github · docs-bot · Jun 19, 2026 · Jun 18, 2026
diff --git a/content/copilot/how-tos/github-copilot-app/getting-started.md b/content/copilot/how-tos/github-copilot-app/getting-started.md
@@ -48,7 +48,7 @@ To work on code, you need at least one repository connected to the app. If you s
 
 The sidebar gives you access to the main areas of the app:
 
-* **My work** - Browse and filter issues and pull requests from your repositories, check CI status, and leave reviews.
+* **My work** — Browse and filter issues and pull requests from your repositories, check CI status, and leave reviews.
 * **Automations** — Saved agent tasks that run on a schedule or on demand.
 * **Search** — Search across your repositories directly from the app.
 * **Sessions** — Active agent sessions, grouped by repository. This also includes **Quick chats**, which are general chat conversations.

diff --git a/content/rest/repos/index.md b/content/rest/repos/index.md
@@ -19,6 +19,7 @@ children:
   - /contents
   - /custom-properties
   - /forks
+  - /issue-types
   - /lfs
   - /repos
   - /rule-suites

diff --git a/content/rest/repos/issue-types.md b/content/rest/repos/issue-types.md
@@ -0,0 +1,14 @@
+---
+title: REST API endpoints for issue types
+shortTitle: Issue types
+intro: Use the REST API to manage issue types for a repository.
+versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
+  fpt: '*'
+  ghec: '*'
+autogenerated: rest
+allowTitleToDifferFromFilename: true
+category:
+  - Manage repositories and code
+---
+
+<!-- Content after this section is automatically generated -->
diff --git a/data/release-notes/enterprise-server/3-21/1.yml b/data/release-notes/enterprise-server/3-21/1.yml
@@ -0,0 +1,40 @@
+date: '2026-06-18'
+sections:
+  security_fixes:
+    - |
+       **CRITICAL:** An attacker could exploit a pre-authentication server-side request forgery (SSRF) vulnerability in an upload endpoint to send crafted requests to internal services by exploiting insufficient input validation, potentially accessing internal services and exposing sensitive credentials. This attack required network access to the GHES instance. The vulnerability was addressed by adding input validation to request parameters. GitHub has requested CVE ID [CVE-2026-9312](https://www.cve.org/cverecord?id=CVE-2026-9312) for this vulnerability, which was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
+  known_issues:
+    - |
+      During an upgrade of GitHub Enterprise Server, custom firewall rules are removed. If you use custom firewall rules, you must reapply them after upgrading.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [Troubleshooting access to the Management Console](/enterprise-server@latest/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      In a cluster, the host running restore requires access the storage nodes via their private IPs.
+    - |
+      On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
+    - |
+      When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.
+    - |
+      When applying an enterprise security configuration to all repositories (for example, enabling Secret Scanning or Code Scanning across all repositories), the system immediately enqueues enablement jobs for every organization in the enterprise simultaneously. For enterprises with a large number of repositories, this can result in significant system load and potential performance degradation. If you manage a large enterprise with many organizations and repositories, we recommend applying security configurations at the organization level rather than at the enterprise level in the UI. This allows you to enable security features incrementally and monitor system performance as you roll out changes.
+    - |
+      On instances with multiple Git storage nodes in a voting configuration, including cluster and geo-replication high availability topologies, upgrading may fail to correctly install Actions that ship with the new version. In some cases, previous versions of these Actions remain on the instance. To resolve this issue, run the following commands on the primary node: `ghe-config --unset 'app.actions.actions-repos-sha1sum'`, `ghe-config-apply`, and `/usr/local/share/enterprise/ghe-run-init-actions-graph`.
+    - |
+      Users attempting to clone repositories via HTTPS receive an "Internal Server Error" message, and the clone operation fails with a 500 error. This issue affects all deployment topologies including cluster, standalone, high availability, and geo-replication configurations.
diff --git a/eslint.config.ts b/eslint.config.ts
@@ -233,10 +233,7 @@ export default [
 
   // Legacy files with @typescript-eslint/no-explicit-any violations (see github/docs-engineering#5797)
   {
-    files: [
-      'src/article-api/transformers/rest-transformer.ts',
-      'src/frame/components/context/MainContext.tsx',
-    ],
+    files: ['src/frame/components/context/MainContext.tsx'],
     rules: {
       '@typescript-eslint/no-explicit-any': 'off',
     },

diff --git a/src/article-api/transformers/rest-transformer.ts b/src/article-api/transformers/rest-transformer.ts
@@ -14,11 +14,43 @@ import GithubSlugger from 'github-slugger'
 // These are only used by REST templates and kept here (not in engine.ts)
 // to avoid a circular dependency: rest-tags → renderContent → engine.
 for (const [tagName, tagClass] of Object.entries(apiTransformerTags)) {
-  engine.registerTag(tagName, tagClass as any)
+  engine.registerTag(tagName, tagClass as unknown as Parameters<typeof engine.registerTag>[1])
 }
 
 const DEBUG = process.env.RUNNER_DEBUG === '1' || process.env.DEBUG === '1'
 
+type PreparedCodeExample = {
+  request: {
+    description: string
+    url: string
+    acceptHeader?: string
+    bodyParameters: string | null
+  }
+  response: {
+    statusCode?: string
+    schema: string | null
+  }
+}
+
+type PreparedOperation = Omit<Operation, 'statusCodes' | 'codeExamples'> & {
+  description: string
+  hasParameters: boolean
+  showHeaders: boolean
+  needsContentTypeHeader: boolean
+  statusCodes?: Array<{ httpStatusCode: string; description?: string }>
+  codeExamples: PreparedCodeExample[]
+}
+
+type PreparedTemplateData = {
+  page: {
+    title: Page['title']
+    intro: string
+  }
+  manualContent: string
+  restOperations: PreparedOperation[]
+  apiVersion?: string
+}
+
 /**
  * Transformer for REST API pages
  * Converts REST operations and their data into markdown format using a Liquid template
@@ -114,12 +146,14 @@ export class RestTransformer implements PageTransformer {
     // Load and render template
     const templateContent = loadTemplate(this.templateName)
 
-    // Render the template with Liquid
+    // Render the template with Liquid. templateData intentionally replaces
+    // context.page with a simplified, text-rendered {title, intro} for the
+    // template, so the merged object is not a strict Context.
     const rendered = await renderContent(templateContent, {
       ...context,
       ...templateData,
       markdownRequested: true,
-    })
+    } as unknown as Context)
 
     if (DEBUG) console.log(`[DEBUG] RestTransformer completed in ${Date.now() - startTime}ms`)
     return rendered
@@ -134,7 +168,7 @@ export class RestTransformer implements PageTransformer {
     context: Context,
     manualContent: string,
     apiVersion?: string,
-  ): Promise<Record<string, any>> {
+  ): Promise<PreparedTemplateData> {
     // Prepare page intro
     const intro = page.intro ? await page.renderProp('intro', context, { textOnly: true }) : ''
 
@@ -152,8 +186,7 @@ export class RestTransformer implements PageTransformer {
     }
     const schemaMap = new Map<string, string>()
     for (const op of preparedOperations) {
-      if (!op.codeExamples) continue
-      for (const example of op.codeExamples as any[]) {
+      for (const example of op.codeExamples) {
         const schema = example.response?.schema
         if (!schema || typeof schema !== 'string') continue
 
@@ -181,7 +214,7 @@ export class RestTransformer implements PageTransformer {
   /**
    * Prepare a single operation for template rendering
    */
-  private async prepareOperation(operation: Operation): Promise<Record<string, any>> {
+  private async prepareOperation(operation: Operation): Promise<PreparedOperation> {
     // Convert HTML description to text
     const description = operation.descriptionHTML ? fastTextOnly(operation.descriptionHTML) : ''
 
@@ -213,6 +246,9 @@ export class RestTransformer implements PageTransformer {
           }
         }
 
+        const responseSchema = (
+          example.response as { schema?: Parameters<typeof summarizeSchema>[0] } | undefined
+        )?.schema
         return {
           request: {
             description: example.request?.description
@@ -226,9 +262,7 @@ export class RestTransformer implements PageTransformer {
           },
           response: {
             statusCode: example.response?.statusCode,
-            schema: (example.response as any)?.schema
-              ? summarizeSchema((example.response as any).schema)
-              : null,
+            schema: responseSchema ? summarizeSchema(responseSchema) : null,
           },
         }
       }) || []

diff --git a/src/github-apps/data/fpt-2022-11-28/fine-grained-pat-permissions.json b/src/github-apps/data/fpt-2022-11-28/fine-grained-pat-permissions.json
@@ -720,15 +720,6 @@
         "additional-permissions": true,
         "access": "write"
       },
-      {
-        "category": "copilot",
-        "slug": "get-copilot-metrics-for-an-organization",
-        "subcategory": "copilot-metrics",
-        "verb": "get",
-        "requestPath": "/orgs/{org}/copilot/metrics",
-        "additional-permissions": true,
-        "access": "read"
-      },
       {
         "category": "dependabot",
         "slug": "lists-the-repositories-dependabot-can-access-in-an-organization",
@@ -981,15 +972,6 @@
         "additional-permissions": true,
         "access": "write"
       },
-      {
-        "category": "copilot",
-        "slug": "get-copilot-metrics-for-a-team",
-        "subcategory": "copilot-metrics",
-        "verb": "get",
-        "requestPath": "/orgs/{org}/team/{team_slug}/copilot/metrics",
-        "additional-permissions": true,
-        "access": "read"
-      },
       {
         "category": "orgs",
         "slug": "enable-or-disable-a-security-feature-for-an-organization",
@@ -1650,15 +1632,6 @@
         "additional-permissions": true,
         "access": "write"
       },
-      {
-        "category": "copilot",
-        "slug": "get-copilot-metrics-for-an-organization",
-        "subcategory": "copilot-metrics",
-        "verb": "get",
-        "requestPath": "/orgs/{org}/copilot/metrics",
-        "additional-permissions": true,
-        "access": "read"
-      },
       {
         "category": "copilot",
         "slug": "get-copilot-seat-assignment-details-for-a-user",
@@ -1667,15 +1640,6 @@
         "requestPath": "/orgs/{org}/members/{username}/copilot",
         "additional-permissions": true,
         "access": "read"
-      },
-      {
-        "category": "copilot",
-        "slug": "get-copilot-metrics-for-a-team",
-        "subcategory": "copilot-metrics",
-        "verb": "get",
-        "requestPath": "/orgs/{org}/team/{team_slug}/copilot/metrics",
-        "additional-permissions": true,
-        "access": "read"
       }
     ]
   },
@@ -5184,7 +5148,7 @@
         "subcategory": "artifact-metadata",
         "verb": "post",
         "requestPath": "/orgs/{org}/artifacts/metadata/deployment-record",
-        "additional-permissions": true,
+        "additional-permissions": false,
         "access": "write"
       },
       {
@@ -5193,7 +5157,7 @@
         "subcategory": "artifact-metadata",
         "verb": "post",
         "requestPath": "/orgs/{org}/artifacts/metadata/deployment-record/cluster/{cluster}",
-        "additional-permissions": true,
+        "additional-permissions": false,
         "access": "write"
       },
       {
@@ -5202,7 +5166,7 @@
         "subcategory": "artifact-metadata",
         "verb": "post",
         "requestPath": "/orgs/{org}/artifacts/metadata/storage-record",
-        "additional-permissions": true,
+        "additional-permissions": false,
         "access": "write"
       },
       {
@@ -5211,7 +5175,7 @@
         "subcategory": "artifact-metadata",
         "verb": "get",
         "requestPath": "/orgs/{org}/artifacts/{subject_digest}/metadata/deployment-records",
-        "additional-permissions": true,
+        "additional-permissions": false,
         "access": "read"
       },
       {
@@ -5220,7 +5184,7 @@
         "subcategory": "artifact-metadata",
         "verb": "get",
         "requestPath": "/orgs/{org}/artifacts/{subject_digest}/metadata/storage-records",
-        "additional-permissions": true,
+        "additional-permissions": false,
         "access": "read"
       }
     ]
@@ -5739,51 +5703,6 @@
         "additional-permissions": false,
         "access": "read"
       },
-      {
-        "category": "orgs",
-        "slug": "create-an-artifact-deployment-record",
-        "subcategory": "artifact-metadata",
-        "verb": "post",
-        "requestPath": "/orgs/{org}/artifacts/metadata/deployment-record",
-        "additional-permissions": true,
-        "access": "write"
-      },
-      {
-        "category": "orgs",
-        "slug": "set-cluster-deployment-records",
-        "subcategory": "artifact-metadata",
-        "verb": "post",
-        "requestPath": "/orgs/{org}/artifacts/metadata/deployment-record/cluster/{cluster}",
-        "additional-permissions": true,
-        "access": "write"
-      },
-      {
-        "category": "orgs",
-        "slug": "create-artifact-metadata-storage-record",
-        "subcategory": "artifact-metadata",
-        "verb": "post",
-        "requestPath": "/orgs/{org}/artifacts/metadata/storage-record",
-        "additional-permissions": true,
-        "access": "write"
-      },
-      {
-        "category": "orgs",
-        "slug": "list-artifact-deployment-records",
-        "subcategory": "artifact-metadata",
-        "verb": "get",
-        "requestPath": "/orgs/{org}/artifacts/{subject_digest}/metadata/deployment-records",
-        "additional-permissions": true,
-        "access": "read"
-      },
-      {
-        "category": "orgs",
-        "slug": "list-artifact-storage-records",
-        "subcategory": "artifact-metadata",
-        "verb": "get",
-        "requestPath": "/orgs/{org}/artifacts/{subject_digest}/metadata/storage-records",
-        "additional-permissions": true,
-        "access": "read"
-      },
       {
         "category": "repos",
         "slug": "list-repository-activities",
@@ -7461,6 +7380,15 @@
         "additional-permissions": false,
         "access": "read"
       },
+      {
+        "category": "repos",
+        "slug": "list-issue-types-for-a-repository",
+        "subcategory": "issue-types",
+        "verb": "get",
+        "requestPath": "/repos/{owner}/{repo}/issue-types",
+        "additional-permissions": false,
+        "access": "read"
+      },
       {
         "category": "repos",
         "slug": "list-repository-languages",