diff --git a/content/actions/reference/workflows-and-actions/expressions.md b/content/actions/reference/workflows-and-actions/expressions.md
index c7c1915b7d16..0e06951605eb 100644
--- a/content/actions/reference/workflows-and-actions/expressions.md
+++ b/content/actions/reference/workflows-and-actions/expressions.md
@@ -297,12 +297,13 @@ Sets `MY_ENV_VAR` to `production` when the ref is `refs/heads/main`, otherwise s
 ```yaml
 env:
- MY_ENV_VAR: ${{ case(
- github.ref == 'refs/heads/main', 'production',
- github.ref == 'refs/heads/staging', 'staging',
- startsWith(github.ref, 'refs/heads/feature/'), 'development',
- 'unknown'
- ) }}
+ MY_ENV_VAR: |-
+ ${{ case(
+ github.ref == 'refs/heads/main', 'production',
+ github.ref == 'refs/heads/staging', 'staging',
+ startsWith(github.ref, 'refs/heads/feature/'), 'development',
+ 'unknown'
+ ) }}
 ```
 {% endraw %}
diff --git a/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md b/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md
index a7ae3fc8ffe5..dce8c90d94f2 100644
--- a/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md
+++ b/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md
@@ -12,7 +12,7 @@ topics:
 - Infrastructure
 ---
->[!NOTE] {% data variables.product.prodname_enterprise_backup_service %} is currently in {% data variables.release-phases.public_preview %} and is subject to change. During the public preview, the service is available at no additional cost.
+>[!NOTE] {% data variables.product.prodname_enterprise_backup_service %} is currently in {% data variables.release-phases.public_preview %} and subject to change. The service is available at no additional cost and will remain free.
 ## About the {% data variables.product.prodname_enterprise_backup_service %}
diff --git a/content/admin/guides.md b/content/admin/guides.md
index b39b6d2800f7..1d717871908c 100644
--- a/content/admin/guides.md
+++ b/content/admin/guides.md
@@ -30,6 +30,7 @@ includeGuides:
 - /admin/concepts/identity-and-access-management/enterprise-managed-users
 - /admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users
 - /admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users
+ - /admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim
 - /admin/identity-and-access-management/provisioning-user-accounts-with-scim/configuring-scim-provisioning-using-okta
 - /admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups
 - /admin/managing-iam/using-cas-for-enterprise-iam/using-cas
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md
index 7fe30b9bae5e..eb4be09259de 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md
@@ -13,6 +13,7 @@ topics:
 children:
 - /user-provisioning-with-scim-on-ghes
 - /configuring-scim-provisioning-for-users
+ - /migrating-from-ldap-to-saml-with-scim
 - /configuring-authentication-and-provisioning-with-entra-id
 - /configuring-authentication-and-provisioning-with-pingfederate
 - /configuring-scim-provisioning-with-okta
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md
index b5fe3aaa964a..daced6d3b310 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md
@@ -26,16 +26,15 @@ topics:
 ## About team management with {% ifversion ghec %}{% data variables.product.prodname_emus %}{% else %}SCIM{% endif %}
-{% data reusables.emus.about-team-management-with-idp %} When you connect a team in one of your enterprise's organizations to an IdP group, changes to membership from the IdP group are reflected in your enterprise automatically, reducing the need for manual updates and custom scripts.
+{% data reusables.emus.about-team-management-with-idp %}
-When a change to an IdP group or a new team connection results in a user joining a team in an organization they were not already a member of, the user will automatically be added to the organization. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization if they are not assigned membership in the organization by any other means.
+The following sections explain how {% data variables.product.github %} uses SCIM provisioning and reconciliation jobs to keep team and organization membership in sync with your IdP.
-> [!NOTE]
-> Organization owners can also add users to organizations manually, as long as the accounts have already been provisioned via SCIM.
+When {% data variables.product.github %} receives a **Group SCIM API call** from your IdP, it generates an `external_group.scim_api_success` or `external_group.scim_api_failure` event in the enterprise audit log. These events capture detailed information about the call, including the payload and operation performed, and are recorded in the audit log with the **actor** set to the {% ifversion ghes %}built-in/local user{% else %}setup user{% endif %}, the account used to configure SCIM provisioning.
-When group membership changes on your IdP, your IdP sends a SCIM request with the changes to {% data variables.product.prodname_dotcom %} according to the schedule determined by your IdP, so change may not be immediate.
Any requests that change team or organization membership will register in the audit log as changes made by the account used to configure user provisioning.
+Once {% data variables.product.github %} stores the group data at the enterprise level, it runs a daily reconciliation job to synchronize team membership with the stored IdP group data. This reconciliation also runs whenever a Group SCIM API call updates group membership, and if an admin links or unlinks a team to a stored group.
-{% data variables.product.prodname_dotcom %} also runs a reconciliation job once per day, which synchronizes team membership with IdP group membership that is stored on {% data variables.product.prodname_dotcom %}, based on information previously sent from the IdP via SCIM. If this job finds that a user is a member of an IdP group in the enterprise, but they are not a member of the mapped team or its organization, the job will attempt to add the user to the organization and team.
+When a change to an IdP group or a new team connection results in a user joining a team in an organization they were not already a member of, {% data variables.product.github %} automatically adds the user to the organization. When you disconnect a group from a team, {% data variables.product.github %} removes users who became members of the organization via team membership if they do not have membership in the organization by any other means.
 Teams connected to IdP groups cannot be parents of other teams nor a child of another team. If the team you want to connect to an IdP group is a parent or child team, we recommend creating a new team or removing the nested relationships that make your team a parent team.
@@ -43,7 +42,7 @@ To manage repository access for any team in your enterprise, including teams con
 ## Requirements for connecting IdP groups with teams
-Before you can connect an IdP group with a team on {% data variables.product.prodname_dotcom %}, you must assign the group to the {% ifversion ghec %}{% data variables.product.prodname_emu_idp_application %}{% else %}relevant{% endif %} application in your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users).
+Before you can connect an IdP group with a team on {% data variables.product.github %}, you must assign the group to the {% ifversion ghec %}{% data variables.product.prodname_emu_idp_application %}{% else %}relevant{% endif %} application in your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users).
 You can connect a team in your enterprise to one IdP group. You can assign the same IdP group to multiple teams in your enterprise.
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim.md
new file mode 100644
index 000000000000..43ed0da6d6af
--- /dev/null
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim.md
@@ -0,0 +1,164 @@
+---
+title: 'Migrating from LDAP to SAML with SCIM'
+shortTitle: 'Migrate from LDAP'
+intro: 'Learn how to migrate your {% data variables.product.prodname_ghe_server %} instance from LDAP authentication to SAML single sign-on with SCIM provisioning for centralized user management.'
+permissions: 'Site administrators can migrate authentication methods on {% data variables.product.prodname_ghe_server %}.'
+versions:
+ ghes: '>=3.17'
+type: how_to
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - Identity
+ - SSO
+---
+
+## About migrating from LDAP to SAML and SCIM
+
+If your {% data variables.product.prodname_ghe_server %} instance currently uses LDAP authentication, you can migrate to SAML single sign-on (SSO) with SCIM provisioning for enhanced user lifecycle management capabilities. This migration allows you to automatically provision, update, and deprovision user accounts from your identity provider (IdP).
+
+{% data reusables.enterprise.saml-or-ldap %}
+
+**Prerequisites:**
+
+* You must be a site administrator on {% data variables.product.prodname_ghe_server %}.
+* You must have administrative access to your SAML identity provider.
+* Your IdP must support SAML 2.0 and SCIM 2.0 protocols.
+* You should complete a backup of your instance before beginning the migration.
+
+SCIM provisioning requires SAML authentication as a prerequisite, so this migration involves four distinct phases:
+
+1. **Migrate to SAML authentication**: Replace LDAP with SAML SSO.
+1. **Test and verify SAML**: Confirm authentication works and users link correctly.
+1. **Enable SCIM provisioning**: Add automated user management capabilities.
+1. **Test and verify SCIM**: Confirm provisioning links identities to existing accounts.
+
+This document assumes familiarity with SAML authentication and SCIM provisioning.
For more information on these topics, please see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise) and [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes).
+
+## 1. Understand LDAP vs SCIM user creation patterns
+
+Before you begin the migration, it's important to understand the key differences between how LDAP and SCIM handle user management on {% data variables.product.prodname_ghe_server %}.
+
+| Attribute | LDAP | SCIM |
+| --- | --- | --- |
+| **Appliance configuration** | You configure the user ID attribute (default `uid`) and other LDAP settings in the management console. This configuration determines how to map between LDAP users and GitHub users. For more information about configuring LDAP, see [AUTOTITLE](/admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap#ldap-attributes). | Enable SAML authentication first, then configure SCIM provisioning with an authentication token. |
+| **User creation timing** | Just-in-time: Users are created on first sign-in after successful LDAP authentication. | Pre-authentication: Users must be provisioned via SCIM before they can authenticate. |
+| **Initial username source** | GitHub username is based on the normalized LDAP identifier configured during setup. | GitHub username is based on the normalized SCIM `userName` value from your IdP. |
+| **Username management** | Flexible: Administrators can change GitHub usernames independently of LDAP. Usernames can drift from LDAP identifiers over time while maintaining authentication through LDAP mappings. See [AUTOTITLE](/account-and-profile/reference/username-reference#changing-your-username). | Strict: GitHub usernames always correspond to the normalized SCIM `userName` from your IdP. Username changes on the GitHub side are not allowed. |
+| **User attribute control** | Hybrid: Some attributes managed by LDAP, others can be managed on the appliance.
| Full IdP control: All user attributes are managed through SCIM updates from your IdP. |
+| **Authentication flow** | {% data variables.product.prodname_ghe_server %} authenticates with your LDAP server and looks up the existing LDAP mapping to locate the user. | During SAML SSO, an external identity lookup is performed to locate the provisioned user for authentication. |
+| **Key characteristic** | Hybrid system where GitHub user data (especially usernames) can be partially managed on the appliance independently of the LDAP server. | Full identity provider control: The state of GitHub users depends entirely on what the IdP sends through SCIM, and usernames cannot drift from the source system. |
+
+### Username normalization and compatibility
+
+{% data variables.product.prodname_ghe_server %} normalizes usernames according to specific rules that apply consistently across LDAP, SAML, and SCIM. Understanding these rules is critical for successful migration.
+
+For more information about username normalization, see [AUTOTITLE](/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication#about-username-normalization).
+
+## 2. Plan your migration
+
+Before beginning the migration, you need to understand your current setup, prepare your identity provider, and establish backup access methods. The planning phase is critical to ensure a smooth transition.
+
+### Preparing to map from LDAP to SCIM
+
+The critical migration challenge is bridging between the LDAP and SCIM user management approaches:
+
+**LDAP users (existing state)**:
+
+* Have GitHub usernames that may have changed since initial creation
+* Retain authentication ability through LDAP mappings regardless of username changes
+
+**SCIM users (target state)**:
+
+* Must be provisioned before authentication
+* Must have GitHub usernames that match their normalized SCIM `userName` values
+* Can be linked to an external identity with their existing GitHub account during SCIM user provisioning, but only if the normalized SCIM `userName` matches their existing GitHub username
+
+### Migration mapping requirements
+
+To successfully link SCIM identities to existing LDAP users, you'll need to capture the current state of the users on your instance:
+
+1. **Export existing GitHub usernames**: Use the site admin interface, API, or CLI to get a complete list of current GitHub usernames on your instance. For more information about the users API, see [AUTOTITLE](/rest/users/users?apiVersion=2022-11-28#list-users). For more information about the command-line utility to export users, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-user-csv).
+1. **Map GitHub usernames to real users in your IdP**: Determine which identities correspond to each GitHub username in your enterprise.
+1. **Configure the SCIM `userName` attribute**: Ensure your IdP provisions SCIM users with `userName` values that match the existing GitHub usernames you would like to link.
+
+**Important**: The target for mapping is always the **current GitHub username** on your instance, not the original LDAP User ID or any other identifier.
+
+### Key planning considerations
+
+**Important considerations:**
+
+* **Downtime required**: This migration requires downtime during a maintenance window to change authentication settings.
+* **User impact**: After the migration, users will need to authenticate through your SAML IdP instead of LDAP credentials.
+* **Team membership**: LDAP team synchronization will be replaced by SCIM group provisioning if supported by your IdP. LDAP-mapped teams will need to be updated with an appropriate SCIM group where applicable.
+
+### Capture the state of your LDAP configuration
+
+Record your current LDAP setup to plan equivalent SAML/SCIM mappings:
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.authentication %}
+1. Document the following LDAP settings:
+ * **Domain base** and restricted user groups
+ * **User ID attribute** (this was used to create GitHub usernames)
+ * **Profile name, email, and other attribute mappings**
+ * **Administrators group configuration**
+ * **Team synchronization settings**
+1. Ensure you have saved a list of existing users on your instance that you will be linking to a SCIM identity.
+
+## 3. Migrate to SAML and SCIM
+
+Once you've completed planning, you can begin migrating from LDAP to SAML authentication. This involves configuring SAML on both your identity provider and {% data variables.product.prodname_ghe_server %}, then carefully testing the configuration before proceeding to SCIM.
+
+**Important**: When configuring SAML, enable "Allow creation of accounts with built-in authentication" to reduce the number of steps required when enabling SCIM.
+
+### Enabling SAML authentication
+
+For detailed SAML configuration steps, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise).
+
+After enabling SAML, test the authentication system before proceeding to SCIM. With any IdP account assigned to the SAML application configured against your instance, verify that you are able to successfully perform an SSO login.
+
+**Do not proceed to SCIM until SAML authentication is working correctly.**
+
+### Enable SCIM provisioning
+
+After confirming SAML authentication works correctly, you can enable SCIM for automated user management. SCIM must be configured on both {% data variables.product.prodname_ghe_server %} and your identity provider.
+
+For detailed steps to enable SCIM, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users).
+
+#### Test SCIM provisioning
+
+Test SCIM provisioning to ensure the SCIM provisioned users are linked to existing user accounts correctly.
+
+For users who already have accounts from the LDAP/SAML migration:
+
+1. **Assign user to SCIM application** in your IdP.
+1. **Verify automatic linking**: Check that SCIM automatically links to the existing account:
+ * Users retain same username and account data
+ * No duplicate accounts are created
+ * SCIM identity shows as linked in the enterprise settings, and site admin interfaces. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise#viewing-a-linked-identity).
+1. **Review audit logs**: Look for `external_identity.scim_api_success` and `external_identity.provision` events showing successful linking to existing users.
+
+For new users not previously in your instance:
+
+1. **Verify user creation**: Check that the user appears in {% data variables.product.prodname_ghe_server %} with correct attributes.
+1. **Test authentication**: Confirm the new user can authenticate via SAML.
+1. **Test attribute updates**: Update user information in IdP and confirm changes sync.
+1. **Test deprovisioning**: Remove user access and confirm they are suspended.
+
+### Roll out SCIM to all users
+
+For all remaining users who aren't yet provisioned via SCIM:
+
+1.
**Gradually assign users** to the {% data variables.product.prodname_ghe_server %} application in your IdP.
+1. **Monitor linking process**: Watch for successful automatic linking based on username matching.
+1. **Track progress**: Use audit logs to monitor `external_identity` events for linking progress.
+1. **Address any conflicts**: Resolve username conflicts or mapping issues as they arise.
+
+## 4. Update team and organization membership
+
+After your migration, if you previously used LDAP group synchronization to control team memberships, you can replace those team mappings with SCIM groups. If reusing existing an team, you will need to remove all team members prior to linking an IdP group.
+
+For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups).
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md
index f1792b1065de..e4e69224e12a 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md
@@ -44,18 +44,33 @@ If {% data variables.product.prodname_dotcom %} is unable to synchronize team me
 ### Error: "Out of sync due to insufficient licenses"
-If your enterprise does not have sufficient licenses and {% data variables.product.prodname_dotcom %} is unable to synchronize team membership with a group on your IdP, you'll see a message that reads "Out of sync due to insufficient licenses".
+{% data variables.product.prodname_dotcom %} stores IdP group membership data for {% ifversion ghes %}SCIM-provisioned users{% else %}{% data variables.product.prodname_emus %}{% endif %} at the enterprise level. This data is populated and updated through Group SCIM API calls from your identity provider (IdP).
+
+For IdP groups that are mapped to teams, {% data variables.product.prodname_dotcom %} runs a **daily reconciliation job** to synchronize team membership with the stored enterprise-level IdP group data. The reconciliation also runs whenever a Group SCIM API call updates group membership, or when an admin links or unlinks a team to a stored group on GitHub.
+
+If your enterprise does not have enough licenses available, {% data variables.product.prodname_dotcom %} may be unable to complete this synchronization. When this occurs, you’ll see the message:
+> "Out of sync due to insufficient licenses"
+
+As a result, the affected team or organization may be missing members.
 ![Screenshot of the IdP group page. A warning that a team is out of sync due to insufficient licenses is outlined in dark orange.](/assets/images/help/enterprises/emu-group-team-not-synced-missing-licenses.png)
-The team may be missing members because your enterprise does not have sufficient licenses available. {% data variables.product.prodname_dotcom %} is unable to synchronize the team's membership with a group on your IdP, and any unlicensed user cannot be added to an organization.
+To investigate this issue, review your enterprise's total available licenses, as well as detailed information about which users are consuming licenses and why. For more information, see [AUTOTITLE](/billing/reference/github-license-users#organizations-on-github-enterprise-cloud) and [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise).
+
+#### Resolving the issue
+
+To allow synchronization to complete successfully, make additional enterprise licenses available using one of the following approaches:
-1. Review the available licenses for your enterprise. For more information, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise).
-1. To resolve the problem, choose one of the following solutions.
+* **Free up existing licenses**
+ * Identify which users are consuming licenses and whether they still need access.
+ * Remove users from organizations or IdP groups as needed, depending on how you manage organization and team membership (see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#filtering-by-member-type-in-an-enterprise-with-managed-users)):
+ * If you manage your organization's membership via IdP groups, remove users from the relevant group(s).
+ * Monitor these enterprise audit log events to track SCIM API calls that update group membership or managed user accounts (see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise):
+ * `external_group.scim_api_failure` / `external_group.scim_api_success`
+ * `external_identity.scim_api_failure` / `external_identity.scim_api_success`
- * Remove users from the IdP group.
- * Deprovision users from your enterprise.
- * Purchase additional licenses to allow synchronization to complete.
For more information, see [AUTOTITLE](/billing/managing-the-plan-for-your-github-account/about-per-user-pricing#about-changes-to-your-subscription).
+* **Purchase additional licenses**
+ * If all current users require access, purchase more licenses for your enterprise. For more information, see [AUTOTITLE](/billing/how-tos/manage-plan-and-licenses/manage-user-licenses#enterprises-on-github-enterprise-cloud).
 {% endif %}
diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/changing-authentication-methods.md b/content/admin/managing-iam/understanding-iam-for-enterprises/changing-authentication-methods.md
index e60da2f68e65..cc9bd91ff9ea 100644
--- a/content/admin/managing-iam/understanding-iam-for-enterprises/changing-authentication-methods.md
+++ b/content/admin/managing-iam/understanding-iam-for-enterprises/changing-authentication-methods.md
@@ -42,3 +42,13 @@ Other issues you should take into consideration include:
 * **Two-factor authentication:** {% data reusables.enterprise_user_management.external_auth_disables_2fa %}
 * **Fallback authentication for users with no account on your external authentication provider:** You can invite users to authenticate to {% data variables.location.product_location %} without adding them to your identity provider. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider).
+
+{% ifversion scim-for-ghes-ga %}
+
+## Migrating from LDAP to SAML and SCIM
+
+If you're currently using LDAP and want to enable automated user provisioning and deprovisioning capabilities, you can migrate to SAML authentication with SCIM provisioning. This provides enhanced user lifecycle management while maintaining centralized authentication.
+
+For detailed migration steps, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim).
+
+{% endif %}
diff --git a/content/admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap.md b/content/admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap.md
index e79154094ec6..116ce5c84ecb 100644
--- a/content/admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap.md
+++ b/content/admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap.md
@@ -60,6 +60,7 @@ When you configure LDAP access for users via the {% data variables.enterprise.ma
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.authentication %}
+
 1. Under "Authentication", select **LDAP**.
 1. {% data reusables.enterprise_user_management.built-in-authentication-option %}
 1. Add your configuration settings.
@@ -104,6 +105,7 @@ You can validate the LDAP server certificate you use with TLS by enabling LDAP c
 To enable LDAP certificate verification, select **Enable LDAP certificate verification** in your LDAP settings. When this option is selected, the certificate is validated to make sure:
+
 * If the certificate contains at least one Subject Alternative Name (SAN), one of the SANs matches the LDAP hostname. Otherwise, the Common Name (CN) matches the LDAP hostname.
 * The certificate is not expired.
 * The certificate is signed by a trusted certificate authority (CA).
@@ -185,6 +187,7 @@ You can view the full list of LDAP users who have access to your instance and pr
 {% data reusables.enterprise_site_admin_settings.sign-in %}
 {% data reusables.enterprise_site_admin_settings.access-settings %}
+
 1. In the left sidebar, click **LDAP users**.
 1. To search for a user, type a full or partial username and click **Search**. Existing users will be displayed in search results. If a user doesn’t exist, click **Create** to provision the new user account.
@@ -203,6 +206,7 @@ Unless [LDAP Sync is enabled](#enabling-ldap-sync), changes to LDAP accounts are
 {% data reusables.enterprise_site_admin_settings.search-user %}
 {% data reusables.enterprise_site_admin_settings.click-user %}
 {% data reusables.enterprise_site_admin_settings.admin-top-tab %}
+
 1. Under "LDAP," click **Sync now** to manually update the account with data from your LDAP server. You can also [use the API to trigger a manual sync](/rest/enterprise-admin/ldap).
@@ -221,4 +225,14 @@ Log events for LDAP appear in systemd journal logs on {% data variables.location The {% data variables.product.prodname_ghe_server %} LDAP authentication timeout setting is 10 seconds. This means that all LDAP queries required for user authentication and group membership queries (when Administrators and Restricted User Groups are configured in the management console) must successfully complete within 10 seconds for an LDAP user who is logging into {% data variables.product.prodname_ghe_server %}. {% data variables.product.prodname_ghe_server %} does not currently support extending this 10 second LDAP authentication timeout as this can have a negative impact on other services on the appliance and lead to poor performance or unexpected outages. We recommend limiting the network latency between {% data variables.product.prodname_ghe_server %} and LDAP server(s) to help prevent authentication timeouts. -{% data variables.product.prodname_ghe_server %} does not support user LDAP DNs with special characters. If there is an LDAP user with a special character in their LDAP DN, {% data variables.product.prodname_ghe_server %} may not be able to accurately determine the group membership of a user who is authenticating or being synced by LDAP Sync. +{% data variables.product.prodname_ghe_server %} does not support user LDAP DNs with special characters. If there is an LDAP user with a special character in their LDAP DN, {% data variables.product.prodname_ghe_server %} may not be able to accurately determine the group membership of a user who is authenticating or being synced by LDAP Sync. + +{% ifversion scim-for-ghes-ga %} + +## Migrating from LDAP to SAML and SCIM + +If your organization needs automated user provisioning and lifecycle management capabilities beyond what LDAP provides, you can migrate from LDAP authentication to SAML single sign-on with SCIM provisioning. 
This migration enables centralized user provisioning, deprovisioning, and attribute synchronization from your identity provider. + +For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim). + +{% endif %} diff --git a/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md b/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md index a836eb578a65..83dd1ed9ca0a 100644 --- a/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md 
@@ -24,104 +24,31 @@ contentType: concepts Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see [AUTOTITLE](/rest/actions) and [AUTOTITLE](/webhooks/webhook-events-and-payloads). -> [!NOTE] -> Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions). - -You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using: -* {% data variables.product.prodname_dotcom %}-hosted runners -* {% data variables.actions.hosted_runners_caps %}. These runners are {% data variables.product.prodname_dotcom %}-hosted, with advanced features, such as more RAM, CPU, and disk space. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). -* Self-hosted runners. For more information on assigning a `dependabot` label on self-hosted runners, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). - -{% data reusables.dependabot.vnet-arc-note %} - -Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. 
If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative. - -If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see [AUTOTITLE](/rest/meta). - -{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %} - -> [!NOTE] -> {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} relies on the `ubuntu-latest` label to select the appropriate runner. To ensure {% data variables.product.prodname_dependabot %} runs on {% data variables.product.github %}-hosted runners, you should not use the label `ubuntu-latest` for self-hosted runners. - -## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.product.github %}-hosted runners - -This section only applies to standard {% data variables.product.github %}-hosted runners, not larger runners. 
- -New repositories that you create in your user account or in your organization will automatically be configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} if any of the following is true: +New repositories that you create in your user account or in your organization will automatically be configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using standard {% data variables.product.github %}-hosted runners if any of the following is true: * {% data variables.product.prodname_dependabot %} is installed and enabled, and {% data variables.product.prodname_actions %} is enabled and in use. * The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" setting for your organization is enabled. -For existing repositories, you can opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} as follows. - Future releases of {% data variables.product.github %} will remove the ability to disable running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. -If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint. - ->[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. 
These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). - -Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run. - -### Enabling or disabling for your repository - -You can manage {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for your public{% ifversion ghec %}, private or internal{% else %} or private{% endif %} repository. +> [!NOTE] Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative. -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on Actions runners", click **Enable** to enable the feature or **Disable** to disable it. +## Runner options -### Enabling or disabling for your organization - -You can enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for all existing repositories in an organization. 
- -Only repositories with the following configuration will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered. - - * {% data variables.product.prodname_dependabot %} is enabled in the repository. - * {% data variables.product.prodname_actions %} is enabled in the repository. - -If a repository in your organization has {% data variables.product.prodname_dependabot %} enabled but {% data variables.product.prodname_actions %} disabled, {% data variables.product.prodname_dependabot %} will not run on {% data variables.product.prodname_actions %}, but will continue to run using the built-in {% data variables.product.prodname_dependabot %} application. - -{% data reusables.profile.access_org %} -{% data reusables.profile.org_settings %} -{% data reusables.security-configurations.display-global-settings %} -1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on Actions runners" to enable the feature or deselect to disable it. - -For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#enabling-dependency-updates-on-github-actions-runners). - -## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %} - -If you run into {% data variables.product.prodname_dependabot %} timeouts and out-of-memory errors, you may want to use {% data variables.actions.hosted_runners %}, as you can configure these runners to have more resources. - -> [!NOTE] You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} _at the organization level_. {% data variables.product.prodname_dotcom %} will bill your organization at the regular Actions runner pricing. 
See [AUTOTITLE](/billing/reference/actions-minute-multipliers). - -1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). -1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. - -## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners - -When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). - -You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). +You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using: +* **Standard {% data variables.product.prodname_dotcom %}-hosted runners.** These are the default runners used by {% data variables.product.github %} to execute {% data variables.product.prodname_actions %} jobs. 
+* **{% data variables.actions.hosted_runners_caps %}.** These are {% data variables.product.prodname_dotcom %}-hosted runners with advanced features like more RAM, CPU, and disk space. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). +* **Self-hosted runners.** These runners grant you greater control over {% data variables.product.prodname_dependabot %} access to your private registries and internal network resources. Be aware that for security reasons, {% data variables.product.prodname_dependabot_updates %} on self-hosted runners will not run on public repositories. For more information on assigning a `dependabot` label on self-hosted runners, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners). -To re-run a {% data variables.product.prodname_dependabot_version_updates %} or {% data variables.product.prodname_dependabot_security_updates %} job, use the appropriate procedure below. You cannot re-run a {% data variables.product.prodname_dependabot %} job on {% data variables.product.prodname_actions %} as you would for other {% data variables.product.prodname_actions %} workflows and jobs, that is, by using the **Actions** tab in a repository. You cannot view usage data for {% data variables.product.prodname_dependabot_updates %} workflows and jobs in your organization's {% data variables.product.prodname_actions %} usage metrics. +Running {% data variables.product.prodname_dependabot %} on standard {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %}, {% data variables.product.prodname_dotcom %} will bill your organization at the regular rate. See [AUTOTITLE](/billing/reference/actions-minute-multipliers). 
-### Re-running a {% data variables.product.prodname_dependabot_version_updates %} job +{% data reusables.dependabot.vnet-arc-note %} -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.accessing-repository-graphs %} -{% data reusables.repositories.click-dependency-graph %} -{% data reusables.dependabot.click-dependabot-tab %} -1. To the right of the name of manifest file that you're interested in, click **Recent update jobs**. -1. To the right of the affected manifest file, click **Check for updates** to re-run a {% data variables.product.prodname_dependabot_version_updates %} job and check for new updates to dependencies for that ecosystem. +## Access and permissions -### Re-running a {% data variables.product.prodname_dependabot_security_updates %} job +If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see [AUTOTITLE](/rest/meta). -{% data reusables.repositories.navigate-to-repo %} -1. Under your repository name, click **{% octicon "shield-lock" aria-hidden="true" aria-label="shield-lock" %} Security**. -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_dependabot %}**. -1. Under "{% data variables.product.prodname_dependabot %}", click the alert you want to view. -1. In the section displaying the error details for the alert, click **Try again** to re-run the {% data variables.product.prodname_dependabot_security_updates %} job. 
+{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %} -## Further reading +## Next steps -* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions) +To enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners). diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md index 627f974cde4a..a3ef7220b029 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md 
@@ -33,7 +33,7 @@ You can customize several {% data variables.product.prodname_global_settings %} * [Creating and managing {% data variables.dependabot.auto_triage_rules %}](#creating-and-managing-dependabot-auto-triage-rules) * [Grouping {% data variables.product.prodname_dependabot %} security updates](#grouping-dependabot-security-updates){% ifversion dependabot-on-actions-opt-in %} -* [Enabling dependency updates on {% data variables.product.prodname_actions %} runners](#enabling-dependency-updates-on-github-actions-runners){% endif %}{% ifversion dependabot-arc-support %} +* [Enabling dependency updates on {% data variables.product.prodname_actions %} runners](#enabling-dependency-updates-on-github-actions-runners){% endif %}{% ifversion dependabot-self-hosted-labels %} * [Configuring the runner type for {% data variables.product.prodname_dependabot %}](#configuring-the-runner-type-for-dependabot){% endif %}{% ifversion fpt %} * [Granting {% data variables.product.prodname_dependabot %} access to private repositories](#granting-dependabot-access-to-private-repositories){% else %} * [Granting {% data variables.product.prodname_dependabot %} access to private and internal repositories](#granting-dependabot-access-to-private-and-internal-repositories){% endif %} 
@@ -62,14 +62,14 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep {% endif %} -{% ifversion dependabot-arc-support %} +{% ifversion dependabot-self-hosted-labels %} ### Configuring the runner type for {% data variables.product.prodname_dependabot %} You can configure which type of runner {% data variables.product.prodname_dependabot %} uses to scan for version and security updates. By default, {% data variables.product.prodname_dependabot %} uses standard **{% data variables.product.company_short %}-hosted runners**. You can configure {% data variables.product.prodname_dependabot %} to use **self-hosted runners** with custom labels, which allows you to integrate with existing runner infrastructure such as {% data variables.product.prodname_actions_runner_controller %} (ARC). > [!NOTE] -> * For security reasons, {% data variables.product.prodname_dependabot %} uses {% data variables.product.company_short %}-hosted runners for public repositories, even when you configure labeled runners. +> * For security reasons, {% data variables.product.prodname_dependabot %} uses {% data variables.product.company_short %}-hosted runners for public repositories, even when you configure labeled runners. > * Labeled runners **do not work** for public repositories. To configure the runner type: @@ -83,7 +83,6 @@ To configure the runner type: * Optionally, in "Runner group name", enter the name of a runner group if you want to target a specific group of runners. 1. Click **Save runner selection**. - {% endif %} {% ifversion dependabot-on-actions-self-hosted %} diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md new file mode 100644 index 000000000000..a494371aedeb --- /dev/null 
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md 
@@ -0,0 +1,61 @@
+---
+title: Configuring Dependabot on GitHub-hosted runners
+intro: Enable {% data variables.product.prodname_dependabot %} on {% data variables.product.github %}-hosted runners to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs.
+shortTitle: Configure on GitHub-hosted runners
+permissions: '{% data reusables.permissions.dependabot-actions %}'
+versions:
+ feature: dependabot-on-actions-opt-in
+topics:
+ - Dependabot
+ - Security updates
+ - Version updates
+ - Actions
+ - Dependencies
+ - Repositories
+contentType: how-tos
+---
+
+## Enabling or disabling {% data variables.product.prodname_dependabot %} on standard {% data variables.product.github %}-hosted runners
+
+You can configure {% data variables.product.prodname_dependabot %} on standard {% data variables.product.github %}-hosted runners:
+* [For your repository](#for-your-repository)
+* [For your organization](#for-your-organization)
+
+If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint.
+
+>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners).
+
+### For your repository
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+1. Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on Actions runners", click **Enable** to enable the feature or **Disable** to disable it.
+
+ {% data reusables.dependabot.no-ubuntu-latest-label-self-hosted %}
+
+### For your organization
+
+Only repositories meeting the following criteria will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered.
+
+ * {% data variables.product.prodname_dependabot %} is enabled in the repository.
+ * {% data variables.product.prodname_actions %} is enabled in the repository.
+
+If a repository in your organization has {% data variables.product.prodname_dependabot %} enabled but {% data variables.product.prodname_actions %} disabled, {% data variables.product.prodname_dependabot %} will not run on {% data variables.product.prodname_actions %}, but will continue to run using the built-in {% data variables.product.prodname_dependabot %} application.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.security-configurations.display-global-settings %}{% ifversion dependabot-self-hosted-labels %}
+1. In the "{% data variables.product.prodname_dependabot %}" section, next to "Runner type", confirm that you have selected "Standard {% data variables.product.github %} runner". If not, click {% octicon "pencil" aria-label="Edit runner type" %} and update your configuration.{% else %}
+1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on Actions runners" to enable the feature or deselect to disable it.{% endif %}
+
+ {% data reusables.dependabot.no-ubuntu-latest-label-self-hosted %}
+
+## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %}
+
+If you run into {% data variables.product.prodname_dependabot %} timeouts and out-of-memory errors, you may want to use {% data variables.actions.hosted_runners %}, as you can configure these runners to have more resources. You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} **for an organization**.
+
+1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization).
+1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners#for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name.
+
+ {% data reusables.dependabot.no-ubuntu-latest-label-self-hosted %}
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md
new file mode 100644
index 000000000000..fe9e7fab2346
--- /dev/null
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md
@@ -0,0 +1,63 @@
+---
+title: Configuring Dependabot on self-hosted runners
+intro: You can configure self-hosted runners that {% data variables.product.prodname_dependabot %} uses to access your private registries and internal network resources.
+shortTitle: Configure on self-hosted runners
+permissions: '{% data reusables.permissions.dependabot-actions %}'
+versions:
+ feature: dependabot-on-actions-self-hosted
+topics:
+ - Dependabot
+ - Security updates
+ - Version updates
+ - Actions
+ - Dependencies
+ - Repositories
+redirect_from:
+ - /code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners
+ - /code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners
+ - /code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners
+contentType: how-tos
+---
+
+## Prerequisites
+
+* {% data variables.product.prodname_dependabot %} is installed and enabled.
+* {% data variables.product.prodname_actions %} is enabled and in use.
+
+{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %}
+
+## Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates
+
+1. Provision self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners).
+1. Configure your environment and runners to meet the requirements for {% data variables.product.prodname_dependabot %}. See [Requirements for using {% data variables.product.prodname_dependabot %} with self-hosted runners](/code-security/reference/supply-chain-security/dependabot-on-actions#requirements-for-using-dependabot-with-self-hosted-runners).{% ifversion dependabot-self-hosted-labels %}
+1. If you are configuring self-hosted runners for your organization, you can create and assign a custom label for your runners. Otherwise, if you are configuring self-hosted runners for a standalone repository, you need to apply the `dependabot` label. See [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/apply-labels).{% else %}
+1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner).{% endif %}
+1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).
+
+## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
+
+Once you have configured self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you can enable or disable {% data variables.product.prodname_dependabot_updates %} on self-hosted runners at the organization or repository level.
+
+> [!NOTE]
+> Disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on self-hosted runners" setting does not trigger a new {% data variables.product.prodname_dependabot %} run.
+
+### For your private{% ifversion ghec %} or internal{% endif %} repository
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+1. Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on self-hosted runners", click **Enable** to enable the feature or **Disable** to disable it.
+
+ > [!NOTE] If you do not see the option to enable {% data variables.product.prodname_dependabot %} on self-hosted runners, your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories. Contact your organization owner for more information.
+
+### For your organization
+
+You can enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing private{% ifversion ghec %} or internal{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.security-configurations.display-global-settings %}{% ifversion dependabot-self-hosted-labels %}
+1. In the "{% data variables.product.prodname_dependabot %}" section, next to "Runner type", click {% octicon "pencil" aria-label="Edit runner type" %}.
+1. Select the "Runner type" dropdown menu, then click **Labeled runner** and provide any additional information. If you applied a custom label to your self-hosted runners, type that label in the "Runner label" text box.
+1. To enable the feature for all new repositories in the organization, click **Save runner selection**.{% else %}
+1. Under "{% data variables.product.prodname_dependabot %}", select "{% data variables.product.prodname_dependabot %} on self-hosted runners" to enable the feature for all new repositories in the organization.{% endif %}
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md
index baf1e01b9726..9bc769b84863
--- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md
@@ -18,11 +18,12 @@ children:
 - /configuring-access-to-private-registries-for-dependabot
 - /removing-dependabot-access-to-public-registries
 - /managing-pull-requests-for-dependency-updates
- - /managing-dependabot-on-self-hosted-runners
+ - /configure-on-github-hosted-runners
+ - /configure-on-self-hosted-runners
+ - /re-run-dependabot-jobs
 - /listing-dependencies-configured-for-version-updates
 - /guidance-for-the-configuration-of-private-registries-for-dependabot
 redirect_from:
 - /code-security/dependabot/maintain-dependencies
 - /code-security/dependabot/dependabot-security-updates
 ---
-
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners.md
deleted file mode 100644
index 2a79d8697e82..000000000000
--- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Managing Dependabot on self-hosted runners
-intro: You can configure self-hosted runners that {% data variables.product.prodname_dependabot %} uses to access your private registries and internal network resources.
-shortTitle: Manage Dependabot on self-hosted runners
-permissions: '{% data reusables.permissions.dependabot-actions %}'
-versions:
- feature: dependabot-on-actions-self-hosted
-topics:
- - Dependabot
- - Security updates
- - Version updates
- - Actions
- - Dependencies
- - Repositories
-redirect_from:
- - /code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners
- - /code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners
-contentType: how-tos
----
-
-## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners
-
-You can help users of your organization and repositories to create and maintain secure code by setting up {% data variables.product.prodname_dependabot %} security and version updates. With {% data variables.product.prodname_dependabot_updates %}, developers can configure repositories so that their dependencies are updated and kept secure automatically. Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs.
-
-{% data reusables.dependabot.vnet-arc-note %}
-
-To have greater control over {% data variables.product.prodname_dependabot %} access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners.
-
-For security reasons, when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, {% data variables.product.prodname_dependabot_updates %} will not be run on public repositories.
-
-For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). For information about which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries).
-
-## Prerequisites
-
-You must have {% data variables.product.prodname_dependabot %} installed and enabled, and {% data variables.product.prodname_actions %} enabled and in use. The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization should also be enabled. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).
-
-Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. In this case, the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on self-hosted runners" will not be visible in the web UI. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization).
-
-{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %}
-
-## Configuring self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
-
-After you configure your organization or repository to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}, and before you enable {% data variables.product.prodname_dependabot %} on self-hosted runners, you need to configure self-hosted runners for {% data variables.product.prodname_dependabot_updates %}.
-
-### System requirements for {% data variables.product.prodname_dependabot %} runners
-
-{% data reusables.dependabot.dependabot-runners-system-requirements %}
-
-### Network requirements for {% data variables.product.prodname_dependabot %} runners
-
-{% data reusables.dependabot.dependabot-runners-network-requirements %}
-
-### Certificate configuration for {% data variables.product.prodname_dependabot %} runners
-
-If {% data variables.product.prodname_dependabot %} needs to interact with registries that use self-signed certificates, those certificates must also be installed on the self-hosted runners that run {% data variables.product.prodname_dependabot %} jobs. This security hardens the connection. You must also configure Node.js to use the certificate, because most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store.
-
-### Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates
-
-1. Provision self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners).
-
-1. Set up the self-hosted runners with the requirements described above. For example, on a VM running Ubuntu 20.04 you would:
- * Install Docker and ensure that the runner users have access to Docker. For more information, see the Docker documentation.
- * [Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/)
- * Recommended approach: [Run the Docker daemon as a non-root user (Rootless mode)](https://docs.docker.com/engine/security/rootless/)
- * Alternative approach: [Manage Docker as a non-root user](https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user)
- * Verify that the runners have access to the public internet and can only access the internal networks that {% data variables.product.prodname_dependabot %} needs.
- * Install any self-signed certificates for registries that {% data variables.product.prodname_dependabot %} will need to interact with.
-
-1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner).
-1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).
-
-## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
-
-Once you have configured self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you can enable or disable {% data variables.product.prodname_dependabot_updates %} on self-hosted runners at the organization or repository level.
-
-Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on self-hosted runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run.
-
-### Enabling or disabling for your repository
-
-You can manage {% data variables.product.prodname_dependabot %} on self-hosted runners for your {% ifversion ghec %}private or internal{% else %}private{% endif %} repository.
-
-{% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-settings %}
-{% data reusables.repositories.navigate-to-code-security-and-analysis %}
-1. Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on self-hosted runners", click **Enable** to enable the feature or **Disable** to disable it.
-
-### Enabling or disabling for your organization
-
-You can enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing {% ifversion ghec %}private or internal{% else %}private{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered.
-
-> [!NOTE] You need to enable self-hosted runners for your organization if you use {% data variables.actions.hosted_runners %}. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners).
-
-{% data reusables.profile.access_org %}
-{% data reusables.profile.org_settings %}
-{% data reusables.security-configurations.display-global-settings %}
-1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on self-hosted runners" to enable the feature or deselect to disable it. This action enables or disables the feature for all new repositories in the organization.
-
-For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization).
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/re-run-dependabot-jobs.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/re-run-dependabot-jobs.md
new file mode 100644
index 000000000000..4e75f90f4c80
--- /dev/null
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/re-run-dependabot-jobs.md
@@ -0,0 +1,33 @@
+---
+title: Re-running Dependabot jobs on GitHub Actions
+shortTitle: Re-run Dependabot jobs
+intro: Resolve run failures and manually update your dependencies by re-running {% data variables.product.prodname_dependabot %} jobs.
+permissions: '{% data reusables.permissions.dependabot-actions %}'
+versions:
+ feature: dependabot-on-actions-opt-in
+topics:
+ - Dependabot
+ - Security updates
+ - Version updates
+ - Actions
+ - Dependencies
+ - Repositories
+contentType: how-tos
+---
+
+## Re-running a {% data variables.product.prodname_dependabot_version_updates %} job
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.accessing-repository-graphs %}
+{% data reusables.repositories.click-dependency-graph %}
+{% data reusables.dependabot.click-dependabot-tab %}
+1. To the right of the name of manifest file that you're interested in, click **Recent update jobs**.
+1. To the right of the affected manifest file, click **Check for updates** to re-run a {% data variables.product.prodname_dependabot_version_updates %} job and check for new updates to dependencies for that ecosystem.
+
+## Re-running a {% data variables.product.prodname_dependabot_security_updates %} job
+
+{% data reusables.repositories.navigate-to-repo %}
+1. Under your repository name, click **{% octicon "shield-lock" aria-hidden="true" aria-label="shield-lock" %} Security**.
+1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_dependabot %}**.
+1. Under "{% data variables.product.prodname_dependabot %}", click the alert you want to view.
+1. In the section displaying the error details for the alert, click **Try again** to re-run the {% data variables.product.prodname_dependabot_security_updates %} job.
diff --git a/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md b/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md
index 6aba778bc07a..b5b24d2cf743
--- a/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md
+++ b/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md
@@ -20,21 +20,6 @@ redirect_from:
 contentType: how-tos
 ---
-## Restrictions when {% data variables.product.prodname_dependabot %} triggers events
-
-{% data reusables.dependabot.working-with-actions-considerations %}
-
-For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, these restrictions apply:
-
-* `GITHUB_TOKEN` has read-only permissions by default.
-* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available.
-
-For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available.
-
-These restrictions apply even if the workflow is re-run by a different actor.
-
-For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
-
 ## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
 {% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %}
diff --git a/content/code-security/reference/supply-chain-security/dependabot-on-actions.md b/content/code-security/reference/supply-chain-security/dependabot-on-actions.md
new file mode 100644
index 000000000000..8c9329a4afe4
--- /dev/null
+++ b/content/code-security/reference/supply-chain-security/dependabot-on-actions.md
@@ -0,0 +1,46 @@
+---
+title: Dependabot on GitHub Actions
+shortTitle: Dependabot on Actions
+intro: Detailed information on using {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}.
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+topics:
+ - Dependabot
+ - Actions
+ - Version updates
+ - Dependencies
+contentType: reference
+---
+
+## Restrictions when {% data variables.product.prodname_dependabot %} triggers events
+
+{% data reusables.dependabot.working-with-actions-considerations %}
+
+For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, these restrictions apply:
+
+* `GITHUB_TOKEN` has read-only permissions by default.
+* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available.
+
+For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available.
+
+These restrictions apply even if the workflow is re-run by a different actor.
+
+For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+
+## Requirements for using {% data variables.product.prodname_dependabot %} with self-hosted runners
+
+To generate {% data variables.product.prodname_dependabot_updates %} using self-hosted runners, you need to properly configure your system, network, and certificates.
+
+### System requirements
+
+{% data reusables.dependabot.dependabot-runners-system-requirements %}
+
+### Network requirements
+
+{% data reusables.dependabot.dependabot-runners-network-requirements %}
+
+### Certificate configuration
+
+If {% data variables.product.prodname_dependabot %} needs to interact with registries that use self-signed certificates, those certificates must also be installed on the self-hosted runners that run {% data variables.product.prodname_dependabot %} jobs. This security hardens the connection. You must also configure Node.js to use the certificate, because most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store.
diff --git a/content/code-security/reference/supply-chain-security/index.md b/content/code-security/reference/supply-chain-security/index.md
index e22da354e832..5b8ed1f82cf7
--- a/content/code-security/reference/supply-chain-security/index.md
+++ b/content/code-security/reference/supply-chain-security/index.md
@@ -23,6 +23,7 @@ children:
 - /dependabot-pull-request-comment-commands
 - /supported-ecosystems-and-repositories
 - /dependency-graph-supported-package-ecosystems
+ - /dependabot-on-actions
 redirect_from:
 - /code-security/dependabot/ecosystems-supported-by-dependabot
 ---
diff --git a/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md b/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
index 7123f160737e..1c14f67c3778
--- a/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
+++ b/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
@@ -50,7 +50,7 @@ Repository administrators can configure MCP servers by following these steps:
 Your configuration will be validated to ensure proper syntax.
-1. If your MCP server requires a key or secret, add a secret to your {% data variables.product.prodname_copilot_short %} environment. Only secrets with names prefixed with `COPILOT_MCP_` will be available to your MCP configuration. See [Setting up a {% data variables.product.prodname_copilot_short %} environment for {% data variables.copilot.copilot_coding_agent %}](#setting-up-a-copilot-environment-for-copilot-coding-agent).
+1. If your MCP server requires a variable, key, or secret, add a variable or secret to your {% data variables.product.prodname_copilot_short %} environment. Only variables and secrets with names prefixed with `COPILOT_MCP_` will be available to your MCP configuration. See [Setting up a {% data variables.product.prodname_copilot_short %} environment for {% data variables.copilot.copilot_coding_agent %}](#setting-up-a-copilot-environment-for-copilot-coding-agent).
 ## Writing a JSON configuration for MCP servers
@@ -78,20 +78,23 @@ The configuration object can contain the following keys:
 **Required keys for local and remote MCP servers**
 * `tools` (`string[]`): The tools from the MCP server to enable. You may be able to find a list of tools in the server's documentation, or in its code. We strongly recommend that you allowlist specific read-only tools, since the agent will be able to use these tools autonomously and will not ask you for approval first. You can also enable all tools by including `*` in the array.
-* `type` (`string`): {% data variables.copilot.copilot_coding_agent %} accepts `"local"`, `"http"`, or `"sse"`.
+* `type` (`string`): {% data variables.copilot.copilot_coding_agent %} accepts `"local"`, `"stdio"`, `"http"`, or `"sse"`.
 **Local MCP specific keys**
 * `command` (`string`): Required. The command to run to start the MCP server.
 * `args` (`string[]`): Required. The arguments to pass to the `command`.
 * `env` (`object`): Optional. The environment variables to pass to the server. This object should map the name of the environment variable that should be exposed to your MCP server to either of the following:
- * The name of a {% data variables.product.prodname_actions %} secret you have configured, beginning with `COPILOT_MCP_`.
- * A string value.
+ * The name of a secret you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_`.
+ * The name of a variable you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_`.
 **Remote MCP specific keys**
 * `url` (`string`): Required. The MCP server's URL.
 * `headers` (`object`): Optional. The headers to attach to requests to the server. This object should map the name of header keys to either of the following:
- * The name of a {% data variables.product.prodname_actions %} secret you have configured, beginning with `COPILOT_MCP_` preceded by a `$`
- * A string value
+ * The name of a secret you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_` preceded by a `$`.
+ * The name of a variable you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_` preceded by a `$`.
+ * A string value.
+
+Note that all `string` and `string[]` fields besides `tools` & `type` support substitution with a variable or secret you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_` preceded by a `$`.
 ## Example configurations
@@ -111,10 +114,12 @@ The [Sentry MCP server](https://github.com/getsentry/sentry-mcp) gives {% data v
 "args": ["@sentry/mcp-server@latest", "--host=$SENTRY_HOST"],
 "tools": ["get_issue_details", "get_issue_summary"],
 "env": {
- // We can specify an environment variable value as a string...
- "SENTRY_HOST": "https://contoso.sentry.io",
- // or refer to a {% data variables.product.prodname_actions %} secret with a name starting with
- // `COPILOT_MCP_`
+ // We can specify an environment variable value as
+ // a variable in your {% data variables.product.prodname_copilot_short %} environment
+ // where `COPILOT_MCP_SENTRY_HOST` = "https://contoso.sentry.io"...
+ "SENTRY_HOST": "COPILOT_MCP_SENTRY_HOST",
+ // or refer to a secret with a name starting with
+ // `COPILOT_MCP_`.
 "SENTRY_ACCESS_TOKEN": "COPILOT_MCP_SENTRY_ACCESS_TOKEN"
 }
 }
diff --git a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md
index 95edbe3c99ff..7c61a876801a
--- a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md
+++ b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md
@@ -135,7 +135,25 @@ Optionally, you can require a merge type of merge, squash, or rebase. This means
 {% endif %}
 {% ifversion repo-rules-required-reviewer %}
-Optionally, you can require review from specific teams. This means you can add a select number of reviewers who must submit a specific number of reviews for specific files and folders.
+
+#### Required reviewers
+
+Optionally, you can require review or approval from specific teams when a pull request changes certain files or directories. You can specify up to 15 different teams, and for each team you can require a certain number of approvals from team members.
+
+The **Reviewer** dropdown allows you to select any team which is in scope where the rule is being defined.
+
+* **Organization-wide rules**: The team must belong to the organization.
+* **Repository-level rules**: The team must belong to the organization that owns the repository.
+
+This rule is not available on user-owned repositories as they do not contain teams.
+
+Required approvals can be set from 0 (zero) to 10. Requiring zero approvals means that the team will be added for visibility, but the team does not need to approve the request.
+
+For each team, you can specify a list of file patterns which determines what files the setting applies to. The format of this file list is the same as a standard [`.gitignore`](/get-started/git-basics/ignoring-files) file:
+
+* A pattern starting with an exclamation mark (`!`) is a negation. This will cause paths matching earlier patterns to *not* require approvals.
+* Patterns are matched in order, so negated patterns can "unmatch" files which matched previous rules.
+
 {% endif %}
 ## Require status checks to pass before merging
diff --git a/data/features/dependabot-self-hosted-labels.yml b/data/features/dependabot-self-hosted-labels.yml
new file mode 100644
index 000000000000..edf6345af946
--- /dev/null
+++ b/data/features/dependabot-self-hosted-labels.yml
@@ -0,0 +1,6 @@
+# Reference: #19800
+# Custom labels for Dependabot self-hosted runners [GA]
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '> 3.19'
diff --git a/data/reusables/dependabot/no-ubuntu-latest-label-self-hosted.md b/data/reusables/dependabot/no-ubuntu-latest-label-self-hosted.md
new file mode 100644
index 000000000000..fd20ad046f68
--- /dev/null
+++ b/data/reusables/dependabot/no-ubuntu-latest-label-self-hosted.md
@@ -0,0 +1,2 @@
+> [!NOTE]
+> {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} relies on the `ubuntu-latest` label to select the appropriate runner. To ensure {% data variables.product.prodname_dependabot %} runs on {% data variables.product.github %}-hosted runners, you should not use the label `ubuntu-latest` for self-hosted runners.
diff --git a/data/reusables/dependabot/vnet-arc-note.md b/data/reusables/dependabot/vnet-arc-note.md
index d08e19885220..7442b271204c 100644
--- a/data/reusables/dependabot/vnet-arc-note.md
+++ b/data/reusables/dependabot/vnet-arc-note.md
@@ -1,7 +1,7 @@
 {% ifversion dependabot-vnet-support or dependabot-arc-support %}
 >[!NOTE]
-> Private networking is supported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-github-hosted-runners-using-vnet) for more information, and instruction.
+> Private networking is supported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-github-hosted-runners-using-vnet).
 {% else %}
diff --git a/src/landings/components/ProductArticlesList.tsx b/src/landings/components/ProductArticlesList.tsx
index f025e1376a6a..83f7ccba3b7c 100644
--- a/src/landings/components/ProductArticlesList.tsx
+++ b/src/landings/components/ProductArticlesList.tsx
@@ -2,6 +2,7 @@ import { ActionList } from '@primer/react'
 import { ProductTreeNode, useMainContext } from '@/frame/components/context/MainContext'
 import { Link } from '@/frame/components/Link'
+import { countArticles } from '@/landings/lib/count-articles'
 import clsx from 'clsx'
 import styles from './ProductArticlesList.module.scss'
@@ -44,7 +45,7 @@ const ProductTreeNodeList = ({ treeNode }: { treeNode: ProductTreeNode }) => {
 {childNode.title}
 {childNode.childPages.length > 0 ? (
-  • {childNode.childPages.length} articles
+  • {countArticles(childNode)} articles
 ) : null}
diff --git a/src/landings/lib/count-articles.ts b/src/landings/lib/count-articles.ts
new file mode 100644
index 000000000000..7934b31b43d7
--- /dev/null
+++ b/src/landings/lib/count-articles.ts
@@ -0,0 +1,9 @@
+import type { ProductTreeNode } from '@/frame/components/context/MainContext'
+
+// Recursively counts all leaf articles (nodes without children) under a given node
+export const countArticles = (node: ProductTreeNode): number => {
+ if (node.childPages.length === 0) {
+ return 1
+ }
+ return node.childPages.reduce((sum, child) => sum + countArticles(child), 0)
+}
diff --git a/src/landings/tests/count-articles.ts b/src/landings/tests/count-articles.ts
new file mode 100644
index 000000000000..de2291cb2eb0
--- /dev/null
+++ b/src/landings/tests/count-articles.ts
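Review bot: The header comment on `countArticles` says it counts leaf articles *under* a given node, but the base case `return 1` counts the node itself, so a childless node passed in directly — including a section that happens to have an empty `childPages` — is reported as one article; the comment should say so. Since the symbol is exported and consumed by `ProductArticlesList.tsx`, TSDoc would serve readers better than a `//` line, e.g. `/** Counts the leaf articles in the subtree rooted at node; a node with no childPages counts as one article itself. */` followed by `@param node` and `@returns`. The recursion has no depth or cycle guard, which is fine if the content tree is always a finite acyclic tree, as it presumably is — a sentence in the doc stating that assumption would make the contract explicit.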
@@ -0,0 +1,51 @@
+import { describe, expect, test } from 'vitest'
+
+import { countArticles } from '@/landings/lib/count-articles'
+import type { ProductTreeNode } from '@/frame/components/context/MainContext'
+
+// Helper to create a minimal ProductTreeNode for testing
+const createNode = (childPages: ProductTreeNode[] = []): ProductTreeNode => ({
+ title: 'Test',
+ href: '/test',
+ childPages,
+})
+
+describe('countArticles', () => {
+ test('returns 1 for a leaf node (no children)', () => {
+ const leaf = createNode()
+ expect(countArticles(leaf)).toBe(1)
+ })
+
+ test('counts direct children when all are leaf nodes', () => {
+ const node = createNode([createNode(), createNode(), createNode()])
+ expect(countArticles(node)).toBe(3)
+ })
+
+ test('counts all nested leaf articles recursively', () => {
+ // Structure: parent -> 2 sections -> each with 3 articles = 6 total
+ const section1 = createNode([createNode(), createNode(), createNode()])
+ const section2 = createNode([createNode(), createNode(), createNode()])
+ const parent = createNode([section1, section2])
+
+ expect(countArticles(parent)).toBe(6)
+ })
+
+ test('handles deeply nested structure', () => {
+ // 3 levels deep: parent -> section -> subsection -> 2 articles
+ const subsection = createNode([createNode(), createNode()])
+ const section = createNode([subsection])
+ const parent = createNode([section])
+
+ expect(countArticles(parent)).toBe(2)
+ })
+
+ test('handles mixed depth structure', () => {
+ // parent -> section with 2 articles + section with subsection with 3 articles = 5 total
+ const section1 = createNode([createNode(), createNode()])
+ const subsection = createNode([createNode(), createNode(), createNode()])
+ const section2 = createNode([subsection])
+ const parent = createNode([section1, section2])
+
+ expect(countArticles(parent)).toBe(5)
+ })
+})
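Review bot: The new test file is `src/landings/tests/count-articles.ts` with no `.test.ts`/`.spec.ts` suffix; vitest's default include pattern only matches `*.test.*` and `*.spec.*`, so unless the repository's vitest config explicitly includes `src/**/tests/**` these cases would never execute — worth confirming against the config or the naming of sibling files in that directory. The five cases cover leaf, flat, nested and mixed trees, but none pins the one non-obvious behaviour of the function: a section whose `childPages` is empty is itself counted as one article, the same as a leaf. A single added case such as `expect(countArticles(createNode([createNode(), createNode([])]))).toBe(2)` would document that choice so a future change to the base case is caught.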