Repo sync

content/actions/how-tos/manage-runners/larger-runners/use-custom-images.md

@@ -44,6 +44,7 @@ To create a custom image, you must first set up an image-generation runner. When
    * **Platform**: Select a supported platform that matches the platform of the image you plan to create (Linux x64, Linux ARM64, or Windows x64).
    * **Image**: Select an image to build on, then enable the checkbox **Enable this runner to generate custom images**.
      * You can start from a {% data variables.product.github %}-owned image or choose a base image to start from a clean OS.
+     * You can start from an existing custom image as the base, enabling layered image workflows.
      * For ARM64 platforms, you can also select an ARM-maintained image with preinstalled tooling.
    * **Runner group**: Select the group for your runner to be a member of. Once the custom image is created, only runners in this runner group can generate new versions of that image.
 
@@ -139,6 +140,12 @@ If you specify an older major version in the YAML (for example, version: 1.* whe
 > [!NOTE]
 > {% data variables.actions.github_hosted_larger_runner %} creation does not support wildcards in image version selection.
 
+## Expiration for images built from custom images
+
+When a custom image is built from another custom image, the derived image inherits the expiration timeline of its base image. The maximum version age is calculated from when the base custom image was built, not when the derived image was created.
+
+For example, if Custom Image A is built on Day 2 and Custom Image B is built from A on Day 4 with a 7-day maximum version age policy, both A and B expire on Day 9.
+
 ## Billing and storage for custom images
 
 Jobs that use custom images are billed at the same per-minute rate as the {% data variables.actions.hosted_runner %} that uses the image. Storage for custom images is billed separately through {% data variables.product.prodname_actions %} storage.

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/actions-policies/about-actions-policies.md

@@ -0,0 +1,16 @@
+---
+title: About Actions policies
+shortTitle: About Actions policies
+intro: 'Actions policies let you govern how {% data variables.product.prodname_actions %} workflows run across organizations and repositories in your enterprise, starting with workflow execution protections.'
+versions:
+  ghec: '*'
+contentType: concepts
+---
+
+{% data reusables.actions.actions-policies-preview-note %}
+
+{% data reusables.actions.actions-policies-about-body %}
+
+## Next steps
+
+To configure workflow execution protections for your enterprise, including setting up event and actor rules, see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/actions-policies/workflow-execution-protections).

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/actions-policies/index.md

@@ -0,0 +1,11 @@
+---
+title: Actions policies
+shortTitle: Actions policies
+intro: 'Actions policies let you govern how {% data variables.product.prodname_actions %} workflows run across organizations and repositories in your enterprise.'
+versions:
+  ghec: '*'
+children:
+  - /about-actions-policies
+  - /workflow-execution-protections
+---
+

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/actions-policies/workflow-execution-protections.md

@@ -0,0 +1,23 @@
+---
+title: Workflow execution protections
+shortTitle: Workflow execution protections
+intro: 'Workflow execution protections let you control who can trigger {% data variables.product.prodname_actions %} workflows and which events are permitted to run them across your enterprise.'
+versions:
+  ghec: '*'
+contentType: how-tos
+---
+
+{% data reusables.actions.workflow-execution-protections-preview-note %}
+
+{% data reusables.actions.workflow-execution-protections-body %}
+
+## Configuring workflow execution protections
+
+You configure workflow execution protections in the new **Policies** section of your {% data variables.product.prodname_actions %} settings. This **Policies** section is separate from your existing **General** settings.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+{% data reusables.enterprise-accounts.actions-tab %}
+1. Click **Policies**.
+1. Create a ruleset, then add your event and actor rules.
+1. Choose whether the ruleset is active or in evaluate mode, then save your changes.

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/index.md

@@ -18,6 +18,7 @@ children:
   - /enforcing-policies-for-github-sponsors-in-your-enterprise
   - /enforcing-policies-for-security-settings-in-your-enterprise
   - /enforcing-policies-for-github-actions-in-your-enterprise
+  - /actions-policies
   - /enforcing-policies-for-github-copilot-in-your-enterprise
   - /enforcing-policies-for-github-codespaces-in-your-enterprise
   - /enforcing-policies-for-code-security-and-analysis-for-your-enterprise
@@ -27,3 +28,4 @@ children:
 shortTitle: Enforce policies
 ---
 
+

content/copilot/how-tos/copilot-sdk/getting-started.md

@@ -155,7 +155,7 @@ Create `index.ts`:
 import { CopilotClient } from "@github/copilot-sdk";
 
 const client = new CopilotClient();
-const session = await client.createSession({ model: "gpt-4.1" });
+const session = await client.createSession({ model: "auto" });
 
 const response = await session.sendAndWait({ prompt: "What is 2 + 2?" });
 console.log(response?.data.content);
@@ -184,7 +184,7 @@ async def main():
     client = CopilotClient()
     await client.start()
 
-    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="gpt-4.1")
+    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="auto")
     response = await session.send_and_wait("What is 2 + 2?")
     print(response.data.content)
 
@@ -224,7 +224,7 @@ func main() {
 	}
 	defer client.Stop()
 
-	session, err := client.CreateSession(ctx, &copilot.SessionConfig{Model: "gpt-4.1"})
+	session, err := client.CreateSession(ctx, &copilot.SessionConfig{Model: "auto"})
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -301,7 +301,7 @@ using GitHub.Copilot;
 await using var client = new CopilotClient();
 await using var session = await client.CreateSessionAsync(new SessionConfig
 {
-    Model = "gpt-4.1",
+    Model = "auto",
     OnPermissionRequest = PermissionHandler.ApproveAll
 });
 
@@ -333,7 +333,7 @@ public class HelloCopilot {
 
             var session = client.createSession(
                 new SessionConfig()
-                    .setModel("gpt-4.1")
+                    .setModel("auto")
                     .setOnPermissionRequest(PermissionHandler.APPROVE_ALL)
             ).get();
 
@@ -380,7 +380,7 @@ import { CopilotClient } from "@github/copilot-sdk";
 
 const client = new CopilotClient();
 const session = await client.createSession({
-    model: "gpt-4.1",
+    model: "auto",
     streaming: true,
 });
 
@@ -414,7 +414,7 @@ async def main():
     client = CopilotClient()
     await client.start()
 
-    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="gpt-4.1", streaming=True)
+    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="auto", streaming=True)
 
     # Listen for response chunks
     def handle_event(event):
@@ -459,7 +459,7 @@ func main() {
 	defer client.Stop()
 
 	session, err := client.CreateSession(ctx, &copilot.SessionConfig{
-		Model:     "gpt-4.1",
+		Model:     "auto",
 		Streaming: copilot.Bool(true),
 	})
 	if err != nil {
@@ -551,7 +551,7 @@ using GitHub.Copilot;
 await using var client = new CopilotClient();
 await using var session = await client.CreateSessionAsync(new SessionConfig
 {
-    Model = "gpt-4.1",
+    Model = "auto",
     OnPermissionRequest = PermissionHandler.ApproveAll,
     Streaming = true,
 });
@@ -590,7 +590,7 @@ public class HelloCopilot {
 
             var session = client.createSession(
                 new SessionConfig()
-                    .setModel("gpt-4.1")
+                    .setModel("auto")
                     .setStreaming(true)
                     .setOnPermissionRequest(PermissionHandler.APPROVE_ALL)
             ).get();
@@ -887,7 +887,7 @@ const getWeather = defineTool("get_weather", {
 
 const client = new CopilotClient();
 const session = await client.createSession({
-    model: "gpt-4.1",
+    model: "auto",
     streaming: true,
     tools: [getWeather],
 });
@@ -941,7 +941,7 @@ async def main():
     client = CopilotClient()
     await client.start()
 
-    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="gpt-4.1", streaming=True, tools=[get_weather])
+    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="auto", streaming=True, tools=[get_weather])
 
     def handle_event(event):
         if event.type == SessionEventType.ASSISTANT_MESSAGE_DELTA:
@@ -1016,7 +1016,7 @@ func main() {
 	defer client.Stop()
 
 	session, err := client.CreateSession(ctx, &copilot.SessionConfig{
-		Model:     "gpt-4.1",
+		Model:     "auto",
 		Streaming: copilot.Bool(true),
 		Tools:     []copilot.Tool{getWeather},
 	})
@@ -1152,7 +1152,7 @@ var getWeather = CopilotTool.DefineTool(
 
 await using var session = await client.CreateSessionAsync(new SessionConfig
 {
-    Model = "gpt-4.1",
+    Model = "auto",
     OnPermissionRequest = PermissionHandler.ApproveAll,
     Streaming = true,
     Tools = [getWeather],
@@ -1225,7 +1225,7 @@ public class HelloCopilot {
 
             var session = client.createSession(
                 new SessionConfig()
-                    .setModel("gpt-4.1")
+                    .setModel("auto")
                     .setStreaming(true)
                     .setTools(List.of(getWeather))
                     .setOnPermissionRequest(PermissionHandler.APPROVE_ALL)
@@ -1283,7 +1283,7 @@ const getWeather = defineTool("get_weather", {
 
 const client = new CopilotClient();
 const session = await client.createSession({
-    model: "gpt-4.1",
+    model: "auto",
     streaming: true,
     tools: [getWeather],
 });
@@ -1354,7 +1354,7 @@ async def main():
     client = CopilotClient()
     await client.start()
 
-    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="gpt-4.1", streaming=True, tools=[get_weather])
+    session = await client.create_session(on_permission_request=PermissionHandler.approve_all, model="auto", streaming=True, tools=[get_weather])
 
     def handle_event(event):
         if event.type == SessionEventType.ASSISTANT_MESSAGE_DELTA:
@@ -1445,7 +1445,7 @@ func main() {
 	defer client.Stop()
 
 	session, err := client.CreateSession(ctx, &copilot.SessionConfig{
-		Model:     "gpt-4.1",
+		Model:     "auto",
 		Streaming: copilot.Bool(true),
 		Tools:     []copilot.Tool{getWeather},
 	})
@@ -1630,7 +1630,7 @@ var getWeather = CopilotTool.DefineTool(
 await using var client = new CopilotClient();
 await using var session = await client.CreateSessionAsync(new SessionConfig
 {
-    Model = "gpt-4.1",
+    Model = "auto",
     OnPermissionRequest = PermissionHandler.ApproveAll,
     Streaming = true,
     Tools = [getWeather]
@@ -1723,7 +1723,7 @@ public class WeatherAssistant {
 
             var session = client.createSession(
                 new SessionConfig()
-                    .setModel("gpt-4.1")
+                    .setModel("auto")
                     .setStreaming(true)
                     .setOnPermissionRequest(request ->
                         CompletableFuture.completedFuture(PermissionDecision.allow())

content/organizations/managing-organization-settings/actions-policies/about-actions-policies.md

@@ -0,0 +1,17 @@
+---
+title: About Actions policies
+shortTitle: About Actions policies
+intro: 'Actions policies let you govern how {% data variables.product.prodname_actions %} workflows run across repositories in your organization, starting with workflow execution protections.'
+versions:
+  fpt: '*'
+  ghec: '*'
+contentType: concepts
+---
+
+{% data reusables.actions.actions-policies-preview-note %}
+
+{% data reusables.actions.actions-policies-about-body %}
+
+## Next steps
+
+To configure workflow execution protections for your organization, including setting up event and actor rules, see [AUTOTITLE](/organizations/managing-organization-settings/actions-policies/workflow-execution-protections).

content/organizations/managing-organization-settings/actions-policies/index.md

@@ -0,0 +1,12 @@
+---
+title: Actions policies
+shortTitle: Actions policies
+intro: 'Actions policies let you govern how {% data variables.product.prodname_actions %} workflows run across repositories in your organization.'
+versions:
+  fpt: '*'
+  ghec: '*'
+children:
+  - /about-actions-policies
+  - /workflow-execution-protections
+---
+

content/organizations/managing-organization-settings/actions-policies/workflow-execution-protections.md

@@ -0,0 +1,23 @@
+---
+title: Workflow execution protections
+shortTitle: Workflow execution protections
+intro: 'Workflow execution protections let you control who can trigger {% data variables.product.prodname_actions %} workflows and which events are permitted to run them across your organization.'
+versions:
+  fpt: '*'
+  ghec: '*'
+contentType: how-tos
+---
+
+{% data reusables.actions.workflow-execution-protections-preview-note %}
+
+{% data reusables.actions.workflow-execution-protections-body %}
+
+## Configuring workflow execution protections
+
+You configure workflow execution protections in the new **Policies** section of your {% data variables.product.prodname_actions %} settings. This **Policies** section is separate from your existing **General** settings.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+1. In the left sidebar, under **Actions**, click **Policies**.
+1. Create a ruleset, then add your event and actor rules.
+1. Choose whether the ruleset is active or in evaluate mode, then save your changes.

content/organizations/managing-organization-settings/index.md

@@ -20,6 +20,7 @@ children:
   - /managing-the-forking-policy-for-your-organization
   - /managing-pull-request-reviews-in-your-organization
   - /disabling-or-limiting-github-actions-for-your-organization
+  - /actions-policies
   - /about-networking-for-hosted-compute-products-in-your-organization
   - /about-azure-private-networking-for-github-hosted-runners-in-your-organization
   - /configuring-private-networking-for-github-hosted-runners-in-your-organization
@@ -55,3 +56,4 @@ children:
   - /managing-or-restricting-github-models-for-your-organization
 shortTitle: Manage organization settings
 ---
+

content/repositories/managing-your-repositorys-settings-and-features/actions-policies/about-actions-policies.md

@@ -0,0 +1,17 @@
+---
+title: About Actions policies
+shortTitle: About Actions policies
+intro: 'Actions policies let you govern how {% data variables.product.prodname_actions %} workflows run in your repository, starting with workflow execution protections.'
+versions:
+  fpt: '*'
+  ghec: '*'
+contentType: concepts
+---
+
+{% data reusables.actions.actions-policies-preview-note %}
+
+{% data reusables.actions.actions-policies-about-body %}
+
+## Next steps
+
+To configure workflow execution protections for your repository, including setting up event and actor rules, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/actions-policies/workflow-execution-protections).

content/repositories/managing-your-repositorys-settings-and-features/actions-policies/index.md

@@ -0,0 +1,12 @@
+---
+title: Actions policies
+shortTitle: Actions policies
+intro: 'Actions policies let you govern how {% data variables.product.prodname_actions %} workflows run in a repository.'
+versions:
+  fpt: '*'
+  ghec: '*'
+children:
+  - /about-actions-policies
+  - /workflow-execution-protections
+---
+

content/repositories/managing-your-repositorys-settings-and-features/actions-policies/workflow-execution-protections.md

@@ -0,0 +1,23 @@
+---
+title: Workflow execution protections
+shortTitle: Workflow execution protections
+intro: 'Workflow execution protections let you control who can trigger {% data variables.product.prodname_actions %} workflows and which events are permitted to run them.'
+versions:
+  fpt: '*'
+  ghec: '*'
+contentType: how-tos
+---
+
+{% data reusables.actions.workflow-execution-protections-preview-note %}
+
+{% data reusables.actions.workflow-execution-protections-body %}
+
+## Configuring workflow execution protections
+
+You configure workflow execution protections in the new **Policies** section of your {% data variables.product.prodname_actions %} settings. This **Policies** section is separate from your existing **General** settings.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+1. In the left sidebar, under **Actions**, click **Policies**.
+1. Create a ruleset, then add your event and actor rules.
+1. Choose whether the ruleset is active or in evaluate mode, then save your changes.

content/repositories/managing-your-repositorys-settings-and-features/index.md

@@ -13,7 +13,9 @@ children:
   - /repository-access-and-collaboration
   - /customizing-your-repository
   - /enabling-features-for-your-repository
+  - /actions-policies
   - /managing-repository-settings
 shortTitle: Manage repository settings
 ---
 
+