Merge pull request #39111 from github/repo-sync

Repo sync

Author: docs-bot

CHANGELOG.md

@@ -2,6 +2,23 @@
 
 **27 June 2025**
 
+We’ve published a new set of new documentation articles designed to help users make the most of the **Dependabot metrics page** in the organization’s security overview.
+
+These clear, actionable guides help users:
+
+- **[View metrics for Dependabot alerts](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/viewing-metrics-for-dependabot-alerts)**
+  This article is aimed at security and engineering leads who want to learn how to access and interpret key metrics, so they can quickly assess their organization’s exposure and remediation progress.
+
+- **[Understand your organization’s exposure to vulnerable dependencies](https://docs.github.com/en/enterprise-cloud@latest/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilites/about-your-exposure-to-vulnerable-dependencies)**
+  In this article, security analysts and compliance teams get a deep dive into how vulnerable dependencies are tracked and what these numbers mean for their risk landscape.
+
+- **[Prioritize Dependabot alerts using metrics](https://docs.github.com/en/enterprise-cloud@latest/code-security/securing-your-organization/understanding-your-organizations-exposure-to-vulnerabilites/prioritizing-dependabot-alerts-using-metrics)**
+  This guide provides engineering managers and remediation teams with strategies for using metrics to focus the team’s efforts where they matter most, making remediation more efficient.
+
+<hr>
+
+**27 June 2025**
+
 We've published a new scenario-based guide for Copilot: [Learning a new programming language with GitHub Copilot](https://docs.github.com/en/copilot/tutorials/learning-a-new-programming-language-with-github-copilot).
 
 This guide is for developers who are proficient with at least one programming language and want to learn an additional language. It provides information about how you can use Copilot as your personalized learning assistant. It also provides many ready-made prompts that you can use when you are learning a new programming language.

assets/images/help/copilot/ask-to-explain.png

@@ -44,12 +44,25 @@ For detailed guidance, see [Prioritizing meaningful updates](/code-security/depe
 
 {% endif %}
 
+{% ifversion dependabot-reviewers-deprecation %}
+
+## Automatically adding reviewers
+
+To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% else %}
+
 ## Automatically adding reviewers and assignees
 
+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 To ensure your project's security updates get **addressed promptly** by the appropriate team, use `reviewers` and `assignees` to automatically add individuals or teams as **reviewers or assignees** to pull requests.
 
 For detailed guidance, see [Automatically adding reviewers and assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-reviewers-and-assignees).
 
+{% endif %}
+
 ## Labeling pull requests with custom labels
 
 To **prioritize** specific pull requests, or integrate them into CI/CD pipelines, use `labels` to apply your own **custom labels** to each pull request.
@@ -79,9 +92,58 @@ For detailed guidance, see [Changing the separator in the pull request branch na
 In this example, the `dependabot.yml` file:
 * Uses a private registry for updates to npm dependencies.
 * Disables version updates for dependencies, so that any customizations apply to security updates only.
-* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds reviewers and assignees.{% ifversion dependabot-grouped-security-updates-config %}
+* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds {% ifversion ghes < 3.19 %}reviewers and {% endif %}assignees.{% ifversion dependabot-grouped-security-updates-config %}
 * Groups security updates for golang dependencies into a single pull request.{% endif %}
 
+{% ifversion dependabot-reviewers-deprecation %}
+
+```yaml copy
+# Example configuration file that:
+#  - Uses a private registry for npm updates
+#  - Ignores lodash dependency
+#  - Disables version-updates
+#  - Applies custom labels
+{% ifversion dependabot-grouped-security-updates-config %}#  - Group security updates for golang dependencies into a single pull request{%- endif %}
+
+version: 2
+registries:
+  # Define a private npm registry with the name `example`
+  example:
+    type: npm-registry
+    url: https://example.com
+    token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %}
+updates:
+  - package-ecosystem: "npm"
+    directory: "/src/npm-project"
+    schedule:
+      interval: "daily"
+    # For Lodash, ignore all updates
+    ignore:
+      - dependency-name: "lodash"
+    # Disable version updates for npm dependencies
+    open-pull-requests-limit: 0
+    registries:
+      # Ask Dependabot to use the private registry for npm
+      - example
+    # Raise all npm pull requests for security updates with custom labels
+    labels:
+      - "npm dependencies"
+      - "triage-board"
+    # Raise all npm pull requests for security updates with assignees
+    assignees:
+      - "user-name"
+  {% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod"
+    groups:
+      # Group security updates for golang dependencies
+      # into a single pull request
+      golang:
+        applies-to: security-updates
+        patterns:
+          - "golang.org*"{% endif %}
+```
+
+{% else %}
+
 ```yaml copy
 # Example configuration file that:
 #  - Uses a private registry for npm updates
@@ -132,6 +194,8 @@ updates:
           - "golang.org*"{% endif %}
 ```
 
+{% endif %}
+
 ## Example 2: configuration for version updates and security updates
 
 In this example, the `dependabot.yml` file:

assets/images/help/copilot/highlight-lines.png

@@ -19,18 +19,37 @@ shortTitle: Customize Dependabot PRs
 
 There are various ways to customize your {% data variables.product.prodname_dependabot %} pull requests so that they better suit your own internal processes.
 
+{% ifversion dependabot-reviewers-deprecation %}
+
+For example, to integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows.
+
+{% else %}
+
 For example:
 * To maximize efficiency, {% data variables.product.prodname_dependabot %} can automatically add specific individuals or teams as **reviewers** to its pull requests for a particular package ecosystem.
 * To integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows.
 
+{% endif %}
+
 There are several different customization options which can all be used in combination, and tailored per package ecosystem.
 
+{% ifversion dependabot-reviewers-deprecation %}
+
+## Automatically adding reviewers
+
+To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% else %}
+
 ## Automatically adding reviewers and assignees
 
 By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees.
 
 However, you may want pull requests to be consistently reviewed or dealt with by a specific individual or team that has expertise in that package ecosystem, or automatically assigned to a designated security team. In which case, you can use `reviewers` and `assignees` to set these values per package ecosystem.
 
+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have:
 * A team ("`my-org/team-name`") and an individual ("`octocat`") automatically added as reviewers to the pull requests.
 * An individual ("`user-name`") automatically assigned to the pull requests.
@@ -59,6 +78,8 @@ updates:
 
 See also [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) and [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers--).
 
+{% endif %}
+
 ## Labeling pull requests with custom labels
 
 {% data reusables.dependabot.default-labels %}

content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md

@@ -456,8 +456,13 @@ When `registries` is defined for a package manager:
 
 Supported values: `REGISTRY_NAME` or `"*"`
 
+{% ifversion dependabot-reviewers-deprecation %}{% else %}
+
 ## `reviewers` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
 
+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager.  For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
 
 {% data variables.product.prodname_dependabot %} default behavior:
@@ -471,6 +476,11 @@ When `reviewers` is defined:
 
 Reviewers must have at least read access to the repository.
 
+> [!NOTE]
+> You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% endif %}
+
 ## `schedule` {% octicon "versions" aria-label="Version updates only" height="24" %}
 
 **Required option.** Define how often to check for new versions for each package manager you configure using the `interval` parameter. Optionally, for daily and weekly intervals, you can customize when {% data variables.product.prodname_dependabot %} checks for updates. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).

content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md

@@ -0,0 +1,26 @@
+---
+title: Achieving your company's engineering goals with GitHub Copilot
+shortTitle: Achieve company goals
+intro: 'Plan your rollout based on GitHub''s recommended approach for driving and measuring improvements.'
+versions:
+  feature: copilot
+allowTitleToDifferFromFilename: true
+---
+
+When your company rolls out a new tool such as {% data variables.product.prodname_copilot %}, you will want to measure the impact of the tool on your engineering systems and assess the tool's contribution to your company's goals.
+
+{% data variables.product.company_short %}'s [Engineering System Success Playbook](https://resources.github.com/engineering-system-success-playbook/) (ESSP) provides strategies and metrics for driving meaningful and measurable improvements. The playbook recommends a three-step process for solving engineering challenges:
+
+1. Identify the current barriers to success.
+1. Evaluate what needs to be done to achieve your goals.
+1. Implement your changes, monitor results, and adjust.
+
+## Define your goals
+
+Based on the recommendations of the ESSP, the following guides show how {% data variables.product.prodname_copilot %} can help you achieve your company's goals in specific areas. They explain how {% data variables.product.prodname_copilot_short %} can help, provide advice and resources for an effective rollout, and recommend metrics for assessing {% data variables.product.prodname_copilot_short %}'s impact.
+
+We recommend defining your goals and planning your rollout accordingly. You should communicate your goals to staff and organize training to enable everyone to contribute.
+
+* [AUTOTITLE](/copilot/tutorials/rolling-out-github-copilot-at-scale/driving-downstream-impact/increase-test-coverage)
+* [AUTOTITLE](/copilot/tutorials/rolling-out-github-copilot-at-scale/driving-downstream-impact/accelerate-pull-requests)
+* [AUTOTITLE](/copilot/tutorials/rolling-out-github-copilot-at-scale/driving-downstream-impact/reduce-security-debt)

content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md

@@ -1,6 +1,6 @@
 ---
 title: Choosing your enterprise's plan for GitHub Copilot
-shortTitle: Choose your plan
+shortTitle: Choose enterprise plan
 intro: 'Choose between {% data variables.copilot.copilot_business_short %} and {% data variables.copilot.copilot_enterprise_short %}.'
 versions:
   feature: copilot
@@ -10,6 +10,7 @@ permissions: Enterprise owners and billing managers
 redirect_from:
   - /copilot/rolling-out-github-copilot-at-scale/choosing-your-enterprises-plan-for-github-copilot
   - /copilot/rolling-out-github-copilot-at-scale/planning-your-rollout/choosing-your-enterprises-plan-for-github-copilot
+  - /copilot/tutorials/rolling-out-github-copilot-at-scale/planning-your-rollout/choosing-your-enterprises-plan-for-github-copilot
 ---
 
 When you adopt {% data variables.product.prodname_copilot %} in a company, you will sign up to a {% data variables.product.prodname_copilot_short %} plan designed for businesses. These plans allow you to:
@@ -40,6 +41,12 @@ When you subscribe your enterprise account to {% data variables.copilot.copilot_
 * Evaluate the benefits of {% data variables.copilot.copilot_enterprise_short %} for a smaller group of users before rolling it out further.
 * Enable {% data variables.copilot.copilot_enterprise_short %} in the organizations where it will have the most impact, such as organizations with complex documentation or specialized engineering requirements.
 
+## What are our goals for {% data variables.product.prodname_copilot_short %}?
+
+To drive and measure downstream impact of {% data variables.product.prodname_copilot_short %}, {% data variables.product.company_short %} recommends leading your rollout with specific engineering goals in mind. Your requirements for {% data variables.product.prodname_copilot_short %} features will depend on your overall goal for the rollout.
+
+For examples of how {% data variables.product.prodname_copilot_short %} can help with common problems in engineering teams, see [AUTOTITLE](/copilot/get-started/achieve-engineering-goals).
+
 ## Do we have projects with complex requirements?
 
 For complex projects like monorepos or legacy codebases, developers in your company may need to spend a long time finding and reading documentation before they can contribute.
@@ -71,6 +78,7 @@ To summarize:
 * Choose {% data variables.copilot.copilot_enterprise_short %} if your company has projects with complex requirements or large amounts of documentation. Knowledge bases give {% data variables.product.prodname_copilot_short %} enhanced context, which can save developers time and allow them to focus on tasks they enjoy.
 * If you think your developers will benefit from premium models and {% data variables.product.prodname_copilot_short %} code reviews, it may be cost effective to choose {% data variables.copilot.copilot_enterprise_short %} rather than pay for premium requests over your allowance.
 * If you're not sure about a full rollout, choose {% data variables.copilot.copilot_enterprise_short %} at the enterprise level and enable it for individual organizations where it will have the most impact.
+* Make your decision based on your downstream goals for the {% data variables.product.prodname_copilot_short %} rollout.
 
 ## Further reading
 

content/copilot/get-started/achieve-engineering-goals.md

@@ -12,6 +12,8 @@ children:
   - /plans-for-github-copilot
   - /github-copilot-features
   - /best-practices-for-using-github-copilot
+  - /choosing-your-enterprises-plan-for-github-copilot
+  - /achieve-engineering-goals
 redirect_from:
   - /copilot/about-github-copilot
 ---

content/copilot/tutorials/rolling-out-github-copilot-at-scale/planning-your-rollout/choosing-your-enterprises-plan-for-github-copilot.md renamed to content/copilot/get-started/choosing-your-enterprises-plan-for-github-copilot.md

@@ -1,6 +1,6 @@
 ---
 title: Assigning GitHub Copilot licenses in your enterprise
-shortTitle: Assigning licenses
+shortTitle: Assign licenses
 intro: Learn recommended practices for assigning licenses and managing costs.
 versions:
   feature: copilot