Repo sync

content/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets.md

@@ -167,7 +167,8 @@ You can check which access policies are being applied to a secret in your organi
 > [!NOTE]
 > * {% data reusables.actions.forked-secrets %}
 > * Secrets are not automatically passed to reusable workflows. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow).
-> {% data reusables.actions.about-oidc-short-overview %}
+> * Secrets are not available to workflows triggered by {% data variables.product.prodname_dependabot %} events. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#accessing-secrets).
+> * {% data reusables.actions.about-oidc-short-overview %}
 
 > [!WARNING] Mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs.
 

content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md

@@ -108,11 +108,14 @@ After the initial configuration of SAML SSO, the only setting you can update on
 {% data reusables.enterprise-accounts.identity-provider-tab %}
 {% data reusables.enterprise-accounts.sso-configuration %}
 
-1. Under "SAML single sign-on", select **Add SAML configuration**.
+1. Under "SAML single sign-on," select **Add SAML configuration**.
 1. Under **Sign on URL**, type the HTTPS endpoint of your IdP for SSO requests that you noted while configuring your IdP.
 1. Under **Issuer**, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.
 1. Under **Public Certificate**, paste the certificate that you noted while configuring your IdP, to verify SAML responses.
-1. Under **Public Certificate**, select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer.
+
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+1. Under the same **Public Certificate** section, select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer.
 1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration**. {% data reusables.saml.test-must-succeed %}
 1. Click **Save SAML settings**.
 

content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -92,6 +92,7 @@ For more detailed information about how to enable SAML using Okta, see [AUTOTITL
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.security-tab %}
+
 1. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %}
 1. Under "SAML single sign-on", select **Require SAML authentication**.
 1. In the **Sign on URL** field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.
@@ -101,6 +102,7 @@ For more detailed information about how to enable SAML using Okta, see [AUTOTITL
    To find the certificate, refer to the documentation for your IdP. Some IdPs call this an X.509 certificate.
 
 {% data reusables.saml.edit-signature-and-digest-methods %}
+
 1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration** . {% data reusables.saml.test-must-succeed %}
 1. Click **Save**.
 {% data reusables.enterprise-accounts.download-recovery-codes %}
@@ -117,6 +119,7 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.authentication %}
+
 1. Under "Authentication", select **SAML**.
 1. {% data reusables.enterprise_user_management.built-in-authentication-option %}
 1. Optionally, to enable unsolicited response SSO, select **IdP initiated SSO**. By default, {% data variables.product.prodname_ghe_server %} will reply to an unsolicited Identity Provider (IdP) initiated request with an `AuthnRequest` back to the IdP.
@@ -129,18 +132,23 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 
    You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.location.product_location %}'s public certificate to your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/enabling-encrypted-assertions).
 
-1. Under "Single sign-on URL," type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.location.product_location %} to use internal nameservers](/admin/configuration/configuring-network-settings/configuring-dns-nameservers).
+1. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.location.product_location %} to use internal nameservers](/admin/configuration/configuring-network-settings/configuring-dns-nameservers).
 1. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of messages sent to {% data variables.location.product_location %}.
 1. Select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer to verify the integrity of the requests from {% data variables.location.product_location %}.
 1. Select the **Name Identifier Format** dropdown menu, then click a format.
-1. Under "Verification certificate," click **Choose File**, then choose a certificate to validate SAML responses from the IdP.
+1. Under "Verification certificate", click **Choose File**, then choose a certificate to validate SAML responses from the IdP.
+
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+
 1. Under "User attributes", modify the SAML attribute names to match your IdP if needed, or accept the default names.
 
 {% endif %}
 
 ## Further reading
 
 {%- ifversion ghec %}
+
 * [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization)
 {%- endif %}
 {%- ifversion ghes %}

content/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication.md

@@ -31,22 +31,24 @@ For more information about SAML response requirements, see [AUTOTITLE](/admin/id
 You can configure {% data variables.product.prodname_ghe_server %} to write verbose debug logs for every SAML authentication attempt. You may be able to troubleshoot failed authentication attempts with this extra output.
 
 > [!WARNING]
+>
 > * Only enable SAML debugging temporarily, and disable debugging immediately after you finish troubleshooting. If you leave debugging enabled, the size of the logs increases much faster than usual, which can negatively impact the performance of {% data variables.product.prodname_ghe_server %}.
 > * Test new authentication settings for {% data variables.location.product_location %} in a staging environment before you apply the settings in your production environment. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance).
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}
 {% data reusables.enterprise-accounts.options-tab %}
+
 1. Under "SAML debugging", select the drop-down and click **Enabled**.
-1. Attempt to sign into {% data variables.location.product_location %} through your SAML IdP.
-1. Review the debug output in the systemd journal for `github-unicorn`on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs#system-logs-in-the-systemd-journal-for-github-enterprise-server).
+1. Attempt to sign in to {% data variables.location.product_location %} through your SAML IdP.
+1. Review the debug output in the `systemd` journal for `github-unicorn` on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs#system-logs-in-the-systemd-journal-for-github-enterprise-server).
 1. When you're done troubleshooting, select the drop-down and click **Disabled**.
 
 ## Decoding responses
 
-Some output in the systemd journal for `github-unicorn` may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.location.product_location %} to decode these responses. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh).
+Some output in the `systemd` journal for `github-unicorn` may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.location.product_location %} to decode these responses. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh).
 
-To decode the output, run the following command, replacing ENCODED_OUTPUT with the encoded output from the log.
+To decode the output, run the following command, replacing `ENCODED_OUTPUT` with the encoded output from the log.
 
 ```shell
 base64 --decode ENCODED_OUTPUT
@@ -110,3 +112,11 @@ This error can occur in version 3.17.0 or later of {% data variables.location.pr
 {% ifversion ghec %}
 {% data reusables.saml.authentication-loop %}
 {% endif %}
+
+## Error: Digest mismatch
+
+A "Digest mismatch" error indicates that your SAML IdP is using a different SAML signing certificate than the one you have uploaded to {% data variables.product.github %}{% ifversion ghes %} or that the **Signature Method** or **Digest Method** configured on {% data variables.product.github %} differs from what your IdP is using{% endif %}.
+
+{% ifversion ghes %}Re-download this SAML certificate from your IdP and validate it using an online tool, such as the [Format a x509 cert](https://www.samltool.com/format_x509cert.php) tool from OneLogin. Then upload the SAML certificate again in the "Authentication" section in your {% data variables.product.prodname_ghe_server %} management console. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-management-console#accessing-the-management-console-as-an-unauthenticated-user).{% endif %}
+
+{% ifversion ghec %}Re-download this SAML certificate from your IdP and validate it using a tool such as the [Format a x509 cert](https://www.samltool.com/format_x509cert.php) tool from OneLogin. Then update the certificate saved in the {% data variables.product.github %} SAML settings.{% endif %}

content/github-models/use-github-models/prototyping-with-ai-models.md

@@ -271,7 +271,7 @@ For custom models accessed with your own API keys, rate limits are set and enfor
     <td>1</td>
   </tr>
   <tr>
-    <th rowspan="4" scope="rowgroup"><b>Azure OpenAI o1 and o3</b></th>
+    <th rowspan="4" scope="rowgroup"><b>Azure OpenAI o1, o3, and gpt-5</b></th>
     <th style="padding-left: 0"><b>Requests per minute</b></th>
     <td>Not applicable</td>
     <td>1</td>
@@ -300,7 +300,7 @@ For custom models accessed with your own API keys, rate limits are set and enfor
     <td>1</td>
   </tr>
   <tr>
-    <th rowspan="4" scope="rowgroup"><b>Azure OpenAI o1-mini, o3-mini, and o4-mini</b></th>
+    <th rowspan="4" scope="rowgroup"><b>Azure OpenAI o1-mini, o3-mini, o4-mini, gpt-5-mini, gpt-5-nano, and gpt-5-chat</b></th>
     <th style="padding-left: 0"><b>Requests per minute</b></th>
     <td>Not applicable</td>
     <td>2</td>

content/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization.md

@@ -35,7 +35,8 @@ For more information about the identity providers (IdPs) that {% data variables.
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}
 {% data reusables.organizations.security %}
-1. Under "SAML single sign-on", select **Enable SAML authentication**.
+
+1. Under "SAML single sign-on," select **Enable SAML authentication**.
 
    > [!NOTE]
    > After enabling SAML SSO, you can download your single sign-on recovery codes so that you can access your organization even if your IdP is unavailable. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes).
@@ -46,8 +47,13 @@ For more information about the identity providers (IdPs) that {% data variables.
    > [!NOTE]
    > If you want to enable team synchronization for your organization, the "Issuer" field is a required. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization).
 
-1. Under "Public Certificate," paste a certificate to verify SAML responses.
+1. Under "Public Certificate", paste a certificate to verify SAML responses.
+
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+
 {% data reusables.saml.edit-signature-and-digest-methods %}
+
 1. Before enabling SAML SSO for your organization, to ensure that the information you've entered is correct, click **Test SAML configuration**. {% data reusables.saml.test-must-succeed %}
 
    > [!TIP]