /about-code-scanning-alerts
- /copilot-autofix-for-code-scanning
- /setup-types
- /about-integration-with-code-scanning
- /sarif-files
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
---
title: Delegated alert dismissal
intro: 'Increase your governance over security alerts with delegated alert dismissal.'
versions:
feature: security-delegated-alert-dismissal
topics:
- Alerts
- Repositories
- Dependencies
- Vulnerabilities
- Secret scanning
- Code scanning
contentType: concepts
---

Delegated alert dismissal lets you restrict which users can directly dismiss an alert. When you enable the feature:
* Users with write access to a repository must request to dismiss alerts in that repository.
* Organization owners and security managers can approve or deny dismissal requests, as well as dismiss alerts directly themselves.

Reviewers are notified of dismissal requests via email, and can either approve the request to dismiss the alert, or deny the request to leave the alert open. After a request is reviewed, the requester is notified of the outcome via email.

## Availability

You can enable delegated alert dismissal for:
* {% data variables.product.prodname_code_scanning_caps %} alerts (available on {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_ghe_server %} 3.17+)
* {% data variables.product.prodname_secret_scanning_caps %} alerts (available on {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_ghe_server %} 3.17+)
* {% data variables.product.prodname_dependabot_alerts %} (available on {% data variables.product.prodname_dotcom_the_website %} and {% data variables.product.prodname_ghe_server %} 3.21+)

## Custom roles for delegated alert dismissal

You can use a custom role to let team members who are not organization owners or security managers respond to dismissal requests and dismiss alerts directly. The custom role needs the following permissions:

* Organization permissions for reviewing and bypassing alert dismissal requests. To find the exact permissions required for a particular product, see [Permissions for organization access](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles#permissions-for-organization-access).
* Repository permissions to view, dismiss, and reopen alerts. To find the exact permissions required for a particular product, see [Security](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles#security).

{% data reusables.organizations.custom-role-repo-perms-preview-note %}

## Next steps

To configure delegated alert dismissal, see:
* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/enabling-delegated-alert-dismissal-for-code-scanning)
* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-secret-scanning-alerts/enabling-delegated-alert-dismissal-for-secret-scanning){% ifversion dependabot-delegated-alert-dismissal %}
* [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/enable-delegated-alert-dismissal){% endif %}
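Review bot: the Availability list shows the Dependabot bullet unconditionally ("{% data variables.product.prodname_dependabot_alerts %} (available on ... 3.21+)") while the matching Next steps link is wrapped in `{% ifversion dependabot-delegated-alert-dismissal %}`; on a version where that flag is false the page advertises Dependabot support with no link to configure it. Wrap the Availability bullet in the same `ifversion`. The two lists that follow "When you enable the feature:" and "You can enable delegated alert dismissal for:" also start with no blank line after the lead sentence, unlike the Next steps list, so align them for consistency.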
1 change: 1 addition & 0 deletions content/code-security/concepts/security-at-scale/index.md
Expand Up @@ -20,6 +20,7 @@ children:
- /about-security-overview
- /about-security-campaigns
- /auditing-security-alerts
- /delegated-alert-dismissal
- /about-supply-chain-security-for-your-enterprise
redirect_from:
- /admin/managing-code-security/managing-supply-chain-security-for-your-enterprise