Merged
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,57 @@ For example, the following command sets the `GIT_SSH_COMMAND` environment variab
GIT_SSH_COMMAND='ssh -i PATH/TO/KEY/FILE -o IdentitiesOnly=yes' git clone git@github.com:OWNER/REPOSITORY
```

## Contributing to multiple accounts using SSH and multiple keys

If you are a member of an {% data variables.enterprise.prodname_emu_enterprise %}, but also want to collaborate outside your enterprise using a personal account, you can use different SSH keys for each account. For more information about using SSH, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh).
> [!WARNING]
> You cannot use the same SSH key to contribute to both repositories inside your {% data variables.enterprise.prodname_emu_org %} and outside the enterprise.

1. Generate a different SSH key for the repositories in your {% data variables.enterprise.prodname_emu_org %}. See [AUTOTITLE](/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key). When you save the key, give it a different filename from your existing key (for instance, add -emu to the suggested name of the file).

1. Add the new ssh key to your {% data variables.enterprise.prodname_managed_user %}. See [AUTOTITLE](/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account)

1. Configure your SSH Config File `~/.ssh/config` to use the different keys. For example, if your personal SSH key is `~/.ssh/id_ed25519` and your {% data variables.enterprise.prodname_emu_enterprise %} SSH key is `~/.ssh/id_ed25519-emu`

```text copy
Host github.com
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes

Host github-emu.com
Hostname github.com
IdentityFile ~/.ssh/id_ed25519-emu
IdentitiesOnly yes
```

> [!NOTE]
> The `IdentitiesOnly` line ensures that if the ssh-agent has loaded multiple keys, ssh uses the correct key when connecting.

1. Test your SSH configuration by running the following command to connect using the SSH key associated with your personal account - see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection) for further details

```shell copy
ssh -T git@github.com
```

Test to see if you can connect to ({% data variables.product.github %}) using your {% data variables.enterprise.prodname_emu_enterprise %} SSH key

```shell copy
ssh -T git@github-emu.com
```

1. Tell `git` to use the correct key when downloading or uploading a repository in an {% data variables.enterprise.prodname_emu_org %}.
To list the organizations in your {% data variables.enterprise.prodname_emu_enterprise %},
{% data reusables.profile.access_org %}
1. For each organization listed tell `git` to use the `github-emu.com` host.

For example, if one of your organizations is called `octocat-emu` then to tell `git` to use the host `github-emu.com` for repositories in the `octocat-emu` organization, run the following command

```shell copy
git config --global url."git@github-emu.com:octocat-emu/".insteadOf "git@github.com:octocat-emu/"
```

Now, when you clone a repository using SSH, in the `octocat-emu` organization, `git` will use the SSH key associated with your {% data variables.enterprise.prodname_emu_enterprise %} instead of your personal key.

## Next steps

For reference information, see [AUTOTITLE](/account-and-profile/reference/personal-account-reference).
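Review bot: The alias `Host github-emu.com` in the `~/.ssh/config` example is shaped like a real registrable domain, and the later `git config --global url."git@github-emu.com:octocat-emu/".insteadOf` rewrite is global. On any machine or account where that `Host` stanza is missing, ssh would look `github-emu.com` up in DNS instead of mapping it to `Hostname github.com`, so the connection would go to whatever host that name resolves to. Suggest an alias that cannot resolve, such as `Host github-emu`, and using it in the `ssh -T` and `insteadOf` lines as well. Smaller points: the steps beginning "Add the new ssh key", "Configure your SSH Config File" and "Test your SSH configuration" lack closing punctuation (the config step should end with a colon before the block), "ssh key" should be "SSH key", and the parentheses around `{% data variables.product.github %}` in the second test sentence look unintended. The `insteadOf` example only rewrites the `git@github.com:` form, so it is worth stating that `ssh://` and HTTPS remotes are not affected.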
Original file line number Diff line number Diff line change
Expand Up @@ -38,10 +38,10 @@ These metrics appear directly in the {% data variables.product.prodname_copilot_
| Language usage per day | Daily breakdown of languages used. |
| Model usage | Distribution of AI models used for chat. |
| Model usage per day | Daily breakdown of chat model usage. |
| Model usage per chat mode | Model usage by {% data variables.product.prodname_copilot_short %} feature (ask, edit, agent). |
| Model usage per chat mode | Model usage by {% data variables.product.prodname_copilot_short %} feature (ask, edit, plan, agent). |
| Model usage per language | Distribution of languages broken down by model. |
| Most used chat model | The most frequently used chat model in the last 28 days. |
| Requests per chat mode | Number of chat requests by mode (ask, edit, agent). |
| Requests per chat mode | Number of chat requests by mode (ask, edit, plan, agent). |

## Code generation dashboard metrics

Expand Down Expand Up @@ -72,7 +72,7 @@ These fields appear in the exported NDJSON reports and in the {% data variables.
| `enterprise_id` | Unique ID of the enterprise. |
| `organization_id` (API only) | Unique ID of the organization. |
| `user_id` / `user_login` | Unique identifier and {% data variables.product.github %} username for the user. |
| `user_initiated_interaction_count` | Number of explicit prompts sent to {% data variables.product.prodname_copilot_short %}.<br><br> Only counts messages or prompts actively sent to the model. Does **not** include opening the chat panel, switching modes (for example, ask, edit, or agent), using keyboard shortcuts to open the inline UI, or making configuration changes. |
| `user_initiated_interaction_count` | Number of explicit prompts sent to {% data variables.product.prodname_copilot_short %}.<br><br> Only counts messages or prompts actively sent to the model. Does **not** include opening the chat panel, switching modes (for example, ask, edit, plan, or agent), using keyboard shortcuts to open the inline UI, or making configuration changes. |
| `chat_panel_agent_mode` | Captures user-initiated interactions in the chat panel with agent mode selected. |
| `chat_panel_ask_mode` | Captures user-initiated interactions in the chat panel with ask mode selected. |
| `chat_panel_custom_mode` | Captures user-initiated interactions in the chat panel with a custom agent selected. |
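Review bot: In the `user_initiated_interaction_count` row, "plan" is now listed among the modes, but the `chat_panel_*_mode` rows visible below it (`chat_panel_agent_mode`, `chat_panel_ask_mode`, `chat_panel_custom_mode`) get no plan counterpart in this hunk. If plan-mode interactions are exported under their own field, add that row; if they are folded into another field, say which one so that report consumers can reconcile per-mode counts with the "Requests per chat mode" chart. Also, modes are lowercase in this file (ask, edit, plan, agent) and capitalized in the other files touched here (Ask, Edit, Plan, Agent); pick one form.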
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ The "Requests per chat mode" and "Agent adoption" charts show how developers are

| Signal | What it tells you | What to look for |
|:--|:--|:--|
| Requests per chat mode | Breakdown of chat interactions by mode—Ask, Edit, or Agent. | A balanced distribution suggests users are exploring multiple capabilities. Heavy use of one mode can highlight where enablement should focus. |
| Requests per chat mode | Breakdown of chat interactions by mode—Ask, Edit, Plan, or Agent. | A balanced distribution suggests users are exploring multiple capabilities. Heavy use of one mode can highlight where enablement should focus. |
| Agent adoption | Percentage of active users who used {% data variables.copilot.copilot_agent_short %}. | Growth over time shows that developers are progressing from basic completions to more advanced {% data variables.product.prodname_copilot_short %} features. |

## Reviewing model adoption
Expand All @@ -44,7 +44,7 @@ The "Model usage per day" and "Model usage per chat mode" charts help you unders
| Chart | Description | Insights to derive |
|:--|:--|:--|
| Model usage per day | Shows which AI models power {% data variables.copilot.copilot_chat_short %} activity. | Identify whether users are primarily engaging with default models or experimenting with newer ones. |
| Model usage per chat mode | Breaks down model usage by chat mode (Ask, Edit, Agent). | Monitor how model adoption evolves as new models are released. |
| Model usage per chat mode | Breaks down model usage by chat mode (Ask, Edit, Plan, Agent). | Monitor how model adoption evolves as new models are released. |

> [!NOTE]
> Model usage charts currently represent chat activity only. Completions data is not included in model breakdowns.
Original file line number Diff line number Diff line change
Expand Up @@ -42,17 +42,17 @@ LoC metrics require specific minimum versions of IDEs and {% data variables.prod
| IDE | Feature | Minimum IDE version | Minimum {% data variables.copilot.copilot_chat_short %} extension version |
|:--|:--|:--|:--|
| Eclipse | <ul><li>`code_completion`</li></ul> | 4.31 | 0.9.3.202507240902 |
| | <ul><li>`chat_panel` (Ask, Edit, Agent)</li></ul> | 4.31 | 0.11.0.202508291001 |
| | <ul><li>`chat_panel` (Ask, Edit, Plan, Agent)</li></ul> | 4.31 | 0.11.0.202508291001 |
| | <ul><li>`agent_edit`</li></ul> | 4.31 | 0.10.0.202508110512 |
| IntelliJ/JetBrains | <ul><li>`code_completion`</li><li>`chat_panel` (Ask, Edit, Agent)</li><li>`chat_inline`</li><li>`agent_edit`</li></ul> | 2024.2.6 | 1.5.52-241 |
| {% data variables.product.prodname_vs %} | <ul><li>`code_completion`</li><li>`chat_panel` (Ask, Edit, Agent)</li></ul> | 17.14.13 | 18.0.471.29466 |
| IntelliJ/JetBrains | <ul><li>`code_completion`</li><li>`chat_panel` (Ask, Edit, Plan, Agent)</li><li>`chat_inline`</li><li>`agent_edit`</li></ul> | 2024.2.6 | 1.5.52-241 |
| {% data variables.product.prodname_vs %} | <ul><li>`code_completion`</li><li>`chat_panel` (Ask, Edit, Plan, Agent)</li></ul> | 17.14.13 | 18.0.471.29466 |
| | <ul><li>`chat_inline`</li><li>`agent_edit`</li></ul> | 17.14.14 | 18.0.471.29466 |
| {% data variables.product.prodname_vscode_shortname %} | <ul><li>`code_completion`</li></ul> | 1.104.0 | 0.31.0 |
| | <ul><li>`chat_panel` (Ask, Edit, Agent)</li></ul> | 1.102.0 | 0.29.0 |
| | <ul><li>`chat_panel` (Ask, Edit, Plan, Agent)</li></ul> | 1.102.0 | 0.29.0 |
| | <ul><li>`chat_inline`</li></ul> | 1.103.2 | 0.30.3 |
| | <ul><li>`agent_edit`</li></ul> | 1.103.0 | 0.30.0 |
| XCode | <ul><li>`code_completion`</li></ul> | 14.3.1 | 0.40.0 |
| | <ul><li>`chat_panel` (Ask, Edit, Agent)</li></ul> | 15.0 | 0.43.0 |
| | <ul><li>`chat_panel` (Ask, Edit, Plan, Agent)</li></ul> | 15.0 | 0.43.0 |
| | <ul><li>`agent_edit`</li></ul> | 15.2 | 0.41.0 |

## How agent mode affects LoC metrics
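Review bot: Every `chat_panel` row gains "Plan" while its minimum IDE and extension versions stay as they were (for example 4.31 / 0.11.0.202508291001 in the Eclipse row and 15.0 / 0.43.0 in the XCode row). Please confirm that plan mode exists and reports LoC at those minimums in each IDE; if it arrived later in any of them, it needs its own row with its own versions, as `chat_inline` and `agent_edit` already have.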
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ Once licenses are active, focus on the metrics that indicate healthy early adopt
| Signal | Where to find it in the dashboard | What to look for |
|:--|:--|:--|
| Consistent DAU growth | “IDE daily active users” graph | Steady increase in daily users over the first month. |
| Feature variety | “Requests per chat mode” graph | Developers trying multiple chat modes (Ask, Edit, Agent) suggests curiosity and engagement. |
| Feature variety | “Requests per chat mode” graph | Developers trying multiple chat modes (Ask, Edit, Plan, Agent) suggests curiosity and engagement. |
| Initial agent usage | “Agent adoption” card | Even small agent adoption (5–10%) early on is a positive signal of experimentation. |

Healthy early adoption usually looks like 60–80% of assigned users showing activity within the first month.
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,61 @@ If you're using a nuspec file, ensure that it has a `repository` element with th

If you're using a `GITHUB_TOKEN` to authenticate to a {% data variables.product.prodname_registry %} registry within a {% data variables.product.prodname_actions %} workflow, the token cannot access private repository-based packages in a different repository other than where the workflow is running in. To access packages associated with other repositories, instead generate a {% data variables.product.pat_v1 %} with the `read:packages` scope and pass this token in as a secret.

### Intermittent 403 errors when restoring public packages

If you're using {% data variables.product.prodname_registry %} alongside _nuget.org_ and experiencing intermittent 403 Forbidden errors when restoring standard public packages (like `Microsoft.Extensions.*`), this may occur because NuGet queries all configured package sources for every package. If {% data variables.product.prodname_registry %} authentication fails temporarily, it can block the entire restore—even for packages that don't exist on {% data variables.product.prodname_registry %}.

To avoid this, use [NuGet Package Source Mapping](https://learn.microsoft.com/nuget/consume-packages/package-source-mapping) to route packages to specific sources.

Replace:
* `NAMESPACE` with the name of the personal account or organization that owns your {% data variables.product.prodname_registry %} NuGet feed.
* `PACKAGE-ID-PREFIX` with the NuGet package ID prefix that you use for packages hosted on {% data variables.product.prodname_registry %}. If you use multiple prefixes, add additional `<package>` entries for each prefix.{% ifversion ghes %}
* `HOSTNAME` with the host name for {% data variables.location.product_location %}.{% endif %}

{% ifversion ghes %}If your instance has subdomain isolation enabled:
{% endif %}

```xml
<configuration>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
<add key="github" value="https://{% ifversion fpt or ghec %}nuget.pkg.github.com{% else %}nuget.HOSTNAME{% endif %}/NAMESPACE/index.json" />
</packageSources>
<packageSourceMapping>
<packageSource key="nuget.org">
<package pattern="*" />
</packageSource>
<packageSource key="github">
<package pattern="PACKAGE-ID-PREFIX.*" />
</packageSource>
</packageSourceMapping>
</configuration>
```

{% ifversion ghes %}
If your instance has subdomain isolation disabled:

```xml
<configuration>
<packageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
<add key="github" value="https://HOSTNAME/_registry/nuget/NAMESPACE/index.json" />
</packageSources>
<packageSourceMapping>
<packageSource key="nuget.org">
<package pattern="*" />
</packageSource>
<packageSource key="github">
<package pattern="PACKAGE-ID-PREFIX.*" />
</packageSource>
</packageSourceMapping>
</configuration>
```

{% endif %}

NuGet uses the [most specific matching pattern](https://learn.microsoft.com/nuget/consume-packages/package-source-mapping#package-pattern-precedence), so packages matching `PACKAGE-ID-PREFIX.*` are fetched only from {% data variables.product.prodname_registry %}, while all other packages are fetched from _nuget.org_. This also helps prevent dependency confusion attacks by ensuring your private packages can only come from your {% data variables.product.prodname_registry %} feed.

## Further reading

* [AUTOTITLE](/packages/learn-github-packages/deleting-and-restoring-a-package)
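Review bot: The closing sentence says the mapping ensures private packages "can only come from" the {% data variables.product.prodname_registry %} feed, but with `<package pattern="*" />` under `nuget.org` that holds only for IDs matched by `PACKAGE-ID-PREFIX.*`. A private package whose ID falls outside the prefix is mapped to _nuget.org_ alone, which is the dependency confusion case the sentence says is prevented. Suggest qualifying the claim and telling readers to add a `<package>` entry for every private ID or prefix they publish. Also, the section never names the file the XML belongs in, and "Replace:" appears before the reader has seen the placeholders; introducing the block as a `nuget.config` example first would fix both.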
2 changes: 0 additions & 2 deletions data/release-notes/enterprise-server/3-14/20.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,6 @@ sections:
**HIGH:** An attacker could execute code within a victim's browser, potentially accessing sensitive information, by causing malicious HTML to be injected into the DOM when content is rendered by the Filter component found across GitHub. GitHub has requested CVE ID [CVE-2025-13744](https://www.cve.org/cverecord?id=CVE-2025-13744) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). [Updated: 2026-01-06]
- |
**HIGH:** A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability has been assigned [CVE-2025-11578](https://nvd.nist.gov/vuln/detail/CVE-2025-11578) and was reported through the GitHub Bug Bounty program.
- |
Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. To mitigate this issue, a Server-Side Request Forgery (SSRF) vulnerability has been fixed by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
- |
Packages have been updated to the latest security versions.
bugs:
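Review bot: Removing the aqueduct-lite SSRF entry from the 3.14.20 notes leaves no trace that it was ever listed there, while the XSS entry above it in the same file carries an "[Updated: 2026-01-06]" marker. Please confirm which patch release actually contains the fix. If the loopback blocking shipped in 3.14.20, administrators on that release who read the 3.14.22 notes will conclude they are still exposed; if it did not, a dated errata line would tell readers that the earlier note was withdrawn.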
3 changes: 3 additions & 0 deletions data/release-notes/enterprise-server/3-14/22.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
date: '2026-01-06'
sections:
security_fixes:
- |
**HIGH:** An authenticated attacker with permission to configure webhooks could perform SSRF to access internal-only services on the instance, potentially disrupting background job processing. Exploitation required webhook configuration privileges and the ability to craft valid service requests. GitHub has requested CVE ID [CVE-2026-1999](https://www.cve.org/cverecord?id=CVE-2026-1999) for this vulnerability, which was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
bugs:
- |
On instances with GitHub Actions enabled, when administrators deleted a self-hosted runner from the service, the runner process continued running on the host and did not exit automatically.
2 changes: 0 additions & 2 deletions data/release-notes/enterprise-server/3-15/15.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,6 @@ sections:
**HIGH:** An attacker could execute code within a victim's browser, potentially accessing sensitive information, by causing malicious HTML to be injected into the DOM when content is rendered by the Filter component found across GitHub. GitHub has requested CVE ID [CVE-2025-13744](https://www.cve.org/cverecord?id=CVE-2025-13744) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). [Updated: 2026-01-06]
- |
**HIGH:** A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability has been assigned [CVE-2025-11578](https://nvd.nist.gov/vuln/detail/CVE-2025-11578) and was reported through the GitHub Bug Bounty program.
- |
Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. To mitigate this issue, this fixes a Server-Side Request Forgery (SSRF) vulnerability by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
- |
Packages have been updated to the latest security versions.
bugs:
3 changes: 3 additions & 0 deletions data/release-notes/enterprise-server/3-15/17.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
date: '2026-01-06'
sections:
security_fixes:
- |
**HIGH:** An authenticated attacker with permission to configure webhooks could perform SSRF to access internal-only services on the instance, potentially disrupting background job processing. Exploitation required webhook configuration privileges and the ability to craft valid service requests. GitHub has requested CVE ID [CVE-2026-2304](https://www.cve.org/cverecord?id=CVE-2026-2304) for this vulnerability, which was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
bugs:
- |
On instances with GitHub Actions enabled, when administrators deleted a self-hosted runner from the service, the runner process continued running on the host and did not exit automatically.
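Review bot: The new `security_fixes` entry is word for word the one added to 3-14/22.yml, yet it cites CVE-2026-2304 where that file cites CVE-2026-1999. One vulnerability fixed on two release lines should carry one CVE ID, so one of the two IDs, in both the link text and the `cverecord?id=` URL, looks wrong; please check against the CVE request and align them. The entry also drops the mitigation detail that the entry removed from 3-15/15.yml had (blocking connections to loopback addresses after resolving the webhook delivery domain); keeping a sentence on what changed helps administrators verify the fix.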
2 changes: 0 additions & 2 deletions data/release-notes/enterprise-server/3-16/10.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,6 @@ sections:
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. This fix addresses this Server-Side Request Forgery (SSRF) vulnerability by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
- |
Packages have been updated to the latest security versions.
bugs:
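Review bot: This file loses the aqueduct-lite SSRF entry in the same way as 3-14/20.yml and 3-15/15.yml, but the diff as shown adds no replacement entry to a later 3.16 release note. If the reworded HIGH entry applies to 3.16 as well, add it to the matching release file so the fix stays documented for that release line.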