github · docs-bot · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
diff --git a/content/actions/reference/security/oidc.md b/content/actions/reference/security/oidc.md
@@ -49,6 +49,9 @@ The OIDC token includes the following claims.
 | `actor`| The personal account that initiated the workflow run.                   |
 | `actor_id`| The ID of personal account that initiated the workflow run.             |
 | `base_ref`| The target branch of the pull request in a workflow run.                   |
+| {% ifversion actions-OIDC-check-run-id-claim %} |
+| `check_run_id`| The check run ID of the current job. |
+| {% endif %} |
 | {% ifversion actions-OIDC-custom-claim-enterprise %} |
 | `enterprise`| The name of the enterprise that contains the repository from where the workflow is running.                  |
 | {% endif %} |

diff --git a/...a-residency/feature-overview-for-github-enterprise-cloud-with-data-residency.md b/...a-residency/feature-overview-for-github-enterprise-cloud-with-data-residency.md
@@ -20,7 +20,6 @@ The following features are currently unavailable on {% data variables.enterprise
 
 | Feature | Details | More information |
 | :- | :- | :- |
-| Restricting {% data variables.product.prodname_actions %} policies to verified creators | Currently unavailable | [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allow-enterprise-and-select-non-enterprise-actions-and-reusable-workflows) |
 | {% data variables.product.prodname_copilot_short %} Metrics API | Currently unavailable | [AUTOTITLE](/rest/copilot/copilot-metrics) |
 | {% data variables.product.prodname_github_codespaces %} | Currently unavailable. | [AUTOTITLE](/codespaces/quickstart) |
 | {% data variables.product.prodname_importer %} (the "Import repository" button on {% data variables.product.prodname_dotcom_the_website %}) | Instead, the **{% data variables.product.prodname_importer_proper_name %}** is available to migrate data. See [AUTOTITLE](/migrations/using-github-enterprise-importer/understanding-github-enterprise-importer/about-github-enterprise-importer). | [AUTOTITLE](/migrations/importing-source-code/using-github-importer/about-github-importer) |

diff --git a/...ion/authenticating-with-single-sign-on/authorizing-an-app-for-single-sign-on.md b/...ion/authenticating-with-single-sign-on/authorizing-an-app-for-single-sign-on.md
@@ -0,0 +1,35 @@
+---
+title: Authorizing an app for single sign-on
+intro: 'To use an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} with an organization that uses single sign-on (SSO), you must first set up your SSO sessions and then authorize the application.'
+versions:
+  ghec: '*'
+topics:
+  - SSO
+shortTitle: Apps and SSO
+---
+
+## About authorizing apps with SSO
+
+If your organization or enterprise uses single sign-on (SSO) and you want to access the organization or enterprise's resources through an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %}, you must set up an active SSO session and then authorize the app.
+
+If you do not have an SSO session with an organization's identity provider when you go through the app authentication flow, you will not be able to request or install the application for that organization.
+
+When you sign in to an application (also known as authorizing it), the token that the app receives can be used against any of the organizations where the app is allowed (via installation or approval) _and_ you meet the SSO provider requirements.
+
+If you want to sign in to an application but do not want the resulting token to have access to a specific SSO-protected organization, you must first sign out of your SSO session with the organization.
+
+## Authorizing an app for  SSO
+
+Apps are automatically authorized for all of the organizations you have an SSO session for at the time of sign in, as long as the app itself is allowed in that organization. 
+
+If you sign into an app but it is unable to access an organization you belong to, first check that the app is approved or installed for the organization. If it is, you then need to sign into that organization's SSO providers using the following steps: 
+
+1. Go to your [organization settings](https://github.com/settings/organizations).
+1. Under "Single sign-on", find the organization you need to authenticate to, and click **Sign in**.
+   If your enterprise manages SSO for your organization, signing in to one organization in the enterprise works as an SSO session for all organizations in the enterprise.
+
+1. Try to sign into the the app again. When you are authorizing the app you will see the organizations you've signed into and be able to request or install the app for those organizations. 
+
+For more information, see [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-from-a-third-party), [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-from-github-marketplace-for-your-organizations), and [AUTOTITLE](/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner).
+
+For more information about authorizing apps with SSO, see [AUTOTITLE](/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps) or [AUTOTITLE](/apps/using-github-apps/saml-and-github-apps).
diff --git a/content/authentication/authenticating-with-single-sign-on/index.md b/content/authentication/authenticating-with-single-sign-on/index.md
@@ -15,6 +15,7 @@ children:
   - /about-authentication-with-single-sign-on
   - /authorizing-an-ssh-key-for-use-with-single-sign-on
   - /authorizing-a-personal-access-token-for-use-with-single-sign-on
+  - /authorizing-an-app-for-single-sign-on
   - /viewing-and-managing-your-active-sso-sessions
 shortTitle: Authenticate with SSO
 ---
diff --git a/...ode-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/...ode-security/dependabot/working-with-dependabot/dependabot-options-reference.md
@@ -381,11 +381,13 @@ Specify your own labels for all pull requests raised for a package manager.  For
 
 * All pull requests have a `dependencies` label.
 * If you define more than one package manager, an additional label for the ecosystem or language is added to each pull request. For example: `java` for Gradle updates and `submodules` for git submodule updates.
+* If semantic version (SemVer) labels are present in the repository, they will be applied automatically to indicate the type of version update (`major`, `minor`, or `patch`).
 * {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository.
 
 When `labels` is defined:
 
 * The labels specified are used instead of the default labels.
+* SemVer labels (if present in the repository) will still be applied in addition to any custom labels defined.
 * If any of these labels is not defined in the repository, it is ignored.
 * You can disable all labels, including the default labels, using `labels: [ ]`.
 

diff --git a/data/features/actions-OIDC-check-run-id-claim.yml b/data/features/actions-OIDC-check-run-id-claim.yml
@@ -0,0 +1,3 @@
+versions:
+  ghec: '*'
+  fpt: '*'
diff --git a/data/reusables/dependabot/default-labels.md b/data/reusables/dependabot/default-labels.md
@@ -3,3 +3,5 @@ By default, {% data variables.product.prodname_dependabot %} raises pull request
 {% data variables.product.prodname_dependabot %} also applies an ecosystem label, such as `java`, `npm`, or `github-actions`, to pull requests. {% data variables.product.prodname_dependabot %} adds both the `dependencies` label and the ecosystem label to all pull requests, including single-ecosystem updates, to improve filtering and triaging.
 
 {% data variables.product.prodname_dependabot %} creates the default labels it applies to pull requests if they do not already exist in the repository. If you want to use custom labels instead of the defaults, you can set the `labels` option in your `dependabot.yml` file per package ecosystem; this overrides the defaults. For more information, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels) and [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--).
+
+If semantic version (SemVer) labels are present in the repository, {% data variables.product.prodname_dependabot %} will also automatically apply them to indicate the type of version update (`major`, `minor`, or `patch`). These labels are applied in addition to any custom labels you define.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,5 @@ By default, {% data variables.product.prodname_dependabot %} raises pull request
		{% data variables.product.prodname_dependabot %} also applies an ecosystem label, such as `java`, `npm`, or `github-actions`, to pull requests. {% data variables.product.prodname_dependabot %} adds both the `dependencies` label and the ecosystem label to all pull requests, including single-ecosystem updates, to improve filtering and triaging.

		{% data variables.product.prodname_dependabot %} creates the default labels it applies to pull requests if they do not already exist in the repository. If you want to use custom labels instead of the defaults, you can set the `labels` option in your `dependabot.yml` file per package ecosystem; this overrides the defaults. For more information, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels) and [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--).

		If semantic version (SemVer) labels are present in the repository, {% data variables.product.prodname_dependabot %} will also automatically apply them to indicate the type of version update (`major`, `minor`, or `patch`). These labels are applied in addition to any custom labels you define.