Merge branch 'main' into patch-10

Author: Sharra-writes

content/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets.md

@@ -167,7 +167,8 @@ You can check which access policies are being applied to a secret in your organi
 > [!NOTE]
 > * {% data reusables.actions.forked-secrets %}
 > * Secrets are not automatically passed to reusable workflows. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow).
-> {% data reusables.actions.about-oidc-short-overview %}
+> * Secrets are not available to workflows triggered by {% data variables.product.prodname_dependabot %} events. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#accessing-secrets).
+> * {% data reusables.actions.about-oidc-short-overview %}
 
 > [!WARNING] Mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs.
 

content/actions/tutorials/use-containerized-services/create-redis-service-containers.md

@@ -35,7 +35,7 @@ This guide shows you workflow examples that configure a service container using
 You may also find it helpful to have a basic understanding of YAML, the syntax for {% data variables.product.prodname_actions %}, and Redis. For more information, see:
 
 * [AUTOTITLE](/actions/learn-github-actions)
-* [Getting Started with Redis](https://redislabs.com/get-started-with-redis/) in the Redis documentation
+* [Getting Started with Redis](https://redis.io/learn/howtos/quick-start) in the Redis documentation
 
 ## Running jobs in containers
 

content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md

@@ -108,11 +108,14 @@ After the initial configuration of SAML SSO, the only setting you can update on
 {% data reusables.enterprise-accounts.identity-provider-tab %}
 {% data reusables.enterprise-accounts.sso-configuration %}
 
-1. Under "SAML single sign-on", select **Add SAML configuration**.
+1. Under "SAML single sign-on," select **Add SAML configuration**.
 1. Under **Sign on URL**, type the HTTPS endpoint of your IdP for SSO requests that you noted while configuring your IdP.
 1. Under **Issuer**, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.
 1. Under **Public Certificate**, paste the certificate that you noted while configuring your IdP, to verify SAML responses.
-1. Under **Public Certificate**, select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer.
+
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+1. Under the same **Public Certificate** section, select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer.
 1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration**. {% data reusables.saml.test-must-succeed %}
 1. Click **Save SAML settings**.
 

content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -92,6 +92,7 @@ For more detailed information about how to enable SAML using Okta, see [AUTOTITL
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.security-tab %}
+
 1. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %}
 1. Under "SAML single sign-on", select **Require SAML authentication**.
 1. In the **Sign on URL** field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.
@@ -101,6 +102,7 @@ For more detailed information about how to enable SAML using Okta, see [AUTOTITL
    To find the certificate, refer to the documentation for your IdP. Some IdPs call this an X.509 certificate.
 
 {% data reusables.saml.edit-signature-and-digest-methods %}
+
 1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration** . {% data reusables.saml.test-must-succeed %}
 1. Click **Save**.
 {% data reusables.enterprise-accounts.download-recovery-codes %}
@@ -117,6 +119,7 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.authentication %}
+
 1. Under "Authentication", select **SAML**.
 1. {% data reusables.enterprise_user_management.built-in-authentication-option %}
 1. Optionally, to enable unsolicited response SSO, select **IdP initiated SSO**. By default, {% data variables.product.prodname_ghe_server %} will reply to an unsolicited Identity Provider (IdP) initiated request with an `AuthnRequest` back to the IdP.
@@ -129,18 +132,23 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 
    You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.location.product_location %}'s public certificate to your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/enabling-encrypted-assertions).
 
-1. Under "Single sign-on URL," type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.location.product_location %} to use internal nameservers](/admin/configuration/configuring-network-settings/configuring-dns-nameservers).
+1. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.location.product_location %} to use internal nameservers](/admin/configuration/configuring-network-settings/configuring-dns-nameservers).
 1. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of messages sent to {% data variables.location.product_location %}.
 1. Select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer to verify the integrity of the requests from {% data variables.location.product_location %}.
 1. Select the **Name Identifier Format** dropdown menu, then click a format.
-1. Under "Verification certificate," click **Choose File**, then choose a certificate to validate SAML responses from the IdP.
+1. Under "Verification certificate", click **Choose File**, then choose a certificate to validate SAML responses from the IdP.
+
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+
 1. Under "User attributes", modify the SAML attribute names to match your IdP if needed, or accept the default names.
 
 {% endif %}
 
 ## Further reading
 
 {%- ifversion ghec %}
+
 * [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization)
 {%- endif %}
 {%- ifversion ghes %}

content/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication.md

@@ -31,22 +31,24 @@ For more information about SAML response requirements, see [AUTOTITLE](/admin/id
 You can configure {% data variables.product.prodname_ghe_server %} to write verbose debug logs for every SAML authentication attempt. You may be able to troubleshoot failed authentication attempts with this extra output.
 
 > [!WARNING]
+>
 > * Only enable SAML debugging temporarily, and disable debugging immediately after you finish troubleshooting. If you leave debugging enabled, the size of the logs increases much faster than usual, which can negatively impact the performance of {% data variables.product.prodname_ghe_server %}.
 > * Test new authentication settings for {% data variables.location.product_location %} in a staging environment before you apply the settings in your production environment. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance).
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}
 {% data reusables.enterprise-accounts.options-tab %}
+
 1. Under "SAML debugging", select the drop-down and click **Enabled**.
-1. Attempt to sign into {% data variables.location.product_location %} through your SAML IdP.
-1. Review the debug output in the systemd journal for `github-unicorn`on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs#system-logs-in-the-systemd-journal-for-github-enterprise-server).
+1. Attempt to sign in to {% data variables.location.product_location %} through your SAML IdP.
+1. Review the debug output in the `systemd` journal for `github-unicorn` on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs#system-logs-in-the-systemd-journal-for-github-enterprise-server).
 1. When you're done troubleshooting, select the drop-down and click **Disabled**.
 
 ## Decoding responses
 
-Some output in the systemd journal for `github-unicorn` may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.location.product_location %} to decode these responses. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh).
+Some output in the `systemd` journal for `github-unicorn` may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.location.product_location %} to decode these responses. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh).
 
-To decode the output, run the following command, replacing ENCODED_OUTPUT with the encoded output from the log.
+To decode the output, run the following command, replacing `ENCODED_OUTPUT` with the encoded output from the log.
 
 ```shell
 base64 --decode ENCODED_OUTPUT
@@ -110,3 +112,11 @@ This error can occur in version 3.17.0 or later of {% data variables.location.pr
 {% ifversion ghec %}
 {% data reusables.saml.authentication-loop %}
 {% endif %}
+
+## Error: Digest mismatch
+
+A "Digest mismatch" error indicates that your SAML IdP is using a different SAML signing certificate than the one you have uploaded to {% data variables.product.github %}{% ifversion ghes %} or that the **Signature Method** or **Digest Method** configured on {% data variables.product.github %} differs from what your IdP is using{% endif %}.
+
+{% ifversion ghes %}Re-download this SAML certificate from your IdP and validate it using an online tool, such as the [Format a x509 cert](https://www.samltool.com/format_x509cert.php) tool from OneLogin. Then upload the SAML certificate again in the "Authentication" section in your {% data variables.product.prodname_ghe_server %} management console. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-management-console#accessing-the-management-console-as-an-unauthenticated-user).{% endif %}
+
+{% ifversion ghec %}Re-download this SAML certificate from your IdP and validate it using a tool such as the [Format a x509 cert](https://www.samltool.com/format_x509cert.php) tool from OneLogin. Then update the certificate saved in the {% data variables.product.github %} SAML settings.{% endif %}

content/authentication/troubleshooting-ssh/using-ssh-over-the-https-port.md

@@ -14,7 +14,8 @@ shortTitle: Use SSH over HTTPS port
 ---
 
 > [!WARNING]
-> **{% data variables.product.prodname_ghe_server %} users:** Accessing {% data variables.product.prodname_ghe_server %} via SSH over the HTTPS port is currently not supported.
+> **{% data variables.product.prodname_ghe_server %} users:** Accessing {% data variables.product.prodname_ghe_server %} via SSH over the HTTPS port is currently not supported.  
+> **{% data variables.enterprise.data_residency %} users:** Accessing {% data variables.enterprise.data_residency %} via SSH over the HTTPS port is currently not supported.
 
 To test if SSH over the HTTPS port is possible, run this SSH command:
 
@@ -27,9 +28,6 @@ $ ssh -T -p 443 git@ssh.github.com
 If that worked, great! If not, you may need to [follow our troubleshooting guide](/authentication/troubleshooting-ssh/error-permission-denied-publickey).
 
 > [!NOTE] The hostname for port 443 is `ssh.{% data variables.product.product_url %}`, not `{% data variables.product.product_url %}`.
-> {% ifversion ghec %}
-> {% data reusables.enterprise-data-residency.access-domain %}
-{% endif %}
 
 Now, to clone the repository, you can run the following command:
 

content/billing/concepts/enterprise-billing/azure-devops-licenses.md

@@ -0,0 +1,19 @@
+---
+title: Combined use of GitHub Enterprise and Azure DevOps
+intro: '{% data variables.product.prodname_ghe_cloud %} customers can use Azure DevOps without additional costs.'
+versions:
+  fpt: '*'
+  ghec: '*'
+topics:
+  - Billing
+  - Enterprise
+  - Licensing
+shortTitle: Azure DevOps licenses
+contentType: concepts
+---
+
+{% data variables.product.prodname_ghe_cloud %} customers can use Azure DevOps without additional costs per user. For customers using Microsoft Entra, users can sign in with the same credentials on {% data variables.product.github %} and Azure DevOps.
+
+No additional setup is required. {% data variables.product.prodname_enterprise %} users are detected automatically when they sign in to Azure DevOps. See [User and permissions management](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/faq-user-and-permissions-management?view=azure-devops#github-enterprise) in the Microsoft Learn documentation.
+
+Combined use is not currently available with {% data variables.enterprise.data_residency %}, but this is planned as a future improvement.