Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions .github/workflows/link-check-on-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,14 +59,12 @@ jobs:

- name: Check links in changed files
if: steps.changed-files.outputs.any_changed == 'true'
# Work in progress: never fail the PR. The comment is informational only.
continue-on-error: true
env:
FILES_CHANGED: ${{ steps.changed-files.outputs.all_changed_files }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
SHOULD_COMMENT: ${{ secrets.DOCS_BOT_APP_ID != '' }}
FAIL_ON_FLAW: false
FAIL_ON_FLAW: true
ENABLED_LANGUAGES: en
run: npm run check-links-pr

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -78,3 +78,59 @@ If synchronization of team membership with a group on your IdP fails due to a pr
{% data variables.product.prodname_dotcom %} will try to resolve this problem automatically during the next sync, which occurs at least once daily. You may be able to resolve the problem by unlinking the impacted team from the IdP group and then linking it to the same group again. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups#managing-the-connection-between-an-existing-organization-team-and-an-idp-group).

If the problem persists, contact {% data variables.contact.contact_ent_support %} and provide details about the organization, team, and the IdP group you're experiencing problems with.

## SCIM API incomplete events

If you see an `external_identity.scim_api_incomplete` or `external_group.scim_api_incomplete` event in your enterprise audit log, a SCIM request from your identity provider was received by {% data variables.product.github %} but did not complete successfully. No response was sent back to your identity provider, which may report the operation as failed or timed out.

### Resolving the issue

Re-trigger provisioning from your identity provider for the affected user or group. SCIM operations are idempotent, so re-provisioning will not create duplicates.

* **Entra ID:** In the Microsoft Entra admin center, go to **Enterprise Applications** > your SCIM app > **Provisioning**, and use **Provision on demand** for the affected user or group, or **Restart provisioning** for a full sync. For more information, see [On-demand provisioning in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand) in the Microsoft documentation.
* **Okta:** Re-push the affected group from **Push Groups**, or re-assign the app to the affected user. For more information, see [Push Groups](https://help.okta.com/en-us/content/topics/users-groups/usgr-push-groups.htm) in the Okta documentation.
* **Other identity providers:** Consult your identity provider's documentation for how to re-trigger SCIM provisioning for a specific user or group.

### Checking if the change was applied

If you have audit log streaming configured, you can search your streamed logs for other events with the same `request_id` value from the `scim_api_incomplete` event. For more information, see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise).

A single group SCIM API call can trigger any of the following events during processing:

| Audit log event | Description |
| --- | --- |
| `external_group.provision` | Group was created |
| `external_group.delete` | Group was deleted |
| `external_group.update` | Group metadata was updated |
| `external_group.update_display_name` | Display name was changed |
| `external_group.add_member` | A specific member was added |
| `external_group.remove_member` | A specific member was removed |

To determine which member changes were applied before the interruption, the `add_member` and `remove_member` events are the most useful. They identify the specific member affected. If you find fewer member events than the request intended, the remaining members were not processed.

> [!NOTE]
> The enterprise audit log UI and REST API do not currently support filtering by `request_id`. Audit log streaming to a SIEM or log platform is required for this step.

### Common causes

### Common causes of incomplete events

* Processing time exceeds the connection timeout, often because of large groups.
* A network interruption occurs between the identity provider and {% data variables.product.github %}.
* A transient issue occurs on {% data variables.product.github %}'s infrastructure.
* Your network environment, such as corporate proxies, firewalls, or CASB solutions, interferes with the connection.
* The identity provider's SCIM client timeout settings are too restrictive.

If this event recurs for the same group or user, contact {% data variables.contact.contact_ent_support %} with the `request_id` values from the affected events.

## Large group timeouts

A single SCIM `PUT` or `PATCH` request for a group with a large number of members can exceed the request timeout. When this happens, your identity provider may report the operation as failed, and you may see an `external_group.scim_api_incomplete` event in your enterprise audit log.

The SCIM provisioning rate limits describe a limit of 1,000 users per group per hour, but a single `PUT` or `PATCH` request that changes membership for a large group can also exceed the request timeout before all members are processed. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#understand-rate-limits-on-github).

### Preventing timeouts

* **Break large groups into smaller groups.** If your identity provider supports it, consider splitting groups that frequently time out into multiple smaller groups. This reduces the processing time per SCIM request.
* **Use incremental updates.** Where possible, use `PATCH` requests to add or remove individual members rather than `PUT` requests that replace the entire membership list.
* **Monitor for incomplete events.** Set up audit log streaming and alert on `scim_api_incomplete` events so you can re-trigger provisioning promptly.
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ You can customize {% data variables.product.prodname_copilot_short %}'s developm
* [Give {% data variables.product.prodname_copilot_short %} a Windows development environment](#switching-copilot-to-a-windows-development-environment), instead of the default Ubuntu Linux environment
* [Enable Git Large File Storage (LFS)](#enabling-git-large-file-storage-lfs)

{% data variables.copilot.copilot_code-review_short %} also runs in an ephemeral development environment, and you can customize it in the same ways described in this article. By default, {% data variables.copilot.copilot_code-review_short %} reuses your `copilot-setup-steps.yml` file, but you can also create a dedicated `copilot-code-review.yml` file to configure {% data variables.copilot.copilot_code-review_short %}'s environment independently of {% data variables.copilot.copilot_cloud_agent %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review#customizing-copilot-code-reviews-environment).

In addition, you can:

* [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ children:
- /use-hooks
- /customize-the-agent-environment
- /configure-secrets-and-variables
- /customize-the-agent-firewall
- /test-custom-agents
contentType: how-tos
---
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
---
title: Customizing or disabling the firewall for GitHub Copilot cloud agent
shortTitle: Customize the agent firewall
title: Customizing or disabling the firewall for GitHub Copilot
shortTitle: Customize the firewall
allowTitleToDifferFromFilename: true
intro: 'Learn how to control the domains and URLs that {% data variables.copilot.copilot_cloud_agent %} can access.'
intro: 'Learn how to control the domains and URLs that {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %} can access.'
versions:
feature: copilot
redirect_from:
Expand All @@ -12,18 +12,22 @@ redirect_from:
- /copilot/how-tos/agents/copilot-coding-agent/customize-the-agent-firewall
- /copilot/how-tos/agents/coding-agent/customize-the-agent-firewall
- /copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-firewall
- /copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-firewall
contentType: how-tos
category:
- Configure Copilot
---

> [!NOTE]
> Firewall configuration has moved to the {% data variables.copilot.copilot_cloud_agent %} settings page. Previous configurations saved as Actions variables will be maintained on that page.
> Firewall configuration is managed from the "Internet access" settings tab, which covers both {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}. Previous configurations saved as Actions variables will be maintained on that page.

## Overview

By default, {% data variables.product.prodname_copilot_short %}'s access to the internet is limited by a firewall.

> [!NOTE]
> {% data variables.copilot.copilot_code-review_short %} also supports firewall configuration, at both the organization and repository level, under its own section of the "Internet access" tab described below. This allows you to configure firewall rules for {% data variables.copilot.copilot_code-review_short %} independently of {% data variables.copilot.copilot_cloud_agent %}. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review#customizing-copilot-code-reviews-environment).

Limiting internet access helps manage data exfiltration risks. Unexpected behavior from {% data variables.product.prodname_copilot_short %}, or malicious instructions, could lead to code or other sensitive information being leaked to remote locations.

The firewall always allows access to a number of hosts that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}. By default, a recommended allowlist is also enabled to allow the agent to download dependencies.
Expand Down Expand Up @@ -56,11 +60,13 @@ For the complete list of hosts included in the recommended allowlist, see [AUTOT

## Configuring the firewall at the organization level

Organization owners can configure all firewall settings at the organization level. To access the firewall settings:
Organization owners can configure all firewall settings at the organization level, for both {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}. To access the firewall settings:

{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.copilot.cloud-agent-settings %}
{% data reusables.copilot.internet-access-settings %}

The "Internet access" page has separate sections for {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}, so you can configure the following settings independently for each.

### Enabling or disabling the firewall

Expand Down Expand Up @@ -88,13 +94,13 @@ Items added to the organization custom allowlist apply to all repositories in th

## Configuring the firewall at the repository level

Repository administrators can configure firewall settings at the repository level, including enabling or disabling the firewall, enabling or disabling the recommended allowlist, and managing a custom allowlist. Depending on the organization-level configuration, some of these settings may be locked.
Repository administrators can configure firewall settings at the repository level, including enabling or disabling the firewall, enabling or disabling the recommended allowlist, and managing a custom allowlist. Depending on the organization-level configuration, some of these settings may be locked. The repository settings page also has separate sections for {% data variables.copilot.copilot_cloud_agent %} and {% data variables.copilot.copilot_code-review_short %}, so you can configure these settings independently for each.

To access the firewall settings:

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **{% data variables.copilot.copilot_cloud_agent_short %}**.
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **Internet access**.

### Enabling or disabling the firewall

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ children:
- /customize-copilot-overview
- /add-custom-instructions
- /customize-cloud-agent
- /customize-the-firewall
- /configure-mcp-servers
- /copilot-spaces
contentType: how-tos
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ If you're happy with the changes, you can accept a single suggestion from {% dat
You can also invoke {% data variables.copilot.copilot_cloud_agent %} to implement suggested changes. To do this, you must:

* Enable {% data variables.copilot.copilot_code-review %} and {% data variables.copilot.copilot_cloud_agent %}.
* On review comments from {% data variables.copilot.copilot_code-review %}, click **Fix with Copilot**. This creates a draft comment on the pull request, where you can instruct {% data variables.product.prodname_copilot_short %} to address specific feedback. You can then select whether {% data variables.product.prodname_copilot_short %} will create a new pull request against your branch or a commit to the same pull request with the suggestions applied.
* On review comments from {% data variables.copilot.copilot_code-review %}, click **Fix with {% data variables.product.prodname_copilot_short %}**. This creates a draft comment on the pull request, where you can instruct {% data variables.product.prodname_copilot_short %} to address specific feedback. You can then select whether {% data variables.product.prodname_copilot_short %} will create a new pull request against your branch or a commit to the same pull request with the suggestions applied.

## Requesting a re-review from {% data variables.product.prodname_copilot_short %}

Expand All @@ -91,12 +91,23 @@ To automatically request re-reviews from {% data variables.product.prodname_copi
To make these available for {% data variables.copilot.copilot_code-review_short %} on {% data variables.product.github %}, configure:

* **Agent skills** in your repository (in `.github/skills`). If you want a skill to target review tasks, use a review-focused skill directory name such as `code-review`. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/add-skills).
* **MCP servers** in repository Copilot settings. The {% data variables.product.github %} MCP server and Playwright MCP server are enabled by default. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/configure-mcp-servers).
* **MCP servers** in repository {% data variables.product.prodname_copilot_short %} settings. The {% data variables.product.github %} MCP server and Playwright MCP server are enabled by default. For setup details, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/configure-mcp-servers).

{% data reusables.copilot.code-review.mcp-context-usage %}

{% data reusables.copilot.code-review.mcp-tools-setting %}

## Customizing {% data variables.copilot.copilot_code-review_short %}'s environment

{% data variables.copilot.copilot_code-review_short %} runs in an ephemeral development environment, similar to {% data variables.copilot.copilot_cloud_agent %}. You can customize this environment using a {% data variables.product.prodname_actions %} workflow file, in the same way you would for {% data variables.copilot.copilot_cloud_agent %}, for example, to preinstall tools or dependencies, or to switch to a different operating system. For more information on how to structure this file, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-environment).

You can use either of the following files to configure {% data variables.copilot.copilot_code-review_short %}'s environment:

* `.github/workflows/copilot-setup-steps.yml`: If you have already configured this file for {% data variables.copilot.copilot_cloud_agent %}, {% data variables.copilot.copilot_code-review_short %} will use the same configuration by default.
* `.github/workflows/copilot-code-review.yml`: We recommend creating this file if you want to configure {% data variables.copilot.copilot_code-review_short %}'s environment independently of {% data variables.copilot.copilot_cloud_agent %}. If this file is present in your repository, it is used for {% data variables.copilot.copilot_code-review_short %} instead of `copilot-setup-steps.yml`.

You can also configure firewall rules to control the domains and URLs that {% data variables.copilot.copilot_code-review_short %} can access, at both the organization and repository level. These settings are configured separately from {% data variables.copilot.copilot_cloud_agent %}'s firewall settings, in their own section of the same "Internet access" tab. See [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-firewall).

## Providing feedback on {% data variables.product.prodname_copilot_short %}'s reviews

You can provide feedback on {% data variables.product.prodname_copilot_short %}'s comments directly within each comment. We use this information to improve the product and the quality of {% data variables.product.prodname_copilot_short %}'s suggestions.
Expand Down
1 change: 1 addition & 0 deletions data/reusables/copilot/internet-access-settings.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
In the sidebar, under "Code, planning, and automation", click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} {% data variables.product.prodname_copilot_short %}**, and then click **Internet access**.
Original file line number Diff line number Diff line change
@@ -1,2 +1 @@
1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration.

1. Create a new custom security configuration, or edit an existing one. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/create-custom-configuration).
3 changes: 2 additions & 1 deletion data/ui.yml
Original file line number Diff line number Diff line change
Expand Up @@ -367,10 +367,11 @@ product_landing:
all_content: 'View all {{ title }} content'

journey_track_nav:
prev_article: Previous
next_article: Next
more_articles: More articles →
current_progress: 'Article {i} of {n}'
up_next: Up next
up_next_progress: 'Step {i} of {n} in {track}'

scroll_button:
scroll_to_top: Scroll to top
Expand Down
Loading
Loading