diff --git a/content/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/activity-dashboard.md b/content/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/activity-dashboard.md
index 74df51611672..fc82f267fde1 100644
--- a/content/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/activity-dashboard.md
+++ b/content/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/activity-dashboard.md
@@ -9,7 +9,7 @@ redirect_from:
- /admin/user-management/monitoring-activity-in-your-enterprise/activity-dashboard
- /admin/monitoring-activity-in-your-enterprise/exploring-user-activity/activity-dashboard
versions:
- ghes: '*'
+ ghes: '<3.16'
---
The Activity dashboard provides weekly, monthly, and yearly graphs of the number of:
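Review bot: the new range `ghes: '<3.16'` in the `versions` front matter drops this page for GHES 3.16 and later, while the two `redirect_from` paths above it are left unchanged and nothing in the hunk says where readers on those versions should land. Check that no article still versioned for GHES 3.16 or later links to the Activity dashboard page, and state in the commit description why the page stops at 3.16.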
diff --git a/content/code-security/concepts/code-scanning/codeql/about-codeql-code-scanning-for-compiled-languages.md b/content/code-security/concepts/code-scanning/codeql/about-codeql-code-scanning-for-compiled-languages.md
new file mode 100644
index 000000000000..8e9cf224ede6
--- /dev/null
+++ b/content/code-security/concepts/code-scanning/codeql/about-codeql-code-scanning-for-compiled-languages.md
@@ -0,0 +1,55 @@
+---
+title: 'About CodeQL code scanning for compiled languages'
+shortTitle: CodeQL for compiled languages
+intro: Understand how {% data variables.product.prodname_codeql %} analyzes compiled languages, the build options available, and learn how you can customize the database generation process if you need to.
+permissions: '{% data reusables.permissions.code-scanning-all-alerts %} if [advanced setup](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning) is already enabled'
+product: '{% data reusables.gated-features.code-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Code Security
+ - Code scanning
+ - CodeQL
+ - C/C++
+ - C#
+ - Java
+ - Kotlin
+contentType: concepts
+---
+
+## About the {% data variables.code-scanning.codeql_workflow %} and compiled languages
+
+{% data variables.product.prodname_code_scanning_caps %} works by running queries against one or more {% data variables.product.prodname_codeql %} databases. Each database contains a representation of the code in a single language in your repository. For the compiled languages {% data variables.code-scanning.compiled_languages %}, the process of populating this database often involves building the code and extracting data.
+
+When you enable {% data variables.product.prodname_code_scanning %}, both default and advanced setup generate a {% data variables.product.prodname_codeql %} database for analysis using the simplest method available. For {% data variables.code-scanning.no_build_support %}, the {% data variables.product.prodname_codeql %} database is generated directly from the codebase without requiring a build (`none` build mode). For other compiled languages, {% data variables.product.prodname_codeql %} builds the codebase using the `autobuild` build mode. Alternatively, you can use the `manual` build mode to specify explicit build commands to analyze only the files that are built by these custom commands.
+
+{% ifversion codeql-dependency-caching %}
+
+You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. See [About dependency caching for {% data variables.product.prodname_codeql %}](#about-dependency-caching-for-codeql) later in this article.
+
+{% endif %}
+
+## {% data variables.product.prodname_codeql %} build modes
+
+The {% data variables.product.prodname_codeql %} action supports three different build modes for compiled languages:
+
+* `none` - the {% data variables.product.prodname_codeql %} database is created directly from the codebase without building the codebase (supported for all interpreted languages, and additionally supported for {% data variables.code-scanning.no_build_support %}).
+* `autobuild` - {% data variables.product.prodname_codeql %} detects the most likely build method and uses this to attempt to build the codebase and create a database for analysis (supported for {% data variables.code-scanning.autobuild_support %}).
+* `manual` - you define the build steps to use for the codebase in the workflow (supported for {% data variables.code-scanning.manual_build_support %}).
+
+For language-specific `autobuild` behavior, runner requirements, and guidance for manual builds, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages).
+
+{% ifversion codeql-dependency-caching %}
+
+## About dependency caching for {% data variables.product.prodname_codeql %}
+
+You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. This reduces the risk of losing alerts when third party registries don't work well, and may result in a performance improvement for projects that have a large number of dependencies or work with slow registries. To read more about how caching dependencies can speed up workflows, see [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows).
+
+Dependency caching works with all build modes, and is supported by {% data variables.code-scanning.codeql_dependency_caching_languages %}.
+
+>[!NOTE]
+> Using dependency caching will store {% data variables.product.prodname_codeql %}-specific caches that will be subject to cache quotas for a repository. See [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy).
+
+{% endif %}
\ No newline at end of file
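Review bot: the dependency caching sentence appears twice in this new file. The paragraph inside the first `{% ifversion codeql-dependency-caching %}` block repeats the opening sentence of the `## About dependency caching` section word for word, in an article the hunk header gives as 55 lines long. Reduce the first occurrence to a short pointer to the section, or drop it. The file also ends without a trailing newline (`\ No newline at end of file`), which should be fixed before merge.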
diff --git a/content/code-security/concepts/code-scanning/codeql/index.md b/content/code-security/concepts/code-scanning/codeql/index.md
index f833f34d073a..75ffd2323cd2 100644
--- a/content/code-security/concepts/code-scanning/codeql/index.md
+++ b/content/code-security/concepts/code-scanning/codeql/index.md
@@ -11,6 +11,7 @@ topics:
contentType: concepts
children:
- /about-code-scanning-with-codeql
+ - /about-codeql-code-scanning-for-compiled-languages
- /codeql-query-suites
- /custom-codeql-queries
- /about-the-codeql-cli
diff --git a/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md b/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md
index 30c6ef444e52..10aa0ed1e392 100644
--- a/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md
+++ b/content/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/codeql-code-scanning-for-compiled-languages.md
@@ -33,27 +33,7 @@ contentType: how-tos
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
-## About the {% data variables.code-scanning.codeql_workflow %} and compiled languages
-
-{% data variables.product.prodname_code_scanning_caps %} works by running queries against one or more {% data variables.product.prodname_codeql %} databases. Each database contains a representation of the code in a single language in your repository. For the compiled languages {% data variables.code-scanning.compiled_languages %}, the process of populating this database often involves building the code and extracting data.
-
-When you enable {% data variables.product.prodname_code_scanning %}, both default and advanced setup generate a {% data variables.product.prodname_codeql %} database for analysis using the simplest method available. For {% data variables.code-scanning.no_build_support %}, the {% data variables.product.prodname_codeql %} database is generated directly from the codebase without requiring a build (`none` build mode). For other compiled languages, {% data variables.product.prodname_codeql %} builds the codebase using the `autobuild` build mode. Alternatively, you can use the `manual` build mode to specify explicit build commands to analyze only the files that are built by these custom commands.
-
-{% ifversion codeql-dependency-caching %}
-
-You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. For more information, see [About dependency caching for {% data variables.product.prodname_codeql %}](#about-dependency-caching-for-codeql) later in this article.
-
-{% endif %}
-
-## {% data variables.product.prodname_codeql %} build modes
-
-The {% data variables.product.prodname_codeql %} action supports three different build modes for compiled languages:
-
-* `none` - the {% data variables.product.prodname_codeql %} database is created directly from the codebase without building the codebase (supported for all interpreted languages, and additionally supported for {% data variables.code-scanning.no_build_support %}).
-* `autobuild` - {% data variables.product.prodname_codeql %} detects the most likely build method and uses this to attempt to build the codebase and create a database for analysis (supported for {% data variables.code-scanning.autobuild_support %}).
-* `manual` - you define the build steps to use for the codebase in the workflow (supported for {% data variables.code-scanning.manual_build_support %}).
-
-### Comparison of the build modes
+## Compare build modes
{% rowheaders %}
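Review bot: after this removal the how-to opens at `## Compare build modes` without saying what `none`, `autobuild` and `manual` mean, because the three definitions and both introductory paragraphs are deleted in this hunk and it adds no link to the new concepts article in their place. Add a one-line pointer above the comparison table, for example: For an overview of the build modes, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/about-codeql-code-scanning-for-compiled-languages).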
@@ -66,11 +46,13 @@ The {% data variables.product.prodname_codeql %} action supports three different
{% endrowheaders %}
-### Recommendations
+## Choose a build mode
When you are setting up {% data variables.product.prodname_code_scanning %} for the first time, or across multiple repositories, it's best to use default setup. Default setup uses the simplest method available to generate a {% data variables.product.prodname_codeql %} database and analyze your code, so that you can start fixing alerts as soon as possible. Once you have resolved the initial alerts, you may want to switch to advanced setup with a manual build process for high risk repositories.
-### Using multiple build modes in a multi-language repository
+For language-specific `autobuild` behavior, runner requirements, and build-mode details for compiled languages, see [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages).
+
+## Use multiple build modes in a multi-language repository
For repositories with multiple compiled languages, you can use different build modes for different languages. For example, if your repository contains C/C++, C# and Java, you might want to provide manual build steps for one language (here C/C++). This workflow specifies a different build mode for each language.
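Review bot: both headings in this hunk are renamed and promoted from `###` to `##` (`Recommendations` becomes `Choose a build mode`, `Using multiple build modes ...` becomes `Use multiple build modes ...`), so their generated anchors change. Search the content tree for inbound links to `#recommendations` and `#using-multiple-build-modes-in-a-multi-language-repository` and update them in the same change.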
@@ -111,16 +93,7 @@ For information about the languages, libraries, and frameworks that are supporte
{% ifversion codeql-dependency-caching %}
-## About dependency caching for {% data variables.product.prodname_codeql %}
-
-You can use dependency caching with {% data variables.product.prodname_codeql %} to store dependencies as a {% data variables.product.prodname_actions %} cache instead of downloading them from registries. This reduces the risk of losing alerts when third party registries don't work well, and may result in a performance improvement for projects that have a large number of dependencies or work with slow registries. To read more about how caching dependencies can speed up workflows, see [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows).
-
-Dependency caching works with all build modes, and is supported by {% data variables.code-scanning.codeql_dependency_caching_languages %}.
-
->[!NOTE]
-> Using dependency caching will store {% data variables.product.prodname_codeql %}-specific caches that will be subject to cache quotas for a repository. See [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy).
-
-### Enabling dependency caching for {% data variables.product.prodname_codeql %}
+## Enable dependency caching for {% data variables.product.prodname_codeql %}
For default setup workflows, dependency caching is enabled only for {% data variables.product.github %}-hosted runners in public and private repositories.
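Review bot: the cache quota `[!NOTE]` is removed from this page together with the rest of the `About dependency caching` section, so `## Enable dependency caching` now tells readers how to turn caching on without mentioning that the CodeQL-specific caches count against the repository's cache quota. Keep a one-sentence pointer under the new heading to the dependency caching section of the concepts article, or to the usage limits link the removed note carried.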
@@ -144,7 +117,7 @@ For example, the following settings would enable dependency caching for the {% d
{% endif %}
-## About build mode None for {% data variables.product.prodname_codeql %}
+## Use `none` build mode for {% data variables.product.prodname_codeql %}
For {% data variables.code-scanning.no_build_support %}, {% data variables.product.prodname_codeql %} creates a database without requiring a build when you enable default setup for {% data variables.product.prodname_code_scanning %} unless the repository also includes Kotlin code. If a repository contains Kotlin code in addition to Java code, default setup is enabled with the autobuild process because Kotlin analysis requires a build.
@@ -155,9 +128,9 @@ Creating a {% data variables.product.prodname_codeql %} database without a build
To use `autobuild` or manual build steps, you can use advanced setup.
->[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See [Building Java and Kotlin](#building-java-and-kotlin).
+>[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See [AUTOTITLE](/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages#building-java-and-kotlin).
-## About Autobuild for {% data variables.product.prodname_codeql %}
+## Use `autobuild` for {% data variables.product.prodname_codeql %}
The {% data variables.product.prodname_codeql %} action uses `autobuild` to analyze compiled languages in the following cases.
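Review bot: the rewritten link in the `[!NOTE]` now targets `#building-java-and-kotlin` in the reference article, but the visible part of this diff only shows that section being deleted from this page, not added to the reference article. Confirm that the reference article has a `Building Java and Kotlin` heading with that anchor, since this note is where readers learn that Kotlin code is left unanalyzed under `build-mode: none`.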
@@ -165,7 +138,7 @@ The {% data variables.product.prodname_codeql %} action uses `autobuild` to anal
* Advanced setup is enabled and the workflow specifies `build-mode: autobuild`.
* Advanced setup is enabled and the workflow has an Autobuild step for the language using the `autobuild` action (`{% data reusables.actions.action-codeql-action-autobuild %}`).
-### Example using the `build-mode` option
+### Use the `build-mode` option
```yaml
# Initializes the CodeQL tools for scanning.
@@ -187,7 +160,7 @@ steps:
build-mode: {% raw %}${{ matrix.build-mode }}{% endraw %}
```
-### Example using the Autobuild step
+### Use the Autobuild step
```yaml
# Initializes the CodeQL tools for scanning.
@@ -200,7 +173,7 @@ steps:
uses: {% data reusables.actions.action-codeql-action-autobuild %}
```
-## About specifying build steps manually
+## Specify build steps manually
You can only specify manual build steps if you have enabled advanced setup, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-a-repository).
@@ -228,7 +201,7 @@ Alternatively, update your workflow to comment out the "Autobuild" step.
# uses: {% data reusables.actions.action-codeql-action-autobuild %}
```
-### Specifying build commands
+### Add build commands
When manual building is enabled, uncomment the `run` step in the workflow and add build commands that are suitable for your repository. The `run` step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.
@@ -244,312 +217,4 @@ For more information about the `run` keyword, see [AUTOTITLE](/actions/using-wor
If you added manual build steps for compiled languages and {% data variables.product.prodname_code_scanning %} is still not working on your repository, contact {% data variables.contact.contact_support %}.
-## Autobuild steps for compiled languages
-
-{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}-hosted runners are always run with the software required by `autobuild`.{% endif %} If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the `autobuild` process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. {% ifversion ghes or default-setup-self-hosted-runners-GHEC %} For self-hosted runners, you should install dependencies directly in the runners themselves. We provide examples of common dependencies for C/C++, C#, and Java in each of the `autobuild` sections of this article for those languages. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).{% endif %}
-
-* [Building C/C++](#building-cc)
-* [Building C#](#building-c)
-* [Building Go](#building-go)
-* [Building Java and Kotlin](#building-java-and-kotlin)
-{% ifversion codeql-rust-available %}
-* [Building Rust](#building-rust)
-{% endif %}
-* [Building Swift](#building-swift)
-
-> [!NOTE]
-> If your workflow uses a `language` matrix, `autobuild` attempts to build each of the compiled languages listed in the matrix. Without a matrix `autobuild` attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.
-
-## Building C/C++
-
-{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-c-cpp %}`none`, {% endif %}`autobuild` or `manual` for C/C++ code.
-
-{% ifversion codeql-no-build-c-cpp %}
-
-When you enable default setup for a repository that contains C/C++ code, the build mode is set to `none` automatically.
-
-### No build for C/C++
-
-{% data variables.product.prodname_codeql %} will infer C/C++ compilation units through source file extensions. For each source file found, compilation flags and include paths are inferred by inspecting the codebase without the need for a working build command.
-
-#### Accuracy of no build analysis for C/C++
-
-Creating a {% data variables.product.prodname_codeql %} C/C++ database without a build may produce less accurate results than using `autobuild` or manual build steps in some cases; for example, if:
-
-* The code depends heavily on custom macros/defines not available in existing headers
-* The codebase has many external dependencies
-
-You can ensure a more accurate analysis by taking the following steps:
-
-* Place custom macros and defines in header files that are included in relevant source files
-* Ensure external dependencies (headers) are available in system include directories or in the workspace
-* Run the extraction on the target platform. For example, choose a Windows runner to analyze Windows projects to give access to platform specific headers and compilers
-
-{% endif %}
-
-### Autobuild summary for C/C++
-
-| Supported system type | System name |
-|----|----|
-| Operating system | Windows, macOS, and Linux |
-| Build system | Windows: MSbuild and build scripts
Linux and macOS: Autoconf, Make, CMake, qmake, Meson, Waf, SCons, Linux Kbuild, and build scripts |
-
-The behavior of the `autobuild` step varies according to the operating system that the extraction runs on.
-
-### Windows autodetection
-
-On Windows, the `autobuild` step attempts to autodetect a suitable build method for C/C++ using the following approach:
-
-1. Invoke `MSBuild.exe` on the solution (`.sln`) or project (`.vcxproj`) file closest to the root.
-If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
-1. Invoke a script that looks like a build script—_build.bat_, _build.cmd_, _and build.exe_ (in that order).
-
-### Linux and macOS autodetection
-
-On Linux and macOS, the `autobuild` step reviews the files present in the repository to determine the build system used:
-
-1. Look for a build system in the root directory.
-1. If none are found, search subdirectories for a unique directory with a build system for C/C++.
-1. Run an appropriate command to configure the system.
-
-#### Runner requirements for C/C++
-
-On Ubuntu Linux runners, `autobuild` may try to automatically install dependencies required by the detected configuration and build steps. By default, this behavior is enabled on {% data variables.product.prodname_dotcom %}-hosted runners and disabled on self-hosted runners. You can enable or disable this feature explicitly by setting `CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES` to `true` or `false` in the environment. For more information about defining environment variables, see [AUTOTITLE](/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow).
-
-For self-hosted runners, unless automatic installation of dependencies is enabled, you will likely need to install the `gcc` compiler, and specific projects may also require access to `clang` or `msvc` executables. You will also need to install the build system (for example `msbuild`, `make`, `cmake`, `bazel`) and utilities (such as `python`, `perl`, `lex`, and `yacc`) that your projects depend on.
-If you enable automatic installation of dependencies, you must ensure that the runner is using Ubuntu and that it can run `sudo apt-get` without requiring a password.
-
-Windows runners require `powershell.exe` to be on the `PATH`.
-
-## Building C#
-
-{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-csharp %}`none`, {% endif %}`autobuild` or `manual` for C# code.
-
-{% ifversion codeql-no-build-csharp %}
-
-When you enable default setup for a repository that contains C# code, the build mode is set to `none` automatically.
-
-### No build for C#
-
-{% data variables.product.prodname_codeql %} restores dependencies and generates a few additional source files, to give more accurate results, before creating a database from all the source files and dependencies.
-
-Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`. {% ifversion org-private-registry %}If a private NuGet feed is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs#diagnostic-information-for-private-package-registries).{% endif %}
-
-The following generated source files are optional, but significantly increase the correctness of the {% data variables.product.prodname_codeql %} database:
-
-* `global` generated `using` directives to handle the implicit `using` feature of MSbuild.
-* ASP.NET core view files, `.cshtml` files are converted to `.cs` files.
-
-The information from the dependency assembly names, generated source files, {% ifversion org-private-registry %}dependencies stored in private feeds, {% endif %}and the source files in the repository is compiled and used to create a {% data variables.product.prodname_codeql %} database.
-
-#### Accuracy of no build analysis for C#
-
-Creating a {% data variables.product.prodname_codeql %} database without building the full code relies on being able to restore dependencies and being able to compile together the source files in the repository. When there are problems restoring dependencies or compiling the source code, this can affect the accuracy of the {% data variables.product.prodname_codeql %} database and {% data variables.product.prodname_code_scanning %} analysis results.
-
-You can ensure a more accurate analysis by taking the following steps:
-
-* Provide access to the public internet or ensure that access to a private NuGet feed is available{% ifversion org-private-registry %}, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries){% endif %}.
-* Check whether the repository requires multiple versions of the same NuGet dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories.
-* Check whether multiple versions of .NET are referenced, for example, `net48`, `net5.0`, and `netstandard1.6`. {% data variables.product.prodname_codeql %} can use only one version and this may affect accuracy.
-* Avoid colliding class names, otherwise this may cause missing method call targets, which has an impact on dataflow analysis.
-
-### Autobuild summary for C#{% endif %}
-
-| Supported system type | System name |
-|----|----|
-| Operating system | Windows, macOS, and Linux |
-| Build system | .NET and MSbuild, as well as build scripts |
-
-#### Windows autodetection
-
-The `autobuild` process attempts to autodetect a suitable build method for C# using the following approach:
-
-1. Invoke `dotnet build` on the solution (`.sln`) or project (`.csproj`) file closest to the root.
-1. Invoke `MSBuild.exe` on the solution or project file closest to the root.
-If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
-1. Invoke a script that looks like a build script—`build.bat`, `build.cmd`, and `build.exe` (in that order).
-
-#### Runner requirements for C# on Windows
-
-For .NET Core application development on self-hosted runners, the .NET SDK is required (for `dotnet`).
-
-For .NET Framework application development, you will need Microsoft Build Tools (for `msbuild`) and NuGet CLI (for `nuget`).
-
-Windows runners require `powershell.exe` to be on the `PATH`.
-
-{% ifversion codeql-no-build-csharp %}
-
-If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private NuGet feed is available.
-
-{% endif %}
-
-#### Linux and macOS autodetection
-
-1. Invoke `dotnet build` on the solution (`.sln`) or project (`.csproj`) file closest to the root.
-1. Invoke `MSbuild` on the solution or project file closest to the root.
-If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
-1. Invoke a script that looks like a build script—`build` and `build.sh` (in that order).
-
-#### Runner requirements for C# on Linux and macOS
-
-For .NET Core application development on self-hosted runners, the .NET SDK is required (for `dotnet`).
-
-For .NET Framework application development, you will require Mono Runtime (to run `mono`, `msbuild`, or `nuget`).
-
-{% ifversion codeql-no-build-csharp %}
-
-If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private NuGet feed is available.
-
-{% endif %}
-
-### C# compiler flags injected by {% data variables.product.prodname_codeql %} for manual builds
-
-The {% data variables.product.prodname_codeql %} tracer enables the extraction of all compiled languages by intercepting build processes and forwarding information to the relevant {% data variables.product.prodname_codeql %} language extractors. The tracer injects certain flags into the C# compiler invocation to ensure every component is built and included in the {% data variables.product.prodname_codeql %} database, which may cause your C# code to build in a different way to what you expect during {% data variables.product.prodname_codeql %} analysis.
-
-#### `/p:MvcBuildViews=true`
-
-When this option is set to `true`, the views in ASP.NET model-view-controller (MVC) projects are precompiled as part of the build process, which can help to catch errors and improve performance. The tracer injects this flag to make sure {% data variables.product.prodname_codeql %} finds and highlights security issues that may involve dataflow through the code generated from these views. For more information, see [Adding a View to an MVC Application](https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-view) in Microsoft Learn.
-
-#### `/p:UseSharedCompilation=false`
-
-Setting this option to `false` disables the use of the shared compilation feature, which may result in slower build times. When `/p:UseSharedCompilation=false` is **not** specified, `msbuild` starts a compiler server process, and all the compilation will be done by that single process. However, the {% data variables.product.prodname_codeql %} tracer depends on inspecting the arguments of newly created processes.
-
-#### `/p:EmitCompilerGeneratedFiles=true`
-
-Setting this option to `true` will emit compiler-generated files during the build process. This option causes the compiler to generate additional source files that are used to support features such as improved regular expression support, serialization, and web application view generation. These generated artifacts are typically not written to disk by the compiler, but setting the option to `true` forces writing the files to disk, and so the extractor can process the files.
-
-For some legacy projects, and projects that use `.sqlproj` files, you may see that the injected `/p:EmitCompilerGeneratedFiles=true` property causes unexpected issues with `msbuild`. For information about troubleshooting this, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing).
-
-## Building Go
-
-{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Go code.
-
-### Autobuild summary for Go
-
-| Supported system type | System name |
-|----|----|
-| Operating system | Windows, macOS, and Linux |
-| Build system | Go modules, `dep` and Glide, as well as build scripts including Makefiles and Ninja scripts |
-
-### Autodetection for Go
-
-The `autobuild` process attempts to autodetect a suitable way to install the dependencies needed by a Go repository before extracting all `.go` files:
-
-1. Invoke `make`, `ninja`, `./build` or `./build.sh` (in that order) until one of these commands succeeds and a subsequent `go list ./...` also succeeds, indicating that the needed dependencies have been installed.
-1. If none of those commands succeeded, look for `go.mod`, `Gopkg.toml` or `glide.yaml`, and run `go get` (unless vendoring is in use), `dep ensure -v` or `glide install` respectively to try to install dependencies.
-1. Finally, if configurations files for these dependency managers are not found, rearrange the repository directory structure suitable for addition to `GOPATH`, and use `go get` to install dependencies. The directory structure reverts to normal after extraction completes.
-1. Extract all Go code in the repository, similar to running `go build ./...`.
-
-> [!NOTE]
-> If you use default setup, it will look for a `go.mod` file to automatically install a compatible version of the Go language.{% ifversion ghes %} If you're using a self-hosted runner with default setup that doesn't have internet access, you can manually install a compatible version of Go.{% endif %}
-
-### Extractor options for Go
-
-By default, test code (code in files ending in `_test.go`) is not analyzed. You can override this with the option `--extractor-option extract_tests=true` when using the {% data variables.product.prodname_codeql_cli %}, or by setting the environment variable `CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_TESTS` to `true`.
-
-Additionally, `vendor` directories are excluded from {% data variables.product.prodname_codeql %} Go analysis by default. You can override this by passing the `--extractor-option extract_vendor_dirs=true` option when using the {% data variables.product.prodname_codeql_cli %}, or by setting the environment variable `CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_VENDOR_DIRS` to `true`.
-
-## Building Java and Kotlin
-
-{% data variables.product.prodname_codeql %} supports the following build modes.
-
-* Java: `none`, `autobuild`, or `manual`
-* Kotlin: `autobuild` or `manual`
-
-When you first enable default setup for a repository, if only Java code is detected then the build mode is set to `none`. If Kotlin or a combination of Java and Kotlin code is detected, then the build mode is set to `autobuild`.
-
-If you later add Kotlin code to a repository that uses the `none` build mode, {% data variables.product.prodname_codeql %} analysis reports a warning message explaining that Kotlin is not supported. You will need to disable default setup and re-enable it. When you re-enable default setup, the build mode will change to `autobuild` so that both languages can be analyzed. Alternatively, you can change to an advanced setup. For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build).
-
-### No build for Java
-
-{% data variables.product.prodname_codeql %} will attempt to run Gradle or Maven to extract accurate dependency information (but not to invoke a build), before creating a database from all Java files present. Every root Maven or Gradle project file (a build script without any build script present in an ancestor directory) is queried for dependency information, and more recent dependency versions are preferred if there is a clash. For information about the runner requirements to run Maven or Gradle, see [Runner requirements for Java](#runner-requirements-for-java).
-
-{% ifversion org-private-registry %}If a private Maven registry is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [AUTOTITLE](/code-security/reference/code-scanning/code-scanning-logs##diagnostic-information-for-private-package-registries).{% endif %}
-
-#### Accuracy of no build analysis for Java
-
-Creating a {% data variables.product.prodname_codeql %} Java database without a build may produce less accurate results than using `autobuild` or manual build steps if:
-
-* Gradle or Maven build scripts cannot be queried for dependency information, and dependency guesses (based on Java package names) are inaccurate.
-* The repository normally generates code during the build process. This would be analyzed if you created the {% data variables.product.prodname_codeql %} database using a different mode.
-
-You can ensure a more accurate analysis by taking the following steps:
-
-* Provide access to the public internet or ensure that access to a private artifact repository is available{% ifversion org-private-registry %}, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries){% endif %}.
-* Check whether the repository requires multiple versions of the same dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories.
-* Check whether more than one version of the JDK API is required by different source Java files. When multiple versions are seen, {% data variables.product.prodname_codeql %} will use the highest version required by any build script. This may mean that some files that require a lower version of the JDK will be partially analyzed. For example, if some files require JDK 8 but a JDK 17 requirement is found in one or more build scripts, {% data variables.product.prodname_codeql %} will use JDK 17. Any files that require JDK 8 and could not be built using JDK 17 will be partially analyzed.
-* Avoid colliding class names (for example, multiple files defining `org.myproject.Test`), otherwise this may cause missing method call targets, which has an impact on dataflow analysis.
-
-### Autobuild summary for Java
-
-| Supported system type | System name |
-|----|----|
-| Operating system | Windows, macOS, and Linux (no restriction) |
-| Build system | Gradle, Maven and Ant |
-
-### Autodetection for Java
-
-The `autobuild` process tries to determine the build system for Java codebases by applying this strategy:
-
-1. Search for a build file in the root directory. Check for Gradle then Maven then Ant build files.
-1. Run the first build file found. If both Gradle and Maven files are present, the Gradle file is used.
-1. Otherwise, search for build files in direct subdirectories of the root directory. If only one subdirectory contains build files, run the first file identified in that subdirectory (using the same preference as for 1). If more than one subdirectory contains build files, report an error.
-
-### Runner requirements for Java
-
-If you're using self-hosted runners, the required version(s) of Java should be present:
-
-* If the runner will be used for analyzing repositories that need a single version of Java, then the appropriate JDK version needs to be installed, and needs to be present in the PATH variable (so that `java` and `javac` can be found).
-
-* If the runner will be used for analyzing repositories that need multiple versions of Java, then the appropriate JDK versions need to be installed, and can be specified via the `toolchains.xml` file. This is a configuration file, typically used by Apache Maven, that allows you to specify the location of the tools, the version of the tools, and any additional configuration that is required to use the tools. For more information, see [Guide to Using Toolchains](https://maven.apache.org/guides/mini/guide-using-toolchains.html) in the Apache Maven documentation.
-
-The following executables will likely be required for a range of Java projects, and should be present in the PATH variable, but they will not be essential in all cases:
-
-* `mvn` (Apache Maven)
-* `gradle` (Gradle)
-* `ant` (Apache Ant)
-
-You will also need to install the build system (for example `make`, `cmake`, `bazel`) and utilities (such as `python`, `perl`, `lex`, and `yacc`) that your projects depend on.
-
-Windows runners require `powershell.exe` to be on the `PATH`.
-
-{% ifversion codeql-rust-available %}
-
-## Building Rust
-
-{% data variables.product.prodname_codeql %} supports build mode `none` for Rust code.
-
-### No build for Rust
-
-{% data variables.product.prodname_codeql %} uses `rust-analyzer` to compile and run build scripts (`build.rs` files) and compile macro code, but does not invoke a full build. A database is created from all Rust files present. A `Cargo.toml` or `rust-project.json` file must be present.
-
-### Runner requirements for Rust
-
-Rust analysis requires `rustup` and `cargo` to be installed.
-
-{% endif %}
-
-## Building Swift
-
-{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Swift code.
-
-### Autobuild summary for Swift
-
-| Supported system type | System name |
-|----|----|
-| Operating system | macOS |
-| Build system | Xcode |
-
-The `autobuild` process tries to build the biggest target from an Xcode project or workspace.
-
-Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}Since {% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, we recommend that you build only the code that you want to analyze. For more information about pricing for {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).{% endif %}
-
-{% data reusables.code-scanning.default-setup-swift-self-hosted-runners %}
-
-### Customizing Swift compilation in a {% data variables.code-scanning.codeql_workflow %}
-
-`xcodebuild` and `swift build` are both supported for Swift builds. We recommend only targeting one architecture during the build. For example, `ARCH=arm64` for `xcodebuild`, or `--arch arm64` for `swift build`.
-
-You can pass the `archive` and `test` options to `xcodebuild`. However, the standard `xcodebuild` command is recommended as it should be the fastest, and should be all that {% data variables.product.prodname_codeql %} requires for a successful scan.
-For Swift analysis, you must always explicitly install dependencies managed via CocoaPods or Carthage before generating the {% data variables.product.prodname_codeql %} database.
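Review bot: The removed "No build for Java" paragraph links to the in-page anchor `#runner-requirements-for-java`, and this deletion drops that heading together with the Go, Java and Kotlin, Rust, and Swift sections, so any inbound link that targets those fragments on this article's URL will no longer resolve to a heading. Before merging, search the content tree for links to these anchors and repoint them to the new reference article, and keep the heading text unchanged in the moved copy so the generated anchors stay stable. The removed private-registry sentence also carries a doubled fragment marker (`code-scanning-logs##diagnostic-information-for-private-package-registries`); if that sentence is carried into the new article, fix the fragment there.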
diff --git a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-automatic-dependency-submission-for-your-repository.md b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-automatic-dependency-submission-for-your-repository.md
index c68d47eca9ef..b4211e49229d 100644
--- a/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-automatic-dependency-submission-for-your-repository.md
+++ b/content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-automatic-dependency-submission-for-your-repository.md
@@ -15,8 +15,6 @@ topics:
contentType: how-tos
---
-Automatic dependency submission is a method of submitting data to the dependency graph. It allows you to automatically resolve and submit indirect dependencies that are not captured by static analysis. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/dependency-graph-data).
-
## Prerequisites
Dependency graph must be enabled for the repository for you to enable automatic dependency submission.
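Review bot: Removing the opening paragraph leaves the article body starting directly at `## Prerequisites`, with no sentence saying what automatic dependency submission is and no link to the dependency graph data concept article. Confirm that the front matter `intro` (not visible in this hunk) covers the definition, or keep a one-line pointer to `/code-security/concepts/supply-chain-security/dependency-graph-data` so readers who land on the how-to can still reach the conceptual explanation.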
@@ -58,97 +56,10 @@ Once enabled, automatic dependency submission jobs will run on the self-hosted r
>[!NOTE] For Maven or Gradle projects that use self-hosted runners with private Maven registries, you need to modify the Maven server settings file to allow the dependency submission workflows to connect to the registries. For more information about the Maven server settings file, see [Security and Deployment Settings](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#transitive-dependencies) in the Maven documentation.
-### Configuring network access for self-hosted runners
-
-If your self-hosted runners operate behind a firewall with restricted outbound internet access, you must add certain URLs to the allowlist for automatic dependency submission. The required URLs depend on the ecosystems your repositories use.
-
-#### Required URLs for all ecosystems
-
-These URLs are required for all automatic dependency submission workflows:
-
-* `https://github.com`—Required for accessing {% data variables.product.github %} and downloading actions.
-* `https://api.github.com`—Required for {% data variables.product.github %} API access.
-* `https://*.githubusercontent.com`—Required for downloading action source code and releases (including `raw.githubusercontent.com`, `github-releases.githubusercontent.com`, and `objects.githubusercontent.com`).
-
-#### Ecosystem-specific URLs
-
-Depending on the ecosystems you use, you may need to allowlist additional URLs.
-
-##### Go
-
-* `https://go.dev`—For downloading the Go toolchain.
-* `https://golang.org`—Alternate domain for Go downloads.
-* `https://proxy.golang.org`—Official Go module proxy for downloading Go modules during dependency detection.
-
-> [!NOTE]
-> The `actions/go-versions` repository is accessed via `https://raw.githubusercontent.com`, which is already covered in the general requirements.
-
-##### Java (Maven and Gradle)
-
-* `https://repo.maven.apache.org`—Maven Central repository for downloading dependencies.
-* `https://api.adoptium.net`—For downloading Adoptium/Temurin JDK distributions (default distribution used by `actions/setup-java`).
-
-If you use a different JDK distribution, you may also need:
-* `https://aka.ms` and `https://download.microsoft.com`—For Microsoft Build of OpenJDK (note: `aka.ms` is also used for .NET downloads).
-* `https://download.oracle.com`—For Oracle JDK.
-* `https://api.azul.com`—For Azul Zulu OpenJDK.
-
-##### .NET (C#, F#, Visual Basic)
-
-* `https://aka.ms`—Microsoft URL shortener that redirects to .NET download locations.
-* `https://builds.dotnet.microsoft.com`—Primary feed for .NET SDK and runtime downloads.
-* `https://ci.dot.net`—Secondary feed for .NET builds.
-
-> [!NOTE]
-> The `microsoft/component-detection` tool used by .NET autosubmission is downloaded from {% data variables.product.github %} releases, which is already covered in the general requirements (`https://github.com` and `https://*.githubusercontent.com`).
-
-##### Python
-
-* `https://python.org`—For downloading Python interpreters.
-
-> [!NOTE]
-> The `actions/python-versions` repository and `microsoft/component-detection` releases are accessed via URLs already covered in the general requirements (`https://*.githubusercontent.com` and `https://github.com`).
-
-## Using {% data variables.product.company_short %}-hosted {% data variables.actions.hosted_runners %} for automatic dependency submission
-
-{% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} users can use {% data variables.actions.hosted_runners %} to run automatic dependency submissions jobs.
-
-1. Provision a larger runner at the organization level with the name `dependency-submission`. For more information, see [Adding a {% data variables.actions.hosted_runner %} to an organization](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization).
-1. Give your repository access to the runner. For more information, see [Allowing repositories to access {% data variables.actions.hosted_runners %}](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners).
-1. Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select **Enabled for labeled runners**.
-
-## Troubleshooting automatic dependency submission
-
-Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables).
-
-### Manifest deduplication
-
-{% data reusables.dependency-graph.deduplication %}
-
-## Package ecosystem-specific information
-
-### Maven projects
-
-For Maven projects, automatic dependency submission runs an open source fork of the [Maven Dependency Tree Dependency Submission](https://github.com/marketplace/actions/maven-dependency-tree-dependency-submission). The fork allows {% data variables.product.github %} to stay in sync with the upstream repository plus maintain some changes that are only applicable to automatic submission. The fork's source is available at [advanced-security/maven-dependency-submission-action](https://github.com/advanced-security/maven-dependency-submission-action).
-
-If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your `pom.xml` file. The timestamp is visible on the table of alerts in the repository's {% data variables.product.prodname_dependabot_alerts %} tab. Pushing a commit which updates `pom.xml` will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph.
-
-### Gradle projects
-
-For Gradle projects, automatic dependency submission runs a fork of the open source Gradle actions from [gradle/actions](https://github.com/gradle/actions). The fork is available at [actions/gradle-build-tools-actions](https://github.com/actions/gradle-build-tools-actions). You can view the results of the autosubmission action under your repository's **Actions** tab. Each run will be labeled "Automatic Dependency Submission (Gradle)" and its output will contain the JSON payload which the action submitted to the API.
-
-### .NET projects
-
-The .NET autosubmission action uses the open source [component-detection](https://github.com/microsoft/component-detection/) project as the engine for its dependency detection. It supports .NET 8.x, 9.x, and 10.x. .NET autosubmission runs if the repository's `dependabot.yml` defines `nuget` as a [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-) or when there is a supported manifest file in the root directory of the repository. Supported manifest files include `.sln`, `.csproj`, `packages.config`, `.vbproj`, `.vcxproj`, and `.fsproj`.
-
-### Python projects
-
-Python uses the open source [component-detection](https://github.com/microsoft/component-detection/) project as its underlying graph generation engine. The autosubmission action for Python will only run if there is a `requirements.txt` file in the root directory of the repository. Python autosubmission does not currently support private packages; packages referenced in `requirements.txt` which are not publicly available will cause the autosubmission action to fail.
-
-> [!NOTE]
-> This action uses [actions/setup-python](https://github.com/actions/setup-python) to install Python. You must include a .python-version file in your repository to specify the Python version to be installed.
+For network allowlist URLs, larger runner configuration, troubleshooting details, and package ecosystem-specific information, see [AUTOTITLE](/code-security/reference/supply-chain-security/automatic-dependency-submission).
## Further reading
+* [AUTOTITLE](/code-security/reference/supply-chain-security/automatic-dependency-submission)
* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)
* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)
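Review bot: The removed section "Using ... hosted runners for automatic dependency submission" is a three-step procedure (provision a runner named `dependency-submission`, grant the repository access, select **Enabled for labeled runners**), which is task content; moving it to a reference article leaves this how-to without the steps for one of its own configuration paths. Consider keeping those steps here and moving only the allowlist URLs, troubleshooting notes, and ecosystem details. The replacement sentence and the new first "Further reading" bullet both point at `/code-security/reference/supply-chain-security/automatic-dependency-submission`, so one of the two can go. The firewall allowlist is something network teams tend to bookmark by heading, so check for inbound links to the removed "Configuring network access for self-hosted runners" anchor. While this area is open, the unchanged note just above the new sentence labels its link "Security and Deployment Settings" but the URL is `introduction-to-dependency-mechanism.html#transitive-dependencies`; the label and target do not match.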
diff --git a/content/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages.md b/content/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages.md
new file mode 100644
index 000000000000..53cd0f1455e2
--- /dev/null
+++ b/content/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages.md
@@ -0,0 +1,323 @@
+---
+title: CodeQL build options and steps for compiled languages
+shortTitle: Build options for compiled languages
+intro: Learn how {% data variables.product.prodname_codeql %} builds compiled languages, including available build modes and language-specific autobuild behavior for C/C++, C#, Go, Java, Kotlin, Rust, and Swift.
+permissions: '{% data reusables.permissions.code-scanning-all-alerts %} if [advanced setup](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning) is already enabled'
+product: '{% data reusables.gated-features.code-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghec: '*'
+topics:
+ - Code Security
+ - Code scanning
+ - CodeQL
+ - Actions
+ - Repositories
+ - C/C++
+ - C#
+ - Java
+ - Kotlin
+contentType: reference
+---
+
+## Autobuild steps for compiled languages
+
+{% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}-hosted runners are always run with the software required by `autobuild`.{% endif %} If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the `autobuild` process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. {% ifversion ghes or default-setup-self-hosted-runners-GHEC %} For self-hosted runners, you should install dependencies directly in the runners themselves. We provide examples of common dependencies for C/C++, C#, and Java in each of the `autobuild` sections of this article for those languages. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners).{% endif %}
+
+> [!NOTE]
+> If your workflow uses a `language` matrix, `autobuild` attempts to build each of the compiled languages listed in the matrix. Without a matrix `autobuild` attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.
+
+## Building C/C++
+
+{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-c-cpp %}`none`, {% endif %}`autobuild` or `manual` for C/C++ code.
+
+{% ifversion codeql-no-build-c-cpp %}
+
+When you enable default setup for a repository that contains C/C++ code, the build mode is set to `none` automatically.
+
+### No build for C/C++
+
+{% data variables.product.prodname_codeql %} will infer C/C++ compilation units through source file extensions. For each source file found, compilation flags and include paths are inferred by inspecting the codebase without the need for a working build command.
+
+#### Accuracy of no build analysis for C/C++
+
+Creating a {% data variables.product.prodname_codeql %} C/C++ database without a build may produce less accurate results than using `autobuild` or manual build steps in some cases; for example, if:
+
+* The code depends heavily on custom macros/defines not available in existing headers
+* The codebase has many external dependencies
+
+You can ensure a more accurate analysis by taking the following steps:
+
+* Place custom macros and defines in header files that are included in relevant source files
+* Ensure external dependencies (headers) are available in system include directories or in the workspace
+* Run the extraction on the target platform. For example, choose a Windows runner to analyze Windows projects to give access to platform specific headers and compilers
+
+{% endif %}
+
+### Autobuild summary for C/C++
+
+| Supported system type | System name |
+|----|----|
+| Operating system | Windows, macOS, and Linux |
+| Build system | Windows: MSbuild and build scripts
Linux and macOS: Autoconf, Make, CMake, qmake, Meson, Waf, SCons, Linux Kbuild, and build scripts |
+
+The behavior of the `autobuild` step varies according to the operating system that the extraction runs on.
+
+### Windows autodetection
+
+On Windows, the `autobuild` step attempts to autodetect a suitable build method for C/C++ using the following approach:
+
+1. Invoke `MSBuild.exe` on the solution (`.sln`) or project (`.vcxproj`) file closest to the root.
+If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
+1. Invoke a script that looks like a build script—_build.bat_, _build.cmd_, _and build.exe_ (in that order).
+
+### Linux and macOS autodetection
+
+On Linux and macOS, the `autobuild` step reviews the files present in the repository to determine the build system used:
+
+1. Look for a build system in the root directory.
+1. If none are found, search subdirectories for a unique directory with a build system for C/C++.
+1. Run an appropriate command to configure the system.
+
+#### Runner requirements for C/C++
+
+On Ubuntu Linux runners, `autobuild` may try to automatically install dependencies required by the detected configuration and build steps. By default, this behavior is enabled on {% data variables.product.prodname_dotcom %}-hosted runners and disabled on self-hosted runners. You can enable or disable this feature explicitly by setting `CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES` to `true` or `false` in the environment. For more information about defining environment variables, see [AUTOTITLE](/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow).
+
+For self-hosted runners, unless automatic installation of dependencies is enabled, you will likely need to install the `gcc` compiler, and specific projects may also require access to `clang` or `msvc` executables. You will also need to install the build system (for example `msbuild`, `make`, `cmake`, `bazel`) and utilities (such as `python`, `perl`, `lex`, and `yacc`) that your projects depend on.
+If you enable automatic installation of dependencies, you must ensure that the runner is using Ubuntu and that it can run `sudo apt-get` without requiring a password.
+
+Windows runners require `powershell.exe` to be on the `PATH`.
+
+## Building C#
+
+{% data variables.product.prodname_codeql %} supports build modes {% ifversion codeql-no-build-csharp %}`none`, {% endif %}`autobuild` or `manual` for C# code.
+
+{% ifversion codeql-no-build-csharp %}
+
+When you enable default setup for a repository that contains C# code, the build mode is set to `none` automatically.
+
+### No build for C#
+
+{% data variables.product.prodname_codeql %} restores dependencies and generates a few additional source files, to give more accurate results, before creating a database from all the source files and dependencies.
+
+Dependencies are restored using multiple heuristics and strategies. The following files are the primary source of information: `*.csproj`, `*.sln`, `nuget.config`, `packages.config`, `global.json`, and `project.assets.json`. {% ifversion org-private-registry %}If a private NuGet feed is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries).{% endif %}
+
+The following generated source files are optional, but significantly increase the correctness of the {% data variables.product.prodname_codeql %} database:
+
+* `global` generated `using` directives to handle the implicit `using` feature of MSbuild.
+* ASP.NET core view files, `.cshtml` files are converted to `.cs` files.
+
+The information from the dependency assembly names, generated source files, {% ifversion org-private-registry %}dependencies stored in private feeds, {% endif %}and the source files in the repository is compiled and used to create a {% data variables.product.prodname_codeql %} database.
+
+#### Accuracy of no build analysis for C#
+
+Creating a {% data variables.product.prodname_codeql %} database without building the full code relies on being able to restore dependencies and being able to compile together the source files in the repository. When there are problems restoring dependencies or compiling the source code, this can affect the accuracy of the {% data variables.product.prodname_codeql %} database and {% data variables.product.prodname_code_scanning %} analysis results.
+
+You can ensure a more accurate analysis by taking the following steps:
+
+* Provide access to the public internet or ensure that access to a private NuGet feed is available{% ifversion org-private-registry %}, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries){% endif %}.
+* Check whether the repository requires multiple versions of the same NuGet dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories.
+* Check whether multiple versions of .NET are referenced, for example, `net48`, `net5.0`, and `netstandard1.6`. {% data variables.product.prodname_codeql %} can use only one version and this may affect accuracy.
+* Avoid colliding class names, otherwise this may cause missing method call targets, which has an impact on dataflow analysis.
+
+### Autobuild summary for C#{% endif %}
+
+| Supported system type | System name |
+|----|----|
+| Operating system | Windows, macOS, and Linux |
+| Build system | .NET and MSbuild, as well as build scripts |
+
+#### Windows autodetection
+
+The `autobuild` process attempts to autodetect a suitable build method for C# using the following approach:
+
+1. Invoke `dotnet build` on the solution (`.sln`) or project (`.csproj`) file closest to the root.
+1. Invoke `MSBuild.exe` on the solution or project file closest to the root.
+If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
+1. Invoke a script that looks like a build script—`build.bat`, `build.cmd`, and `build.exe` (in that order).
+
+#### Runner requirements for C# on Windows
+
+For .NET Core application development on self-hosted runners, the .NET SDK is required (for `dotnet`).
+
+For .NET Framework application development, you will need Microsoft Build Tools (for `msbuild`) and NuGet CLI (for `nuget`).
+
+Windows runners require `powershell.exe` to be on the `PATH`.
+
+{% ifversion codeql-no-build-csharp %}
+
+If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private NuGet feed is available.
+
+{% endif %}
+
+#### Linux and macOS autodetection
+
+1. Invoke `dotnet build` on the solution (`.sln`) or project (`.csproj`) file closest to the root.
+1. Invoke `MSbuild` on the solution or project file closest to the root.
+If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
+1. Invoke a script that looks like a build script—`build` and `build.sh` (in that order).
+
+#### Runner requirements for C# on Linux and macOS
+
+For .NET Core application development on self-hosted runners, the .NET SDK is required (for `dotnet`).
+
+For .NET Framework application development, you will require Mono Runtime (to run `mono`, `msbuild`, or `nuget`).
+
+{% ifversion codeql-no-build-csharp %}
+
+If you plan to create {% data variables.product.prodname_codeql %} databases using `build-mode: none`, you also need to provide access to the public internet, or you must ensure that access to a private NuGet feed is available.
+
+{% endif %}
+
+### C# compiler flags injected by {% data variables.product.prodname_codeql %} for manual builds
+
+The {% data variables.product.prodname_codeql %} tracer enables the extraction of all compiled languages by intercepting build processes and forwarding information to the relevant {% data variables.product.prodname_codeql %} language extractors. The tracer injects certain flags into the C# compiler invocation to ensure every component is built and included in the {% data variables.product.prodname_codeql %} database, which may cause your C# code to build in a different way to what you expect during {% data variables.product.prodname_codeql %} analysis.
+
+#### `/p:MvcBuildViews=true`
+
+When this option is set to `true`, the views in ASP.NET model-view-controller (MVC) projects are precompiled as part of the build process, which can help to catch errors and improve performance. The tracer injects this flag to make sure {% data variables.product.prodname_codeql %} finds and highlights security issues that may involve dataflow through the code generated from these views. For more information, see [Adding a View to an MVC Application](https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-view) in Microsoft Learn.
+
+#### `/p:UseSharedCompilation=false`
+
+Setting this option to `false` disables the use of the shared compilation feature, which may result in slower build times. When `/p:UseSharedCompilation=false` is **not** specified, `msbuild` starts a compiler server process, and all the compilation will be done by that single process. However, the {% data variables.product.prodname_codeql %} tracer depends on inspecting the arguments of newly created processes.
+
+#### `/p:EmitCompilerGeneratedFiles=true`
+
+Setting this option to `true` will emit compiler-generated files during the build process. This option causes the compiler to generate additional source files that are used to support features such as improved regular expression support, serialization, and web application view generation. These generated artifacts are typically not written to disk by the compiler, but setting the option to `true` forces writing the files to disk, and so the extractor can process the files.
+
+For some legacy projects, and projects that use `.sqlproj` files, you may see that the injected `/p:EmitCompilerGeneratedFiles=true` property causes unexpected issues with `msbuild`. For information about troubleshooting this, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/c-sharp-compiler-unexpectedly-failing).
+
+## Building Go
+
+{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Go code.
+
+### Autobuild summary for Go
+
+| Supported system type | System name |
+|----|----|
+| Operating system | Windows, macOS, and Linux |
+| Build system | Go modules, `dep` and Glide, as well as build scripts including Makefiles and Ninja scripts |
+
+### Autodetection for Go
+
+The `autobuild` process attempts to autodetect a suitable way to install the dependencies needed by a Go repository before extracting all `.go` files:
+
+1. Invoke `make`, `ninja`, `./build` or `./build.sh` (in that order) until one of these commands succeeds and a subsequent `go list ./...` also succeeds, indicating that the needed dependencies have been installed.
+1. If none of those commands succeeded, look for `go.mod`, `Gopkg.toml` or `glide.yaml`, and run `go get` (unless vendoring is in use), `dep ensure -v` or `glide install` respectively to try to install dependencies.
+1. Finally, if configurations files for these dependency managers are not found, rearrange the repository directory structure suitable for addition to `GOPATH`, and use `go get` to install dependencies. The directory structure reverts to normal after extraction completes.
+1. Extract all Go code in the repository, similar to running `go build ./...`.
+
+> [!NOTE]
+> If you use default setup, it will look for a `go.mod` file to automatically install a compatible version of the Go language.{% ifversion ghes %} If you're using a self-hosted runner with default setup that doesn't have internet access, you can manually install a compatible version of Go.{% endif %}
+
+### Extractor options for Go
+
+By default, test code (code in files ending in `_test.go`) is not analyzed. You can override this with the option `--extractor-option extract_tests=true` when using the {% data variables.product.prodname_codeql_cli %}, or by setting the environment variable `CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_TESTS` to `true`.
+
+Additionally, `vendor` directories are excluded from {% data variables.product.prodname_codeql %} Go analysis by default. You can override this by passing the `--extractor-option extract_vendor_dirs=true` option when using the {% data variables.product.prodname_codeql_cli %}, or by setting the environment variable `CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_VENDOR_DIRS` to `true`.
+
+## Building Java and Kotlin
+
+{% data variables.product.prodname_codeql %} supports the following build modes.
+
+* Java: `none`, `autobuild`, or `manual`
+* Kotlin: `autobuild` or `manual`
+
+When you first enable default setup for a repository, if only Java code is detected then the build mode is set to `none`. If Kotlin or a combination of Java and Kotlin code is detected, then the build mode is set to `autobuild`.
+
+If you later add Kotlin code to a repository that uses the `none` build mode, {% data variables.product.prodname_codeql %} analysis reports a warning message explaining that Kotlin is not supported. You will need to disable default setup and re-enable it. When you re-enable default setup, the build mode will change to `autobuild` so that both languages can be analyzed. Alternatively, you can change to an advanced setup. For more information, see [AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/kotlin-detected-in-no-build).
+
+### No build for Java
+
+{% data variables.product.prodname_codeql %} will attempt to run Gradle or Maven to extract accurate dependency information (but not to invoke a build), before creating a database from all Java files present. Every root Maven or Gradle project file (a build script without any build script present in an ancestor directory) is queried for dependency information, and more recent dependency versions are preferred if there is a clash. For information about the runner requirements to run Maven or Gradle, see [Runner requirements for Java](#runner-requirements-for-java).
+
+ {% ifversion org-private-registry %}If a private Maven registry is defined for the organization, this is also used, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries) and [Determining whether code scanning default setup used any private registries](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#determining-whether-code-scanning-default-setup-used-any-private-registries).{% endif %}
+
+#### Accuracy of no build analysis for Java
+
+Creating a {% data variables.product.prodname_codeql %} Java database without a build may produce less accurate results than using `autobuild` or manual build steps if:
+
+* Gradle or Maven build scripts cannot be queried for dependency information, and dependency guesses (based on Java package names) are inaccurate.
+* The repository normally generates code during the build process. This would be analyzed if you created the {% data variables.product.prodname_codeql %} database using a different mode.
+
+You can ensure a more accurate analysis by taking the following steps:
+
+* Provide access to the public internet or ensure that access to a private artifact repository is available{% ifversion org-private-registry %}, see [Code scanning default setup access to private registries](/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries#code-scanning-default-setup-access-to-private-registries){% endif %}.
+* Check whether the repository requires multiple versions of the same dependency. {% data variables.product.prodname_codeql %} can use only one version and usually chooses the newer version where there are multiple versions. This approach may not work for all repositories.
+* Check whether more than one version of the JDK API is required by different source Java files. When multiple versions are seen, {% data variables.product.prodname_codeql %} will use the highest version required by any build script. This may mean that some files that require a lower version of the JDK will be partially analyzed. For example, if some files require JDK 8 but a JDK 17 requirement is found in one or more build scripts, {% data variables.product.prodname_codeql %} will use JDK 17. Any files that require JDK 8 and could not be built using JDK 17 will be partially analyzed.
+* Avoid colliding class names (for example, multiple files defining `org.myproject.Test`), otherwise this may cause missing method call targets, which has an impact on dataflow analysis.
+
+### Autobuild summary for Java
+
+| Supported system type | System name |
+|----|----|
+| Operating system | Windows, macOS, and Linux (no restriction) |
+| Build system | Gradle, Maven and Ant |
+
+### Autodetection for Java
+
+The `autobuild` process tries to determine the build system for Java codebases by applying this strategy:
+
+1. Search for a build file in the root directory. Check for Gradle then Maven then Ant build files.
+1. Run the first build file found. If both Gradle and Maven files are present, the Gradle file is used.
+1. Otherwise, search for build files in direct subdirectories of the root directory. If only one subdirectory contains build files, run the first file identified in that subdirectory (using the same preference as for 1). If more than one subdirectory contains build files, report an error.
+
+### Runner requirements for Java
+
+If you're using self-hosted runners, the required version(s) of Java should be present:
+
+* If the runner will be used for analyzing repositories that need a single version of Java, then the appropriate JDK version needs to be installed, and needs to be present in the PATH variable (so that `java` and `javac` can be found).
+
+* If the runner will be used for analyzing repositories that need multiple versions of Java, then the appropriate JDK versions need to be installed, and can be specified via the `toolchains.xml` file. This is a configuration file, typically used by Apache Maven, that allows you to specify the location of the tools, the version of the tools, and any additional configuration that is required to use the tools. For more information, see [Guide to Using Toolchains](https://maven.apache.org/guides/mini/guide-using-toolchains.html) in the Apache Maven documentation.
+
+The following executables will likely be required for a range of Java projects, and should be present in the PATH variable, but they will not be essential in all cases:
+
+* `mvn` (Apache Maven)
+* `gradle` (Gradle)
+* `ant` (Apache Ant)
+
+You will also need to install the build system (for example `make`, `cmake`, `bazel`) and utilities (such as `python`, `perl`, `lex`, and `yacc`) that your projects depend on.
+
+Windows runners require `powershell.exe` to be on the `PATH`.
+
+{% ifversion codeql-rust-available %}
+
+## Building Rust
+
+{% data variables.product.prodname_codeql %} supports build mode `none` for Rust code.
+
+### No build for Rust
+
+{% data variables.product.prodname_codeql %} uses `rust-analyzer` to compile and run build scripts (`build.rs` files) and compile macro code, but does not invoke a full build. A database is created from all Rust files present. A `Cargo.toml` or `rust-project.json` file must be present.
+
+### Runner requirements for Rust
+
+Rust analysis requires `rustup` and `cargo` to be installed.
+
+{% endif %}
+
+## Building Swift
+
+{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Swift code.
+
+### Autobuild summary for Swift
+
+| Supported system type | System name |
+|----|----|
+| Operating system | macOS |
+| Build system | Xcode |
+
+The `autobuild` process tries to build the biggest target from an Xcode project or workspace.
+
+Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}Since {% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, we recommend that you build only the code that you want to analyze. For more information about pricing for {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).{% endif %}
+
+{% data reusables.code-scanning.default-setup-swift-self-hosted-runners %}
+
+### Customizing Swift compilation in a {% data variables.code-scanning.codeql_workflow %}
+
+`xcodebuild` and `swift build` are both supported for Swift builds. We recommend only targeting one architecture during the build. For example, `ARCH=arm64` for `xcodebuild`, or `--arch arm64` for `swift build`.
+
+You can pass the `archive` and `test` options to `xcodebuild`. However, the standard `xcodebuild` command is recommended as it should be the fastest, and should be all that {% data variables.product.prodname_codeql %} requires for a successful scan.
+
+For Swift analysis, you must always explicitly install dependencies managed via CocoaPods or Carthage before generating the {% data variables.product.prodname_codeql %} database.
\ No newline at end of file
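Review bot: In the `/p:UseSharedCompilation=false` section the explanation stops one step short. It says `msbuild` otherwise starts a single compiler server process and that the tracer depends on inspecting the arguments of newly created processes, but it never states the conclusion that follows from those two sentences: compilations handled inside the shared server would not be seen by the tracer, which is why the flag is injected. Add that closing sentence. Smaller points in the same file: the Linux and macOS autodetection list writes `MSbuild` where the Windows list writes `MSBuild.exe` and the runner requirements write `msbuild`; step 3 of the Go autodetection has "configurations files"; the Java runner requirements name `make`, `cmake`, `bazel`, `lex` and `yacc`, which reads as carried over from another language's section and should be confirmed; and the file ends without a trailing newline.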
diff --git a/content/code-security/reference/code-scanning/codeql/index.md b/content/code-security/reference/code-scanning/codeql/index.md
index 21c5a158f6e6..bcca7166a690 100644
--- a/content/code-security/reference/code-scanning/codeql/index.md
+++ b/content/code-security/reference/code-scanning/codeql/index.md
@@ -13,6 +13,7 @@ topics:
contentType: reference
children:
- /recommended-hardware-resources-for-running-codeql
+ - /codeql-build-options-and-steps-for-compiled-languages
- /codeql-queries
- /codeql-cli
- /codeql-cli-manual
diff --git a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/out-of-disk-or-memory.md b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/out-of-disk-or-memory.md
index aab3ed58f4d6..07247bd69e67 100644
--- a/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/out-of-disk-or-memory.md
+++ b/content/code-security/reference/code-scanning/troubleshoot-analysis-errors/out-of-disk-or-memory.md
@@ -1,5 +1,5 @@
---
-title: 'Error: "Out of disk" or Error: "Out of memory"'
+title: '"Out of disk" and "Out of memory" errors'
shortTitle: Out of disk or memory
intro: If you see one of these errors with {% data variables.product.prodname_actions %}, {% ifversion ghes %}try reviewing the specifications of your self-hosted runners.{% else %}you can try alternative runners.{% endif %}
allowTitleToDifferFromFilename: true
@@ -17,15 +17,10 @@ contentType: reference
## About these errors
-```text
-Out of disk
-```
+You may see these errors when running {% data variables.product.prodname_code_scanning %} if {% ifversion ghes %}the runners you're using do not have sufficient free memory or disk space.{% else %}the runners you're using don't meet the recommended hardware requirements.{% endif %}
-```text
-Out of memory
-```
-
-You may see these errors when running {% data variables.product.prodname_code_scanning %}.
+* `Out of disk`
+* `Out of memory`
## Confirming the cause of the problem
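Review bot: The new opening sentence says "these errors" before the two error strings have appeared, so the reference comes ahead of its referent. Either reword it to "You may see the following errors ..." and end it with a colon, or move the `Out of disk` and `Out of memory` bullets above it. The two version branches also give different causes (insufficient free memory or disk space for GHES, not meeting the recommended hardware requirements otherwise); if that is intended, the non-GHES wording should link to the requirements it mentions.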
diff --git a/content/code-security/reference/supply-chain-security/automatic-dependency-submission.md b/content/code-security/reference/supply-chain-security/automatic-dependency-submission.md
new file mode 100644
index 000000000000..07b8af1cf43c
--- /dev/null
+++ b/content/code-security/reference/supply-chain-security/automatic-dependency-submission.md
@@ -0,0 +1,102 @@
+---
+title: Automatic dependency submission
+intro: Network access requirements, troubleshooting, and ecosystem-specific behavior for automatic dependency submission.
+versions:
+ feature: maven-transitive-dependencies
+topics:
+ - Dependency graph
+ - Dependencies
+ - Repositories
+contentType: reference
+---
+
+## Configure network access for self-hosted runners
+
+If your self-hosted runners operate behind a firewall with restricted outbound internet access, you must add certain URLs to the allowlist for automatic dependency submission. The required URLs depend on the ecosystems your repositories use.
+
+### Required URLs for all ecosystems
+
+These URLs are required for all automatic dependency submission workflows:
+
+* `https://github.com`—Required for accessing {% data variables.product.github %} and downloading actions.
+* `https://api.github.com`—Required for {% data variables.product.github %} API access.
+* `https://*.githubusercontent.com`—Required for downloading action source code and releases (including `raw.githubusercontent.com`, `github-releases.githubusercontent.com`, and `objects.githubusercontent.com`).
+
+### Ecosystem-specific URLs
+
+Depending on the ecosystems you use, you may need to allowlist additional URLs.
+
+#### Go
+
+* `https://go.dev`—For downloading the Go toolchain.
+* `https://golang.org`—Alternate domain for Go downloads.
+* `https://proxy.golang.org`—Official Go module proxy for downloading Go modules during dependency detection.
+
+> [!NOTE]
+> The `actions/go-versions` repository is accessed via `https://raw.githubusercontent.com`, which is already covered in the general requirements.
+
+#### Java (Maven and Gradle)
+
+* `https://repo.maven.apache.org`—Maven Central repository for downloading dependencies.
+* `https://api.adoptium.net`—For downloading Adoptium/Temurin JDK distributions (default distribution used by `actions/setup-java`).
+
+If you use a different JDK distribution, you may also need:
+
+* `https://aka.ms` and `https://download.microsoft.com`—For Microsoft Build of OpenJDK (note: `aka.ms` is also used for .NET downloads).
+* `https://download.oracle.com`—For Oracle JDK.
+* `https://api.azul.com`—For Azul Zulu OpenJDK.
+
+#### .NET (C#, F#, Visual Basic)
+
+* `https://aka.ms`—Microsoft URL shortener that redirects to .NET download locations.
+* `https://builds.dotnet.microsoft.com`—Primary feed for .NET SDK and runtime downloads.
+* `https://ci.dot.net`—Secondary feed for .NET builds.
+
+> [!NOTE]
+> The `microsoft/component-detection` tool used by .NET autosubmission is downloaded from {% data variables.product.github %} releases, which is already covered in the general requirements (`https://github.com` and `https://*.githubusercontent.com`).
+
+#### Python
+
+* `https://python.org`—For downloading Python interpreters.
+
+> [!NOTE]
+> The `actions/python-versions` repository and `microsoft/component-detection` releases are accessed via URLs already covered in the general requirements (`https://*.githubusercontent.com` and `https://github.com`).
+
+## Use {% data variables.product.company_short %}-hosted {% data variables.actions.hosted_runners %} for automatic dependency submission
+
+{% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} users can use {% data variables.actions.hosted_runners %} to run automatic dependency submissions jobs.
+
+1. Provision a larger runner at the organization level with the name `dependency-submission`. For more information, see [Adding a {% data variables.actions.hosted_runner %} to an organization](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization).
+1. Give your repository access to the runner. For more information, see [Allowing repositories to access {% data variables.actions.hosted_runners %}](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#allowing-repositories-to-access-larger-runners).
+1. Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select **Enabled for labeled runners**.
+
+## Troubleshoot automatic dependency submission
+
+Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables).
+
+### Manifest deduplication
+
+{% data reusables.dependency-graph.deduplication %}
+
+## Package ecosystem-specific information
+
+### Maven projects
+
+For Maven projects, automatic dependency submission runs an open source fork of the [Maven Dependency Tree Dependency Submission](https://github.com/marketplace/actions/maven-dependency-tree-dependency-submission). The fork allows {% data variables.product.github %} to stay in sync with the upstream repository plus maintain some changes that are only applicable to automatic submission. The fork's source is available at [advanced-security/maven-dependency-submission-action](https://github.com/advanced-security/maven-dependency-submission-action).
+
+If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your `pom.xml` file. The timestamp is visible on the table of alerts in the repository's {% data variables.product.prodname_dependabot_alerts %} tab. Pushing a commit which updates `pom.xml` will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph.
+
+### Gradle projects
+
+For Gradle projects, automatic dependency submission runs a fork of the open source Gradle actions from [gradle/actions](https://github.com/gradle/actions). The fork is available at [actions/gradle-build-tools-actions](https://github.com/actions/gradle-build-tools-actions). You can view the results of the autosubmission action under your repository's **Actions** tab. Each run will be labeled "Automatic Dependency Submission (Gradle)" and its output will contain the JSON payload which the action submitted to the API.
+
+### .NET projects
+
+The .NET autosubmission action uses the open source [component-detection](https://github.com/microsoft/component-detection/) project as the engine for its dependency detection. It supports .NET 8.x, 9.x, and 10.x. .NET autosubmission runs if the repository's `dependabot.yml` defines `nuget` as a [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-) or when there is a supported manifest file in the root directory of the repository. Supported manifest files include `.sln`, `.csproj`, `packages.config`, `.vbproj`, `.vcxproj`, and `.fsproj`.
+
+### Python projects
+
+Python uses the open source [component-detection](https://github.com/microsoft/component-detection/) project as its underlying graph generation engine. The autosubmission action for Python will only run if there is a `requirements.txt` file in the root directory of the repository. Python autosubmission does not currently support private packages; packages referenced in `requirements.txt` which are not publicly available will cause the autosubmission action to fail.
+
+> [!NOTE]
+> This action uses [actions/setup-python](https://github.com/actions/setup-python) to install Python. You must include a .python-version file in your repository to specify the Python version to be installed.
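Review bot: Under "Java (Maven and Gradle)" the two default hosts are Maven Central and the Adoptium JDK download API, and nothing Gradle-specific is listed, so someone building a firewall allowlist for a Gradle repository cannot tell whether the list is complete. Please confirm whether Gradle runs need further hosts and either list them or state that none are required. In the closing Python note, `.python-version` should be in code formatting, and because the text says "You must include" it is a precondition that belongs in the paragraph beside the `requirements.txt` requirement, not only in a note. Step 3 of the larger-runner procedure starts at "Dependency graph" without naming the settings page to open, and it mixes straight and curly quotation marks. "automatic dependency submissions jobs" should be "automatic dependency submission jobs".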
diff --git a/content/code-security/reference/supply-chain-security/index.md b/content/code-security/reference/supply-chain-security/index.md
index 6c57e7b0e569..15636da69e94 100644
--- a/content/code-security/reference/supply-chain-security/index.md
+++ b/content/code-security/reference/supply-chain-security/index.md
@@ -17,6 +17,7 @@ topics:
- Vulnerabilities
contentType: reference
children:
+ - /automatic-dependency-submission
- /dependabot-options-reference
- /dependabot-alerts-filters
- /supported-ecosystems-and-manifests-for-dependency-scope
diff --git a/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/monitor-agentic-activity.md b/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/monitor-agentic-activity.md
index ecb611026e37..9ac7ab7979ae 100644
--- a/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/monitor-agentic-activity.md
+++ b/content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/monitor-agentic-activity.md
@@ -15,7 +15,13 @@ category:
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.ai-controls-tab %}
1. Towards the top of the page, in the "Agent sessions" section, you will see the three most recent agent sessions in your enterprise. To view all agent sessions from the last 24 hours, click **View all**.
-1. To see available filters for agent sessions, click the search bar at the top of the list, then press Space. Use the dropdown menu that appears to create your filter criteria.
+1. To filter agent sessions, click the search bar at the top of the list, then press Space. From the dropdown menu that appears, select your filter criteria. The following filters are available:
+
+ * **Agent**: Filter sessions by the agent used, including third-party coding agents and {% data variables.copilot.copilot_coding_agent %}.
+ * **Organization**: Filter sessions by the organization in which the session took place.
+ * **Status**: Filter sessions by their current status, such as queued, in progress, completed, failed, idle waiting for user, timed out, or cancelled.
+ * **Repository**: Filter sessions by the repository in which the session took place.
+ * **User**: Filter sessions by the user who initiated the session.
## Tracking agentic activity in your enterprise through the audit log
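Review bot: The **Status** bullet introduces its values with "such as", which leaves it unclear whether queued, in progress, completed, failed, idle waiting for user, timed out and cancelled are the full set or a sample. If the list is complete, drop "such as" so administrators can rely on it when filtering for failed or timed-out sessions; if it is not, say so and trim it to a few representative values.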
diff --git a/content/copilot/how-tos/copilot-cli/set-up-copilot-cli/configure-copilot-cli.md b/content/copilot/how-tos/copilot-cli/set-up-copilot-cli/configure-copilot-cli.md
index 5b68037200d9..1acdebde158d 100644
--- a/content/copilot/how-tos/copilot-cli/set-up-copilot-cli/configure-copilot-cli.md
+++ b/content/copilot/how-tos/copilot-cli/set-up-copilot-cli/configure-copilot-cli.md
@@ -40,10 +40,12 @@ If you choose to trust the directory for future sessions, the trusted directory
You can edit the list of permanently trusted directories.
1. Open the CLI’s `config.json` file. By default, it’s stored in a `.copilot` folder under your home directory:
+
* **macOS/Linux**: `~/.copilot/config.json`
* **Windows**: `$HOME\.copilot\config.json`
- You can change the config location by setting the `XDG_CONFIG_HOME` environment variable (primarily on macOS/Linux).
+ You can change the config location by setting the `COPILOT_HOME` environment variable.
+
1. Edit the contents of the `trusted_folders` array.
## Setting allowed tools
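Review bot: "You can change the config location by setting the `COPILOT_HOME` environment variable" does not say what the variable should point to: the replacement for the `.copilot` folder itself, or its parent directory. Because this file holds the `trusted_folders` list, state the resulting path of `config.json` explicitly so users know which file governs directory trust. The removed sentence also carried "(primarily on macOS/Linux)"; confirm that the new variable applies equally on Windows, given the Windows path listed just above it.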
diff --git a/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/invoke-custom-agents.md b/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/invoke-custom-agents.md
index 01a308d59b92..02965fd1f124 100644
--- a/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/invoke-custom-agents.md
+++ b/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/invoke-custom-agents.md
@@ -1,5 +1,5 @@
---
-title: Invoking custom agents
+title: Invoking custom agents
shortTitle: Invoke custom agents
intro: Use custom agents, skills, and MCP servers in {% data variables.copilot.copilot_cli_short %} to extend its capabilities.
product: '{% data reusables.gated-features.copilot-cli %}'
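Review bot: The removed and added `title:` lines read identically, so this hunk looks like a whitespace-only change, most likely trailing whitespace. If that is the intent, mention it in the commit message; if a wording change was intended, it did not land.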
@@ -102,7 +102,7 @@ To extend the functionality available to you in {% data variables.copilot.copilo
1. Fill in the details for the MCP server you want to add, using the Tab key to move between fields.
1. Press Ctrl+S to save the details.
-Details of your configured MCP servers are stored in the `mcp-config.json` file, which is located, by default, in the `~/.copilot` directory. This location can be changed by setting the `XDG_CONFIG_HOME` environment variable. For information about the JSON structure of a server definition, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp#writing-a-json-configuration-for-mcp-servers).
+Details of your configured MCP servers are stored in the `mcp-config.json` file, which is located, by default, in the `~/.copilot` directory. This location can be changed by setting the `COPILOT_HOME` environment variable. For information about the JSON structure of a server definition, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp#writing-a-json-configuration-for-mcp-servers).
For more detailed information on adding and managing MCP servers in {% data variables.copilot.copilot_cli_short %}, see [AUTOTITLE](/copilot/how-tos/copilot-cli/customize-copilot/add-mcp-servers).
diff --git a/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/overview.md b/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/overview.md
index f747ed33c890..5162d1f29528 100644
--- a/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/overview.md
+++ b/content/copilot/how-tos/copilot-cli/use-copilot-cli-agents/overview.md
@@ -231,7 +231,7 @@ To extend the functionality available to you in {% data variables.copilot.copilo
1. Fill in the details for the MCP server you want to add, using the Tab key to move between fields.
1. Press Ctrl+S to save the details.
-Details of your configured MCP servers are stored in the `mcp-config.json` file, which is located, by default, in the `~/.copilot` directory. This location can be changed by setting the `XDG_CONFIG_HOME` environment variable. For information about the JSON structure of a server definition, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp#writing-a-json-configuration-for-mcp-servers).
+Details of your configured MCP servers are stored in the `mcp-config.json` file, which is located, by default, in the `~/.copilot` directory. This location can be changed by setting the `COPILOT_HOME` environment variable. For information about the JSON structure of a server definition, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp#writing-a-json-configuration-for-mcp-servers).
### Context management
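Review bot: This `mcp-config.json` sentence is changed identically here and in `invoke-custom-agents.md`, so the same text is being maintained in two places. Moving it into a reusable would make the next rename a single edit and keep the two copies from drifting. The location is also given only as `~/.copilot`, with no Windows equivalent, unlike the `config.json` instructions in `configure-copilot-cli.md`.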
@@ -269,7 +269,7 @@ For additional information use one of the following commands in your terminal:
`copilot help config`
- You can adjust the configuration settings by editing the `config.json` file, which is located, by default, in the `~/.copilot` directory. This location can be changed by setting the `XDG_CONFIG_HOME` environment variable.
+ You can adjust the configuration settings by editing the `config.json` file, which is located, by default, in the `~/.copilot` directory. This location can be changed by setting the `COPILOT_HOME` environment variable.
* **Environment variables** that affect {% data variables.copilot.copilot_cli_short %}:
diff --git a/content/copilot/reference/cli-command-reference.md b/content/copilot/reference/cli-command-reference.md
index f3b16a9037e4..ac0eb2863f41 100644
--- a/content/copilot/reference/cli-command-reference.md
+++ b/content/copilot/reference/cli-command-reference.md
@@ -54,7 +54,7 @@ contentType: reference
| Ctrl+F | Move to the next character. |
| Ctrl+G | Edit the prompt in an external editor. |
| Ctrl+H | Delete the previous character. |
-| Ctrl+K | Delete from cursor to end of the line. |
+| Ctrl+K | Delete from cursor to end of the line. If the cursor is at the end of the line, delete the line break. |
| Ctrl+U | Delete from cursor to beginning of the line. |
| Ctrl+W | Delete the previous word. |
| Home | Move to the start of the current line. |
@@ -152,6 +152,7 @@ For a complete list of available slash commands enter `/help` in the CLI's inter
| `--no-color` | Disable all color output. |
| `--no-custom-instructions` | Disable loading of custom instructions from `AGENTS.md` and related files. |
| `--no-experimental` | Disable experimental features. |
+| `--output-format FORMAT` | FORMAT can be `text` (default) or `json` (outputs JSONL: one JSON object per line). |
| `-p PROMPT`, `--prompt PROMPT` | Execute a prompt programmatically (exits after completion). |
| `--plain-diff` | Disable rich diff rendering (syntax highlighting via the diff tool specified by your git config). |
| `--resume [SESSION-ID]` | Resume a previous interactive session by choosing from a list (optionally specify a session ID). |
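Review bot: The new `--output-format FORMAT` row does not say which modes it applies to, and its description opens with the placeholder ("FORMAT can be ...") where the neighbouring rows open with a verb ("Disable ...", "Execute ..."). Suggest something like "Set the output format: `text` (default) or `json` (JSONL, one JSON object per line)", and state whether the flag only takes effect together with `-p`/`--prompt`. Anyone parsing the JSONL in automation would also want a pointer to the object schema.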
@@ -204,10 +205,9 @@ copilot --allow-tool 'MyMCP'
| `COPILOT_SKILLS_DIRS` | Comma-separated list of additional directories for skills. |
| `COPILOT_EDITOR` | Editor command for interactive editing (checked after `$VISUAL` and `$EDITOR`). Defaults to `vi` if none are set. |
| `COPILOT_GITHUB_TOKEN` | Authentication token. Takes precedence over `GH_TOKEN` and `GITHUB_TOKEN`. |
+| `COPILOT_HOME` | Override the configuration and state directory. Default: `$HOME/.copilot`. |
| `GH_TOKEN` | Authentication token. Takes precedence over `GITHUB_TOKEN`. |
| `GITHUB_TOKEN` | Authentication token. |
-| `XDG_CONFIG_HOME` | Override the configuration directory. Default: `$HOME/.copilot`. |
-| `XDG_STATE_HOME` | Override the state directory. Default: `$HOME/.copilot`. |
| `USE_BUILTIN_RIPGREP` | Set to `false` to use the system ripgrep instead of the bundled version. |
| `PLAIN_DIFF` | Set to `true` to disable rich diff rendering. |
| `COLORFGBG` | Fallback for dark/light terminal background detection. |
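Review bot: The `XDG_CONFIG_HOME` and `XDG_STATE_HOME` rows are removed and replaced by a single `COPILOT_HOME` row, with nothing telling readers whether the old variables are still honored. Users who already export `XDG_CONFIG_HOME` could end up with configuration read from a different directory than they expect after upgrading. Suggest a short note stating from which CLI version `COPILOT_HOME` applies and what happens when only the XDG variables are set.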
@@ -215,7 +215,15 @@ copilot --allow-tool 'MyMCP'
## Configuration file settings
-User settings are stored in `~/.copilot/config.json`. Project-level settings can be placed in `.copilot/settings.json` (committed to the repository) or `.copilot/settings.local.json` (personal overrides—add to `.gitignore`). Settings cascade from user to project to local, with more specific scopes overriding more general ones. Command-line flags and environment variables always take the highest precedence.
+Settings cascade from user to repository to local, with more specific scopes overriding more general ones. Command-line flags and environment variables always take the highest precedence.
+
+| Scope | Location | Purpose |
+|-------|----------|---------|
+| User | `~/.copilot/config.json` | Global defaults for all repositories. Use the `COPILOT_HOME` environment variable to specify an alternative path. |
+| Repository | `.github/copilot/settings.json` | Shared repository configuration (committed to the repository). |
+| Local | `.github/copilot/settings.local.json` | Personal overrides (add this to `.gitignore`). |
+
+### User settings (`~/.copilot/config.json`)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
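Review bot: The scope table moves repository and local settings from `.copilot/settings.json` and `.copilot/settings.local.json` (in the removed paragraph) to `.github/copilot/settings.json` and `.github/copilot/settings.local.json`, without saying whether the old location is still read. Anyone who added `.copilot/settings.local.json` to `.gitignore` by following the previous text will not have the new path ignored, so personal overrides could be committed by accident. Suggest calling out the path change explicitly. Separately, the User row says `COPILOT_HOME` specifies "an alternative path", but the variable names a directory, not the path to `config.json`.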
@@ -230,7 +238,7 @@ User settings are stored in `~/.copilot/config.json`. Project-level settings can
| `denied_urls` | `string[]` | `[]` | URLs or domains blocked (takes precedence over `allowed_urls`). |
| `experimental` | `boolean` | `false` | Enable experimental features. |
| `include_coauthor` | `boolean` | `true` | Add a `Co-authored-by` trailer to git commits made by the agent. |
-| `launch_messages` | `string[]` | `[]` | Custom messages shown randomly on startup. |
+| `companyAnnouncements` | `string[]` | `[]` | Custom messages shown randomly on startup. |
| `log_level` | `"none"` \| `"error"` \| `"warning"` \| `"info"` \| `"debug"` \| `"all"` \| `"default"` | `"default"` | Logging verbosity. |
| `model` | `string` | varies | AI model to use (see the `/model` command). |
| `reasoning_effort` | `"low"` \| `"medium"` \| `"high"` \| `"xhigh"` | `"medium"` | Reasoning effort level for extended thinking. Higher levels use more compute. |
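Review bot: The renamed key `companyAnnouncements` is camelCase in a table whose other keys are snake_case (`include_coauthor`, `log_level`, `reasoning_effort`), which reads like a typo unless explained. Please confirm the spelling against the CLI and say whether `launch_messages` is still accepted as an alias, since existing `config.json` files that use the old key would otherwise stop showing messages with no error.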
@@ -243,13 +251,33 @@ User settings are stored in `~/.copilot/config.json`. Project-level settings can
| `trusted_folders` | `string[]` | `[]` | Folders with pre-granted file access. |
| `update_terminal_title` | `boolean` | `true` | Show the current intent in the terminal title. |
+### Repository settings (`.github/copilot/settings.json`)
+
+Repository settings apply to everyone who works in the repository. Only a subset of settings is supported at the repository level. Unsupported keys are ignored.
+
+| Key | Type | Merge behavior | Description |
+|-----|------|---------------|-------------|
+| `companyAnnouncements` | `string[]` | Replaced—repository takes precedence | Messages shown randomly on startup. |
+| `enabledPlugins` | `Record` | Merged—repository overrides user for same key | Declarative plugin auto-install. |
+| `marketplaces` | `Record` | Merged—repository overrides user for same key | Plugin marketplaces available in this repository. |
+
+### Local settings (`.github/copilot/settings.local.json`)
+
+Create `.github/copilot/settings.local.json` in the repository, for personal overrides that should not be committed. Add this file to `.gitignore`.
+
+The local configuration file uses the same schema as the repository configuration file (`.github/copilot/settings.json`) and takes precedence over it.
+
## Hooks reference
Hooks are external commands that execute at specific lifecycle points during a session, enabling custom automation, security controls, and integrations. Hook configuration files are loaded automatically from `.github/hooks/*.json` in your repository.
### Hook configuration format
-Hook configuration files use JSON format with version `1`:
+Hook configuration files use JSON format with version `1`.
+
+#### Command hooks
+
+Command hooks run shell scripts and are supported on all hook types.
```json
{
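Review bot: The new "Repository settings" section says the file applies "to everyone who works in the repository" and that `enabledPlugins` performs "Declarative plugin auto-install", but it does not say whether the user is prompted before a plugin named in a committed file is installed. That matters for anyone cloning a repository they do not control, so the section should state the consent or trust requirement, or link to where it is documented; the same applies to `marketplaces`. The `Record` type on both rows also needs its key and value types, and it is worth checking that the merge-behavior cells render as intended with the unspaced dash.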
@@ -278,6 +306,29 @@ Hook configuration files use JSON format with version `1`:
| `env` | object | No | Environment variables to set (supports variable expansion). |
| `timeoutSec` | number | No | Timeout in seconds. Default: `30`. |
+#### Prompt hooks
+
+Prompt hooks auto-submit text as if the user typed it. They are only supported on `sessionStart` and run before any initial prompt passed via `--prompt`. The text can be a natural language prompt or a slash command.
+
+```json
+{
+ "version": 1,
+ "hooks": {
+ "sessionStart": [
+ {
+ "type": "prompt",
+ "prompt": "Your prompt text or /slash-command"
+ }
+ ]
+ }
+}
+```
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `type` | `"prompt"` | Yes | Must be `"prompt"`. |
+| `prompt` | string | Yes | Text to submit—can be a natural language message or a slash command. |
+
### Hook events
| Event | Fires when | Output processed |
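Review bot: The "Prompt hooks" section says the text is submitted "as if the user typed it" and can be a slash command, while the surrounding context says hook files load automatically from `.github/hooks/*.json`, yet it gives no indication of whether the user sees or approves the submitted prompt. Since the hook file is repository content, readers need to know how this interacts with folder trust and tool permissions before opening a session in an unfamiliar repository. Suggest adding a sentence on that, and stating what happens when `"type": "prompt"` is used on an event other than `sessionStart` (ignored or rejected).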
diff --git a/content/get-started/accessibility/keyboard-shortcuts.md b/content/get-started/accessibility/keyboard-shortcuts.md
index 0b3ef9118799..b27352c7be33 100644
--- a/content/get-started/accessibility/keyboard-shortcuts.md
+++ b/content/get-started/accessibility/keyboard-shortcuts.md
@@ -51,6 +51,7 @@ The following sections list some of the available keyboard shortcuts, organized
| {% endif %} |
|G W | Go to the **Wiki** tab. For more information, see [AUTOTITLE](/communities/documenting-your-project-with-wikis/about-wikis). |
|G G | Go to the **Discussions** tab. For more information, see [AUTOTITLE](/discussions/collaborating-with-your-community-using-discussions/about-discussions).
+|G S | Go to the repository's **Security** tab. For more information, see [AUTOTITLE](/code-security/getting-started/github-security-features).
## Source code editing
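Review bot: The added `G S` row has no closing `|`, copying the `G G` row above it, whereas the `G W` row is closed. Suggest closing both rows so the table source is consistent and does not depend on a lenient renderer.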
diff --git a/content/support/contacting-github-support/viewing-and-updating-support-tickets.md b/content/support/contacting-github-support/viewing-and-updating-support-tickets.md
index 408f3a60e013..9026479ccafd 100644
--- a/content/support/contacting-github-support/viewing-and-updating-support-tickets.md
+++ b/content/support/contacting-github-support/viewing-and-updating-support-tickets.md
@@ -36,11 +36,9 @@ Your capabilities in the {% data variables.contact.landing_page_portal %} depend
You can only view archived tickets for an enterprise account. Archived tickets are retained for up to three years.
{% data reusables.support.navigate-to-my-tickets %}
-1. Select the **My Tickets** drop-down menu and click the name of the enterprise account.
+1. Select the **Account** dropdown menu and click the name of the enterprise account.
{% indented_data_reference reusables.support.entitlements-note spaces=3 %}
-
- 
1. Under the "My tickets" table, click **View archived tickets**.
{% endif %}
diff --git a/data/release-notes/enterprise-server/3-19/0-rc1.yml b/data/release-notes/enterprise-server/3-19/0-rc1.yml
index 4d3d1b3ad44c..fcd01218964e 100644
--- a/data/release-notes/enterprise-server/3-19/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-19/0-rc1.yml
@@ -244,6 +244,8 @@ sections:
Users may see a mismatch between repository-level Dependabot alerts and the overall Security Risk dashboard metrics. This can be resolved by reloading the page.
- |
The setting to define private registries at the organization level for code scanning is only available if dependabot is also enabled for the instance.
+ - |
+ When viewing the status of an ongoing backup on the "Backups" page of the Management Console, the backup may initially report as "incomplete" instead of "in progress". You can ignore this initial "incomplete" status; the backup is still running and will report the correct status once it has progressed further. In some configurations, such as cluster topologies, this may take up to 5 minutes.
closing_down:
# https://github.com/github/releases/issues/7007
diff --git a/data/release-notes/enterprise-server/3-19/0.yml b/data/release-notes/enterprise-server/3-19/0.yml
index 96fe848360c0..63e65eb66e51 100644
--- a/data/release-notes/enterprise-server/3-19/0.yml
+++ b/data/release-notes/enterprise-server/3-19/0.yml
@@ -249,6 +249,8 @@ sections:
Users may see a mismatch between repository-level Dependabot alerts and the overall Security Risk dashboard metrics. This can be resolved by reloading the page.
- |
The setting to define private registries at the organization level for code scanning is only available if dependabot is also enabled for the instance.
+ - |
+ When viewing the status of an ongoing backup on the "Backups" page of the Management Console, the backup may initially report as "incomplete" instead of "in progress". This initial status can be ignored; the backup is still running and will report the correct status once it has progressed further. In some configurations, such as cluster topologies, this may take up to 5 minutes.
closing_down:
# https://github.com/github/releases/issues/7007
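Review bot: The added known issue here uses the passive "This initial status can be ignored;" while the same entry in `0-rc1.yml` reads "You can ignore this initial "incomplete" status;" and the entries in `2.yml` and `3-20/0-rc1.yml` use a third wording ("You can ignore the initial "incomplete" status because ..."). Since this is one issue repeated across five release-note files, suggest using identical text in all of them so later edits can be applied by search and replace.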
diff --git a/data/release-notes/enterprise-server/3-19/1.yml b/data/release-notes/enterprise-server/3-19/1.yml
index 0fd33afefff3..33f10d1ce3d1 100644
--- a/data/release-notes/enterprise-server/3-19/1.yml
+++ b/data/release-notes/enterprise-server/3-19/1.yml
@@ -95,3 +95,5 @@ sections:
The setting to define private registries at the organization level for code scanning is only available if Dependabot is enabled for the instance.
- |
In patch 3.19.1, we identified an issue in the Management Console where the Backups (Preview) and Updates tabs may fail to open and instead return an Internal Server Error. We recommend using the command line interface (CLI) for backups and updates until an updated patch is released. [Updated: 2026-01-13]
+ - |
+ When viewing the status of an ongoing backup on the "Backups" page of the Management Console, the backup may initially report as "incomplete" instead of "in progress." You can ignore this initial "incomplete" status; the backup is still running and will report the correct status once it has progressed further. In some configurations, such as cluster topologies, this may take up to 5 minutes.
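Review bot: In the added entry the period sits inside the quotation marks ("in progress.") while every other copy of this known issue in the patch places it outside ("in progress".). Suggest matching the other files so the five entries are identical.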
diff --git a/data/release-notes/enterprise-server/3-19/2.yml b/data/release-notes/enterprise-server/3-19/2.yml
index baed67efcad7..84ad7d1ec51a 100644
--- a/data/release-notes/enterprise-server/3-19/2.yml
+++ b/data/release-notes/enterprise-server/3-19/2.yml
@@ -98,3 +98,5 @@ sections:
Release Notes update issue -- https://github.com/github/docs-content/issues/20792
- |
When applying an enterprise security configuration to all repositories (for example, enabling Secret Scanning or Code Scanning across all repositories), the system immediately enqueues enablement jobs for every organization in the enterprise simultaneously. For enterprises with a large number of repositories, this can result in significant system load and potential performance degradation. If you manage a large enterprise with many organizations and repositories, we recommend applying security configurations at the organization level rather than at the enterprise level in the UI. This allows you to enable security features incrementally and monitor system performance as you roll out changes.
+ - |
+ When viewing the status of an ongoing backup on the "Backups" page of the Management Console, the backup may initially report as "incomplete" instead of "in progress". You can ignore the initial "incomplete" status because the backup is still running and will report the correct status once it has progressed further. In some configurations, such as cluster topologies, this may take up to 5 minutes.
diff --git a/data/release-notes/enterprise-server/3-20/0-rc1.yml b/data/release-notes/enterprise-server/3-20/0-rc1.yml
index 9c1195020a8a..4ab24556cb73 100644
--- a/data/release-notes/enterprise-server/3-20/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-20/0-rc1.yml
@@ -203,6 +203,8 @@ sections:
When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.
- |
When applying an enterprise security configuration to all repositories (for example, enabling Secret Scanning or Code Scanning across all repositories), the system immediately enqueues enablement jobs for every organization in the enterprise simultaneously. For enterprises with a large number of repositories, this can result in significant system load and potential performance degradation. If you manage a large enterprise with many organizations and repositories, we recommend applying security configurations at the organization level rather than at the enterprise level in the UI. This allows you to enable security features incrementally and monitor system performance as you roll out changes.
+ - |
+ When viewing the status of an ongoing backup on the "Backups" page of the Management Console, the backup may initially report as "incomplete" instead of "in progress". You can ignore the initial "incomplete" status because the backup is still running and will report the correct status once it has progressed further. In some configurations, such as cluster topologies, this may take up to 5 minutes.
closing_down:
# https://github.com/github/releases/issues/6704
diff --git a/data/reusables/actions/azure-vnet-over-provisioning-resources.md b/data/reusables/actions/azure-vnet-over-provisioning-resources.md
index a7812eccbd37..0deb04e828e9 100644
--- a/data/reusables/actions/azure-vnet-over-provisioning-resources.md
+++ b/data/reusables/actions/azure-vnet-over-provisioning-resources.md
@@ -1 +1 @@
-Starting in November 2025, NICs created by the {% data variables.product.prodname_actions %} service will no longer appear in your Azure subscriptions. Moving forward, NICs are now provisioned in a service subscription and assigned IP addresses from your subnet.
+Soon, NICs created by the {% data variables.product.prodname_actions %} service will no longer appear in your Azure subscriptions. Moving forward, NICs will be provisioned in a service subscription and assigned IP addresses from your subnet.
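Review bot: Replacing "Starting in November 2025" with "Soon" leaves the reusable with no date at all, so readers cannot tell whether the change has already happened, and the sentence will go stale unnoticed. "Soon" followed by "Moving forward" is also redundant. Suggest giving a target timeframe, or rephrasing to describe the end state and linking to a changelog entry that carries the date.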
diff --git a/data/reusables/copilot/coding-agent-required-hosts.md b/data/reusables/copilot/coding-agent-required-hosts.md
index 1acc40c0b7f1..623d382d795f 100644
--- a/data/reusables/copilot/coding-agent-required-hosts.md
+++ b/data/reusables/copilot/coding-agent-required-hosts.md
@@ -2,4 +2,10 @@
* `user-images.githubusercontent.com`
* `api.individual.githubcopilot.com` (if you expect {% data variables.copilot.copilot_pro_short %} or {% data variables.copilot.copilot_pro_plus_short %} users to use {% data variables.copilot.copilot_coding_agent %} in your repository)
* `api.business.githubcopilot.com` (if you expect {% data variables.copilot.copilot_business_short %} users to use {% data variables.copilot.copilot_coding_agent %} in your repository)
-* `api.enterprise.githubcopilot.com` (if you expect {% data variables.copilot.copilot_enterprise_short %} users to use {% data variables.copilot.copilot_coding_agent %} in your repository)
\ No newline at end of file
+* `api.enterprise.githubcopilot.com` (if you expect {% data variables.copilot.copilot_enterprise_short %} users to use {% data variables.copilot.copilot_coding_agent %} in your repository)
+* If you are using the {% data variables.product.prodname_openai_codex %} third-party agent (for more information, see [AUTOTITLE](/copilot/concepts/agents/about-third-party-agents)):
+ * `npmjs.org`
+ * `npmjs.com`
+ * `registry.npmjs.com`
+ * `registry.npmjs.org`
+ * `skimdb.npmjs.com`
\ No newline at end of file
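Review bot: The new sub-list adds five npm hosts to the required hosts, including both bare domains (`npmjs.org`, `npmjs.com`) and registry hosts on both TLDs, without saying what each one is needed for. Administrators who maintain an allowlist will want to know whether all five are required and whether the bare domains are meant to cover subdomains; a one-line reason per host, or trimming to the hosts actually contacted, would help. The new parent bullet also puts its "for more information" link in parentheses mid-sentence, unlike the "(if you expect ...)" pattern above it, and the file still ends without a trailing newline.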
diff --git a/data/reusables/support/view-open-tickets.md b/data/reusables/support/view-open-tickets.md
index f67841c49ad1..9c56c0adbcc8 100644
--- a/data/reusables/support/view-open-tickets.md
+++ b/data/reusables/support/view-open-tickets.md
@@ -1,10 +1,8 @@
{% data reusables.support.navigate-to-my-tickets %}
{% ifversion ghec or ghes %}
-1. Optionally, to view tickets associated with an organization or enterprise account, select the **My Tickets** drop-down menu and click the name of the organization or enterprise account.
+1. Optionally, to view tickets associated with an organization or enterprise account, select the **Account** dropdown menu and click the name of the organization or enterprise account.
{% indented_data_reference reusables.support.entitlements-note spaces=3 %}
-
- 
{% endif %}
1. In the list of tickets, click the subject of the ticket you want to view.

diff --git a/src/content-pipelines/state/copilot-cli.sha b/src/content-pipelines/state/copilot-cli.sha
index 25684c7a2d2f..9eb6766b7479 100644
--- a/src/content-pipelines/state/copilot-cli.sha
+++ b/src/content-pipelines/state/copilot-cli.sha
@@ -1 +1 @@
-048ce959ac72b3507545101544155fecbc89f353
+632be5c3f07cff2d1b3de6e9215997d2c7d97a08