
May ’26 enterprise roundup

In case you missed it…

Published via GitHub Executive Insights | Authored by Dave Burnison

Welcome to the May 2026 edition of the GitHub Monthly Enterprise Roundup (MER). This month’s roundup captures a clear shift in enterprise software development: AI is no longer just an individual productivity tool, but an operational capability that now affects delivery speed, governance, cost control, platform reliability, and security posture. For enterprise software development leaders, the biggest takeaway is that the highest-performing teams will not simply “use Copilot more”—they will govern agents deliberately, measure adoption and cost, modernize workflows around GitHub’s new cloud and CLI agent experiences, and apply stronger policy controls across repositories, pipelines, and runtime environments. For enterprise developers, the message is equally practical: the fastest path to higher productivity is learning how to work effectively with Copilot cloud agent, Copilot CLI, richer pull request review experiences, and language-aware tooling, while the fastest path to higher-quality, more secure code is pairing those capabilities with code scanning, secret scanning, supply chain protections, and the new GitHub Code Quality experience.

The most prominent themes in this edition are agentic software delivery at team scale, governance for AI-assisted development, measurable quality and review improvements, and security controls that move earlier into everyday engineering workflows. The most important items to dive into first are the guidance on governing agents and building guardrails for Copilot cloud agent, because they define how to scale AI safely; the Copilot cloud agent and Copilot CLI updates, because they directly reduce friction in common tasks like coding, reviewing, debugging, and resolving merge conflicts; and the new Code Security risk assessment, batch remediation improvements, and GitHub Code Quality preview, because together they offer one of the clearest paths to making teams both faster and more disciplined at producing maintainable, secure code.

The audience for the MER is anyone in enterprise software development, so there is a wide range of information here. We don't expect you to read every word. Skim through the sections that apply to how you use GitHub and dig into the links that are most relevant to you. Since some readers may skip over entire sections, you may see the same link appear in multiple sections, such as a link that applies to both Code Security and CI/CD. No one person will read every link in this post, but across your team, every link may be read by at least one of your team members. Pass this MER along to your colleagues or pass along specific links that will be beneficial to others.

Want to get notified when the next MER is available? Go to GitHub Enterprise on LinkedIn and click on the "Follow" button. In addition to MER notifications, you'll be notified when other enterprise-focused content becomes available.

Events

While GitHub hosts our own marquee events like Universe and Galaxy each year, you will also find GitHub participating in other industry events. Here is the latest news about upcoming conferences and webinars.

  • 📅 GitHub at Microsoft Build 2026 – Microsoft Build is happening in San Francisco and online June 2-3, 2026. GitHub will be front and center at the event and will be participating across all session types, expert meetup spaces, and event activations. At Microsoft Build, you'll go deep on real code, real systems, and real workflows with the teams building and scaling AI. GitHub will be there to show how developers can build, collaborate, and ship with AI more effectively. Whether you’re looking to expand your networking reach, hear from the experts, or do some hands-on building, we have you covered! Explore GitHub at Build.

  • 📅 Making AI a Developer Team Sport - This "Keeping Up with Copilot" webinar explores the next frontier of AI-assisted software delivery—team-level collaboration—showing how GitHub Copilot can help developers learn from one another, align on best practices, and ship faster together rather than just accelerating individual workflows. Enterprise engineering leaders who have already adopted Copilot for individual productivity and want to scale that benefit across the entire organization will find concrete examples, best practices, and live Q&A.

GitHub Platform

The team at GitHub is incredibly passionate about our work. We read every email, social post, support ticket, and we take it all to heart. We are committed to improving availability, increasing resilience, scaling for the future of software development, and communicating more transparently along the way.

  • 📢 An update on GitHub availability - GitHub is rapidly refining its platform to handle a 30× surge in scale driven by AI agent–based development workflows, but recent incidents highlight where reliability and isolation still need improvement. For enterprise teams relying on GitHub for mission-critical workflows, this update reveals both the immediate risks (e.g., merge queue regressions, search outages) and the concrete engineering investments underway to improve availability, resilience, and transparency—critical signals for how dependable the platform will be as your software development velocity accelerates.

  • 📢 Bringing more transparency to GitHub's status page - GitHub is introducing three improvements that give enterprise teams more accurate and actionable status information: a new "Degraded Performance" tier that prevents minor latency spikes from being misclassified as outages, per-service 90-day uptime percentages weighted by incident severity, and a new "Copilot AI Model Providers" component that isolates model-level outages from the broader Copilot service. For teams managing SLAs, escalation runbooks, or availability reviews tied to GitHub, these changes make the status page a more reliable signal and reduce alert fatigue caused by over-classified incidents.

  • 🚢 Pausing new self-serve signups for GitHub Copilot Business - GitHub is temporarily pausing new self-serve signups for Copilot Business for organizations on GitHub Free and GitHub Team plans to ensure service reliability for existing customers; current Copilot Business subscribers can continue adding seats and using the service normally.

  • 📐 Implementing polyrepo on GitHub - Enterprises managing software as a polyrepo system gain team autonomy and clear ownership boundaries, but inherit cross-repo change coordination, dependency compatibility, CI/CD policy consistency, and release governance challenges that GitHub's native repo-scoped primitives weren't designed to solve. This Well-Architected recommendation provides a GitHub-first operating model centered on a manifest-driven integration layer (meta-repo) for composition validation, change-set tracking issues for cross-repo coordination with a single auditable spine, versioned reusable workflows as a product-grade platform interface, and a safety-model orchestrator for automated multi-repo execution with least-privilege GitHub App permissions. For engineering leaders managing large repository portfolios, the implementation checklist covers integration repo setup, branching conventions, release governance, security campaign coordination, and workflow telemetry for enterprise dashboards.

  • 📢 Securing the git push pipeline: Responding to a critical remote code execution vulnerability - GitHub fixed a critical RCE vulnerability (CVE-2026-3854) in under two hours after discovery, where unsanitized git push option values could be used by any repository contributor to execute arbitrary commands on GitHub's servers handling the push operation. A thorough forensic investigation confirmed no exploitation occurred before the fix, and patches are now available for all supported GitHub Enterprise Server releases (3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later). Enterprise teams running GHES should prioritize upgrading immediately.

  • 🥼 GitHub Next's new micro-blog - GitHub Next has refreshed its website (https://githubnext.com) to enable the GitHub Next team to share quick learnings, screenshots, demos, and essays alongside formal project pages—providing a window into the research-in-progress that previously had no dedicated home. The new micro-blog format means developers can follow GitHub Next's work as it happens, without waiting for polished project announcements. The updated site signals increased transparency from GitHub's research team.

  • 🚢 New PGP signing key for GitHub CLI Linux packages - If your organization installs or updates gh via apt, yum, or dnf on Linux, rerun the installation steps before September 5, 2026, to pick up the updated PGP keyring and avoid package update disruptions.

  • 🚢 Sunsetting SHA-1 in HTTPS on GitHub - Starting July 14, 2026, GitHub will run a brownout disabling SHA-1 in HTTPS, followed by complete removal on September 15—any browser, API client, or Git client relying on SHA-1 for TLS against github.com or GitHub Enterprise Cloud (GHES is unaffected) will fail after that date. Enterprise teams should audit tooling now and verify compatibility by testing against https://github.dev, where SHA-1 is already disabled.

  • 🚢 Global pull requests dashboard moves to opt-out public preview - The new global pull requests dashboard is now on by default for all GitHub users, featuring a unified inbox with org-level filtering, dedicated "Your drafts" and "Waiting for review" sections, team review grouping, and improved PR list views with status checks, filtering links, and assignee avatars—with durable saved view URLs that persist even after edits.

  • 🚢 GitHub Changelog - GitHub Platform - Skim through all of the recent GitHub Platform related changes.

Enterprise Management & Governance

We have been listening to our enterprise customers for years. We are excited to share product updates and new guidance to assist those who manage GitHub for hundreds if not thousands of stakeholders. This month's updates demonstrate how we are acting on your feedback to address the issues you face in multiple areas of managing GitHub Enterprise at scale, not only with new features and capabilities but also with new guidance to properly manage it all in your world.

General

  • 🚢 Rule insights dashboard and unified filter bar - A new rule insights dashboard in repository Settings > Rules surfaces visual trends in ruleset evaluation successes, failures, and bypasses—plus identifies the most active bypassers—while a unified filter bar brings consistent alert management and custom property filtering to code scanning, Dependabot, and secret scanning dismissal and bypass request pages at enterprise, organization, and repository levels.

  • 🚢 Deprecation of security-related organization API fields - Seven organization-level security settings—covering Advanced Security, Dependabot alerts and updates, dependency graph, secret scanning, and push protection for new repositories—have been removed from GitHub's Organization REST API get and update endpoints, as GitHub Code Security configurations are now the canonical method for managing these settings at scale; enterprise admins who rely on these API fields for automation must update their scripts to use the Code Security API.

  • 🚢 Notice about upcoming new format for GitHub App installation tokens - GitHub is rolling out a new stateless installation token format (staged April 27 through late June 2026) that changes token length from 40 to approximately 520 characters while retaining the ghs_ prefix—enterprise teams with GitHub Apps, CI/CD pipelines referencing GITHUB_TOKEN, or database schemas that store tokens must audit for hardcoded length assumptions or regex patterns like ghs_[A-Za-z0-9]{36} before the broad rollout to avoid authentication failures.

GitHub Copilot & AI

  • 📢 GitHub Copilot is moving to usage-based billing - Starting June 1, 2026, all Copilot plans replace premium request units with a GitHub AI Credits model billed on token consumption (input, output, and cached), while base plan pricing remains unchanged (Business $19/user/month, Enterprise $39/user/month). A preview bill experience launches in early May so admins can see projected costs before the transition, and budget controls can be set to cap spending—enterprise admins should review Actions budgets, communicate changes to billing leads, and note that Copilot code review will also begin consuming GitHub Actions minutes on June 1.

  • 🚢 Copilot data residency in US, EU, and FedRAMP compliance now available - Enterprise and organization admins can now restrict all Copilot inference to US or EU data-resident endpoints—or enforce FedRAMP Moderate-compliant model hosts for government deployments—covering every generally available Copilot feature from inline suggestions to CLI and cloud agent, with a 10% premium request cost increase reflecting provider pricing for certified endpoints.

  • 📄 Building guardrails for GitHub Copilot cloud agent - Before enabling Copilot cloud agent broadly, this tutorial walks enterprise administrators through the key preparatory steps: reviewing built-in security protections, planning access policies to scope which organizations and repositories can use the agent, adapting branch rulesets to govern what the agent can push, and configuring GitHub Actions runners to ensure sessions run in ephemeral, isolated environments. It also covers protecting critical Copilot and MCP configuration files via CODEOWNERS and required reviews, and managing Actions workflow policies and token permissions for agent-created PRs. For admins responsible for AI governance, this tutorial is the authoritative pre-deployment checklist for a secure, compliant Copilot cloud agent rollout.

  • 📐 Governing agents in GitHub Enterprise - As Copilot cloud agent, Copilot code review agent, and third-party agents like Claude and Codex become top contributors by pull request volume, enterprises face a new class of governance challenge: agents act faster and at broader scale than any individual, interact with external services through MCP, and execute code in environments that may hold secrets and infrastructure triggers. This Well-Architected recommendation covers the five key governance levers—enterprise-level Copilot and MCP policies, layered agentic configuration from enterprise to repository, security controls and human review gates on agent output, audit log streaming for agent observability, and spending limits with attributable cost controls—all designed to keep teams productive without creating bottlenecks. For enterprise admins and engineering leaders scaling agent adoption, this is the authoritative governance framework for ensuring every agent action is auditable, model and tool access is centrally managed, and cost exposure is predictable before the June 2026 billing changes take effect. See also the related discussion: 🗣️ How to govern AI agents in your GitHub Enterprise.

  • 🚢 Enable Copilot cloud agent via custom properties - Enterprise admins can now enable Copilot cloud agent selectively for specific organizations—individually or by matching organization custom properties—using three new REST API endpoints or the AI Controls settings page, enabling phased rollouts and pilot programs without an all-or-nothing policy.

  • 🚢 Organization runner controls for Copilot cloud agent - Organization admins can now set a default runner for all Copilot cloud agent tasks across repositories and optionally lock the setting to prevent individual repos from overriding it—making it straightforward to enforce consistent compute choices such as self-hosted runners or larger GitHub-hosted runners without per-repository copilot-setup-steps.yml configuration.

  • 📄 Giving GitHub Copilot cloud agent access to resources in your organization - This tutorial explains how to securely extend Copilot cloud agent's capabilities to MCP servers, private packages, and external services by scoping secrets and authentication tokens inside a dedicated copilot GitHub Actions environment that the agent can access—while keeping organization-wide secrets out of reach. A worked example using Sentry for bug triage demonstrates how to store environment secrets, create a custom agent profile with MCP server configuration, and install private packages via copilot-setup-steps.yml without exposing broad organizational credentials. For enterprise teams building domain-specific AI workflows that require access to internal systems, this guide provides the governance-aware pattern for expanding agent access in a least-privilege, auditable way.

  • 🚢 Organization firewall settings for Copilot cloud agent - Organization admins can now manage Copilot cloud agent's built-in internet firewall across all repositories from a single settings page—controlling firewall state, recommended allowlists, and organization-wide custom entries such as internal package registries—without requiring per-repository configuration by individual repo admins.

  • 📐 Expanding the context of Enterprise Custom Agents - Enterprise custom agents defined in a single markdown file hit a 30,000-character limit that makes it difficult to provide comprehensive coding standards, security requirements, and architectural guidance to Copilot cloud agent when invoked from the GitHub UI. This Well-Architected recommendation details a prescriptive MCP-based approach: storing modular knowledge files in the .github-private repository and instructing agents to load additional context dynamically at runtime via the GitHub MCP server, bypassing the single-file limit without requiring changes to the agent definition itself. For enterprises on GitHub Enterprise Cloud, EMU, or Data Residency, the approach supports per-repository authentication via copilot environment secrets, keeping access governance fine-grained while enabling rich, domain-specific agent context.

  • 📢 Developer policy update: Intermediary liability, copyright, and transparency - The U.S. Supreme Court's Cox v. Sony decision reinforced that platforms are not automatically liable for user copyright infringement without evidence of intent—a legal clarity that protects the collaborative infrastructure developers and enterprises rely on. GitHub also flags the upcoming 2027 DMCA Section 1201 triennial review, where new questions around AI model inspection, safety research, and interoperability will be debated, making this essential reading for enterprise legal and compliance teams working with AI tooling or open source. GitHub's Transparency Center has been updated with full-year 2025 data, showing record DMCA circumvention claim volumes that underscore why balanced copyright policy matters for open source ecosystems.

  • 🚢 Upcoming change to Copilot usage metrics report download URLs - Starting May 20, 2026, Copilot usage metrics report download links will migrate from Azure Front Door domains to the stable GitHub-owned domain copilot-reports.github.com—enterprise teams with firewall or proxy allowlists should update them before that date to avoid disruption to report download automation.

  • 🚢 GitHub CLI: Opt-out usage telemetry - Starting with v2.91.0, GitHub CLI collects pseudonymous usage telemetry by default to inform product improvements, with full transparency via log mode and simple opt-out options via GH_TELEMETRY=false, DO_NOT_TRACK=true, or gh config set telemetry disabled.

  • 🚢 Copilot cloud agent fields added to usage metrics - The Copilot usage metrics API now includes a new used_copilot_cloud_agent boolean field in user-level enterprise and organization reports, mirroring the existing used_copilot_coding_agent flag under the updated product name, with backward compatibility for the old field name preserved until August 1, 2026.

  • 🚢 Copilot-reviewed pull request merge metrics now in the usage metrics API - Enterprise and organization admins can now measure the impact of Copilot code review on PR velocity through two new usage metrics API fields tracking merged PRs reviewed by Copilot and their median time to merge.

  • 🚢 Copilot usage metrics now identify active and passive Copilot code review users - Enterprise and organization admins can now distinguish whether users actively engage with Copilot code review (by assigning it, requesting reviews, or applying suggestions) versus having it run passively via a repo-level policy—enabling a clearer and more meaningful picture of true CCR adoption beyond simple coverage counts.

  • 🚢 Copilot code review user counts now aggregate in usage metrics API - Six new fields in the Copilot usage metrics API provide daily, weekly, and monthly active and passive code review user counts at enterprise and organization levels, enabling admins to distinguish intentional adoption from policy-driven usage and track engagement trends over time.

  • 🚢 Copilot usage metrics now aggregate Copilot cloud agent active user counts - Three new fields (daily, weekly, and monthly active cloud agent user counts) are now available in the Copilot usage metrics API at enterprise and organization level, giving admins a unified view of Copilot cloud agent adoption trends without needing to aggregate user-level data manually.

  • 🚢 Copilot CLI activity now included in usage metrics totals and feature breakdowns - Copilot CLI usage is now integrated into the top-level Copilot usage metrics API totals and dimensional feature breakdowns alongside IDE usage—enterprise admins with CLI rollouts will see higher aggregate numbers and should review any dashboards or thresholds that previously assumed IDE-only totals.

  • 🚢 GitHub Copilot code review will start consuming GitHub Actions minutes on June 1, 2026 - Starting June 1, each Copilot code review on a private repository will draw from your plan's included GitHub Actions minutes (billed at standard Actions rates for overages) in addition to the new AI Credits model—this applies to all plans (Pro, Pro+, Business, Enterprise) including reviews triggered by unlicensed users through direct org billing, so enterprise admins should audit current Actions minute usage and confirm budget controls before the change takes effect.

Developer Skills

General developer expertise based on our own experience and the collective experience of our customers and partners. It's time to start diving into how AI is going to work alongside you to make you a better, more productive developer, not replace you. This month we have a set of articles to help you better understand AI at its core and how it works.

  • 📢, 📺 & 🙋‍♂️ GitHub for Beginners: Getting started with Markdown (5:57) - Markdown is the formatting language used across GitHub for READMEs, issues, pull requests, discussions, wikis, and agent instruction files—making it an essential skill for any developer contributing to or managing GitHub-hosted projects. This guide covers fundamental syntax including headers, emphasis, lists, links, images, tables, code blocks, and GitHub-specific extensions like task lists, with interactive examples developers can try directly in a GitHub repository editor. For enterprise teams onboarding new contributors or standardizing documentation and agent instruction file practices, this primer pays dividends across every project. I have been using markdown the entire time I have been at GitHub and I learned a few new things from the noted cheat sheet on formatting Markdown.

  • 📚 What is Deep Learning? - Deep learning's ability to automatically discover complex patterns in raw, unstructured data—without manual feature engineering—makes it the foundational technology behind breakthroughs in computer vision, NLP, speech recognition, and generative AI tools like GitHub Copilot. Understanding the distinction between training (resource-intensive, done once) and inference (applied at production scale and speed) is critical for engineering leaders planning AI infrastructure and allocating compute budgets. For development teams building or integrating AI-powered tooling, this primer also clarifies when deep learning is the right choice versus traditional machine learning, helping avoid costly architectural missteps.

  • 📚 What are AI agents? - This primer explains how AI agents make autonomous decisions and why they're becoming central to modern software development—from automated code review and testing to CI/CD and vulnerability detection. For enterprise teams evaluating how to integrate agentic AI tools like GitHub Copilot into their workflows, understanding AI agents is foundational. Whether you're a developer or a leader, this article provides the context and vocabulary needed to navigate the rapidly evolving AI agent landscape.

  • 📚 What is AI orchestration? - AI orchestration is the coordination layer that turns individual models, agents, tools, and APIs into reliable, production-grade workflows—adding the permissions, approvals, logging, retries, and traceability that development teams expect from any production system. This article cuts through terminology confusion by clearly distinguishing AI orchestration from agent orchestration, automation, and MLOps, and maps core orchestration concepts onto DevOps workflows developers already understand—like CI/CD pipelines with observable, auditable behavior. If your team is integrating AI into software delivery, this is an essential read for designing systems you can actually debug, audit, and scale safely.

  • 📚 What is AI agent orchestration? - AI agent orchestration is the governance and execution layer that coordinates multiple AI agents to plan, decide, and collaborate toward shared goals—adding state management, policy enforcement, cost limits, and human-in-the-loop checkpoints that individual agents alone can't provide. This article explains how orchestration maps directly to developer workflows, from embedding policy-as-code into CI/CD pipelines to enforcing compliance rules like signed commits and issue linking automatically. For enterprise teams scaling beyond single agents, understanding orchestration is foundational to maintaining security, reliability, and audit trails as multi-agent systems grow.

  • 📚 What is MCP? - Model Context Protocol (MCP) is the open-source client–server protocol co-developed by Anthropic and GitHub that defines a standardized "universal port" through which any compliant AI client can discover capabilities, retrieve live data, and invoke actions across external tools, APIs, internal systems, and knowledge bases—without requiring a custom integration for each one. For enterprise teams, MCP is the foundational standard that governs how GitHub Copilot and other AI tools interact with your existing development ecosystem—from internal wikis and ticketing systems to private package registries—at governed scale. Understanding MCP is essential for anyone designing agentic workflows, evaluating multi-tool AI automation, or setting organizational policies around how AI systems access organizational data.

  • 📚 What is workflow orchestration? - Workflow orchestration is the governed control layer that coordinates multistep tasks across systems with explicit dependency ordering, state management, rollback, and human-in-the-loop checkpoints—ensuring that complex, cross-system workloads like CI/CD pipelines, ETL, and agentic AI workflows run predictably, auditably, and at scale. With GitHub's developer-native approach, orchestration lives next to code as version-controlled, reviewable workflows observable through GitHub Actions and audit logs, combining the speed of automation with the security and governance enterprise teams require. For teams adopting AI agents alongside traditional DevOps pipelines, this article provides the vocabulary and mental model to design governed, multi-step automation that stays reliable and compliant as complexity grows.

AI & ML - GitHub Copilot

Recent advancements and feature updates for GitHub Copilot, with a particular focus on the GitHub Copilot cloud agent, GitHub Copilot CLI and the GitHub Copilot SDK.

GitHub Copilot cloud agent

  • 📚 How to Orchestrate AI Agents - As teams move beyond single-agent workflows, preventing drift, merge conflicts, and governance gaps in multi-agent systems becomes the real engineering challenge. This guide provides a practical framework for structuring parallel and sequential agent pipelines, writing issues as step-by-step agent instructions, and establishing repo-level guardrails that scale to enterprise workflows. It also covers how to monitor, steer, and continuously improve agent sessions using logs and a structured review process before merging.

  • 📄 Get started with Copilot agents on GitHub - This quick-start guide walks developers through the complete Copilot cloud agent experience in under ten minutes: assigning a coding task from a GitHub Issue, launching a second parallel research task at the same time, requesting a Copilot code review on the resulting pull request, and iterating on the agent's output—all via the GitHub UI without leaving the browser. For enterprise teams beginning to delegate development tasks to Copilot cloud agent, this end-to-end walkthrough anchors developers in the correct assign-review-iterate pattern and reduces time-to-first-success.

  • 🚢 Fix merge conflicts in three clicks with Copilot cloud agent - A new "Fix with Copilot" button on github.com lets developers resolve pull request merge conflicts in three clicks by triggering Copilot cloud agent to autonomously fix the conflict, verify that the build and tests still pass, and push the solution—requiring Copilot Business or Enterprise with the cloud agent policy enabled by an admin.

  • 📺 Fixing merge conflicts and PRs with Copilot cloud agent (11:55) - Merge conflicts, failing tests, messy PRs. What if you could just ask Copilot to fix all of it? Tim Rogers shows off what's new with Copilot Cloud Agent: private sessions before you open a PR, model choice, and just say "@Copilot fix the merge conflicts" and it handles it. Plus a sneak peek at what's coming next. Which one are you trying first?

  • 🚢 Copilot cloud agent starts 20% faster with Actions custom images - Copilot cloud agent now starts over 20% faster, building on the 50% startup improvement shipped in March, through prebuilt runner environments using GitHub Actions custom images—reducing the time from assigning an issue or mentioning @copilot to the agent actively working on your code.

  • 🚢 Copilot cloud agent's validation tools are now 20% faster - CodeQL, secret scanning, the GitHub Advisory Database, and Copilot code review now run in parallel when the cloud agent finishes writing code, cutting validation time by 20% and delivering faster, review-ready pull requests without any reduction in security or quality.

  • 🚢 Model selection for Claude and Codex agents on GitHub.com - When assigning tasks to Claude or Codex third-party coding agents on github.com, users can now select specific Anthropic models (Sonnet 4.6, Opus 4.6, Sonnet 4.5, Opus 4.5) or OpenAI models (GPT-5.2-Codex, GPT-5.3-Codex, GPT-5.4)—Copilot Business and Enterprise admins must enable the Claude or Codex policy for their organization before users can access these options.

  • 🚢 GitHub Copilot for Jira: Our latest enhancements - Custom agents, custom fields, custom branching rules, org-level custom instructions, and review request notifications in Jira give enterprise teams greater control over how Copilot cloud agent behaves within existing Jira workflows—all configurable without requiring per-ticket manual setup.

  • 🚢 GitHub Mobile: Research and code with Copilot cloud agent anywhere - The Copilot cloud agent on GitHub Mobile now supports codebase research, implementation planning, and branch-based code changes—not just PR workflows—letting developers iterate and create PRs when ready, all from their mobile device.

  • 🚢 Copilot cloud agent signs its commits - All commits made by Copilot cloud agent now appear as Verified on GitHub, enabling the agent to work in repositories with the "Require signed commits" branch protection rule or ruleset—removing a previous blocker for enterprise teams enforcing signed commit policies.

GitHub Copilot CLI

  • 🚢 Copilot CLI now supports BYOK and local models - Copilot CLI now lets enterprise teams connect their own model providers (Azure OpenAI, Anthropic, or any OpenAI-compatible endpoint) or run fully local models such as Ollama and vLLM—including an air-gapped offline mode where GitHub authentication is not required and all telemetry is disabled.

  • 📺 & 🙋‍♂️ GitHub Copilot CLI for Beginners with Christopher Harrison and Kayla Cinnamon

    • 📢 & 📺 GitHub Copilot CLI for Beginners: Getting started with GitHub Copilot CLI (3:48) - This step-by-step primer walks developers through installing, authenticating, and issuing their first prompts in GitHub Copilot CLI—the terminal-native agentic AI that autonomously builds code, runs tests, and self-corrects without breaking your workflow. Key use cases covered include project overviews, adding endpoints, and delegating issues to Copilot cloud agent via /delegate. Part of a growing beginner series that will cover interactive/non-interactive modes, slash commands, and MCP server integration.

    • 📢 & 📺 GitHub Copilot CLI for Beginners: Interactive v. non-interactive mode (1:53) - Understanding the difference between Copilot CLI's interactive (conversational, session-based) and non-interactive (single-prompt, script-friendly) modes is essential for designing developer workflows that maximize the value of AI assistance at the terminal. Interactive mode supports iterative back-and-forth development within a context-aware session, while non-interactive mode is ideal for embedding Copilot into CI scripts, one-off lookups, or shell pipelines using copilot -p without starting a full session. The post also covers how to resume previous sessions with /resume or copilot --resume, helping developers maintain continuity across long-running tasks.

    • 📺 How to use MCP servers with GitHub Copilot CLI | Tutorial for beginners (4:23) - In episode 5 of the GitHub Copilot CLI for beginners series, we dive into the model context protocol (MCP). Learn how to give your AI agent access to external documentation, databases, and testing tools. We walk you through using the /mcp command to set up both local and remote servers. Watch as we use the Playwright and Svelte MCP servers to test and improve a web application.

  • 📢 GitHub Copilot CLI combines model families for a second opinion - GitHub Copilot CLI introduces "Rubber Duck" in experimental mode—a cross-model review mechanism that uses a second AI from a different model family (e.g., GPT-5.4 reviewing Claude Sonnet's plans) to catch planning blind spots before code is written. Evaluations on SWE-Bench Pro show the combination closes 74.7% of the performance gap between Sonnet and Opus on complex, multi-file tasks. Use /experimental in Copilot CLI to try it today.

  • 🚢 Remote control CLI sessions on web and mobile in public preview - Enterprise teams can now monitor and steer a running Copilot CLI session from any browser or the GitHub Mobile app using copilot --remote, with real-time sync between CLI and web, including mid-session steering, plan review, and permission approvals—Copilot Business and Enterprise admins must enable the remote control policy before users can activate it.

  • 📺 How to access your Copilot CLI session from anywhere (3:15) - Need to step away from your desk but want to keep working? The new remote feature for GitHub Copilot CLI lets you access your active terminal session from any device with a browser. Learn how to remote control your session, allowing you to manage your work wherever and whenever you need to.

  • 🚢 Manage agent skills with GitHub CLI - A new gh skill command (GitHub CLI v2.90.0+) lets developers install, update, pin, and publish agent skills—portable AI instruction sets compatible with GitHub Copilot, Claude Code, Cursor, Codex, and Gemini CLI—with built-in supply chain integrity through SHA-pinning, immutable releases, and frontmatter-based provenance tracking that travels with the skill wherever it's copied or moved.

  • 📺 How to use agents, skills, and instructions in Copilot CLI (6:21) - In episode 6 of our GitHub Copilot CLI for beginners series, we explore how to deeply customize your AI coding assistant. We walk you through setting up instructions, skills, and custom agents to ensure Copilot follows your team's exact coding standards. Learn how to generate project-level instructions, automate pull requests with agent skills, and run specialized tasks like accessibility reviews. These tools work in perfect harmony to keep your codebase consistent.

  • 📢 & 📺 Build a personal organization command center with GitHub Copilot CLI (5:47) - A GitHub staff software engineer shares how she used Copilot CLI and VS Code agent mode to go from idea to a working Electron desktop app in a single day—consolidating calendar, tasks, and M365 data into one unified command center without deep Electron expertise. Her workflow combines VS Code agent mode for synchronous development with Copilot cloud agent for async background tasks like bug fixes and tech debt, demonstrating a practical multi-agent development pattern ANY team can adapt. The project repository is open source and includes setup instructions for developers who want to replicate or extend the approach.

  • 📄 Managing context in GitHub Copilot CLI - As Copilot CLI sessions grow longer, the context window fills with conversation history, tool results, and file contents—this page explains how automatic compaction at ~80% capacity summarizes and compresses that history so you can keep working without losing conversational continuity or hitting model limits. It covers how to monitor real-time context usage with /context, trigger manual compaction proactively with /compact, and understand what the resulting summary preserves and omits for session continuity. For enterprise developers running complex multi-step agentic sessions in Copilot CLI, understanding context management prevents unexpected session degradation and informs how to structure long-running tasks.

  • 🚢 GitHub Copilot CLI now supports Copilot auto model selection - Auto model selection is now GA in Copilot CLI, dynamically routing requests across GPT-5.4, GPT-5.3-Codex, Sonnet 4.6, and Haiku 4.5 based on your plan and admin policies—reducing rate limit friction while honoring all administrator model settings—and paid subscribers get a 10% discount on premium request multipliers when auto is active.

  • 📺 Copilot CLI update: chronicle, plugins, and fleet mode (14:03) - We sit down with Copilot CLI Product Manager Ryan Hecht to explore the latest experimental features. We dive into the new plugin marketplace, the powerful /chronicle slash command for self-healing prompts, and how to run Claude Opus 4.6, GPT-5.4, and Gemini 3 simultaneously. See how /fleet mode and autopilot can handle massive refactoring tasks while you step away.

  • 🚢 Copilot CLI supports custom registry-based MCP allowlists - Enterprise and organization administrators can now configure a custom MCP registry allowlist in Copilot CLI (in public preview), ensuring developers can only use MCP servers approved by your organization at runtime—extending governance controls that previously existed for github.com-based Copilot experiences directly into terminal-based developer workflows.

  • 📺 How to use hooks in the GitHub Copilot CLI (4:43) - Hooks are one of the most powerful tools in the GitHub Copilot CLI, but they can be confusing at first. In this video, we break down the entire agent lifecycle to show you exactly how and when hooks fire. You will learn about events like session start, pre tool use, and user prompt submitted. Watch to see how you can use these events to control tool calls and customize your workflow.

  • 🚢 C++ code intelligence for GitHub Copilot CLI in public preview - The Microsoft C++ Language Server is now available in public preview for Copilot CLI, bringing IntelliSense-grade semantic understanding—symbol definitions, references, call hierarchies, and type information—directly to the command line, enabling more precise C++ code navigation and agent reasoning without IDE-dependent tooling.

  • 📄 Using LSP servers with GitHub Copilot CLI - LSP (Language Server Protocol) integration gives Copilot CLI compiler-grade code intelligence—go-to-definition, find-references, safe project-wide rename, call hierarchy analysis, and type information—directly at the command line, significantly improving accuracy when navigating or refactoring large, multi-file codebases compared to text-based search. Unlike file scanning, LSP operations return compact structured results that reduce token consumption and speed up agent reasoning, while safe rename operations reliably update every reference across the entire project. For enterprise teams using Copilot CLI for complex code changes at scale, configuring project-level LSP servers is a straightforward way to measurably improve agent code quality and precision.

GitHub Copilot SDK

  • 📄 GitHub Copilot SDK - The GitHub Copilot SDK documentation hub consolidates everything needed to embed GitHub Copilot AI capabilities into custom applications—covering installation and authentication, deployment configuration for different environments, session management with hooks for custom lifecycle control, observability and distributed tracing, and integration with third-party agent frameworks and orchestration platforms. For enterprise teams building internal developer tools, specialized AI coding assistants, or governance layers on top of Copilot, the SDK provides production-grade building blocks with full visibility and control over model interactions.

  • 📺 Build a Personal Assistant with GitHub Copilot SDK + Copilot CLI (5:08) - In this video, we show you how to use the new /research command to learn the SDK, and then deploy fleet mode to write the code automatically.

IDE Related GitHub Copilot Updates

  • 🚢 Bring your own language model key in VS Code now available - Copilot Business and Enterprise users can now bring their own API keys for Anthropic, Gemini, OpenAI, OpenRouter, Azure, Ollama, and Foundry Local models in VS Code—usage is billed directly by the provider and doesn't count against Copilot request quotas, while administrators can disable BYOK organization-wide via Copilot policy settings.

  • 🚢 GitHub Copilot in Visual Studio Code – March releases - VS Code shipped five weekly releases throughout March and early April (v1.111–v1.115), delivering Autopilot for fully autonomous agent sessions (public preview), nested subagents, integrated browser debugging with breakpoints, image and video support in chat, and a unified chat customizations editor—all adding up to a significant leap in what agents can accomplish without leaving the IDE.

  • 🚢 GitHub Copilot in Visual Studio: April update - Visual Studio's April 2026 update makes agentic workflows first-class in the IDE: cloud agent sessions launch directly from an in-IDE agent picker, a new Debugger agent can reproduce issues and validate fixes against live runtime behavior, and user-level custom agents defined in %USERPROFILE%/.github/agents/ travel with developers across projects. Enterprise teams using C++ will also benefit from generally available C++ Code Editing Tools that give agent mode language-aware semantic navigation—symbol definitions, call hierarchies, and type hierarchies—across large codebases.

  • 🚢 Inline agent mode in preview and more in GitHub Copilot for JetBrains IDEs - Copilot for JetBrains now supports inline agent mode in public preview, bringing full agent capabilities directly into the editor's inline chat (Shift+Ctrl/Cmd+I) without switching to the chat panel—plus enhanced Next Edit Suggestions with inline previews and far-away edit navigation, and new global auto-approve controls with granular terminal command and file-edit settings for more flexible agentic workflows.

GitHub Copilot - New Models

  • 🚢 Claude Opus 4.7 is generally available - Claude Opus 4.7 is rolling out across all Copilot tiers (Pro+, Business, Enterprise) and surfaces—VS Code, Visual Studio, Copilot CLI, Copilot cloud agent, GitHub Mobile, and more—with improvements in multi-step task performance and long-horizon reasoning; Enterprise and Business admins must explicitly enable the Claude Opus 4.7 policy in Copilot settings to give users access.

  • 🚢 GPT-5.5 is generally available for GitHub Copilot - GPT-5.5, OpenAI's latest model optimized for complex multi-step agentic coding tasks, is now rolling out to Copilot Pro+, Business, and Enterprise subscribers across all surfaces—VS Code, Visual Studio, Copilot CLI, cloud agent, GitHub Mobile, JetBrains, Xcode, Eclipse, and github.com—with a 7.5× premium request multiplier and Enterprise/Business admins required to enable the GPT-5.5 policy to grant access.

Additional GitHub Copilot Updates

  • 🗣️ The Difference Between “Using Copilot” and “Working With Copilot”: Using Copilot is interacting with it for individual outputs. Working with Copilot is integrating it into the way work moves through your development process. Learn how to take advantage of this distinction to use Copilot more strategically.

  • 🚢 Copilot Chat improvements for pull requests - Copilot Chat now includes richer pull request context—comments, file changes, commits, and reviews—and can perform structured PR reviews and summaries from both on-page diff view and immersive github.com/copilot chat, surfacing key improvements through updated suggested prompts like "Help review this pull request."

  • 🚢 Better debugging with GitHub Copilot on the web - Copilot Chat in github.com now performs structured root-cause analysis when you paste a stack trace, using your repository's code context to move from "where it crashed" to "why it happened"—delivering what failed, the root cause, relevant code evidence, confidence level, suggested fix, and next verification steps in a single structured response.

  • 🥼 Repo Mind Light - Repo Mind Light is a GitHub Next research project that gives AI coding agents reliable, holistic understanding of a repository by combining an incremental local index of GitHub issues and pull requests with live code and documentation retrieval via GitHub Code Search. Unlike search tools that return isolated snippets, it uses GraphRAG Zero to answer architectural questions, ownership queries, and historical reasoning questions grounded in the full repository context—including design intent buried in review threads and old PR discussions. Delivered as a standalone Docker image plus local MCP server, it can be embedded into GitHub Actions agentic workflows to provide high-quality repository context without a separately managed service.

  • 🥼 Autoloop - Autoloop is a GitHub Next agentic workflow that transforms a GitHub issue or markdown file into an autonomous improvement loop—you define a goal, target files, and an evaluation metric, and Autoloop runs on a schedule, proposing and testing changes, keeping only those that improve the metric. The system ships with two strategies: OpenEvolve (inspired by DeepMind's AlphaEvolve) for optimization and algorithmic improvement tasks, and test-driven for structured red-green-refactor development. For enterprise teams, Autoloop offers a governance-friendly autonomous development approach: all state lives in human-readable markdown on a dedicated branch, every change is a reviewable PR, and resource use is controlled by the schedule you define.

  • 🚢 GitHub Changelog - Copilot - Skim through all of the recent Copilot changes.

CI/CD

Continuous Integration & Continuous Deployment with GitHub Actions. If you are involved in managing and authoring GitHub Actions workflows you'll want to dive into these updates to see how we are addressing enterprise needs in the areas of scalability, debugging, security and bringing AI to GitHub Actions with Agentic Workflows and the GitHub Copilot CLI.

  • 📐 Securing GitHub Actions workflows - UPDATE: Enhanced the Actions security recommendation with detailed OIDC claims guidance, immutable subject identifiers, repository ruleset examples, and refined best practices for secure workflow patterns.

  • 🚢 Actions workflows are limited to 50 reruns - GitHub Actions now enforces a hard cap of 50 reruns per workflow run (counting both full and partial job reruns) to prevent runaway automation from overloading shared infrastructure—teams relying on aggressive retry logic should audit their pipelines before hitting the limit.

  • 🚢 GitHub Changelog - Actions - Skim through all of the recent security related changes.

Security

Application security with GitHub, ensuring the code that lives in GitHub and the dependencies that go into the solutions you build are secure and do not contain any secrets.

Code Security

  • 📢 Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game - With 48% of cybersecurity professionals ranking agentic AI as the top attack vector by end of 2026, Season 4 of the free, open source Secure Code Game (used by 10,000+ developers) puts you inside "OpenClaw," a deliberately vulnerable AI assistant, to exploit real weaknesses—prompt injection, tool misuse, identity abuse, and memory poisoning—before attackers do. The game is browser-based, self-paced, and directly maps to the OWASP Top 10 for Agentic Applications 2026, making it essential preparation for any team deploying agentic AI in production.

  • 📢 How exposed is your code? Find out in minutes—for free - The new Code Security Risk Assessment gives organization admins and security managers a free, one-click CodeQL scan of up to 20 active repositories—delivering a prioritized breakdown of vulnerabilities by severity, language, and rule type with no license required and no GitHub Actions minutes counted against your quota. Results appear alongside the existing Secret Risk Assessment in a unified dashboard, and every finding links to Copilot Autofix remediation for a clear path from visibility to resolution.

  • 🚢 Code Security risk assessment available for organizations - Organization admins and security managers can now run a free Code Security risk assessment from the Security tab, providing a prioritized view of vulnerabilities by severity, rule type, and programming language—with Copilot Autofix remediation guidance highlighted throughout.

  • 🚢 Ask Copilot in security assessments now available - Organization admins and security managers can now invoke Copilot directly from secret or Code Security risk assessment results to get contextual AI explanations and guided remediation next steps.

  • 🗣️ GHAS CodeQL Series - Part 3: Blocking Vulnerable Code Merges: In Part 1 you established organization-wide scanning, and in Part 2 you implemented alert-mode rulesets to build security awareness. This final guide helps you implement the "stop the leaking bucket" philosophy: while your teams work to remediate existing vulnerabilities, we'll ensure no new ones are introduced.

  • 🚢 OIDC support for Dependabot and code scanning - Organization admins can now configure OIDC-based credentials for private registries at the org level for both Dependabot and code scanning, eliminating long-lived credential storage across all repositories—available now for AWS CodeArtifact, Azure DevOps Artifacts, and JFrog Artifactory, with Cloudsmith and Google Artifact Registry support coming within four weeks.

  • 🚢 Prioritize security alerts with runtime context from Dynatrace - GitHub Advanced Security now integrates with Dynatrace runtime context, letting you filter and prioritize code scanning and Dependabot alerts based on deployed artifacts and runtime risk signals like internet exposure and access to sensitive data—helping security teams focus remediation where it matters most in production.

  • 🚢 Code scanning: batch apply security alert suggestions on pull requests - Code scanning alert fixes in the Files changed tab can now be batched into a single commit, triggering one scan instead of one per fix—cutting both remediation time and the number of CI scans needed to clear a pull request.

  • 🚢 Deployment context in repository properties and alerts - Two new built-in repository properties (deployable and deployed) let enterprise admins automatically apply rulesets, branch protections, and compliance policies based on actual deployment state, while Dependabot and code scanning alert pages now surface runtime risk context so security teams can triage by real-world exposure rather than treating every alert with equal urgency.

  • 🚢 Link code scanning alerts to GitHub Issues - Security engineers can now connect code scanning alerts to GitHub Issues from the alert page, with tracking status icons on alert lists and has:tracking/no:tracking filters to quickly surface untracked vulnerabilities and integrate security remediation into existing planning and sprint workflows—now in public preview.

  • 🚢 CodeQL now supports sanitizers and validators in models-as-data - Teams can now declaratively define custom sanitizers and validators in YAML data extension files—using the new barrierModel and barrierGuardModel extensible predicates—without writing any custom CodeQL code, across C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, and Rust, reducing false positives by teaching the analysis engine to recognize your project's own sanitization functions and packaging them into reusable CodeQL model packs.

  • 🚢 CodeQL 2.25.2 adds Kotlin 2.3.20 support and other updates - CodeQL 2.25.2 extends Kotlin support to version 2.3.20, reduces false positives across Java, C/C++, and C# queries, and recalibrates security severity scores for log injection and XSS findings across eight languages—enterprise teams on GHES should plan to manually upgrade CodeQL if their version predates this release.

Secret Protection

  • 📐 Anti-patterns - UPDATE: Added guidance on avoiding PII detection with secret scanning custom patterns, highlighting why repurposing secret scanning for personally identifiable information creates compliance risk and alert fatigue.

  • 🚢 Secret scanning improvements to alert APIs, webhooks, and delegated workflows - Secret scanning gets several developer experience improvements: a new exclude_secret_types API filter, html_url fields on alert locations in the REST API and webhooks, expiry deadlines and developer confirmation emails for delegated bypass requests, and new closure request comment fields in API and webhook payloads.

  • 🚢 Secret scanning pattern updates and product improvements - Cloudflare joins as a new secret scanning partner with three new default push protection patterns, push protection now extends to user-owned forks in EMU enterprises, and the alerts API gains a provider field with filtering support—along with a new enterprise endpoint for listing dismissal requests across all orgs and the ability to set custom pattern alert validity via the PATCH endpoint.

Supply Chain Security

  • 📐 Defending against dependency supply chain attacks - UPDATE: Modern supply chain attacks—including self-replicating malware that infiltrates via compromised maintainer accounts and injects malicious post-install scripts into popular packages—require a defense-in-depth strategy where no single control is sufficient on its own. This GitHub Well-Architected recommendation covers a comprehensive layered approach: disabling lifecycle scripts by default, dev container isolation, signed commits with user interaction, mandatory pull-request workflows with code scanning status checks, OIDC-based trusted publishing to eliminate long-lived tokens, and Dependabot monitoring with auto-triage rules to reduce alert fatigue. For enterprise security teams building or auditing their supply chain posture, the detailed implementation checklist maps directly to GitHub Advanced Security capabilities available today.

  • 🚢 Dependabot alerts are now assignable to AI agents for remediation - Dependabot alerts that require code changes beyond a version bump can now be assigned to Copilot, Claude, or Codex coding agents directly from the alert detail page, which will analyze the vulnerability and open a draft PR with a proposed fix.

  • 🚢 Dependabot and code scanning org-level private registries - Organizations can now register multiple private feeds per ecosystem (npm, Maven, NuGet, Docker, pip, RubyGems, and all others) at the organization level—including OIDC authentication for Azure DevOps Artifacts, AWS CodeArtifact, and JFrog Artifactory—with this capability available on GitHub.com, GitHub Enterprise Cloud, and GHES 3.24.

  • 🚢 SBOM exports are now computed asynchronously - SBOM generation for large repositories no longer times out—a new asynchronous workflow replaces the previous 10-second hard limit with a polling model, and two new REST API endpoints (generate-report and fetch-report) give pipeline automation reliable, non-blocking access to SBOMs for repos with complex dependency trees.

  • 🚢 Dependabot-based dependency graphs for Python - Python projects now get more complete and accurate transitive dependency trees in their dependency graphs and SBOMs, powered by a new Dependabot job supporting pip, uv, and Poetry (v1 and v2) package managers—without consuming Actions minutes or requiring separate org-level registry configuration.

  • 🚢 Dependabot version updates now support the Nix ecosystem - Dependabot now supports Nix flakes, monitoring flake.lock inputs and opening pull requests when newer commits are available—helping teams using the Nix ecosystem keep dependencies current automatically.

  • 🚢 npm trusted publishing now supports CircleCI - npm trusted publishing now supports CircleCI as an OIDC provider alongside GitHub Actions and GitLab CI/CD, letting maintainers publishing npm packages from CircleCI workflows eliminate stored credentials entirely and authenticate directly through their CI/CD pipeline.

Additional Security Updates

  • 📢 Securing the git push pipeline: Responding to a critical remote code execution vulnerability - GitHub fixed a critical RCE vulnerability (CVE-2026-3854) in under two hours after discovery, where unsanitized git push option values could be used by any repository contributor to execute arbitrary commands on GitHub's servers handling the push operation. A thorough forensic investigation confirmed no exploitation occurred before the fix, and patches are now available for all supported GitHub Enterprise Server releases (3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later). Enterprise teams running GHES should prioritize upgrading immediately.

  • 📐 Application Security design principles - UPDATE: Added a security-by-design approach and developer workspace security considerations to the Application Security pillar’s design principles.

  • 📐 NIST SSDF implementation - UPDATE: Expanded the NIST Secure Software Development Framework scenario with updated guidance on security configurations, repository rulesets, and practical implementation steps across all SSDF practice areas.

  • 📐 Securing GitHub Actions workflows - UPDATE: Enhanced the Actions security recommendation with detailed OIDC claims guidance, immutable subject identifiers, repository ruleset examples, and refined best practices for secure workflow patterns.

  • 🚢 GitHub Changelog - Security - Skim through all of the recent security related changes.

GitHub Code Quality

GitHub Code Quality is now available in public preview! It turns every pull request into an opportunity to improve. With in-context findings, one-click Copilot fixes, and reliability and maintainability scores, you spend less time chasing nits and more time building. Check out the documentation to learn more.

  • 🚢 GitHub Code Quality improvements to standard findings in public preview - New search by file path, bulk dismiss, and per-finding diagnostic message views make it significantly faster for enterprise teams to triage and remediate reliability and maintainability issues surfaced by the Code Quality public preview, with every finding backed by a Copilot Autofix suggestion for faster resolution.

Engineering

An inside look at how we’re building the home for all developers. Resources based on our internal experiences.

  • 📢 How GitHub uses eBPF to improve deployment safety - Circular dependencies in deployment scripts are a hidden risk that can turn routine incident recovery into a recursive failure loop—for GitHub, a script that reaches back to github.com while fixing a github.com outage is exactly this failure mode. This post explains how GitHub uses eBPF's BPF_PROG_TYPE_CGROUP_SKB program type to isolate deployment process network access at the cgroup level, blocking outbound calls to circular dependencies without affecting production traffic on the same hosts. Complete Go code samples using the cilium/ebpf library are included, making this a practical reference for any engineering team building deployment safety controls in Linux environments.

  • 📢 Securing the git push pipeline: Responding to a critical remote code execution vulnerability - GitHub fixed a critical RCE vulnerability (CVE-2026-3854) in under two hours after discovery, where unsanitized git push option values could be used by any repository contributor to execute arbitrary commands on GitHub's servers handling the push operation. A thorough forensic investigation confirmed no exploitation occurred before the fix, and patches are now available for all supported GitHub Enterprise Server releases (3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later). Enterprise teams running GHES should prioritize upgrading immediately.

Legend

This legend represents the icons used above and links each icon to its corresponding resource page. These are the primary sources we review each month when compiling the Monthly Enterprise Roundup. Note that not every resource will appear in every edition.

That’s it for the May '26 edition of the MER. Follow GitHub Enterprise on LinkedIn to see when the next round of key updates becomes available. We want to hear from you! Did you find this curated list of updates from GitHub helpful? Do you have suggestions on how we can provide the information that is going to be the most useful and timely for your role? Provide your feedback in the GitHub Community: May ‘26 enterprise roundup.