Repo sync

.github/workflows/link-check-internal.yml

@@ -89,12 +89,13 @@ jobs:
         run: npm run check-links-internal
 
       - name: Upload report artifact
-        if: failure()
+        if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: link-report-${{ matrix.version }}-${{ matrix.language }}
           path: artifacts/link-report-*.md
           retention-days: 5
+          if-no-files-found: ignore
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}

content/code-security/concepts/secret-security/about-bypass-requests-for-push-protection.md

@@ -0,0 +1,68 @@
+---
+title: About bypass requests for push protection
+intro: 'Learn how bypass requests work when push protection blocks commits containing secrets.'
+permissions: '{% data reusables.permissions.delegated-bypass-list %}'
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+topics:
+  - Secret scanning
+  - Secret Protection
+  - Alerts
+  - Repositories
+shortTitle: Bypass requests
+contentType: concepts
+---
+
+## About bypass requests for push protection
+
+When push protection blocks a commit containing a secret, contributors may need to bypass the block to complete their push. If delegated bypass for push protection is enabled, contributors without bypass privileges must submit a bypass request and wait for approval from designated reviewers. This allows organizations to maintain security oversight while enabling legitimate exceptions when needed. For more information, see [AUTOTITLE](/code-security/concepts/secret-security/about-delegated-bypass-for-push-protection).
+
+If delegated bypass for push protection is not enabled, contributors can bypass push protection at their own discretion.
+
+When enabling delegated bypass for push protection, organization owners or repository administrators decide which {% ifversion push-protection-bypass-fine-grained-permissions %}individuals, {% endif %}roles or teams can review (approve or deny) requests to bypass push protection.
+
+If you are a designated reviewer, you must review bypass requests and either approve or deny them based on the request details and your organization's security policies.
+
+## How bypass requests work
+
+When a contributor without bypass privileges requests to push a commit containing a secret, a bypass requests is sent to the reviewers. The designated group of reviewers:
+
+* Receives an email notification containing a link to the request
+* Reviews the request in the "Bypass requests" page of the repository{% ifversion security-overview-delegated-bypass-requests %}, or in the organization's security overview{% endif %}.
+* Has **7 days** to either approve or deny the request before the request expires
+
+### Information available to reviewers
+
+{% data variables.product.github %} displays the following information for each request:
+
+* Name of the user who attempted the push
+* Repository where the push was attempted
+* Commit hash of the push
+* Timestamp of the push{% ifversion push-protection-delegated-bypass-enhancements %}
+* File path and branch information (branch information is only available for pushes to single branches){% endif %}
+
+### Outcomes
+
+The contributor is notified by email of the decision and must take the required action:
+
+* **If the request is approved**: The contributor can push the commit containing the secret to the repository.
+* **If the request is denied**: The contributor must remove the secret from the commit before successfully pushing the commit to the repository.
+
+## Automatic bypass request reviews
+
+You can use {% data variables.product.prodname_github_apps %} with fine-grained permissions to programmatically review and approve push protection bypass requests. This enables you to enforce consistent security policies, integrate with external security tools, or reduce manual review burden.
+
+{% ifversion ghes %}
+
+>[!NOTE]
+> For {% data variables.product.prodname_ghe_server %}, the use of {% data variables.product.prodname_github_apps %} to review bypass requests is available from version 3.19.
+
+{% endif %}
+
+> For more information about permissions, see [Organization permissions for "Organization bypass requests for secret scanning"](/enterprise-cloud@latest/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#organization-permissions-for-organization-bypass-requests-for-secret-scanning).
+
+## Next steps
+
+* To learn how to manage bypass requests for push protection as a reviewer, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/manage-bypass-requests/managing-requests-to-bypass-push-protection).

content/code-security/concepts/secret-security/index.md

@@ -16,6 +16,7 @@ children:
   - /about-secret-security-with-github
   - /about-alerts
   - /about-delegated-bypass-for-push-protection
+  - /about-bypass-requests-for-push-protection
   - /about-secret-scanning-for-partners
   - /github-secret-types
   - /push-protection-from-the-command-line

content/code-security/concepts/security-at-scale/about-security-campaigns.md

@@ -38,6 +38,9 @@ A security campaign has many benefits over other ways of encouraging developers
 * Developers can see the alerts you've highlighted for remediation without leaving their normal workflows.
 * Each campaign has a named point of contact for questions, reviews, and collaboration.  {% ifversion security-campaigns-autofix %}
 * For {% data variables.product.prodname_code_scanning %} alerts, {% data variables.copilot.copilot_autofix %} is automatically triggered to suggest a resolution. {% endif %}
+{%- ifversion code-secret-alert-assignees %}
+* For both {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %}, you can assign alerts in a campaign to users with write access{% ifversion copilot %} or to {% data variables.copilot.copilot_coding_agent %} to automatically generate pull requests with fixes{% endif %}.
+{%- endif %}
 
 You can use one of the templates to select a group of closely related alerts for a campaign. This allows developers to build on the knowledge gained by resolving one alert and use it to fix several more, providing them with an incentive to fix multiple alerts.
 
@@ -69,7 +72,7 @@ The creation workflow is the same for all campaigns, but you will notice a few d
 
 {% ifversion code-secret-alert-assignees %}
 
-## Assigning alerts{% ifversion security-campaigns-assign-to-cca %} to users and {% data variables.copilot.copilot_coding_agent %}{% endif %}
+## About assigning alerts{% ifversion security-campaigns-assign-to-cca %} to users and {% data variables.copilot.copilot_coding_agent %}{% endif %}
 
 {% ifversion code-secret-alert-assignees-ga %}{% elsif ghes = 3.20 %}
 

content/code-security/how-tos/secure-your-secrets/customize-leak-detection/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning.md

@@ -1,6 +1,6 @@
 ---
 title: Generating regular expressions for custom patterns with Copilot secret scanning
-shortTitle: Regular expression generator
+shortTitle: Generate regular expressions
 intro: You can use {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} to write regular expressions for custom patterns. The generator uses an AI model to generate expressions that match your input, and optionally example strings.
 permissions: '{% data reusables.permissions.security-repo-enable %}'
 allowTitleToDifferFromFilename: true

content/code-security/how-tos/secure-your-secrets/manage-bypass-requests/managing-requests-to-bypass-push-protection.md

@@ -17,36 +17,15 @@ redirect_from:
   - /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection
 ---
 
-## Managing requests to bypass push protection
-
 {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
 
-When enabling delegated bypass for push protection, organization owners or repository administrators decide which {% ifversion push-protection-bypass-fine-grained-permissions %}individuals, {% endif %}roles or teams can review (approve or deny) requests to bypass push protection.
-
->[!NOTE]
-> You can also use {% data variables.product.prodname_github_apps %} with fine-grained permissions to programmatically review and approve push protection bypass requests. This enables your organization to streamline security request reviews and enforce policies, or integrate with external security tools, ensuring that all reviews meet established standards. _For {% data variables.product.prodname_ghe_server %}, the use of {% data variables.product.prodname_github_apps %} to review bypass requests is available from version 3.19._
-> For more information about permissions, see [Organization permissions for "Organization bypass requests for secret scanning"](/enterprise-cloud@latest/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#organization-permissions-for-organization-bypass-requests-for-secret-scanning).
-
-When a contributor requests bypass privileges to push a commit containing a secret, this designated group of reviewers:
-
-* Receives an email notification containing a link to the request.
-* Reviews the request in the "Bypass requests" page of the repository{% ifversion security-overview-delegated-bypass-requests %}, or in the organization's security overview{% endif %}.
-* Has 7 days to either approve or deny the request before the request expires.
-
-To help reviewers efficiently triage secrets for which there is a bypass request, {% data variables.product.prodname_dotcom %} displays the following information in the request:
-
-* Name of the user who attempted the push.
-* Repository where the push was attempted.
-* Commit hash of the push.
-* Timestamp of the push.{% ifversion push-protection-delegated-bypass-enhancements %}
-* File path and branch information. The branch information is only available for pushes to single branches.{% endif %}
+When delegated bypass for push protection is enabled, designated reviewers can approve or deny requests from contributors who want to push commits containing secrets.
 
-The contributor is notified of the decision by email and must take the required action:
+This article explains how to review and manage bypass requests for repositories and organizations.
 
-* If the request is approved, the contributor can push the commit containing the secret to the repository.
-* If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.
+For more information about how bypass requests work, see [AUTOTITLE](/code-security/concepts/secret-security/about-bypass-requests-for-push-protection).
 
-### Managing requests for a repository
+## Managing requests for a repository
 
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
@@ -61,13 +40,13 @@ The contributor is notified of the decision by email and must take the required
 
 {% ifversion security-overview-delegated-bypass-requests %}
 
-### Managing requests for an organization
+## Managing requests for an organization
 
 Organization owners, security managers and organization members with the relevant fine-grained permission (via a custom role) can review and manage bypass requests for all repositories in the organization using security overview. See [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection).
 
 {% endif %}
 
-### Filtering requests
+## Filtering requests
 
 You can filter requests by:
 
@@ -76,7 +55,7 @@ You can filter requests by:
 * Timeframe
 * Status
 
-#### Filtering by status
+### Filtering by status
 
 The following statuses are assigned to a request: