Skip to content

Commit 85ce489

Browse files
authored
Merge pull request #45065 from github/repo-sync
Repo sync
2 parents 3067584 + dc34d87 commit 85ce489

5 files changed

Lines changed: 21 additions & 13 deletions

File tree

content/actions/reference/security/securely-using-pull_request_target.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ Read [`pull_request_target`](/actions/reference/workflows-and-actions/events-tha
1717

1818
## The risks of the pull_request_target event
1919

20-
Workflows triggered by `pull_request_target` run with elevated trust: the job receives the base repository's `GITHUB_TOKEN`, access to repository and organization secrets, and write access to the default-branch cache. This is the same trust given to events like `push` that only collaborators can trigger, and it is what makes `pull_request_target` useful for automation that responds to pull requests from forks, such as labeling, triage, or for posting authenticated status checks.
20+
Workflows triggered by `pull_request_target` run with elevated trust: the job receives the base repository's `GITHUB_TOKEN` and access to repository and organization secrets. This is the same trust given to events like `push` that only collaborators can trigger, and it is what makes `pull_request_target` useful for automation that responds to pull requests from forks, such as labeling, triage, or for posting authenticated status checks.
2121

2222
To understand why this is safe by default, and how that safety is commonly broken, review `pull_request_target` against [`pull_request`](/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request).
2323

@@ -67,7 +67,7 @@ If you have confirmed you need `pull_request_target`, apply these controls to li
6767

6868
* **Restrict secrets.** Confirm that the permissions set on the `GITHUB_TOKEN` have the least privileges and that only the necessary repository and organization secrets are used for the workflow. For more information, see [AUTOTITLE](/actions/tutorials/authenticate-with-github_token#modifying-the-permissions-for-the-github_token).
6969

70-
* **Understand the impact to caching.** Outside of the `GITHUB_TOKEN` and configured secrets, workflows that run on `pull_request_target` also have write access to the cache shared with other workflows on the default branch. Malicious changes to this cache from `pull_request_target` events could impact the execution of other, unrelated, workflows.
70+
* **Understand the impact to caching.** To reduce the risk of cache poisoning, workflows triggered by `pull_request_target` have read-only access to the cache in the default branch's scope. These workflows can restore existing cache entries but cannot create or overwrite them, so they cannot affect the execution of other, unrelated, workflows through the shared cache. If such a workflow attempts to save a cache, the save fails but the step and the job continue, and the failure is reported as a warning in the workflow log. If your workflow needs to populate the cache, save it from a workflow that runs on a trusted trigger such as `push`. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching#cache-access-for-low-trust-workflow-triggers).
7171

7272
* **Ensure the underlying compute is isolated and ephemeral.** If self-hosted runners are used, you must confirm that the runner environment is properly restricted from internal resources and is not reused across {% data variables.product.prodname_actions %} runs. For more information, see [AUTOTITLE](/actions/reference/security/secure-use#hardening-for-self-hosted-runners).
7373

content/copilot/how-tos/github-copilot-app/agent-sessions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ The session mode controls how much autonomy the agent has. You can set the mode
3737

3838
You can select a model and reasoning effort from the dropdowns above the prompt field. Higher reasoning effort gives the agent more time to think through complex problems but may take longer. You can change both settings at any time during a session.
3939

40-
If you configured your own model provider in the app using bring your own key (BYOK), those models also appear in the picker. For setup steps, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/use-byok-models).
40+
If you configured your own model provider in the app, those models also appear in the picker. For setup steps, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/use-byok-models).
4141

4242
Hover over the {% octicon "info" aria-label="the info icon" %} icon in the model picker to see model details.
4343

content/copilot/how-tos/github-copilot-app/getting-started.md

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,8 @@ For a conceptual overview of the {% data variables.copilot.github_copilot_app %}
1919
## Prerequisites
2020

2121
* [Git](https://github.com/git-guides/install-git) installed on your computer.
22-
* A paid {% data variables.product.prodname_copilot_short %} plan.
22+
* A {% data variables.product.github %} account.
23+
* A {% data variables.product.prodname_copilot_short %} plan. Alternatively, if using your own model provider, you will need required credentials such as an API key. For more information, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/use-byok-models).
2324
* If you use {% data variables.copilot.copilot_business_short %} or {% data variables.copilot.copilot_enterprise_short %}, your plan administrator must enable the **{% data variables.copilot.copilot_cli_short %}** policy. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/manage-policies) or [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-enterprise-policies).
2425

2526
## Installing the {% data variables.copilot.github_copilot_app %}
@@ -31,8 +32,10 @@ For a conceptual overview of the {% data variables.copilot.github_copilot_app %}
3132

3233
1. Open the {% data variables.copilot.github_copilot_app %}.
3334
1. Click **Sign in to {% data variables.product.github %}** and follow the prompts to authenticate. If you use {% data variables.product.prodname_ghe_server %}, choose **Use GitHub Enterprise** and enter your server address when prompted.
34-
1. The app walks you through onboarding. When prompted, select one or more repositories based on your recent {% data variables.product.github %} activity, or choose a sample project. You can also skip this step and add repositories later.
35-
1. Choose a theme, then complete onboarding.
35+
1. If you do not have a {% data variables.product.prodname_copilot_short %} plan, choose whether to sign up for a plan or continue with your own model provider.
36+
* If you choose to use your own model provider, select a provider, enter any required credentials, then click **Save and continue**.
37+
1. When prompted, select one or more repositories based on your recent {% data variables.product.github %} activity. You can also add a local repository, or skip this step and add repositories later.
38+
1. Choose a theme, then complete onboarding to open the app.
3639

3740
## Connecting a repository
3841

content/copilot/how-tos/github-copilot-app/use-byok-models.md

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -13,12 +13,14 @@ category:
1313
---
1414

1515
> [!NOTE]
16-
> Support to use your own provider (BYOK) in the {% data variables.copilot.github_copilot_app %} is in {% data variables.release-phases.public_preview %} and subject to change.
16+
> Support to use your own model provider in the {% data variables.copilot.github_copilot_app %} is in {% data variables.release-phases.public_preview %} and subject to change.
1717
18-
You can configure the {% data variables.copilot.github_copilot_app %} to use your own LLM provider, also called BYOK (Bring Your Own Key), instead of {% data variables.product.github %}-hosted models.
18+
You can configure the {% data variables.copilot.github_copilot_app %} to use your own LLM provider, also called BYOK (Bring Your Own Key), instead of {% data variables.product.github %}-hosted models. You can set up your model provider when you first open the app or later in app settings.
19+
20+
You must sign in with a {% data variables.product.github %} account to use the app, but you do not need a {% data variables.product.prodname_copilot_short %} plan if you use your own model provider. If you do have a {% data variables.product.prodname_copilot_short %} plan, you can use both your own model provider and {% data variables.product.github %}-hosted models in the same app.
1921

2022
> [!NOTE]
21-
> This article is for users who want to configure their own LLM provider API key on their local machine. To set up custom models for users in an organization or enterprise, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/use-your-own-api-keys) and [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/use-your-own-api-keys).
23+
> This article is for users who want to configure their own LLM provider settings on their local machine. To set up custom models for users in an organization or enterprise, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/use-your-own-api-keys) and [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/use-your-own-api-keys).
2224
2325
## Supported providers
2426

@@ -36,9 +38,12 @@ You can configure the {% data variables.copilot.github_copilot_app %} to use you
3638
## Prerequisites
3739

3840
* The {% data variables.copilot.github_copilot_app %} is installed. For setup steps, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/getting-started).
39-
* You have an API key for your model provider.
41+
* You have any required credentials, such as API key, for your model provider.
42+
## Set up a model provider
43+
44+
If you are setting up the app for the first time and do not have a {% data variables.product.prodname_copilot_short %} plan, you can choose to set up your own model provider during onboarding.
4045

41-
## Add a model provider
46+
To add or update a model provider later:
4247

4348
1. Open the {% data variables.copilot.github_copilot_app %}.
4449
1. Open app settings, then click **Model providers**.
@@ -49,4 +54,4 @@ You can configure the {% data variables.copilot.github_copilot_app %} to use you
4954

5055
After you add a provider, its models appear in the model picker alongside {% data variables.product.github %}-hosted models. You can select the model and use it in a session. For more information, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/agent-sessions).
5156

52-
Keys are stored in the system credential store and are never displayed in the UI.
57+
Provider credentials are stored in the system credential store and are never displayed in the UI.
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
{% data variables.copilot.github_copilot_app %} is available for all paid {% data variables.product.prodname_copilot_short %} plans.
1+
{% data variables.copilot.github_copilot_app %} is available for all {% data variables.product.prodname_copilot_short %} plans.

0 commit comments

Comments
 (0)