From 4e09b6044a32bed35c3318dd7b794f031e6b76c9 Mon Sep 17 00:00:00 2001
From: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>
Date: Mon, 7 Jul 2025 12:06:55 -0700
Subject: [PATCH 1/2] Copilot deprecating o1, GPT-4.5 (#56505)

Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
---
 .../understanding-and-managing-requests-in-copilot.md | 4 +---
 .../choosing-your-enterprises-plan-for-github-copilot.md | 2 +-
 ...-policies-and-features-for-copilot-in-your-enterprise.md | 4 +---
 .../troubleshooting-common-issues-with-github-copilot.md | 2 +-
 .../ai-models/choosing-the-right-ai-model-for-your-task.md | 4 ----
 .../reference/ai-models/supported-ai-models-in-copilot.md | 6 ------
 .../tutorials/comparing-ai-models-using-different-tasks.md | 2 +-
 data/reusables/copilot/available-models-per-plan.md | 2 --
 data/variables/copilot.yml | 2 --
 9 files changed, 5 insertions(+), 23 deletions(-)

diff --git a/content/copilot/concepts/copilot-billing/understanding-and-managing-requests-in-copilot.md b/content/copilot/concepts/copilot-billing/understanding-and-managing-requests-in-copilot.md
index 8ac9ba9d16c4..0212d4b7dce5 100644
--- a/content/copilot/concepts/copilot-billing/understanding-and-managing-requests-in-copilot.md
+++ b/content/copilot/concepts/copilot-billing/understanding-and-managing-requests-in-copilot.md
@@ -92,7 +92,6 @@ If you use **{% data variables.copilot.copilot_free_short %}**, you have access
 |-------------------------------------------------------------------------|--------------------------------|-----------------------|
 | {% data variables.copilot.copilot_gpt_41 %} | 0 | 1 |
 | {% data variables.copilot.copilot_gpt_4o %} | 0 | 1 |
-| {% data variables.copilot.copilot_gpt_45 %} | 50 | Not applicable |
 | {% data variables.copilot.copilot_claude_sonnet_35 %} | 1 | 1 |
 | {% data variables.copilot.copilot_claude_sonnet_37 %} | 1 | Not applicable |
 | {% data variables.copilot.copilot_claude_sonnet_37 %} Thinking | 1.25 | Not applicable |
@@ -100,7 +99,6 @@ If you use **{% data variables.copilot.copilot_free_short %}**, you have access | {% data variables.copilot.copilot_claude_opus %} | 10 | Not applicable | | {% data variables.copilot.copilot_gemini_flash %} | 0.25 | 1 | | {% data variables.copilot.copilot_gemini_25_pro %} | 1 | Not applicable | -| {% data variables.copilot.copilot_o1 %} | 10 | Not applicable | | {% data variables.copilot.copilot_o3 %} | 1 | Not applicable | | {% data variables.copilot.copilot_o3_mini %} | 0.33 | 1 | | {% data variables.copilot.copilot_o4_mini %} | 0.33 | Not applicable | @@ -111,6 +109,6 @@ If you use **{% data variables.copilot.copilot_free_short %}**, you have access Premium request usage is based on the model’s multiplier and the feature you’re using. For example: -* **Using {% data variables.copilot.copilot_gpt_45 %} in {% data variables.copilot.copilot_chat_short %}**: With a 50× multiplier, one interaction counts as 50 premium requests. +* **Using {% data variables.copilot.copilot_claude_opus %} in {% data variables.copilot.copilot_chat_short %}**: With a 10× multiplier, one interaction counts as 10 premium requests. * **Using {% data variables.copilot.copilot_gpt_41 %} on {% data variables.copilot.copilot_free_short %}**: Each interaction counts as 1 premium request. * **Using {% data variables.copilot.copilot_gpt_41 %} on a paid plan**: No premium requests are consumed. diff --git a/content/copilot/get-started/choosing-your-enterprises-plan-for-github-copilot.md b/content/copilot/get-started/choosing-your-enterprises-plan-for-github-copilot.md index 9da43098d18d..44accb3e3366 100644 --- a/content/copilot/get-started/choosing-your-enterprises-plan-for-github-copilot.md +++ b/content/copilot/get-started/choosing-your-enterprises-plan-for-github-copilot.md 
@@ -63,7 +63,7 @@ With {% data variables.copilot.copilot_code-review_short %}, {% data variables.p {% data reusables.copilot.premium-requests-for-enterprises %} -To decide if you will benefit from a higher allowance for premium requests, compare the goals of your rollout to **development tasks** that each model is specialized in. For example, the o1 model is focused on math and science. Teams who work in specialized areas may require more requests to premium models. To learn about the benefits of different models, see [AUTOTITLE](/copilot/using-github-copilot/ai-models/choosing-the-right-ai-model-for-your-task). +To decide if you will benefit from a higher allowance for premium requests, compare the goals of your rollout to **development tasks** that each model is specialized in. For example, the {% data variables.copilot.copilot_claude_sonnet_40 %} is designed for advanced reasoning and coding tasks. Teams who work in specialized areas may require more requests to premium models. To learn about the benefits of different models, see [AUTOTITLE](/copilot/using-github-copilot/ai-models/choosing-the-right-ai-model-for-your-task). Regardless of your plan, you can set a spending limit for premium requests over your plan's allowance. Premium requests over the allowance will be charged at a rate of {% data variables.copilot.additional_premium_requests %} per request, with an additional multiplier applied to certain models. diff --git a/content/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise.md b/content/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise.md index d178a651e719..854fab8e7ee9 100644 --- a/content/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise.md +++ b/content/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise.md 
@@ -49,7 +49,7 @@ You can enable "{% data variables.product.prodname_copilot_short %} in {% data v * **{% data variables.product.prodname_copilot_short %} pull request summaries** - {% data variables.product.prodname_copilot_short %} can generate a summary of the changes made in a pull request, as well as a list of impacted files, using natural language. This overview helps reviewers quickly understand the proposed changes. * **{% data variables.product.prodname_copilot_short %} knowledge bases** - Organization owners can create knowledge bases consisting of Markdown documentation across one or more repositories, allowing organization members to use that documentation as context when they ask questions in {% data variables.copilot.copilot_chat_dotcom_short %}, {% data variables.copilot.copilot_chat_short %} in {% data variables.product.prodname_vscode %}, and {% data variables.copilot.copilot_chat_short %} in {% data variables.product.prodname_vs %}. -If you enable "{% data variables.product.prodname_copilot_short %} in {% data variables.product.prodname_dotcom_the_website %}", you can also configure additional features: +If you enable "{% data variables.product.prodname_copilot_short %} in {% data variables.product.prodname_dotcom_the_website %}," you can also configure additional features: {% data reusables.copilot.policies-for-dotcom %} 
@@ -87,8 +87,6 @@ Some features of {% data variables.product.prodname_copilot_short %} are availab ### {% data variables.product.prodname_copilot_short %} access to alternative AI models -> [!NOTE] Support for GPT-4.5 is only available on {% data variables.copilot.copilot_enterprise_short %}. - By default, {% data variables.copilot.copilot_chat_short %} uses an included model. If you grant access to the alternative models, members of your enterprise can choose to use these models rather than the included model. The available alternative models are: * **{% data variables.copilot.copilot_claude %}**. See [AUTOTITLE](/copilot/using-github-copilot/ai-models/using-claude-in-github-copilot). diff --git a/content/copilot/how-tos/troubleshoot/troubleshooting-common-issues-with-github-copilot.md b/content/copilot/how-tos/troubleshoot/troubleshooting-common-issues-with-github-copilot.md index e6e054f6f4ce..f74fe234638c 100644 --- a/content/copilot/how-tos/troubleshoot/troubleshooting-common-issues-with-github-copilot.md +++ b/content/copilot/how-tos/troubleshoot/troubleshooting-common-issues-with-github-copilot.md 
@@ -66,7 +66,7 @@ For more information, see the [{% data variables.copilot.copilot_cli_short %} ex This error suggests that you have exceeded the rate limit for {% data variables.product.prodname_copilot_short %} requests. {% data variables.product.github %} uses rate limits to ensure everyone has fair access to the {% data variables.product.prodname_copilot_short %} service and to protect against abuse. -Most people see rate limiting for preview models, like OpenAI’s o1 and o3-mini, which are rate-limited due to limited capacity. +Most people see rate limiting for preview models, like OpenAI’s {% data variables.copilot.copilot_o3 %} and {% data variables.copilot.copilot_o4_mini %}, which are rate-limited due to limited capacity. Service-level request rate limits ensure high service quality for all {% data variables.product.prodname_copilot_short %} users and should not affect typical or even deeply engaged {% data variables.product.prodname_copilot_short %} usage. We are aware of some use cases that are affected by it. {% data variables.product.github %} is iterating on {% data variables.product.prodname_copilot_short %}’s rate-limiting heuristics to ensure it doesn’t block legitimate use cases. diff --git a/content/copilot/reference/ai-models/choosing-the-right-ai-model-for-your-task.md b/content/copilot/reference/ai-models/choosing-the-right-ai-model-for-your-task.md index 48c4a0aac378..7be020625d22 100644 --- a/content/copilot/reference/ai-models/choosing-the-right-ai-model-for-your-task.md +++ b/content/copilot/reference/ai-models/choosing-the-right-ai-model-for-your-task.md 
@@ -23,9 +23,7 @@ Use this table to find a suitable model quickly, see more detail in the sections
 | Model | Task area | Excels at (primary use case) | Additional capabilities |
 |-------|-----------|-------------------------------|--------------------------|
 | {% data variables.copilot.copilot_gpt_41 %} | General-purpose coding and writing | Fast, accurate code completions and explanations | Agent mode, visual |
-| {% data variables.copilot.copilot_gpt_45 %} | Deep reasoning and debugging | Multi-step reasoning and complex code generation | Reasoning |
 | {% data variables.copilot.copilot_gpt_4o %} | General-purpose coding and writing | Fast completions and visual input understanding | Agent mode, visual |
-| {% data variables.copilot.copilot_o1 %} | Deep reasoning and debugging | Step-by-step problem solving and deep logic analysis | Reasoning |
 | {% data variables.copilot.copilot_o3 %} | Deep reasoning and debugging | Multi-step problem solving and architecture-level code analysis | Reasoning |
 | {% data variables.copilot.copilot_o3_mini %} | Fast help with simple or repetitive tasks | Quick responses for code snippets, explanations, and prototyping | Lower latency |
 | {% data variables.copilot.copilot_o4_mini %} | Fast help with simple or repetitive tasks | Fast, reliable answers to lightweight coding questions | Lower latency |
@@ -96,9 +94,7 @@ These models are designed for tasks that require step-by-step reasoning, complex | Model | Why it's a good fit | |-------|---------------------| -| {% data variables.copilot.copilot_gpt_45 %} | Delivers consistent results for multi-step logic, long-context tasks, and complex reasoning. Ideal for debugging and planning. | | {% data variables.copilot.copilot_o3 %} | Strong at algorithm design, system debugging, and architecture decisions. Balances performance and reasoning. | -| {% data variables.copilot.copilot_o1 %} | Excels at deliberate, structured reasoning and deep analysis. Good for performance tuning and problem-solving. | | {% data variables.copilot.copilot_claude_sonnet_37 %} | Provides hybrid reasoning that adapts to both fast tasks and deeper thinking. | | {% data variables.copilot.copilot_claude_sonnet_40 %} | Improves on 3.7 with more reliable completions and smarter reasoning under pressure. | | {% data variables.copilot.copilot_claude_opus %} | Anthropic’s most powerful model. Strong at strategy, debugging, and multi-layered logic. | diff --git a/content/copilot/reference/ai-models/supported-ai-models-in-copilot.md b/content/copilot/reference/ai-models/supported-ai-models-in-copilot.md index f3f8e356ffec..19384bf6643f 100644 --- a/content/copilot/reference/ai-models/supported-ai-models-in-copilot.md +++ b/content/copilot/reference/ai-models/supported-ai-models-in-copilot.md 
@@ -35,9 +35,7 @@ This table lists the AI models available in {% data variables.product.prodname_c
 | Model name | Provider | Release status | Agent mode | Ask mode | Edit mode |
 |------------|----------|----------------|------------|----------------------|---------------|
 | {% data variables.copilot.copilot_gpt_41 %} | OpenAI | GA | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| {% data variables.copilot.copilot_gpt_45 %} | OpenAI | {% data variables.release-phases.public_preview_caps %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | {% data variables.copilot.copilot_gpt_4o %} | OpenAI | GA | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| {% data variables.copilot.copilot_o1 %} | OpenAI | {% data variables.release-phases.public_preview_caps %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | {% data variables.copilot.copilot_o3 %} | OpenAI | {% data variables.release-phases.public_preview_caps %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | {% data variables.copilot.copilot_o3_mini %} | OpenAI | GA | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | {% data variables.copilot.copilot_o4_mini %} | OpenAI | {% data variables.release-phases.public_preview_caps %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
@@ -60,9 +58,7 @@ The following table shows which models are available in each client. | Model | {% data variables.product.prodname_dotcom_the_website %} | {% data variables.product.prodname_vscode %} | {% data variables.product.prodname_vs %} | Eclipse | Xcode | JetBrains IDEs | |---------------------------|------------|---------|----------------|---------|--------|------------| | {% data variables.copilot.copilot_gpt_41 %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| {% data variables.copilot.copilot_gpt_45 %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | {% data variables.copilot.copilot_gpt_4o %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| {% data variables.copilot.copilot_o1 %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | {% data variables.copilot.copilot_o3 %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | 
{% data variables.copilot.copilot_o3_mini %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | {% data variables.copilot.copilot_o4_mini %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | @@ -93,9 +89,7 @@ For more information about premium requests, see [AUTOTITLE](/copilot/managing-c | Model | Multiplier for **paid plans** | Multiplier for **{% data variables.copilot.copilot_free_short %}** | |-------|-------------------------------|-------------------------------------------------| | {% data variables.copilot.copilot_gpt_41 %} | 0 | 1 | -| {% data variables.copilot.copilot_gpt_45 %} | 50 | Not applicable | | {% data variables.copilot.copilot_gpt_4o %} | 0 | 1 | -| {% data variables.copilot.copilot_o1 %} | 10 | Not applicable | | {% data variables.copilot.copilot_o3 %} | 1 | Not applicable | | {% data variables.copilot.copilot_o3_mini %} | 0.33 | 1 | | {% data variables.copilot.copilot_o4_mini %} | 0.33 | Not applicable | diff --git a/content/copilot/tutorials/comparing-ai-models-using-different-tasks.md b/content/copilot/tutorials/comparing-ai-models-using-different-tasks.md index 67a5c1023bf8..426ff12d3b29 100644 --- a/content/copilot/tutorials/comparing-ai-models-using-different-tasks.md +++ b/content/copilot/tutorials/comparing-ai-models-using-different-tasks.md 
@@ -77,7 +77,7 @@ def grant_editor_access(user_id, doc_id): ## {% data variables.copilot.copilot_o3_mini %} -OpenAI {% data variables.copilot.copilot_o3_mini %} is a fast, cost-effective reasoning model designed to deliver coding performance while maintaining lower latency and resource usage. {% data variables.copilot.copilot_o3_mini %} outperforms {% data variables.copilot.copilot_o1 %} on coding benchmarks with response times that are comparable to o1-mini. {% data variables.product.prodname_copilot_short %} is configured to use OpenAI's "medium" reasoning effort. +OpenAI {% data variables.copilot.copilot_o3_mini %} is a fast, cost-effective reasoning model designed to deliver coding performance while maintaining lower latency and resource usage. {% data variables.product.prodname_copilot_short %} is configured to use OpenAI's "medium" reasoning effort. ### Example scenario diff --git a/data/reusables/copilot/available-models-per-plan.md b/data/reusables/copilot/available-models-per-plan.md index 67eb789570be..62d467f89b2e 100644 --- a/data/reusables/copilot/available-models-per-plan.md +++ b/data/reusables/copilot/available-models-per-plan.md 
@@ -3,9 +3,7 @@ | Available models in chat | {% data variables.copilot.copilot_free_short %} | {% data variables.copilot.copilot_pro_short %} | {% data variables.copilot.copilot_pro_plus_short %} | {% data variables.copilot.copilot_business_short %} | {% data variables.copilot.copilot_enterprise_short %} | |----------------------------------------------------------------|--------------------------------------------------|--------------------------------------------------|------------------------------------------------------|-------------------------------------------------------|----------------------------------------------------------| | {% data variables.copilot.copilot_gpt_41 %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| {% data variables.copilot.copilot_gpt_45 %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | | {% data variables.copilot.copilot_gpt_4o %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | -| {% data variables.copilot.copilot_o1 %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | {% data variables.copilot.copilot_o3 %} | {% octicon "x" aria-label="Not included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} | {% octicon 
"check" aria-label="Included" %} | | {% data variables.copilot.copilot_o3_mini %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | {% data variables.copilot.copilot_o4_mini %} | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | diff --git a/data/variables/copilot.yml b/data/variables/copilot.yml index 523f32c91c34..c3821cb84f9f 100644 --- a/data/variables/copilot.yml +++ b/data/variables/copilot.yml @@ -109,9 +109,7 @@ copilot_gemini_25_pro: 'Gemini 2.5 Pro' # OpenAI GPT series: copilot_gpt_4o: 'GPT-4o' copilot_gpt_41: 'GPT-4.1' -copilot_gpt_45: 'GPT-4.5' # OpenAI 'o' series: -copilot_o1: 'o1' copilot_o3: 'o3' copilot_o3_mini: 'o3-mini' copilot_o4_mini: 'o4-mini' From 89ef89a75c9423539fb6fe181d7af1ee062f99d9 Mon Sep 17 00:00:00 2001 From: Joe Clark <31087804+jc-clark@users.noreply.github.com> Date: Mon, 7 Jul 2025 12:21:18 -0700 Subject: [PATCH 2/2] EDI - Actions secrets (#56467) Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- content/actions/concepts/security/index.md | 5 +- .../security/{about-secrets.md => secrets.md} | 38 ++++++------- .../workflows-and-actions/variables.md | 2 +- .../using-secrets-in-github-actions.md | 57 ++----------------- content/actions/reference/index.md | 1 + .../actions/reference/secrets-reference.md | 55 ++++++++++++++++++ 6 files changed, 84 insertions(+), 74 deletions(-) rename content/actions/concepts/security/{about-secrets.md => secrets.md} (56%) create mode 100644 content/actions/reference/secrets-reference.md 
diff --git a/content/actions/concepts/security/index.md b/content/actions/concepts/security/index.md index 435a11e4c725..9254f7c870fe 100644 --- a/content/actions/concepts/security/index.md +++ b/content/actions/concepts/security/index.md @@ -1,12 +1,13 @@ --- title: Security in GitHub Actions shortTitle: Security -intro: "Learn about security as a concept in GitHub Actions." +intro: Learn about security as a concept in GitHub Actions. versions: fpt: '*' ghes: '*' ghec: '*' children: - - /about-secrets + - /secrets - /about-security-hardening-with-openid-connect --- + diff --git a/content/actions/concepts/security/about-secrets.md b/content/actions/concepts/security/secrets.md similarity index 56% rename from content/actions/concepts/security/about-secrets.md rename to content/actions/concepts/security/secrets.md index b25bc2a3ba74..bac2de67f2a5 100644 --- a/content/actions/concepts/security/about-secrets.md +++ b/content/actions/concepts/security/secrets.md 
@@ -1,45 +1,31 @@ --- -title: About secrets -intro: 'Learn about secrets as they''re used in GitHub Actions.' +title: Secrets +intro: Learn about secrets as they are used in {% data variables.product.prodname_actions %} workflows. versions: fpt: '*' ghes: '*' ghec: '*' redirect_from: - /actions/security-for-github-actions/security-guides/about-secrets + - /actions/concepts/security/about-secrets --- -{% data reusables.actions.enterprise-github-hosted-runners %} - ## About secrets Secrets allow you to store sensitive information in your organization, repository, or repository environments. Secrets are variables that you create to use in {% data variables.product.prodname_actions %} workflows in an organization, repository, or repository environment. {% data variables.product.prodname_actions %} can only read a secret if you explicitly include the secret in a workflow. -## Naming your secrets - ->[!TIP] -> To help ensure that {% data variables.product.prodname_dotcom %} redacts your secrets in logs correctly, avoid using structured data as the values of secrets. - -The following rules apply to secret names: - -{% data reusables.actions.actions-secrets-and-variables-naming %} - -{% data reusables.codespaces.secret-precedence %} Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence. - -## Using your secrets in workflows - -{% data reusables.actions.secrets-redaction-warning %} +## Organization-level secrets {% data reusables.actions.secrets-org-level-overview %} +When creating a secret for an organization, you can use a policy to limit access by repository. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories. + For environment secrets, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers. 
To make a secret available to an action, you must set the secret as an input or environment variable in your workflow file. Review the action's README file to learn about which inputs and environment variables the action expects. See [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv). -Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts. - ## Limiting credential permissions When generating credentials, we recommend that you grant the minimum permissions possible. For example, instead of using personal credentials, use [deploy keys](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys) or a service account. Consider granting read-only permissions if that's all that is needed, and limit access as much as possible. 
@@ -48,6 +34,18 @@ When generating a {% data variables.product.pat_v1 %}, select the fewest scopes Instead of using a {% data variables.product.pat_generic %}, consider using a {% data variables.product.prodname_github_app %}, which uses fine-grained permissions and short lived tokens, similar to a {% data variables.product.pat_v2 %}. Unlike a {% data variables.product.pat_generic %}, a {% data variables.product.prodname_github_app %} is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow). +## Automatically redacted secrets + +{% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.prodname_dotcom %} secrets that are printed to workflow logs. + +{% data variables.product.prodname_actions %} also redacts information that is recognized as sensitive, but is not stored as a secret. For a list of automatically redacted secrets, see [AUTOTITLE](/actions/reference/secrets-reference#automatically-redacted-secrets). + +> [!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions). + +As a habit of best practice, you should mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log). + +Redacting of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. 
If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs). + ## Further reading * [AUTOTITLE](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions) diff --git a/content/actions/concepts/workflows-and-actions/variables.md b/content/actions/concepts/workflows-and-actions/variables.md index 5360a6585448..d19c2e89e2a6 100644 --- a/content/actions/concepts/workflows-and-actions/variables.md +++ b/content/actions/concepts/workflows-and-actions/variables.md 
@@ -20,7 +20,7 @@ You can set your own custom variables or use the default environment variables t You can set a custom variable in two ways. * To define an environment variable for use in a single workflow, you can use the `env` key in the workflow file. For more information, see [Defining environment variables for a single workflow](/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#defining-environment-variables-for-a-single-workflow). -* To define a configuration variable across multiple workflows, you can define it at the organization, repository, or environment level. For more information, see [Defining configuration variables for multiple workflows](/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#defining-configuration-variables-for-multiple-workflows). +* To define a configuration variable across multiple workflows, you can define it at the organization, repository, or environment level. When creating a variable in an organization, you can use a policy to limit access by repository. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories. For more information, see [Defining configuration variables for multiple workflows](/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#defining-configuration-variables-for-multiple-workflows). > [!WARNING] > By default, variables render unmasked in your build outputs. If you need greater security for sensitive information, such as passwords, use secrets instead. For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets). 
diff --git a/content/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions.md b/content/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions.md index 785a4922ec71..7d6a68217c8a 100644 --- a/content/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions.md +++ b/content/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions.md @@ -1,7 +1,7 @@ --- title: Using secrets in GitHub Actions shortTitle: Using secrets -intro: 'Secrets allow you to store sensitive information in your organization, repository, or repository environments.' +intro: 'Learn how to create secrets at the repository, environment, and organization levels for {% data variables.product.prodname_actions %} workflows.' redirect_from: - /github/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets - /actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets @@ -19,10 +19,6 @@ versions: ghec: '*' --- -{% data reusables.actions.enterprise-github-hosted-runners %} - -For general information about secrets, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets). - ## Creating secrets for a repository {% data reusables.actions.permissions-statement-secrets-variables-repository %} @@ -45,8 +41,6 @@ If your repository has environment secrets or can access secrets from the parent {% cli %} -{% data reusables.cli.cli-learn-more %} - To add a repository secret, use the `gh secret set` subcommand. Replace `secret-name` with the name of your secret. ```shell 
@@ -172,6 +166,8 @@ You can check which access policies are being applied to a secret in your organi
 > * Secrets are not automatically passed to reusable workflows. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow).
 > {% data reusables.actions.about-oidc-short-overview %}
 
+> [!WARNING] Mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs.
+
 To provide an action with a secret as an input or environment variable, you can use the `secrets` context to access secrets you've created in your repository. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions).
 
 {% raw %}
@@ -240,19 +236,7 @@ steps:
 
 {% endraw %}
 
-## Limits for secrets
-
-You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets.
-
-A workflow created in a repository can access the following number of secrets:
-
-* All 100 repository secrets.
-* If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name).
-* All 100 environment secrets.
-
-Secrets are limited to 48 KB in size. To store larger secrets, see the [Storing large secrets](#storing-large-secrets) workaround below.
-
-### Storing large secrets
+## Storing large secrets
 
 To use secrets that are larger than 48 KB, you can use a workaround to store secrets in your repository and save the decryption passphrase as a secret on {% data variables.product.prodname_dotcom %}. For example, you can use `gpg` to encrypt a file containing your secret locally before checking the encrypted file in to your repository on {% data variables.product.prodname_dotcom %}. For more information, see the [gpg manpage](https://www.gnupg.org/gph/de/manual/r1023.html).
 
@@ -330,7 +314,8 @@ To use secrets that are larger than 48 KB, you can use a workaround to store sec
 You can use Base64 encoding to store small binary blobs as secrets. You can then reference the secret in your workflow and decode it for use on the runner. For the size limits, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#limits-for-secrets).
 
 > [!NOTE]
-> Note that Base64 only converts binary to text, and is not a substitute for actual encryption.
+> * Note that Base64 only converts binary to text, and is not a substitute for actual encryption.
+> * Using another shell might require different commands for decoding the secret to a file. On Windows runners, we recommend [using a bash shell](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell) with `shell: bash` to use the commands in the `run` step above.
 
 1. Use `base64` to encode your file into a Base64 string. For example:
 
@@ -374,33 +359,3 @@ You can use Base64 encoding to store small binary blobs as secrets. You can then
 run: |
 openssl x509 -in cert.der -inform DER -text -noout
 ```
-
-> [!NOTE]
-> Using another shell might require different commands for decoding the secret to a file. On Windows runners, we recommend [using a bash shell](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell) with `shell: bash` to use the commands in the `run` step above.
-
-## Redacting secrets from workflow run logs
-
-{% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.prodname_dotcom %} secrets that are printed to workflow logs.
-
-{% data variables.product.prodname_actions %} also redacts information that is recognized as sensitive, but is not stored as a secret. Currently {% data variables.product.prodname_dotcom %} supports the following:
-
-* 32-byte and 64-byte Azure keys
-* Azure AD client app passwords
-* Azure Cache keys
-* Azure Container Registry keys
-* Azure Function host keys
-* Azure Search keys
-* Database connection strings
-* HTTP Bearer token headers
-* JWTs
-* NPM author tokens
-* NuGet API keys
-* v1 GitHub installation tokens
-* v2 GitHub installation tokens (`ghp`, `gho`, `ghu`, `ghs`, `ghr`)
-* v2 GitHub PATs
-
-> [!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions).
-
-As a habit of best practice, you should mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log).
-
-Redacting of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs).
diff --git a/content/actions/reference/index.md b/content/actions/reference/index.md
index 72dac46857ee..34075502d25d 100644
--- a/content/actions/reference/index.md
+++ b/content/actions/reference/index.md
@@ -11,6 +11,7 @@ children:
 - /events-that-trigger-workflows
 - /workflow-commands-for-github-actions
 - /variables-reference
+ - /secrets-reference
 - /evaluate-expressions-in-workflows-and-actions
 - /contexts-reference
 - /metadata-syntax-reference
diff --git a/content/actions/reference/secrets-reference.md b/content/actions/reference/secrets-reference.md
new file mode 100644
index 000000000000..8ef2c1bb78d8
--- /dev/null
+++ b/content/actions/reference/secrets-reference.md
@@ -0,0 +1,55 @@
+---
+title: Secrets reference
+shortTitle: Secrets reference
+intro: 'Find technical information about secrets in {% data variables.product.prodname_actions %}.'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+---
+
+## Naming your secrets
+
+>[!TIP]
+> To help ensure that {% data variables.product.prodname_dotcom %} redacts your secrets in logs correctly, avoid using structured data as the values of secrets.
+
+The following rules apply to secret names:
+
+{% data reusables.actions.actions-secrets-and-variables-naming %}
+
+{% data reusables.codespaces.secret-precedence %} Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.
+
+## Limits for secrets
+
+You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets.
+
+A workflow created in a repository can access the following number of secrets:
+
+* All 100 repository secrets.
+* If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name).
+* All 100 environment secrets.
+
+Secrets are limited to 48 KB in size. To store larger secrets, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions#storing-large-secrets).
+
+## When {% data variables.product.prodname_actions %} reads secrets
+
+Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.
+
+## Automatically redacted secrets
+
+{% data variables.product.prodname_dotcom %} automatically redacts the following sensitive information from workflow logs.
+
+* 32-byte and 64-byte Azure keys
+* Azure AD client app passwords
+* Azure Cache keys
+* Azure Container Registry keys
+* Azure Function host keys
+* Azure Search keys
+* Database connection strings
+* HTTP Bearer token headers
+* JWTs
+* NPM author tokens
+* NuGet API keys
+* v1 GitHub installation tokens
+* v2 GitHub installation tokens (`ghp`, `gho`, `ghu`, `ghs`, `ghr`)
+* v2 GitHub PATs