github
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/actions/reference/limits.md‎
Lines changed: 2 additions & 1 deletion b/‎content/actions/reference/limits.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎content/actions/reference/workflows-and-actions/dependency-caching.md‎
Lines changed: 13 additions & 1 deletion b/‎content/actions/reference/workflows-and-actions/dependency-caching.md‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎content/admin/data-residency/feature-overview-for-github-enterprise-cloud-with-data-residency.md‎
Lines changed: 1 addition & 0 deletions b/‎content/admin/data-residency/feature-overview-for-github-enterprise-cloud-with-data-residency.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/admin/managing-iam/index.md‎
Lines changed: 1 addition & 0 deletions b/‎content/admin/managing-iam/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/admin/managing-iam/respond-to-incidents/index.md‎
Lines changed: 15 additions & 0 deletions b/‎content/admin/managing-iam/respond-to-incidents/index.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎content/admin/managing-iam/respond-to-incidents/lock-down-sso.md‎
Lines changed: 38 additions & 0 deletions b/‎content/admin/managing-iam/respond-to-incidents/lock-down-sso.md‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎content/admin/managing-iam/respond-to-incidents/revoke-authorizations-or-tokens.md‎
Lines changed: 109 additions & 0 deletions b/‎content/admin/managing-iam/respond-to-incidents/revoke-authorizations-or-tokens.md‎
Lines changed: 109 additions & 0 deletions
diff --git a/‎content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise.md‎
Lines changed: 3 additions & 0 deletions b/‎content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise.md‎
Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,13 @@
 # Docs changelog
 
+**17 February 2026**
+
+We’ve added a new tutorial, "[Using hooks with Copilot CLI for predictable, policy-compliant execution](https://docs.github.com/en/copilot/tutorials/copilot-cli-hooks)", to help teams configure repository-scoped hooks that log prompts and tool usage, enforce guardrails with `preToolUse`, and roll out policies safely across repositories.
+
+This tutorial helps organizations adopt Copilot CLI automation with clear guardrails, improving security, auditability, and confidence, without blocking legitimate development workflows.
+
+<hr>
+
 **4 February 2026**
 
 We've published a new tutorial on [using GitHub Copilot coding agent to improve a project](https://docs.github.com/copilot/tutorials/coding-agent/improve-a-project).
 
@@ -8,7 +8,7 @@
 # ---------------------------------------------------------------
 # To update the sha:
 # https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble
-FROM ghcr.io/github/gh-base-image/gh-base-noble:20260128-000359-ga6d0dc7c0@sha256:e2dd6aa64dc4b3fd0fee388a817b2ce0ce239f1da31fd628c359a74832abdfcb AS base
+FROM ghcr.io/github/gh-base-image/gh-base-noble:20260218-111945-g0ef8bb15f@sha256:03eb088f3581049afaf2984f917a3a9be7e5efc248049f4156cd83481579fb59 AS base
 
 # Install curl for Node install and determining the early access branch
 # Install git for cloning docs-early-access & translations repos
 
@@ -41,6 +41,7 @@ These limits are subject to change.
 | Larger runners | Static IP limits | 10 IPs | 10 IPs per enterprise and organization. | {% octicon "check" aria-label="Yes" %} Support ticket |
 | Larger runners | Private IP scaling for vnet injection | 30% buffer | You need a buffer to accommodate the maximum job concurrency you anticipate. See [Private IP scaling for vnet injection on larger runners](#private-ip-scaling-for-vnet-injection-on-larger-runners). | {% octicon "check" aria-label="Yes" %} Configurable Azure virtual network |
 | Dependency caching | Uploads per minute | 200 per minute | Each repository is limited to 200 cache entry uploads per minute. If this limit is exceeded, subsequent cache upload attempts will fail until the rate limit resets. | {% octicon "x" aria-label="No" %} |
+| Dependency caching | Downloads per minute | 1500 per minute | Each repository is limited to 1500 cache entry downloads per minute. If this limit is exceeded, subsequent cache download attempts will fail until the rate limit resets. | {% octicon "x" aria-label="No" %} |
 
 ### Job concurrency limits for {% data variables.product.github %}-hosted runners
 
@@ -89,4 +90,4 @@ When using larger runners with vnet injection, you need to determine the appropr
 
 * **{% data variables.product.github %}-hosted runners pulling public images:** Docker Hub's rate limit is not applied.
 * **{% data variables.product.github %}-hosted runners pulling private images:** Pulling private images from Docker Hub is subject to the rate limit.
-* **Self-hosted runners pulling public or private images:** Pulling images from Docker Hub is always subject to the rate limit.
+* **Self-hosted runners pulling public or private images:** Pulling images from Docker Hub is always subject to the rate limit.
@@ -275,7 +275,7 @@ Multiple workflow runs in a repository can share caches. A cache created for a b
 {% endif %}
 {% ifversion fpt or ghec %}
 
-You can create cache entries at a rate of up to 200 uploads per minute per repository. If you exceed this rate, subsequent cache upload attempts will fail until the rate limit resets. The time until the rate limit resets is returned in the `Retry-After` header of the response.
+You can create cache entries at a rate of up to 200 uploads per minute per repository, and download them at a rate of 1500 downloads per minute per repository. If you exceed this rate, subsequent cache upload or download attempts will fail until the relevant rate limit resets. The time until the rate limit resets is returned in the `Retry-After` header of the response. See [AUTOTITLE](/actions/reference/limits) for more information about {% data variables.product.prodname_actions %} rate limits.
 
 ### Increasing cache size
 
@@ -286,6 +286,18 @@ For more information, see:
 * [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#managing-github-actions-cache-storage-for-your-organization)
 * [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#artifact-and-log-retention)
 
+Usage of additional storage is also controlled by budgets set for {% data variables.product.prodname_actions %} or the Actions Cache Storage SKU. If you have limits configured, and you exceed a budget, your cache will become read-only until your billing status is resolved, or your usage goes beneath the free limit of 10GB by caches expiring or being explicitly deleted. For more information on how to set up budgets, see [AUTOTITLE](/billing/how-tos/set-up-budgets).
+
+Setting your Actions Cache Storage SKU budgets lower than the total cost of using your configured storage over your billing period can lead to your cache frequently going into read-only mode. For example, if your budget for the SKU is $0, and you've configured your repository's maximum cache size at 20GB, your cache will enter read-only mode as soon as storage exceeds the free threshold.
+
+Below are some illustrative monthly costs to inform budgets you may wish to set for the Actions Cache Storage SKU.
+
+| Cache size | Monthly cost (if fully utilized) |
+| ---------- | -------------------------------- |
+| 50GB       | $2.80                            |
+| 200GB      | $13.30                           |
+| 1000GB     | $69.30                           |
+
 {% endif %}
 
 ## Next steps
 
@@ -28,6 +28,7 @@ The following features are currently unavailable on {% data variables.enterprise
 | Certain features of {% data variables.product.prodname_github_connect %} | Although you can connect an enterprise on {% data variables.enterprise.data_residency_site %} to a {% data variables.product.prodname_ghe_server %} instance, certain features of {% data variables.product.prodname_github_connect %} are not available, including resolution of actions from {% data variables.product.prodname_dotcom_the_website %}. | [{% data variables.product.prodname_github_connect %}](#github-connect) |
 | Some features currently in {% data variables.release-phases.public_preview %} or {% data variables.release-phases.private_preview %} | Certain features that are in a preview phase on {% data variables.product.prodname_dotcom_the_website %} may not be available on {% data variables.enterprise.data_residency_site %} until GA. | |
 | Migrations REST API | Currently unavailable. | [AUTOTITLE](/rest/migrations) |
+| Streaming audit logs to Amazon S3 with OpenID Connect (OIDC) | Currently unavailable. | [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise) |
 
 ## Permanently unavailable features
 
 
@@ -24,5 +24,6 @@ children:
   - /provisioning-user-accounts-with-scim
   - /reconfiguring-iam-for-enterprise-managed-users
   - /managing-recovery-codes-for-your-enterprise
+  - /respond-to-incidents
 ---
 
@@ -0,0 +1,15 @@
+---
+title: Responding to security incidents in your enterprise
+intro: Take bulk action when facing a major security incident.
+versions:
+  feature: revoke-enterprise-tokens
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+children:
+  - /revoke-authorizations-or-tokens
+  - /lock-down-sso
+shortTitle: Respond to incidents
+---
@@ -0,0 +1,38 @@
+---
+title: Locking down single sign-on in your enterprise
+intro: 'Take action in a security incident by blocking SSO for all users except enterprise owners.'
+permissions: 'Enterprise owners and users with the "Manage enterprise single sign-on configuration" fine-grained permission'
+product: 'Enterprises with managed users, or enterprises that have enabled SAML SSO for the enterprise or its organizations'
+versions:
+  feature: revoke-enterprise-tokens
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+shortTitle: Lock down SSO
+---
+
+When your enterprise is affected by a major security incident, you can temporarily block single sign-on for all users except enterprise owners. This allows you to lock down access to your enterprise in order to investigate the incident within a more isolated surface area.
+
+The outcome of this action depends on your enterprise type:
+
+* **{% data variables.product.prodname_emus %}**: Prevents users from signing in to their {% data variables.enterprise.prodname_managed_user %} entirely.
+* **Enterprise with personal accounts**: Prevents users from authenticating to access SSO-protected resources or authorize tokens for SSO, but does not prevent them from signing in to their account and accessing non-protected resources.
+
+In either case, all existing active SSO sessions are terminated, including for enterprise owners, who can reauthenticate with SSO to access the enterprise during the lockdown.
+
+## Locking down single sign-on
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. Find the correct page for your enterprise type:
+   * **{% data variables.product.prodname_emus %}**: At the top of the page, click **Identity provider**.
+   * **Personal accounts**: Click **Settings** at the top of the page, then click **Authentication security** in the left sidebar.
+1. Scroll down to the "Danger zone" section and, next to "Single sign-on lockdown", click **Enable**.
+
+   >[!IMPORTANT] If you have the "Manage enterprise single sign-on configuration" permission but are **not** an enterprise owner, you can enable the lockdown, but you will be unable to authenticate with SSO while the lockdown is active. If your enterprise uses {% data variables.product.prodname_emus %} or has enabled SAML at the enterprise level, this means you will not be able to authenticate to disable the lockdown later.
+
+1. If you are an enterprise owner, reauthenticate with SSO.
+1. Once the investigation is complete and you are confident in resuming SSO authentication, come back to this section and disable the lockdown.
@@ -0,0 +1,109 @@
+---
+title: Revoking SSO authorizations or deleting credentials in your enterprise
+intro: 'Respond to a security incident by taking bulk action on credentials with access to your enterprise.'
+permissions: 'Enterprise owners and users with the "Manage enterprise credentials" fine-grained permission'
+product: 'Enterprises with managed users, or enterprises that have enabled SAML SSO for the enterprise or its organizations'
+versions:
+  feature: revoke-enterprise-tokens
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+shortTitle: Revoke authorizations or tokens
+---
+
+When your enterprise is affected by a major security incident, you can respond by preventing programmatic access to your enterprise or its organizations.
+
+In the  "Authentication security" section of your enterprise settings, you can review counts for user tokens and keys that are authorized for single sign-on (SSO). Then, if needed, you can use one of the following bulk actions in the "Danger zone":
+
+* **Revoke SSO authorizations** to remove access to SSO-protected organization resources for user credentials in your enterprise.
+* **Delete keys and tokens** to remove user tokens and SSH keys in your enterprise, even if they don't have an SSO authorization ({% data variables.product.prodname_emus %} only).
+
+>[!WARNING] These are high-impact actions that should be reserved for major security incidents. They are likely to break automations, and it could take months of work to restore your original state. For alternative options for responding to individual compromised tokens on a smaller scale, see the [Resources for smaller-scale responses](#resources-for-smaller-scale-responses) section.
+
+## Accessing the authentication security page
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+1. In the left sidebar, click **Authentication security**.
+
+## Reviewing credentials
+
+In the "Credentials" section, you can view how many credentials of each type have **at least one SSO authorization** for an organization in your enterprise. For more information, see [AUTOTITLE](/authentication/authenticating-with-single-sign-on/about-authentication-with-single-sign-on).
+
+The counts include:
+
+* {% data variables.product.pat_v2_caps_plural %}
+* {% data variables.product.pat_v1_caps_plural %}
+* User SSH keys
+* {% data variables.product.prodname_github_app %} and {% data variables.product.prodname_oauth_app %} user access tokens
+
+An exact count is displayed if there are 10,000 or fewer of a token type. Above that figure, the description `10k+ tokens` is displayed.
+
+## Taking bulk action (danger zone)
+
+Use the **Danger zone** bulk action buttons to respond to a security incident as needed. The following sections describe each action, which SSO authorizations or credentials are impacted, and related audit log events.
+
+>[!NOTE] If your enterprise does **not** use {% data variables.product.prodname_emus %} and has **not** enabled SAML SSO, neither of these actions is available. As an alternative, if you need users to replace {% data variables.product.pat_generic_plural %} as part of your incident response, you can configure an enterprise policy to expire all {% data variables.product.pat_generic_plural %}. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise).
+
+### Revoke SSO authorizations
+
+This action is available for {% data variables.product.prodname_emus %} or enterprises that use SAML SSO.
+
+Revoking authorizations removes SSO authorizations for user tokens and SSH keys across all organizations in your enterprise.
+
+* Credentials that have had SSO authorizations revoked **cannot be re-authorized** for the affected organizations. To restore access, users must create new credentials and authorize them.
+* The credentials themselves are not deleted, and their permissions for the user and enterprise scopes, and for non-SSO-protected organizations, **remain active**.
+* Credentials that have not been authorized for SSO are **not affected**.
+
+Authorization for **{% data variables.product.pat_v2_plural %}** works differently, so this action has a different effect on this token type. For fine-grained PATs where an organization is the "resource owner," the resource owner is removed, removing access to organization resources. Users can change the resource owner back to the organization account, which may require approval (see [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-personal-access-tokens-in-your-enterprise#enforcing-an-approval-policy-for-fine-grained-personal-access-tokens)).
+
+### Delete keys and tokens
+
+This action is available for {% data variables.product.prodname_emus %} only.
+
+Deleting keys and tokens removes credentials that have access to your enterprise, regardless of whether they are authorized for SSO. The credentials stop working and are no longer visible in the UI.
+
+To restore programmatic access, users must create new credentials, authorize them with organizations if required, and update affected processes to use the new credentials.
+
+### Included credentials
+
+Both actions include the following credential types:
+
+* User SSH keys
+* {% data variables.product.prodname_oauth_apps %} user access tokens (`ghu_`)
+* {% data variables.product.prodname_github_app %} user access tokens
+* {% data variables.product.pat_v1_caps_plural %}
+* {% data variables.product.pat_v2_caps_plural %}
+
+Note that the "revoke authorizations" action works differently for {% data variables.product.pat_v2_plural %}, as explained above.
+
+The following credential types are **not** affected:
+
+* {% data variables.product.prodname_github_app %} installation tokens (`ghs_`)
+* {% data variables.product.pat_v2_caps_plural %}
+* Deploy keys
+* {% data variables.product.prodname_actions %} `GITHUB_TOKEN` access
+
+### Audit and security log events
+
+The "revoke authorizations" action generates the following events:
+
+* `org_credential_authorization.deauthorize`
+* `org_credential_authorization.revoke`
+* `personal_access_token.access_revoked`
+
+The "delete tokens" action also generates those events, and additionally generates the following events:
+
+* `oauth_access.destroy`
+* `personal_access_token.destroy`
+
+## Resources for smaller-scale responses
+
+The following articles describe alternative actions for managing incidents that are smaller in scope, where you can identify specific compromised tokens or user accounts.
+
+* [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)
+* [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/remediating-a-leaked-secret)
+* [AUTOTITLE](/rest/credentials/revoke) in the REST API documentation
@@ -129,6 +129,9 @@ From {% data variables.product.prodname_dotcom %}:
 
 #### Setting up streaming to S3 with OpenID Connect
 
+> [!NOTE]
+> Audit log streaming to S3 with OpenID Connect for {% data variables.enterprise.data_residency %} is currently unavailable. See [AUTOTITLE](/admin/data-residency/feature-overview-for-github-enterprise-cloud-with-data-residency#currently-unavailable-features).
+
 From AWS:
 
 1. Add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM. See [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) in the AWS documentation.