diff --git a/content/copilot/concepts/agents/about-github-agentic-workflows.md b/content/copilot/concepts/agents/about-github-agentic-workflows.md new file mode 100644 index 000000000000..f587d6f19b43 --- /dev/null +++ b/content/copilot/concepts/agents/about-github-agentic-workflows.md 
@@ -0,0 +1,157 @@ +--- +title: About GitHub Agentic Workflows +shortTitle: Agentic Workflows +intro: 'Automate repetitive repository work with natural language instructions executed by AI coding agents in {% data variables.product.prodname_actions %}.' +versions: + feature: copilot +contentType: concepts +category: + - Learn about Copilot +--- + +{% data reusables.copilot.agentic-workflows-preview-note %} + +## About {% data variables.copilot.agentic_workflows_short %} + +{% data variables.copilot.github_agentic_workflows %} are AI-powered repository automations that you define in markdown and run as {% data variables.product.prodname_actions %} workflows. Unlike traditional automation with fixed if-then rules, {% data variables.copilot.agentic_workflows_short %} use coding agents to understand context, make decisions, and take meaningful actions—all from natural language instructions. + +In practice, compared with traditional workflows that execute predefined steps: + +* {% data variables.copilot.agentic_workflows_short_cap %} execute natural language instructions with contextual reasoning. +* You still define guardrails in frontmatter, such as triggers, permissions, and safe outputs. + +With {% data variables.copilot.agentic_workflows_short %}, you can automate tasks like: + +* Triaging incoming issues and labeling them by type and priority +* Investigating CI failures and suggesting fixes +* Generating daily or weekly repository status reports +* Keeping documentation up to date with code changes +* Improving test coverage + +## Benefits of using {% data variables.copilot.agentic_workflows_short %} + +* **Automate repetitive repository work**. Define issue triage, CI investigation, documentation updates, and reporting in natural language. +* **Reduce workflow complexity**. Write markdown instructions instead of building complex procedural scripts for every scenario. +* **Keep human review in the loop**. 
{% data variables.copilot.agentic_workflows_short_cap %} can generate ready-to-review outputs, such as issues, comments, and pull requests, while you control approvals and merges. +* **Run agents with layered security**. Agents run in firewalled containers with read-only tokens by default. Write actions are limited to declared "safe outputs" that you have defined, and checked by agentic threat detection. + +## Requirements + +To create and use {% data variables.copilot.agentic_workflows_short %}, you need: + +* {% data variables.product.prodname_actions %} enabled for your repository. +* An account with an AI engine (agent), such as {% data variables.product.prodname_copilot %}, {% data variables.product.prodname_anthropic_claude %}, {% data variables.product.prodname_openai_codex %}, or Google Gemini. +* {% data variables.product.prodname_cli %} installed and authenticated + +## How {% data variables.copilot.agentic_workflows_short %} work + +Each workflow markdown file has two parts: + +* **Frontmatter** (YAML between `---` markers): Configures when the workflow runs, what permissions it has, and what write operations are allowed. +* **Markdown body**: Contains your natural language instructions that the AI agent follows. + +At a high level, the process to create and use {% data variables.copilot.agentic_workflows_short %} is: + +1. Define the agentic workflow `.md` file, including YAML frontmatter and markdown instructions. +1. Compile the markdown workflow file into a hardened `.lock.yml` {% data variables.product.prodname_actions %} workflow file. +1. Commit and push both files to the default branch of your repository. +1. Run the workflow like any other {% data variables.product.prodname_actions %} workflow, on a trigger or in the {% data variables.product.github %} web interface for your repository. You can also run it from the {% data variables.product.prodname_cli %}. 
+ +Here's an example of a workflow to create a daily status report issue for a repository: + +```markdown +--- +on: daily + +permissions: + contents: read + issues: read + pull-requests: read + copilot-requests: write + +network: defaults + +tools: + github: + toolsets: [default] + +safe-outputs: + create-issue: + +--- + +# Daily Repo Status Report + +Review recent activity in the repository, including issues, pull requests, discussions, and code changes. + +Create a {% data variables.product.github %} issue summarizing what changed in the last 24 hours (merged pull requests, closed issues, and new discussions), any blockers or open questions mentioned in comments, progress toward visible goals, and recommended next steps for maintainers. + +Keep the summary concise. Adjust the level of detail based on how much activity occurred. +``` + +For detailed steps on creating and updating {% data variables.copilot.agentic_workflows_short %}, see [AUTOTITLE](/copilot/how-tos/github-agentic-workflows/creating-github-agentic-workflows). + +## Supported coding agents + +{% data variables.copilot.github_agentic_workflows %} support multiple coding agents, including: + +* {% data variables.product.prodname_copilot %} (requires a {% data variables.product.prodname_copilot %} plan) +* {% data variables.product.prodname_anthropic_claude %} +* {% data variables.product.prodname_openai_codex %} +* Google Gemini + +You specify which agent to use in the workflow frontmatter property `engine`. Each engine requires its own authentication secret configured in your repository. {% data variables.product.prodname_copilot %} is the default engine if none is specified. + +For more information, see the [engine reference](https://github.github.com/gh-aw/reference/engines/). 
+ +## Security guardrails + +{% data variables.copilot.github_agentic_workflows %} are designed with security as a priority: + +* **Read-only by default**: Workflows have read-only repository permissions unless you explicitly grant more. +* **Safe outputs**: Write operations (such as creating issues, adding comments, or opening pull requests) are only allowed through validated `safe-outputs` declared in the frontmatter. +* **Secrets stay outside the agent runtime**: Sensitive credentials are kept in isolated downstream jobs instead of being exposed directly to the agent. +* **Threat detection**: Proposed outputs are scanned for suspicious or unsafe changes before write actions are applied. +* **Firewalled execution**: Agents run in isolated {% data variables.product.prodname_actions %} environments. +* **Role-based access**: You can restrict who can trigger or modify {% data variables.copilot.agentic_workflows_short %} using role-based access controls. + +For a full architecture walkthrough, see the [security documentation](https://github.github.com/gh-aw/introduction/architecture/). + +## Usage and billing + +The total cost of {% data variables.copilot.agentic_workflows_short %} has two parts: + +* {% data variables.product.prodname_actions %} minutes consumed by workflow jobs. +* Inference costs from the configured AI engine. + +For inference, {% data variables.copilot.github_agentic_workflows %} use AI Credits (AIC) as a general metric for monitoring and budgeting across engines. `1 AIC = $0.01 USD`. + +How billing applies depends on the engine: + +* Default {% data variables.product.prodname_copilot %} engine: AIC usage maps to {% data variables.product.prodname_ai_credits_short %} in {% data variables.product.prodname_copilot %} billing. +* Third-party engine: Inference is billed by that provider. + +You can use the {% data variables.product.prodname_cli %} to review usage and estimated cost for {% data variables.copilot.agentic_workflows_short %}. 
Use `gh aw logs` to view recent workflow runs, including duration, token usage, and AIC estimates across runs. Use `gh aw audit RUN-ID` to inspect a single run in more detail, including token usage and estimated inference cost. AIC values are best-effort estimates and may not exactly match provider invoices, so verify final charges in your provider's billing dashboard. + +You can also set `max-ai-credits` in workflow frontmatter to cap inference usage for a single run. The default cap is 1,000 AIC per run. + +For an overview of billing for {% data variables.copilot.github_agentic_workflows %} and cost optimization guidance, see [Cost management](https://github.github.com/gh-aw/reference/cost-management/) on the {% data variables.copilot.github_agentic_workflows %} documentation site. + +### Enabling organization billing for {% data variables.copilot.github_agentic_workflows %} + +For {% data variables.product.prodname_copilot %} agentic workflows in organization-owned repositories, if the organization has a {% data variables.product.prodname_copilot %} plan, we strongly recommend using {% data variables.product.prodname_actions %}' built-in `GITHUB_TOKEN`. This approach bills to the organization and avoids using a {% data variables.product.pat_generic %}. + +To bill to the organization, you need: + +1. An organization administrator to enable "Copilot CLI" and "Allow use of Copilot CLI billed to the organization" in {% data variables.product.prodname_copilot %} policy settings. If "Copilot CLI" is already enabled, the billing policy is enabled by default. +1. In each workflow frontmatter, include `copilot-requests: write` under the `permissions` object. + +When `copilot-requests: write` is set in workflow frontmatter permissions, the {% data variables.product.prodname_actions %}' token is used for Copilot requests, so you don't need a `COPILOT_GITHUB_TOKEN`. 
If the {% data variables.product.prodname_actions %} token does not have {% data variables.product.prodname_copilot %} access from the organization, the workflow fails when it sends Copilot requests, and you should configure `COPILOT_GITHUB_TOKEN` instead. + +For detailed setup instructions, see [Using the built-in `GITHUB_TOKEN`](/copilot/how-tos/github-agentic-workflows/creating-github-agentic-workflows#using-the-built-in-github_token). + +## Next steps + +* To add your first agentic workflow, see [AUTOTITLE](/copilot/how-tos/github-agentic-workflows/quickstart). +* For more information on creating and using {% data variables.copilot.agentic_workflows_short %}, see [AUTOTITLE](/copilot/how-tos/github-agentic-workflows/creating-github-agentic-workflows). +* For the full reference documentation, including advanced patterns and examples, see the [{% data variables.copilot.github_agentic_workflows %} documentation site](https://github.github.com/gh-aw/). diff --git a/content/copilot/concepts/agents/index.md b/content/copilot/concepts/agents/index.md index 11f47ff66c09..cd59c9404674 100644 --- a/content/copilot/concepts/agents/index.md +++ b/content/copilot/concepts/agents/index.md @@ -10,6 +10,7 @@ children: - /copilot-cli - /github-copilot-app - /code-review + - /about-github-agentic-workflows - /copilot-memory - /hooks - /about-enterprise-plugin-standards diff --git a/content/copilot/how-tos/github-agentic-workflows/creating-github-agentic-workflows.md b/content/copilot/how-tos/github-agentic-workflows/creating-github-agentic-workflows.md new file mode 100644 index 000000000000..7731fc18f5b1 --- /dev/null +++ b/content/copilot/how-tos/github-agentic-workflows/creating-github-agentic-workflows.md 
@@ -0,0 +1,207 @@ +--- +title: Creating GitHub Agentic Workflows +shortTitle: Creating agentic workflows +intro: 'Build custom AI-powered automations tailored to your repository''s needs.' +versions: + feature: copilot +contentType: how-tos +category: + - Build with Copilot +--- + +{% data reusables.copilot.agentic-workflows-preview-note %} + +## About creating {% data variables.copilot.github_agentic_workflows %} + +You can create {% data variables.copilot.github_agentic_workflows %} with a coding agent (recommended) or manually. A workflow is a markdown file in `.github/workflows/` that contains YAML frontmatter for configuration and natural language instructions for the AI agent. + +To create an agentic workflow, you define the workflow in markdown, compile it into a `.lock.yml` file, commit both files, then run it through {% data variables.product.prodname_actions %} triggers or the {% data variables.product.prodname_cli %}. + +This article focuses on the core tasks: creating, updating, and reusing workflows. For complete technical detail and additional patterns, use the [{% data variables.copilot.github_agentic_workflows %} documentation site](https://github.github.com/gh-aw/). + +## Prerequisites + +{% data reusables.copilot.agentic-workflows-prerequisites %} + +* The {% data variables.copilot.github_agentic_workflows %} extension for the {% data variables.product.prodname_cli %} installed: + + ```shell + gh extension install github/gh-aw + ``` + + If you're using {% data variables.product.prodname_cli %} version 2.90.0 or later, running any `gh aw` command will prompt you to install the extension automatically if it is not yet installed. + +## Authentication + +You can set up authentication with your chosen AI engine (coding agent) in two ways: + +* [Using the built-in `GITHUB_TOKEN`](#using-the-built-in-github_token) for organization billing (recommended). 
This option is specifically for the {% data variables.product.prodname_copilot %} engine, and can only be used by repositories owned by an organization with a {% data variables.product.prodname_copilot %} plan. +* [Using a {% data variables.product.pat_generic %} or API key](#using-a-personal-access-token-or-api-key) for personal repositories and third-party AI engines. + +### Using the built-in `GITHUB_TOKEN` + +> [!TIP] +> If you use {% data variables.product.prodname_copilot %} in an organization-owned repository, the built-in `GITHUB_TOKEN` approach in this section is strongly recommended. + +If you are using {% data variables.product.prodname_copilot %} in an organization-owned repository, you can use {% data variables.product.prodname_actions %}' built-in `GITHUB_TOKEN` instead of a {% data variables.product.pat_generic %}. This bills the workflow's usage directly to your organization and avoids the need to manage a {% data variables.product.pat_generic %} secret for Copilot requests. To set this up: + +1. Your organization administrator should enable the policy "Allow use of Copilot CLI billed to the organization", if not already enabled, in Copilot settings. +1. For workflows that you want to bill to an organization, put `copilot-requests: write` in the workflow frontmatter `permissions`. + +#### Enabling organization billing + +"Allow use of Copilot CLI billed to the organization" must be enabled in {% data variables.product.prodname_copilot %} policy settings. If the "Copilot CLI" policy is already enabled, the billing policy is enabled by default. + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} + +1. In the sidebar, click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} {% data variables.product.prodname_copilot_short %}**, then click **Policies**. +1. Enable "Copilot CLI", then enable "Allow use of Copilot CLI billed to the organization." 
+ +#### Billing a workflow to an organization + +When creating a workflow, you must include `copilot-requests: write` under `permissions` in the workflow frontmatter. When this permission is set, the {% data variables.product.prodname_actions %}' token is used for Copilot requests, and `COPILOT_GITHUB_TOKEN` is ignored for those requests. If the {% data variables.product.prodname_actions %} token does not have {% data variables.product.prodname_copilot %} access from the organization, the workflow fails when it sends Copilot requests, and you should configure `COPILOT_GITHUB_TOKEN` instead. + +```yaml +permissions: + contents: read + copilot-requests: write +``` + +### Using a {% data variables.product.pat_generic %} or API key + +For personal repositories or third-party AI engines, you need to create a repository secret storing a {% data variables.product.pat_generic %} or API key. For {% data variables.product.prodname_copilot %}, the secret is `COPILOT_GITHUB_TOKEN`, which stores a fine-grained {% data variables.product.pat_generic %}. + +If you use `gh aw add-wizard`, the setup flow prompts you to create that secret. If you are creating an agentic workflow from the {% data variables.product.github %} web interface or manually, you will first need to add the secret yourself in your repository's {% data variables.product.prodname_actions %} secrets, either in the {% data variables.product.github %} UI or with `gh aw secrets set` in the CLI. For instructions, see [authentication reference](https://github.github.com/gh-aw/reference/auth/). + +## Creating a workflow + +The recommended way to create {% data variables.copilot.agentic_workflows_short %} is to use a CLI coding agent or VS Code. This gives you one guided path for authoring, compiling, and committing the workflow. + +### Using a CLI coding agent or VS Code + +1. 
Using the {% data variables.product.prodname_cli %} {% data variables.copilot.github_agentic_workflows %} extension (`gh aw`), initialize the repository for agentic authoring (recommended for first-time setup in a repository): + + ```shell + gh aw init + ``` + + This adds skills, instructions, and a custom agent related to agentic workflow authoring, so coding agents can create and edit workflows more effectively. +1. Start your coding agent in the context of your repository (for example, {% data variables.copilot.copilot_cli_short %} or VS Code agent mode). +1. Enter a prompt mentioning the `agentic-workflows` skill and describing your desired workflow: + + ```copilot copy + /agentic-workflows Create a new workflow that creates a daily report on + recent activity in the repository, delivered as + an issue. + ``` + +1. The agent will create the workflow, and compile the workflow using the {% data variables.product.prodname_cli %}. +1. Review the workflow, then ask the agent to commit and push the files. +1. Trigger the workflow from the {% data variables.product.prodname_actions %} tab, or with the {% data variables.product.prodname_cli %} run: + + ```shell + gh aw run YOUR-WORKFLOW-NAME + ``` + +### Other creation methods + +You can also create agentic workflows: + +* In the {% data variables.product.github %} web interface. See [creating workflows in the GitHub web interface](https://github.github.com/gh-aw/setup/creating-workflows/#github-web-interface). +* Manually. See [creating workflows by manual editing](https://github.github.com/gh-aw/setup/creating-workflows/#manual-editing). + +## Workflow structure reference + +Each workflow markdown file has two parts: + +| Section | Purpose | +| --- | --- | +| **YAML frontmatter** | Defines triggers (`on`), permissions, safe outputs, and the AI engine. | +| **Markdown body** | Natural language instructions the AI agent follows when the workflow runs. 
| + +Key frontmatter fields: + +| Field | Description | +| --- | --- | +| `on` | The event trigger (same syntax as {% data variables.product.prodname_actions %} triggers). | +| `permissions` | Repository permissions granted to the agent. Defaults to `read-all`. | +| `safe-outputs` | Write operations the agent is allowed to perform (for example, `create-issue`, `add-comment`, `create-pull-request`). | +| `engine` | The AI engine to use (`copilot` is the default; `claude`, `codex`, and `gemini` are also supported). | + +For the full frontmatter reference, see the [{% data variables.copilot.github_agentic_workflows %} frontmatter documentation](https://github.github.com/gh-aw/reference/frontmatter/). + +## Example agentic workflow + +The following example is a simplified weekly issue activity report for a repository. + +```markdown +--- +on: weekly on monday + +permissions: + issues: read + copilot-requests: write + +network: defaults + +tools: + github: + toolsets: [issues] + +safe-outputs: + create-issue: + +--- + +# Weekly issue activity report + +Review issue activity from the last 7 days in this repository. + +Create a {% data variables.product.github %} issue that includes: + +- Total issues opened and closed this week. +- The top recurring themes from issue titles and descriptions. +- A short list of notable issues that still need attention. +- Two or three actionable recommendations for maintainers. + +Keep the report concise and action-oriented. +``` + +## Updating a workflow + +To update an existing workflow: + +1. Edit the workflow markdown file in `.github/workflows/`. +1. Recompile to refresh the lock file: + + ```shell + gh aw compile + ``` + +1. Commit and push both updated files. +1. Open a pull request and verify {% data variables.product.prodname_actions %} checks. + +For detailed editing guidance, see [Editing Workflows](https://github.github.com/gh-aw/guides/editing-workflows/). 
+ +## Reusing workflows + +You can also import workflows from external repositories that you can access. For example, you can add a workflow from `githubnext/agentics`: + +```shell +gh aw add-wizard githubnext/agentics/daily-repo-status +``` + +For non-interactive setup, you can use `gh aw add` and optionally pin a version. + +When you import a workflow, {% data variables.product.prodname_cli %} stores a `source:` value in frontmatter so you can update from upstream later with `gh aw update`. + +Only import workflows from sources you trust, and review what a workflow does before adding it to your repository. Workflows marked `private: true` can't be imported into other repositories. + +When you update an imported workflow, {% data variables.product.prodname_cli %} tries to preserve local changes. If there are merge conflicts, resolve them and run `gh aw compile` again. + +For more information, see [Reusing Workflows](https://github.github.com/gh-aw/guides/reusing-workflows/). + +## Next steps + +* For workflow examples, advanced patterns, guides, and troubleshooting information, see the [{% data variables.copilot.github_agentic_workflows %} documentation site](https://github.github.com/gh-aw/). diff --git a/content/copilot/how-tos/github-agentic-workflows/index.md b/content/copilot/how-tos/github-agentic-workflows/index.md new file mode 100644 index 000000000000..48041f1e653a --- /dev/null +++ b/content/copilot/how-tos/github-agentic-workflows/index.md @@ -0,0 +1,11 @@ +--- +title: GitHub Agentic Workflows +shortTitle: GitHub Agentic Workflows +intro: 'Create AI-powered automations that run in your repositories on a schedule or in response to events.' +versions: + feature: copilot +children: + - /quickstart + - /creating-github-agentic-workflows +contentType: how-tos +--- diff --git a/content/copilot/how-tos/github-agentic-workflows/quickstart.md b/content/copilot/how-tos/github-agentic-workflows/quickstart.md new file mode 100644 index 000000000000..3b0a8d7c7f0e 
--- /dev/null +++ b/content/copilot/how-tos/github-agentic-workflows/quickstart.md 
@@ -0,0 +1,87 @@ +--- +title: 'Your first agentic workflow' +shortTitle: Quickstart +intro: 'Get your first AI-powered automation running using a pre-built workflow and the GitHub CLI.' +versions: + feature: copilot +contentType: how-tos +category: + - Quickstarts +--- + +{% data reusables.copilot.agentic-workflows-preview-note %} + +## Introduction + +{% data variables.copilot.github_agentic_workflows %} let you automate repository tasks using AI-powered workflows. For an overview of {% data variables.copilot.github_agentic_workflows %}, see [AUTOTITLE](/copilot/concepts/agents/about-github-agentic-workflows). + +In this guide, you'll add a pre-built agentic workflow—a daily repository status report—to an existing repository. This takes about 10 minutes and gives you a working example of automated agents running in {% data variables.product.prodname_actions %}. + +This quickstart focuses on getting your first workflow running. For deeper setup and troubleshooting guidance, see the [{% data variables.copilot.github_agentic_workflows %} documentation site](https://github.github.com/gh-aw/). + +## Prerequisites + +{% data reusables.copilot.agentic-workflows-prerequisites %} + +You can complete this quickstart with any supported engine. {% data variables.product.prodname_copilot %} is the default engine, and a {% data variables.product.prodname_copilot %} plan is only required when you choose it. + +Supported operating systems are Linux, macOS, and Windows with WSL. + +## Step 1: Install the `gh aw` extension + +Install the {% data variables.copilot.github_agentic_workflows %} extension for the {% data variables.product.prodname_cli %}: + +```shell +gh extension install github/gh-aw +``` + +## Step 2: Add a workflow and trigger a run + +From your repository root, run: + +```shell +gh aw add-wizard githubnext/agentics/daily-repo-status +``` + +The `add-wizard` command accepts workflow references in `OWNER/REPO/WORKFLOW-NAME` format. This interactive process will: + +1. 
Check repository prerequisites. +1. Prompt you to select an AI engine ({% data variables.product.prodname_copilot_short %} is the default, or choose from other engines). +1. Guide you through secret and authentication setup for your chosen engine. Depending on the engine you choose, the wizard may prompt you to configure `COPILOT_GITHUB_TOKEN`, `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, or `GEMINI_API_KEY`. See the [authentication reference](https://github.github.com/gh-aw/reference/auth/) article for setup instructions. +1. Generate the workflow markdown file and compile the corresponding `.lock.yml` file. +1. Open a pull request that adds both generated files in `.github/workflows/`. +1. Let you review and merge the pull request yourself, or choose a flow that merges it for you. + +Once the workflow is created, you will be asked if you want to run it immediately. Select **Yes** to trigger the workflow. + +## Step 3: Wait for the workflow to complete + +An automated workflow run typically takes 2-3 minutes. Once complete, a new issue appears in your repository with a daily status report that analyzes: + +* Recent repository activity (issues, pull requests, discussions, releases) +* Progress tracking and highlights +* Actionable next steps for maintainers + +## Step 4: Customize the workflow (optional) + +You can edit the workflow to match your priorities: + +1. Open `.github/workflows/daily-repo-status.md` in your repository. +1. Edit the markdown body to describe what you want the report to cover—your issue backlog, CI setup, testing, performance, or roadmap. +1. If you changed the frontmatter configuration, recompile the workflow: + + ```shell + gh aw compile + ``` + +1. Commit and push your changes. +1. 
Optionally trigger another run: + + ```shell + gh aw run daily-repo-status + ``` + +## Next steps + +* To create your own custom {% data variables.copilot.agentic_workflows_short %}, see [AUTOTITLE](/copilot/how-tos/github-agentic-workflows/creating-github-agentic-workflows). +* For advanced patterns and the full reference, see the [{% data variables.copilot.github_agentic_workflows %} documentation site](https://github.github.com/gh-aw/). diff --git a/content/copilot/how-tos/index.md b/content/copilot/how-tos/index.md index 89dee28075b0..1306151effec 100644 --- a/content/copilot/how-tos/index.md +++ b/content/copilot/how-tos/index.md @@ -13,6 +13,7 @@ children: - /cloud-and-local-sandboxes - /github-copilot-app - /copilot-sdk + - /github-agentic-workflows - /use-copilot-agents - /use-ai-models - /provide-context diff --git a/data/release-notes/enterprise-server/3-21/0-rc1.yml b/data/release-notes/enterprise-server/3-21/0-rc1.yml index b11d57ca154f..36cff4591555 100644 --- a/data/release-notes/enterprise-server/3-21/0-rc1.yml +++ b/data/release-notes/enterprise-server/3-21/0-rc1.yml @@ -1,6 +1,6 @@ date: '2026-05-12' release_candidate: true -deprecated: false +deprecated: true intro: | > [!NOTE] Release candidate (RC) builds are intended solely for use in a test environment. Do not install an RC in a production environment. 
> @@ -280,8 +280,6 @@ sections: When applying an enterprise security configuration to all repositories (for example, enabling Secret Scanning or Code Scanning across all repositories), the system immediately enqueues enablement jobs for every organization in the enterprise simultaneously. For enterprises with a large number of repositories, this can result in significant system load and potential performance degradation. If you manage a large enterprise with many organizations and repositories, we recommend applying security configurations at the organization level rather than at the enterprise level in the UI. This allows you to enable security features incrementally and monitor system performance as you roll out changes. - | On instances with multiple Git storage nodes in a voting configuration, including cluster and geo-replication high availability topologies, upgrading may fail to correctly install Actions that ship with the new version. In some cases, previous versions of these Actions remain on the instance. To resolve this issue, run the following commands on the primary node: `ghe-config --unset 'app.actions.actions-repos-sha1sum'`, `ghe-config-apply`, and `/usr/local/share/enterprise/ghe-run-init-actions-graph`. - - | - `git clone` may fail after upgrading to the {% data variables.product.prodname_ghe_server %} version 3.21 release candidate image. closing_down: # https://github.com/github/releases/issues/7007 diff --git a/data/release-notes/enterprise-server/3-21/0.yml b/data/release-notes/enterprise-server/3-21/0.yml new file mode 100644 index 000000000000..b71e029a8e69 --- /dev/null +++ b/data/release-notes/enterprise-server/3-21/0.yml 
@@ -0,0 +1,300 @@ +date: '2026-06-11' +release_candidate: false +deprecated: false +intro: | +sections: + + features: + + - heading: Instance administration + notes: + # https://github.com/github/releases/issues/7382 + - | + Enterprise owners and organization owners can configure whether profile names (first and last names) are displayed alongside {% data variables.product.prodname_dotcom %} handles across the product. This helps collaborators quickly identify contributors without needing to look up who a handle belongs to. + # https://github.com/github/releases/issues/8864 + - | + You can configure a dedicated disk for log storage, mounted at `/var/log` and configured as an LVM volume, to isolate logs from the root disk. This capability applies only to standalone and high availability topologies and does not apply to cluster topology. This is now generally available in {% data variables.product.prodname_ghe_server %} versions 3.20 and 3.21. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/multiple-data-disks/configuring-multiple-data-disks). + # https://github.com/github/releases/issues/8869 + - | + Starting in 3.21, {% data variables.product.prodname_ghe_server %} will have OpenTelemetry metrics enabled and Collectd metrics disabled by default. Both new installations and upgrades will have OpenTelemetry metrics enabled. Users still have the option to toggle between OTel metrics and Collectd metrics, although it is not recommended. For more information on OpenTelemetry metrics, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics). + # https://github.com/github/releases/issues/8862 + - | + The capability to configure multiple data disks to host MySQL and repository data is now generally available in {% data variables.product.prodname_ghe_server %} version 3.21 and the latest patch versions of 3.17, 3.18, 3.19, and 3.20. 
This applies to standalone and high availability topologies. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/multiple-data-disks/configuring-multiple-data-disks). + # https://github.com/github/releases/issues/9571 + - | + You can add additional nodes to a high-availability datacenter to offload CPU-intensive tasks from the primary data node, allowing horizontal scaling for {% data variables.product.prodname_ghe_server %}. This capability applies only to high-availability topologies. It does not apply to standalone or to cluster topologies. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/additional-nodes/configuring-additional-nodes). + + - heading: Authentication + notes: + # https://github.com/github/releases/issues/6243 + - | + The permissions selection UI for {% data variables.product.pat_v2_plural %} has been updated with a tabbed layout and searchable permissions, making it easier to find and select the appropriate token scopes. Additionally, administrators and developers can create deep links that pre-fill fields in the {% data variables.product.pat_v2 %} creation flow, allowing teams to share ready-made token templates that guide users toward creating tokens with the correct permissions. + + - heading: APIs + notes: + # https://github.com/github/releases/issues/7936 + - | + REST API version `2026-03-10` is available on {% data variables.product.prodname_ghe_server %}. This is the first calendar-based breaking-change version and introduces breaking changes across several REST API endpoints. For more information about the breaking changes, see [AUTOTITLE](/rest/about-the-rest-api/breaking-changes?apiVersion=2026-03-10). Requests that do not specify the `X-GitHub-Api-Version: 2026-03-10` header will continue to use the `2022-11-28` version. 
With the release of `2026-03-10`, the `2022-11-28` version has entered its closing down period and will be retired in the next enterprise server release after `2028-03-10`. We recommend planning your migration ahead of this date to avoid any disruption. For more information, see [AUTOTITLE](/rest/about-the-rest-api/api-versions). + # https://github.com/github/releases/issues/7511 + - | + Organization administrators can now see enterprise teams in API responses for endpoints that involve team interactions, such as listing all teams in an organization. Previously, only enterprise administrators could view enterprise teams through the API. This feature is in public preview and subject to change. For details, see the [changelog](https://github.blog/changelog/2026-02-23-enterprise-team-support-in-organization-apis/). + # https://github.com/github/releases/issues/7504 + - | + Organization owners can manage enterprise teams more securely by using GitHub Apps with fine-grained permissions on the Enterprise Teams API endpoints, instead of relying on {% data variables.product.pat_v1_plural %}. This feature is in public preview and subject to change. For details, see the [changelog](https://github.blog/changelog/2026-02-09-github-apps-can-now-utilize-public-preview-enterprise-teams-apis-via-fine-grained-permissions/). + # https://github.com/github/releases/issues/4366 + - | + The workflow dispatch API endpoint now returns metadata, including the run ID, in the response, allowing developers to map a dispatch request to a workflow run. Previously, the endpoint only returned an HTTP response code, requiring extensive API polling or custom solutions to correlate dispatch requests with their resulting workflow runs. + + - heading: Audit logs + notes: + # https://github.com/github/releases/issues/7681 + - | + New audit log events are now generally available to give security teams visibility into changes to {% data variables.product.prodname_dependabot %} settings. 
For details, see the [changelog](https://github.blog/changelog/2026-02-10-track-additional-dependabot-configuration-changes-in-audit-logs/). + + - heading: Code scanning + notes: + # https://github.com/github/releases/issues/6984 + - | + Assigning {% data variables.product.prodname_code_scanning %} alerts to individual users, previously available as a public preview, is now generally available. Users can assign themselves or others to {% data variables.product.prodname_code_scanning %} alerts to help track and plan work related to addressing security problems. As part of general availability, the feature now includes notifications on assignment, webhooks for assignee changes, and API support for updating assignees. + - | + This release comes installed with CodeQL 2.24.3. Significant updates since the previous version include: + + * CodeQL can analyze projects using Java 26. Framework models were added for Couchbase, Struts 7.x, and expanded Spring RestTemplate SSRF sinks. The @javax.validation.constraints.Pattern annotation is now recognized as a sanitizer for log injection, SSRF, and path injection queries. + * Users working with Kotlin can analyze projects using Kotlin up to 2.3.10. Support for the Kotlin 1.6.x and 1.7.x series has been dropped. + * CodeQL can analyze .NET 10 and C# 14 projects, including new language features such as extension members, null-conditional assignments, partial events, and the field keyword in properties. The extractor also adds support for .slnx solution files. + * CodeQL can analyze projects using Go 1.26. + * CodeQL can analyze projects using Swift 6.2.2 and 6.2.3. + * A new experimental py/prompt-injection query for Python detects potential prompt injection vulnerabilities in code using LLMs. + * Users working with C/C++ can analyze code using C23/C++26 #embed directives and C++23 multidimensional subscript operators. New remote flow source models have been added for winhttp.h and the Azure SDK for C/C++. 
+ * Users working with JavaScript/TypeScript benefit from new framework models for Next.js 16, MobX observer-wrapped React components, and improved vue-router taint detection. + * Read more in the changelogs for the CodeQL versions included in this release: + + * [CodeQL 2.24.0](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.24.0/) + * [CodeQL 2.24.1](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.24.1/) + * [CodeQL 2.24.2](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.24.2/) + * [CodeQL 2.24.3](https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.24.3/) + + - heading: Secret scanning + notes: + # https://github.com/github/releases/issues/8228 + - | + Organization owners and enterprise administrators can designate specific roles, teams, and GitHub apps as exempt from secret scanning push protection enforcement. When an exempt actor pushes content containing secrets, push protection is silently skipped with no blocks, prompts, or bypass requests. This supports trusted automation like migration bots and service accounts that need to push at high volume without push protection friction, while keeping enforcement in place for all other contributors. For details, see the [changelog](https://github.blog/changelog/2026-03-17-push-protection-exemptions-for-apps-teams-and-roles/). + # https://github.com/github/releases/issues/6813 + - | + Site administrators and security managers benefit from several improvements to fine-grained permissions for {% data variables.product.prodname_secret_scanning %}: + + * Anyone with the ability to dismiss or reopen a {% data variables.product.prodname_secret_scanning %} alert can now add or remove alert assignees. + * Alert assignees can now modify alerts, including resolving alerts and removing themselves as assignees. + * Enterprise teams, roles, and apps can be added as bypass reviewers from security configurations. 
+ * Enterprise owners and enterprise security managers can edit any custom patterns, regardless of whether they created them. + + For details, see the [changelog](https://github.blog/changelog/2025-12-16-enterprise-governance-and-policy-improvements-for-secret-scanning-now-generally-available/). + # https://github.com/github/releases/issues/6411 + - | + {% data variables.product.prodname_secret_scanning_caps %} includes new and updated patterns for the default pattern set, improving detection coverage across different secret types. Updates include new patterns, expanded validators for more secret types, and more secret scanning detectors included in the default set for push protection. For details, see the changelog. + + - heading: Dependabot + notes: + # https://github.com/github/releases/issues/7257 + - | + Organization owners and security managers can assign {% data variables.product.prodname_dependabot %} alerts to specific users, bringing clear ownership and accountability to vulnerability remediation. Assignees help teams route work, track progress at alert-level granularity, and standardize triage across all security signals. + # https://github.com/github/releases/issues/7523 + - | + {% data variables.product.prodname_dependabot %} can automatically group version updates by dependency name across multiple directories in a monorepo, consolidating redundant pull requests into a single pull request per dependency. This reduces PR noise and simplifies maintenance for teams managing monorepos with shared dependencies across many services. For details, see the [changelog](https://github.blog/changelog/2026-02-24-dependabot-can-group-updates-by-dependency-name-across-multiple-directories/). + # https://github.com/github/releases/issues/7258 + - | + {% data variables.product.prodname_dependabot %} natively supports pre-commit, a popular multi-language framework for managing Git hooks. 
{% data variables.product.prodname_dependabot %} automatically detects `.pre-commit-config.yaml` files and creates pull requests to update the pinned versions of pre-commit hook repositories, eliminating the need to manually run `pre-commit autoupdate` or track new releases of configured hooks. + # https://github.com/github/releases/issues/7148 + - | + {% data variables.product.prodname_dependabot %} can authenticate with private package registries using OpenID Connect (OIDC) tokens, eliminating the need to store and rotate long-lived credentials as repository secrets. OIDC-based authentication is supported for registries hosted on AWS CodeArtifact, Azure DevOps Artifacts, and JFrog Artifactory. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot#using-oidc-for-authentication). For details, see the [changelog](https://github.blog/changelog/2026-02-03-dependabot-now-supports-oidc-authentication/). + # https://github.com/github/releases/issues/7146 + - | + {% data variables.product.prodname_dependabot %} security updates now support the uv package manager for Python projects. Users who manage Python dependencies with uv can receive automatic security updates from {% data variables.product.prodname_dependabot %}. + # https://github.com/github/releases/issues/7132 + - | + {% data variables.product.prodname_dependabot %} version updates now support the OpenTofu ecosystem. Users who manage infrastructure with OpenTofu can receive automated pull requests to keep their dependencies up to date. For details, see the [changelog](https://github.blog/changelog/2025-12-16-dependabot-version-updates-now-support-opentofu/). 
+ # https://github.com/github/releases/issues/7015 + - | + Organization owners and security managers can configure delegated dismissal controls for {% data variables.product.prodname_dependabot %} alerts, similar to the existing controls for {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %} alerts. This increases accountability across development teams, prevents unauthorized alert closures, and improves the ability to manage alerts at scale. Delegated alert dismissals for {% data variables.product.prodname_dependabot %} are now generally available. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts). For details, see the [changelog](https://github.blog/changelog/2025-12-19-you-can-now-require-reviews-before-closing-dependabot-alerts-with-delegated-alert-dismissal/). + # https://github.com/github/releases/issues/6983 + - | + {% data variables.product.prodname_dependabot %} version updates now support the Bazel ecosystem. Users with Bazel projects that use `MODULE.bazel` (bzlmod) can enable automated dependency updates through {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). For details, see the [changelog](https://github.blog/changelog/2025-12-16-dependabot-version-updates-now-support-bazel/). + # https://github.com/github/releases/issues/6832 + - | + {% data variables.product.prodname_dependabot %} version updates now support the Julia ecosystem. Users can configure {% data variables.product.prodname_dependabot %} to keep Julia dependencies up to date automatically. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). For details, see the [changelog](https://github.blog/changelog/2025-12-16-dependabot-version-updates-now-support-julia/). 
+ + - heading: GitHub Actions + notes: + # Required Actions Runner version: 2.331.0 + - | + {% data reusables.actions.actions-runner-release-note %} + # https://github.com/github/releases/issues/7290 + - | + When a workflow job is skipped because of an `if:` conditional, the job log now shows how the conditional expression was evaluated. This helps users verify whether a job was skipped for the expected reason or if there is an error in their workflow logic. + # https://github.com/github/releases/issues/7112 + - | + {% data variables.product.prodname_actions %} expressions support a new `case` function that enables conditional logic (if/else if/else) directly within workflow expressions. Users can use the `case` function to select values based on conditions without needing to store that logic externally. + # https://github.com/github/releases/issues/7074 + - | + The {% data variables.product.prodname_actions %} workflow visualization page now supports rendering workflows with more than 300 jobs. Jobs are lazy loaded to prevent page errors when viewing large workflows. This feature is in public preview and subject to change. + # https://github.com/github/releases/issues/6898 + - | + {% data variables.product.prodname_actions %} workflows triggered by `pull_request_target` events now always source workflow files and the checkout commit from the repository's default branch, preventing untrusted code from running via outdated or less-protected branches. Additionally, `GITHUB_REF` for `pull_request_target` now points to the default branch instead of the base branch, and environment branch protection rules evaluate against the ref actually used during execution: `merge_ref` for `pull_request`, `pull_request_review`, and `pull_request_review_comment` events, and the default branch for `pull_request_target` events. These changes ensure consistent, security-focused ref handling and close potential gaps in secret governance. 
+ # https://github.com/github/releases/issues/5706 + - | + {% data variables.product.prodname_actions %} expressions support the ternary operator, allowing users to select values based on conditionals directly in workflow configuration. This gives users more power to create complex expressions without storing logic outside of their workflow files. + # https://github.com/github/releases/issues/4371 + - | + Organization owners can create and share {% data variables.product.prodname_actions %} workflow templates (starter workflows) using the organization's private `.github` repository. Previously, the `.github` repository had to be public to store workflow templates. This allows organizations with private environment configurations or policies against public repositories to use workflow templates. For more information, see [AUTOTITLE](/actions/sharing-automations/creating-workflow-templates-for-your-organization). + # https://github.com/github/releases/issues/7473 + - | + Organization and repository owners can define exactly which actions and reusable workflows are permitted to run, regardless of plan type or repository visibility. Previously, action allowlist settings were restricted to certain plans. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise). + # https://github.com/github/releases/issues/7292 + - | + {% data variables.product.prodname_actions %} workflows now detect and flag malformed `if` conditions that always evaluate to true, which could cause jobs to run unintentionally. This includes literals in the `if` condition, invalid format strings, and trailing newlines. Annotations and editor errors help users identify and correct these issues. 
+ + - heading: Organizations + notes: + # https://github.com/github/releases/issues/7596 + - | + Organization owners can require that contributors explicitly select a value for required custom properties when creating a repository, rather than relying on a default value. This ensures repositories meet organizational policy requirements at creation time, improving adoption of rulesets and accuracy of property values. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). For details, see the [changelog](https://github.blog/changelog/2026-02-17-custom-properties-and-rule-insights-improvements/). + # https://github.com/github/releases/issues/7590 + - | + The capability for enterprise owners to define custom organization roles at the enterprise level that apply consistently across all downstream organizations is now generally available. These enterprise-defined roles cannot be altered by organization administrators, enabling centralized role-based access control standards. Enterprise owners can create roles through the UI or the organization role assignment API. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-roles-in-your-enterprise/create-custom-roles) and the [changelog](https://github.blog/changelog/2026-02-23-enterprise-defined-custom-organization-roles-are-generally-available/). + # https://github.com/github/releases/issues/7190 + - | + Organization owners can control who can request {% data variables.product.prodname_github_app %} installations for their organization. Three options are available: allow all installation requests, allow requests from organization members only, or disable all installation requests entirely. Previously, organizations could only disable requests from outside collaborators. 
For more information, see [AUTOTITLE](/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests). + # https://github.com/github/releases/issues/7101 + - | + Organization owners can define repository custom properties with a URL value type, which validates that values conform to URL format and limits. This expands the flexibility of custom properties, allowing teams to associate relevant URLs with repositories. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). + + - heading: Repositories + notes: + # https://github.com/github/releases/issues/7708 + - | + Users experience faster page loads and quicker interactions when browsing code. Performance improvements include reduced load times for repository overview and code view pages, optimized soft navigations, and improved interaction responsiveness. This feature is in public preview and subject to change. + # https://github.com/github/releases/issues/6622 + - | + Organization owners and repository administrators can exempt specific actors from all ruleset behaviors, including bypass warnings and ruleset evaluation. This is useful for migrations and other scenarios where elevated access should not be visible. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). + # https://github.com/github/releases/issues/7385 + - | + Repository administrators can disable pull requests entirely or restrict pull request creation to collaborators only. These settings are available under **Repository settings > General > Features**. When pull requests are disabled, the pull requests tab is hidden and existing pull request URLs return a 404. When pull requests are restricted, only collaborators can create pull requests, but anyone can view existing ones. 
In both cases, users see a banner when forking the repository indicating the restriction. This feature is in public preview and subject to change. + - | + Enterprise owners can designate enterprise roles, teams, and apps as bypass actors on enterprise rulesets. This makes it easier to manage ruleset exceptions consistently across all organizations and repositories within an enterprise. + + - heading: Issues + notes: + # https://github.com/github/releases/issues/6413 + - | + Organization owners and repository administrators can define custom fields directly on issues, making it easier to share and sync item information across projects. By using issue fields, teams can maintain a single source of truth where critical details remain consistent and up to date without manual effort. This feature is in public preview and subject to change. + # https://github.com/github/releases/issues/7534 + - | + Organization owners and repository administrators can add file upload fields to issue forms, allowing contributors to attach required files such as logs or screenshots when submitting an issue. This reduces back-and-forth by collecting necessary information upfront. + # https://github.com/github/releases/issues/7244 + - | + When users attempt to add low-quality comments to issues, such as "+1" or "Subscribe," a message is displayed to guide them toward more constructive contributions. This reduces noise in issue threads and makes it easier to find important information. + # https://github.com/github/releases/issues/7235 + - | + Users can pin a comment on an issue to surface important information, such as workarounds, key updates, or decisions, at the top of the conversation. This improves the discoverability of critical context in long-running issue threads. + + - heading: Projects + notes: + # https://github.com/github/releases/issues/5245 + - | + The hierarchy view in projects, previously in public preview, is now generally available. 
Users can visualize and work with sub-issues directly within their projects, making it easier to manage work and understand the full scope of epics and initiatives. For details, see the [changelog](https://github.blog/changelog/2026-01-15-hierarchy-view-now-available-in-github-projects/). + # https://github.com/github/releases/issues/7237 + - | + Users can import items into a project based on a repository issues query. This makes it easier to get started with a project by providing more flexibility and control over which items are added. For details, see the [changelog](https://github.blog/changelog/2026-02-19-github-projects-import-items-based-on-a-query-and-hierarchy-view-improvements/). + + - heading: GitHub Discussions + notes: + # https://github.com/github/releases/issues/5488 + - | + Repository administrators can post in {% data variables.product.prodname_discussions %} using an anonymous "Admin" alias, helping protect their personal identity. For details, see the [changelog](https://github.blog/changelog/2025-12-11-post-as-admin-now-available-in-github-discussions/). + + - heading: Pull requests + notes: + # https://github.com/github/releases/issues/7252 + - | + Test merge commits for open pull requests are now generated less frequently, improving performance and reducing repository bloat from loose Git objects. The test merge commit associated with a pull request is updated when the pull request itself changes, when the merge base between the two branches changes, or when the current test merge is older than 12 hours. All mergeability checks and rules continue to be honored. + # https://github.com/github/releases/issues/6670 + - | + Pull request reviewers can comment on any line of a changed file, not just lines within the diff. Previously, comments could only be placed on the three lines before or after a changed line. 
This allows reviewers to leave feedback on unchanged lines that need attention and to place comments directly on the relevant line, making review feedback clearer and easier for authors to act on. This feature is in public preview and subject to change. + # https://github.com/github/releases/issues/7688 + - | + Users can view PR-level discussion comments in the side panel of the new Files Changed tab, allowing them to follow conversations while reviewing code without switching between the Files Changed and Conversation tabs. The side panel also supports filtering review and discussion comments. This feature is in public preview and subject to change. + + - heading: Integrations and extensions + notes: + # https://github.com/github/releases/issues/7229 + - | + When users authorize a GitHub App that only requests read-level user permissions, the authorization consent screen no longer displays the "Act on your behalf" warning. This reduces unnecessary friction for apps that use {% data variables.product.prodname_dotcom %} only for identity purposes and do not perform actions on behalf of the user. This feature is in public preview and subject to change. + # https://github.com/github/releases/issues/7220 + - | + Developers can build custom integrations, automated workflows, and AI-powered experiences using the {% data variables.product.prodname_copilot %} SDK. The SDK provides a unified API across TypeScript, Python, Go, and .NET, featuring real-time event streaming, multi-turn conversations, and full lifecycle control with minimal dependencies. This feature is in technical preview and subject to change. + + changes: + # https://github.com/github/releases/issues/7108 + - | + The **Teams** option has been removed from the left-hand navigation menu to streamline the experience. To manage team-related settings, users can navigate to **Settings > Teams**. A dismissible banner notifies users of the new location. 
+ - | + Starting in {% data variables.product.prodname_ghe_server %} version 3.20, we have reserved the `/repos` path for a forthcoming product feature. If you currently use `/repos` for a route (for example, a username, organization name, a GitHub App, an OAuth app, reverse proxy, or internal integration), you may need to update your configuration to avoid routing conflicts. + + known_issues: + # Known issues from "GHES Release Note Tracking" project + - | + During an upgrade of GitHub Enterprise Server, custom firewall rules are removed. If you use custom firewall rules, you must reapply them after upgrading. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [Troubleshooting access to the Management Console](/admin/administering-your-instance/administering-your-instance-from-the-web-ui/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account). + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. 
+ - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. + - | + Admins setting up cluster high availability (HA) may encounter a spokes error when running ghe-cluster-repl-status if a new organization and repositories are created before using the ghe-cluster-repl-bootstrap command. To avoid this issue, complete the cluster HA setup with ghe-cluster-repl-bootstrap before creating new organizations and repositories. + - | + In a cluster, the host running restore requires access the storage nodes via their private IPs. + - | + On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. 
+ - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. + - | + When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages. + - | + When applying an enterprise security configuration to all repositories (for example, enabling Secret Scanning or Code Scanning across all repositories), the system immediately enqueues enablement jobs for every organization in the enterprise simultaneously. For enterprises with a large number of repositories, this can result in significant system load and potential performance degradation. If you manage a large enterprise with many organizations and repositories, we recommend applying security configurations at the organization level rather than at the enterprise level in the UI. This allows you to enable security features incrementally and monitor system performance as you roll out changes. + - | + On instances with multiple Git storage nodes in a voting configuration, including cluster and geo-replication high availability topologies, upgrading may fail to correctly install Actions that ship with the new version. In some cases, previous versions of these Actions remain on the instance. To resolve this issue, run the following commands on the primary node: `ghe-config --unset 'app.actions.actions-repos-sha1sum'`, `ghe-config-apply`, and `/usr/local/share/enterprise/ghe-run-init-actions-graph`. 
+ + closing_down: + # https://github.com/github/releases/issues/7007 + - | + Closing down: Password authentication for programmatic access to {% data variables.product.prodname_dotcom %} APIs is no longer supported as of this version of {% data variables.product.prodname_ghe_server %}. Instead, [create a {% data variables.product.pat_generic %}](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) in limited situations like testing. You should authenticate apps in production by using the web applications flow. For more information, see [AUTOTITLE](/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps). + # https://github.com/github/releases/issues/7137 + - | + Closing down: The user-to-organization transformation flow is closing down. Instead, users are prompted to move their work to a new organization or repository. This change reduces confusion and the need for account name changes for both users and organizations. + # https://github.com/github/releases/issues/6794 + - | + Closing down: {% data variables.product.prodname_dependabot %} comment commands that duplicate functionality native to the {% data variables.product.prodname_dotcom %} platform are closing down. The affected commands are `@dependabot merge`, `@dependabot cancel merge`, `@dependabot squash and merge`, `@dependabot close`, and `@dependabot reopen`. Instead, use the equivalent built-in features of {% data variables.product.prodname_dotcom %} directly. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates). + - | + Closing down: {% data variables.product.prodname_dotcom %} plans to deprecate support for LDAP and CAS in version 3.26 of {% data variables.product.prodname_ghe_server %}. 
This change aligns with {% data variables.product.prodname_dotcom %}’s continued investment in System for Cross-domain Identity Management (SCIM), a widely adopted standard for user lifecycle management in SaaS applications. {% data variables.product.prodname_ghe_server %} supports SCIM with paved-path integrations for popular identity providers and also for any IdP through the SCIM API. Administrators using LDAP or CAS should begin planning a migration to SAML authentication with SCIM provisioning. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim) and [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api). + - | + Closing down: [Collectd metrics](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/collectd-metrics/about-collectd-metrics) will be retired starting in {% data variables.product.prodname_ghe_server %} version 3.23. There will not be a Collectd metrics stack in 3.23. We will continue to support the Collectd stack in 3.22 and earlier versions during their respective support windows. + - | + Closing down: High availability replication for cluster topologies will be retired starting in {% data variables.product.prodname_ghe_server %} version 3.22. You will no longer be able to configure or use the feature, and we will remove the supporting code from the product. + # https://github.com/github/releases/issues/6651 + - | + Closing down: Networking-related syscalls will be disabled by default in the pre-receive hook environment starting in {% data variables.product.prodname_ghe_server %} version 3.22. For enhanced security, hook environments will be placed in dedicated network namespaces. You will be able to override the default setting by setting `pre-receive-hook-networking` to `enabled`. 
In many cases, [push rulesets](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#push-rulesets) are an alternative for many pre-receive hooks. diff --git a/data/reusables/actions/supported-github-runners.md b/data/reusables/actions/supported-github-runners.md index 952101c236fb..4041204de88f 100644 --- a/data/reusables/actions/supported-github-runners.md +++ b/data/reusables/actions/supported-github-runners.md @@ -24,7 +24,8 @@ For public repositories, jobs using the workflow labels shown in the table below
ubuntu-latest,
ubuntu-24.04,
- ubuntu-22.04
+ ubuntu-22.04,
+ ubuntu-26.04 ({% data variables.release-phases.public_preview_caps %})
ubuntu-24.04-arm,
- ubuntu-22.04-arm
+ ubuntu-24.04-arm,
+ ubuntu-22.04-arm,
+ ubuntu-26.04-arm ({% data variables.release-phases.public_preview_caps %})
windows-11-arm
+ windows-11-arm,
+ windows-11-vs2026-arm ({% data variables.release-phases.public_preview_caps %})
ubuntu-latest,
ubuntu-24.04,
- ubuntu-22.04
+ ubuntu-22.04,
+ ubuntu-26.04 ({% data variables.release-phases.public_preview_caps %})
ubuntu-24.04-arm,
- ubuntu-22.04-arm
+ ubuntu-24.04-arm,
+ ubuntu-22.04-arm,
+ ubuntu-26.04-arm ({% data variables.release-phases.public_preview_caps %})
windows-11-arm
+ windows-11-arm,
+ windows-11-vs2026-arm ({% data variables.release-phases.public_preview_caps %})
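Review bot: In both copies of the runner table, the arm64 Linux cell shows `ubuntu-24.04-arm,` as an unchanged context line and then again as an added line, and the Windows arm64 cell shows `windows-11-arm` as context followed by an added `windows-11-arm,`. If the file really contains both, each label renders twice in its cell; the existing line should be modified in place (add the trailing comma) rather than re-added. Please check the rendered table. A smaller point: the `ubuntu-26.04` and `ubuntu-26.04-arm` preview labels are appended after the `22.04` entries, so the lists are no longer in version order.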
Type AddPullRequestCreationCapBypassUsersInput was added
Input field clientMutationId of type String was added to input object type AddPullRequestCreationCapBypassUsersInput
Input field repositoryId of type ID! was added to input object type AddPullRequestCreationCapBypassUsersInput
Input field userIds of type '[ID!]!was added to input object typeAddPullRequestCreationCapBypassUsersInput'
Type AddPullRequestCreationCapBypassUsersPayload was added
Field clientMutationId was added to object type AddPullRequestCreationCapBypassUsersPayload
Field repository was added to object type AddPullRequestCreationCapBypassUsersPayload
Type PullRequestCreationCapConfig was added
Field bypassedUsers was added to object type PullRequestCreationCapConfig
Argument after: String added to field PullRequestCreationCapConfig.bypassedUsers
Argument before: String added to field PullRequestCreationCapConfig.bypassedUsers
Argument first: Int added to field PullRequestCreationCapConfig.bypassedUsers
Argument last: Int added to field PullRequestCreationCapConfig.bypassedUsers
Type RemovePullRequestCreationCapBypassUsersInput was added
Input field clientMutationId of type String was added to input object type RemovePullRequestCreationCapBypassUsersInput
Input field repositoryId of type ID! was added to input object type RemovePullRequestCreationCapBypassUsersInput
Input field userIds of type '[ID!]!was added to input object typeRemovePullRequestCreationCapBypassUsersInput'
Type RemovePullRequestCreationCapBypassUsersPayload was added
Field clientMutationId was added to object type RemovePullRequestCreationCapBypassUsersPayload
Field repository was added to object type RemovePullRequestCreationCapBypassUsersPayload
Field addPullRequestCreationCapBypassUsers was added to object type Mutation
Argument input: AddPullRequestCreationCapBypassUsersInput! added to field Mutation.addPullRequestCreationCapBypassUsers
Field removePullRequestCreationCapBypassUsers was added to object type Mutation
Argument input: RemovePullRequestCreationCapBypassUsersInput! added to field Mutation.removePullRequestCreationCapBypassUsers
Field pullRequestCreationCapConfig was added to object type Repository
Field updatedAt was added to object type StatusContext
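Review bot: The two `userIds` changelog entries are malformed: they read `of type '[ID!]!was added to input object typeAddPullRequestCreationCapBypassUsersInput'`, with the quote opening before the type, closing after the input object name, and no spaces around "was added to input object type". The `repositoryId` entries of type `ID!` directly above them are fine, so the list type `[ID!]!` appears to be what breaks the formatting. Correct both entries (Add and Remove) or fix the quoting for list types where the changelog text is generated.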
Identifies the date and time when the object was last updated.
", + "type": "DateTime!", + "id": "datetime", + "href": "/graphql/reference/other#scalar-datetime" } ], "category": "commits" diff --git a/src/graphql/data/fpt/schema-pulls.json b/src/graphql/data/fpt/schema-pulls.json index 925b84da2d37..8ae21384d4c1 100644 --- a/src/graphql/data/fpt/schema-pulls.json +++ b/src/graphql/data/fpt/schema-pulls.json @@ -1,5 +1,37 @@ { "mutations": [ + { + "name": "addPullRequestCreationCapBypassUsers", + "id": "addpullrequestcreationcapbypassusers", + "href": "/graphql/reference/pulls#mutation-addpullrequestcreationcapbypassusers", + "description": "Add users to the pull request creation cap bypass list. Bypassed users can\ncreate pull requests regardless of the configured cap. Only repository admins\ncan manage the bypass list. You can add a maximum of 100 users per request.\nThe bypass list can only hold a maximum of 100 users.
", + "isDeprecated": false, + "inputFields": [ + { + "name": "input", + "type": "AddPullRequestCreationCapBypassUsersInput!", + "id": "addpullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-addpullrequestcreationcapbypassusersinput" + } + ], + "returnFields": [ + { + "name": "clientMutationId", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string", + "description": "A unique identifier for the client performing the mutation.
" + }, + { + "name": "repository", + "type": "Repository", + "id": "repository", + "href": "/graphql/reference/repos#object-repository", + "description": "The repository with the updated bypass list.
" + } + ], + "category": "pulls" + }, { "name": "addPullRequestReview", "id": "addpullrequestreview", @@ -618,6 +650,38 @@ ], "category": "pulls" }, + { + "name": "removePullRequestCreationCapBypassUsers", + "id": "removepullrequestcreationcapbypassusers", + "href": "/graphql/reference/pulls#mutation-removepullrequestcreationcapbypassusers", + "description": "Remove users from the pull request creation cap bypass list. Only repository admins can manage the bypass list.
", + "isDeprecated": false, + "inputFields": [ + { + "name": "input", + "type": "RemovePullRequestCreationCapBypassUsersInput!", + "id": "removepullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-removepullrequestcreationcapbypassusersinput" + } + ], + "returnFields": [ + { + "name": "clientMutationId", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string", + "description": "A unique identifier for the client performing the mutation.
" + }, + { + "name": "repository", + "type": "Repository", + "id": "repository", + "href": "/graphql/reference/repos#object-repository", + "description": "The repository with the updated bypass list.
" + } + ], + "category": "pulls" + }, { "name": "reopenPullRequest", "id": "reopenpullrequest", @@ -4892,6 +4956,61 @@ ], "category": "pulls" }, + { + "name": "PullRequestCreationCapConfig", + "id": "pullrequestcreationcapconfig", + "href": "/graphql/reference/pulls#object-pullrequestcreationcapconfig", + "description": "Users who are exempt from the pull request creation cap on a repository.
", + "isDeprecated": false, + "fields": [ + { + "name": "bypassedUsers", + "description": "Users who are exempt from the pull request creation cap.
", + "type": "UserConnection!", + "id": "userconnection", + "href": "/graphql/reference/users#object-userconnection", + "arguments": [ + { + "name": "after", + "description": "Returns the elements in the list that come after the specified cursor.
", + "type": { + "name": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + } + }, + { + "name": "before", + "description": "Returns the elements in the list that come before the specified cursor.
", + "type": { + "name": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + } + }, + { + "name": "first", + "description": "Returns the first n elements from the list.
", + "type": { + "name": "Int", + "id": "int", + "href": "/graphql/reference/other#scalar-int" + } + }, + { + "name": "last", + "description": "Returns the last n elements from the list.
", + "type": { + "name": "Int", + "id": "int", + "href": "/graphql/reference/other#scalar-int" + } + } + ] + } + ], + "category": "pulls" + }, { "name": "PullRequestEdge", "id": "pullrequestedge", @@ -8615,6 +8734,38 @@ } ], "inputObjects": [ + { + "name": "AddPullRequestCreationCapBypassUsersInput", + "id": "addpullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-addpullrequestcreationcapbypassusersinput", + "description": "Autogenerated input type of AddPullRequestCreationCapBypassUsers.
", + "inputFields": [ + { + "name": "clientMutationId", + "description": "A unique identifier for the client performing the mutation.
", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + }, + { + "name": "repositoryId", + "description": "The Node ID of the repository.
", + "type": "ID!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + }, + { + "name": "userIds", + "description": "The Node IDs of the users to add to the bypass list.
", + "type": "[ID!]!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + } + ], + "category": "pulls" + }, { "name": "AddPullRequestReviewCommentInput", "id": "addpullrequestreviewcommentinput", @@ -9595,6 +9746,38 @@ ], "category": "pulls" }, + { + "name": "RemovePullRequestCreationCapBypassUsersInput", + "id": "removepullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-removepullrequestcreationcapbypassusersinput", + "description": "Autogenerated input type of RemovePullRequestCreationCapBypassUsers.
", + "inputFields": [ + { + "name": "clientMutationId", + "description": "A unique identifier for the client performing the mutation.
", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + }, + { + "name": "repositoryId", + "description": "The Node ID of the repository.
", + "type": "ID!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + }, + { + "name": "userIds", + "description": "The Node IDs of the users to remove from the bypass list.
", + "type": "[ID!]!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + } + ], + "category": "pulls" + }, { "name": "ReopenPullRequestInput", "id": "reopenpullrequestinput", diff --git a/src/graphql/data/fpt/schema-repos.json b/src/graphql/data/fpt/schema-repos.json index 44b83a6cf091..734c46aa8c2e 100644 --- a/src/graphql/data/fpt/schema-repos.json +++ b/src/graphql/data/fpt/schema-repos.json @@ -5338,6 +5338,13 @@ } ] }, + { + "name": "pullRequestCreationCapConfig", + "description": "A list of users who are exempt from the pull request creation cap on this repository. Only visible to repository admins.
", + "type": "PullRequestCreationCapConfig", + "id": "pullrequestcreationcapconfig", + "href": "/graphql/reference/pulls#object-pullrequestcreationcapconfig" + }, { "name": "pullRequestCreationPolicy", "description": "The policy controlling who can create pull requests in this repository.
", diff --git a/src/graphql/data/fpt/schema.docs.graphql b/src/graphql/data/fpt/schema.docs.graphql index 1b0bc6696e5a..d62d035bf8a0 100644 --- a/src/graphql/data/fpt/schema.docs.graphql +++ b/src/graphql/data/fpt/schema.docs.graphql @@ -842,6 +842,41 @@ type AddProjectV2ItemByIdPayload { item: ProjectV2Item } +""" +Autogenerated input type of AddPullRequestCreationCapBypassUsers +""" +input AddPullRequestCreationCapBypassUsersInput { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The Node ID of the repository. + """ + repositoryId: ID! @possibleTypes(concreteTypes: ["Repository"]) + + """ + The Node IDs of the users to add to the bypass list. + """ + userIds: [ID!]! @possibleTypes(concreteTypes: ["User"]) +} + +""" +Autogenerated return type of AddPullRequestCreationCapBypassUsers. +""" +type AddPullRequestCreationCapBypassUsersPayload { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The repository with the updated bypass list. + """ + repository: Repository +} + """ Autogenerated input type of AddPullRequestReviewComment """ @@ -26510,6 +26545,19 @@ type Mutation @docsCategory(name: "meta") { input: AddProjectV2ItemByIdInput! ): AddProjectV2ItemByIdPayload @docsCategory(name: "projects") + """ + Add users to the pull request creation cap bypass list. Bypassed users can + create pull requests regardless of the configured cap. Only repository admins + can manage the bypass list. You can add a maximum of 100 users per request. + The bypass list can only hold a maximum of 100 users. + """ + addPullRequestCreationCapBypassUsers( + """ + Parameters for AddPullRequestCreationCapBypassUsers + """ + input: AddPullRequestCreationCapBypassUsersInput! + ): AddPullRequestCreationCapBypassUsersPayload @docsCategory(name: "pulls") + """ Adds a review to a Pull Request. """ 
@@ -27951,6 +27999,16 @@ type Mutation @docsCategory(name: "meta") { input: RemoveOutsideCollaboratorInput! ): RemoveOutsideCollaboratorPayload @docsCategory(name: "orgs") + """ + Remove users from the pull request creation cap bypass list. Only repository admins can manage the bypass list. + """ + removePullRequestCreationCapBypassUsers( + """ + Parameters for RemovePullRequestCreationCapBypassUsers + """ + input: RemovePullRequestCreationCapBypassUsersInput! + ): RemovePullRequestCreationCapBypassUsersPayload @docsCategory(name: "pulls") + """ Removes a reaction from a subject. """ @@ -44120,6 +44178,36 @@ type PullRequestContributionsByRepository @docsCategory(name: "pulls") { repository: Repository! } +""" +Users who are exempt from the pull request creation cap on a repository. +""" +type PullRequestCreationCapConfig @docsCategory(name: "pulls") { + """ + Users who are exempt from the pull request creation cap. + """ + bypassedUsers( + """ + Returns the elements in the list that come after the specified cursor. + """ + after: String + + """ + Returns the elements in the list that come before the specified cursor. + """ + before: String + + """ + Returns the first _n_ elements from the list. + """ + first: Int + + """ + Returns the last _n_ elements from the list. + """ + last: Int + ): UserConnection! +} + """ The policy controlling who can create pull requests in a repository. """ 
@@ -48393,6 +48481,41 @@ type RemoveOutsideCollaboratorPayload { removedUser: User } +""" +Autogenerated input type of RemovePullRequestCreationCapBypassUsers +""" +input RemovePullRequestCreationCapBypassUsersInput { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The Node ID of the repository. + """ + repositoryId: ID! @possibleTypes(concreteTypes: ["Repository"]) + + """ + The Node IDs of the users to remove from the bypass list. + """ + userIds: [ID!]! @possibleTypes(concreteTypes: ["User"]) +} + +""" +Autogenerated return type of RemovePullRequestCreationCapBypassUsers. +""" +type RemovePullRequestCreationCapBypassUsersPayload { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The repository with the updated bypass list. + """ + repository: Repository +} + """ Autogenerated input type of RemoveReaction """ @@ -53655,6 +53778,11 @@ type Repository implements Node & PackageOwner & ProjectOwner & ProjectV2Recent number: Int! ): PullRequest + """ + A list of users who are exempt from the pull request creation cap on this repository. Only visible to repository admins. + """ + pullRequestCreationCapConfig: PullRequestCreationCapConfig + """ The policy controlling who can create pull requests in this repository. """ @@ -62840,6 +62968,11 @@ type StatusContext implements Node & RequirableByPullRequest @docsCategory(name: The URL for this status context. """ targetUrl: URI + + """ + Identifies the date and time when the object was last updated. + """ + updatedAt: DateTime! } """ diff --git a/src/graphql/data/ghec/category-map.json b/src/graphql/data/ghec/category-map.json index 26b817ed2421..048dcab89f50 100644 --- a/src/graphql/data/ghec/category-map.json +++ b/src/graphql/data/ghec/category-map.json 
@@ -227,6 +227,7 @@ "updateprojectv2itemfieldvalue": "projects", "updateprojectv2itemposition": "projects", "updateprojectv2statusupdate": "projects", + "addpullrequestcreationcapbypassusers": "pulls", "addpullrequestreview": "pulls", "addpullrequestreviewcomment": "pulls", "addpullrequestreviewthread": "pulls", @@ -245,6 +246,7 @@ "markfileasviewed": "pulls", "markpullrequestreadyforreview": "pulls", "mergepullrequest": "pulls", + "removepullrequestcreationcapbypassusers": "pulls", "reopenpullrequest": "pulls", "requestreviews": "pulls", "requestreviewsbylogin": "pulls", @@ -823,6 +825,7 @@ "pullrequestcommitedge": "pulls", "pullrequestconnection": "pulls", "pullrequestcontributionsbyrepository": "pulls", + "pullrequestcreationcapconfig": "pulls", "pullrequestedge": "pulls", "pullrequestparameters": "pulls", "pullrequestreview": "pulls", @@ -1666,6 +1669,7 @@ "updateprojectv2itemfieldvalueinput": "projects", "updateprojectv2itempositioninput": "projects", "updateprojectv2statusupdateinput": "projects", + "addpullrequestcreationcapbypassusersinput": "pulls", "addpullrequestreviewcommentinput": "pulls", "addpullrequestreviewinput": "pulls", "addpullrequestreviewthreadinput": "pulls", @@ -1690,6 +1694,7 @@ "mergequeueparametersinput": "pulls", "pullrequestorder": "pulls", "pullrequestparametersinput": "pulls", + "removepullrequestcreationcapbypassusersinput": "pulls", "reopenpullrequestinput": "pulls", "requestreviewsbylogininput": "pulls", "requestreviewsinput": "pulls", diff --git a/src/graphql/data/ghec/schema-commits.json b/src/graphql/data/ghec/schema-commits.json index 68a9d4250a07..c517be6cb3bc 100644 --- a/src/graphql/data/ghec/schema-commits.json +++ b/src/graphql/data/ghec/schema-commits.json @@ -2189,6 +2189,13 @@ "type": "URI", "id": "uri", "href": "/graphql/reference/other#scalar-uri" + }, + { + "name": "updatedAt", + "description": "Identifies the date and time when the object was last updated.
", + "type": "DateTime!", + "id": "datetime", + "href": "/graphql/reference/other#scalar-datetime" } ], "category": "commits" diff --git a/src/graphql/data/ghec/schema-pulls.json b/src/graphql/data/ghec/schema-pulls.json index 925b84da2d37..8ae21384d4c1 100644 --- a/src/graphql/data/ghec/schema-pulls.json +++ b/src/graphql/data/ghec/schema-pulls.json @@ -1,5 +1,37 @@ { "mutations": [ + { + "name": "addPullRequestCreationCapBypassUsers", + "id": "addpullrequestcreationcapbypassusers", + "href": "/graphql/reference/pulls#mutation-addpullrequestcreationcapbypassusers", + "description": "Add users to the pull request creation cap bypass list. Bypassed users can\ncreate pull requests regardless of the configured cap. Only repository admins\ncan manage the bypass list. You can add a maximum of 100 users per request.\nThe bypass list can only hold a maximum of 100 users.
", + "isDeprecated": false, + "inputFields": [ + { + "name": "input", + "type": "AddPullRequestCreationCapBypassUsersInput!", + "id": "addpullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-addpullrequestcreationcapbypassusersinput" + } + ], + "returnFields": [ + { + "name": "clientMutationId", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string", + "description": "A unique identifier for the client performing the mutation.
" + }, + { + "name": "repository", + "type": "Repository", + "id": "repository", + "href": "/graphql/reference/repos#object-repository", + "description": "The repository with the updated bypass list.
" + } + ], + "category": "pulls" + }, { "name": "addPullRequestReview", "id": "addpullrequestreview", @@ -618,6 +650,38 @@ ], "category": "pulls" }, + { + "name": "removePullRequestCreationCapBypassUsers", + "id": "removepullrequestcreationcapbypassusers", + "href": "/graphql/reference/pulls#mutation-removepullrequestcreationcapbypassusers", + "description": "Remove users from the pull request creation cap bypass list. Only repository admins can manage the bypass list.
", + "isDeprecated": false, + "inputFields": [ + { + "name": "input", + "type": "RemovePullRequestCreationCapBypassUsersInput!", + "id": "removepullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-removepullrequestcreationcapbypassusersinput" + } + ], + "returnFields": [ + { + "name": "clientMutationId", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string", + "description": "A unique identifier for the client performing the mutation.
" + }, + { + "name": "repository", + "type": "Repository", + "id": "repository", + "href": "/graphql/reference/repos#object-repository", + "description": "The repository with the updated bypass list.
" + } + ], + "category": "pulls" + }, { "name": "reopenPullRequest", "id": "reopenpullrequest", @@ -4892,6 +4956,61 @@ ], "category": "pulls" }, + { + "name": "PullRequestCreationCapConfig", + "id": "pullrequestcreationcapconfig", + "href": "/graphql/reference/pulls#object-pullrequestcreationcapconfig", + "description": "Users who are exempt from the pull request creation cap on a repository.
", + "isDeprecated": false, + "fields": [ + { + "name": "bypassedUsers", + "description": "Users who are exempt from the pull request creation cap.
", + "type": "UserConnection!", + "id": "userconnection", + "href": "/graphql/reference/users#object-userconnection", + "arguments": [ + { + "name": "after", + "description": "Returns the elements in the list that come after the specified cursor.
", + "type": { + "name": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + } + }, + { + "name": "before", + "description": "Returns the elements in the list that come before the specified cursor.
", + "type": { + "name": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + } + }, + { + "name": "first", + "description": "Returns the first n elements from the list.
", + "type": { + "name": "Int", + "id": "int", + "href": "/graphql/reference/other#scalar-int" + } + }, + { + "name": "last", + "description": "Returns the last n elements from the list.
", + "type": { + "name": "Int", + "id": "int", + "href": "/graphql/reference/other#scalar-int" + } + } + ] + } + ], + "category": "pulls" + }, { "name": "PullRequestEdge", "id": "pullrequestedge", @@ -8615,6 +8734,38 @@ } ], "inputObjects": [ + { + "name": "AddPullRequestCreationCapBypassUsersInput", + "id": "addpullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-addpullrequestcreationcapbypassusersinput", + "description": "Autogenerated input type of AddPullRequestCreationCapBypassUsers.
", + "inputFields": [ + { + "name": "clientMutationId", + "description": "A unique identifier for the client performing the mutation.
", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + }, + { + "name": "repositoryId", + "description": "The Node ID of the repository.
", + "type": "ID!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + }, + { + "name": "userIds", + "description": "The Node IDs of the users to add to the bypass list.
", + "type": "[ID!]!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + } + ], + "category": "pulls" + }, { "name": "AddPullRequestReviewCommentInput", "id": "addpullrequestreviewcommentinput", @@ -9595,6 +9746,38 @@ ], "category": "pulls" }, + { + "name": "RemovePullRequestCreationCapBypassUsersInput", + "id": "removepullrequestcreationcapbypassusersinput", + "href": "/graphql/reference/pulls#input-object-removepullrequestcreationcapbypassusersinput", + "description": "Autogenerated input type of RemovePullRequestCreationCapBypassUsers.
", + "inputFields": [ + { + "name": "clientMutationId", + "description": "A unique identifier for the client performing the mutation.
", + "type": "String", + "id": "string", + "href": "/graphql/reference/other#scalar-string" + }, + { + "name": "repositoryId", + "description": "The Node ID of the repository.
", + "type": "ID!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + }, + { + "name": "userIds", + "description": "The Node IDs of the users to remove from the bypass list.
", + "type": "[ID!]!", + "id": "id", + "href": "/graphql/reference/other#scalar-id", + "isDeprecated": false + } + ], + "category": "pulls" + }, { "name": "ReopenPullRequestInput", "id": "reopenpullrequestinput", diff --git a/src/graphql/data/ghec/schema-repos.json b/src/graphql/data/ghec/schema-repos.json index 44b83a6cf091..734c46aa8c2e 100644 --- a/src/graphql/data/ghec/schema-repos.json +++ b/src/graphql/data/ghec/schema-repos.json @@ -5338,6 +5338,13 @@ } ] }, + { + "name": "pullRequestCreationCapConfig", + "description": "A list of users who are exempt from the pull request creation cap on this repository. Only visible to repository admins.
", + "type": "PullRequestCreationCapConfig", + "id": "pullrequestcreationcapconfig", + "href": "/graphql/reference/pulls#object-pullrequestcreationcapconfig" + }, { "name": "pullRequestCreationPolicy", "description": "The policy controlling who can create pull requests in this repository.
", diff --git a/src/graphql/data/ghec/schema.docs.graphql b/src/graphql/data/ghec/schema.docs.graphql index 1b0bc6696e5a..d62d035bf8a0 100644 --- a/src/graphql/data/ghec/schema.docs.graphql +++ b/src/graphql/data/ghec/schema.docs.graphql @@ -842,6 +842,41 @@ type AddProjectV2ItemByIdPayload { item: ProjectV2Item } +""" +Autogenerated input type of AddPullRequestCreationCapBypassUsers +""" +input AddPullRequestCreationCapBypassUsersInput { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The Node ID of the repository. + """ + repositoryId: ID! @possibleTypes(concreteTypes: ["Repository"]) + + """ + The Node IDs of the users to add to the bypass list. + """ + userIds: [ID!]! @possibleTypes(concreteTypes: ["User"]) +} + +""" +Autogenerated return type of AddPullRequestCreationCapBypassUsers. +""" +type AddPullRequestCreationCapBypassUsersPayload { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The repository with the updated bypass list. + """ + repository: Repository +} + """ Autogenerated input type of AddPullRequestReviewComment """ @@ -26510,6 +26545,19 @@ type Mutation @docsCategory(name: "meta") { input: AddProjectV2ItemByIdInput! ): AddProjectV2ItemByIdPayload @docsCategory(name: "projects") + """ + Add users to the pull request creation cap bypass list. Bypassed users can + create pull requests regardless of the configured cap. Only repository admins + can manage the bypass list. You can add a maximum of 100 users per request. + The bypass list can only hold a maximum of 100 users. + """ + addPullRequestCreationCapBypassUsers( + """ + Parameters for AddPullRequestCreationCapBypassUsers + """ + input: AddPullRequestCreationCapBypassUsersInput! + ): AddPullRequestCreationCapBypassUsersPayload @docsCategory(name: "pulls") + """ Adds a review to a Pull Request. """ 
@@ -27951,6 +27999,16 @@ type Mutation @docsCategory(name: "meta") { input: RemoveOutsideCollaboratorInput! ): RemoveOutsideCollaboratorPayload @docsCategory(name: "orgs") + """ + Remove users from the pull request creation cap bypass list. Only repository admins can manage the bypass list. + """ + removePullRequestCreationCapBypassUsers( + """ + Parameters for RemovePullRequestCreationCapBypassUsers + """ + input: RemovePullRequestCreationCapBypassUsersInput! + ): RemovePullRequestCreationCapBypassUsersPayload @docsCategory(name: "pulls") + """ Removes a reaction from a subject. """ @@ -44120,6 +44178,36 @@ type PullRequestContributionsByRepository @docsCategory(name: "pulls") { repository: Repository! } +""" +Users who are exempt from the pull request creation cap on a repository. +""" +type PullRequestCreationCapConfig @docsCategory(name: "pulls") { + """ + Users who are exempt from the pull request creation cap. + """ + bypassedUsers( + """ + Returns the elements in the list that come after the specified cursor. + """ + after: String + + """ + Returns the elements in the list that come before the specified cursor. + """ + before: String + + """ + Returns the first _n_ elements from the list. + """ + first: Int + + """ + Returns the last _n_ elements from the list. + """ + last: Int + ): UserConnection! +} + """ The policy controlling who can create pull requests in a repository. """ 
@@ -48393,6 +48481,41 @@ type RemoveOutsideCollaboratorPayload { removedUser: User } +""" +Autogenerated input type of RemovePullRequestCreationCapBypassUsers +""" +input RemovePullRequestCreationCapBypassUsersInput { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The Node ID of the repository. + """ + repositoryId: ID! @possibleTypes(concreteTypes: ["Repository"]) + + """ + The Node IDs of the users to remove from the bypass list. + """ + userIds: [ID!]! @possibleTypes(concreteTypes: ["User"]) +} + +""" +Autogenerated return type of RemovePullRequestCreationCapBypassUsers. +""" +type RemovePullRequestCreationCapBypassUsersPayload { + """ + A unique identifier for the client performing the mutation. + """ + clientMutationId: String + + """ + The repository with the updated bypass list. + """ + repository: Repository +} + """ Autogenerated input type of RemoveReaction """ @@ -53655,6 +53778,11 @@ type Repository implements Node & PackageOwner & ProjectOwner & ProjectV2Recent number: Int! ): PullRequest + """ + A list of users who are exempt from the pull request creation cap on this repository. Only visible to repository admins. + """ + pullRequestCreationCapConfig: PullRequestCreationCapConfig + """ The policy controlling who can create pull requests in this repository. """ @@ -62840,6 +62968,11 @@ type StatusContext implements Node & RequirableByPullRequest @docsCategory(name: The URL for this status context. """ targetUrl: URI + + """ + Identifies the date and time when the object was last updated. + """ + updatedAt: DateTime! } """ diff --git a/src/languages/lib/correct-translation-content.ts b/src/languages/lib/correct-translation-content.ts index 24639eebcaac..2b05a40af3f9 100644 --- a/src/languages/lib/correct-translation-content.ts +++ b/src/languages/lib/correct-translation-content.ts 
@@ -240,6 +240,15 @@ export function correctTranslatedContentStrings( 'tienen prioridad sobre el envío automático de dependencias.{% endif %}\n', ) } + + // [SCRAPE-6642] admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta.md + // (title): `{% ifversion ghec %}SCIM{% else %} con Okta` is never closed — + // the `{% endif %}` is missing. The corrector runs on the PARSED title + // value, so match the unquoted substring (no trailing YAML quote). + content = content.replaceAll( + '{% ifversion ghec %}SCIM{% else %} con Okta', + '{% ifversion ghec %}SCIM{% else %} con Okta{% endif %}', + ) } if (context.code === 'ja') { @@ -864,6 +873,15 @@ export function correctTranslatedContentStrings( '{% else %} 的访问权限。', '{% else %}组织的设置{% endif %} 的访问权限。', ) + + // [SCRAPE-6642] admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta.md + // (intro): `{% endif %}` appears before `{% ifversion ghec %}` — the two + // tags are swapped, leaving an orphan endif and an unclosed ifversion. + // Restore the English pattern: enterprise{% ifversion ghec %} on X or Y{% endif %}. + content = content.replaceAll( + '在{% data variables.product.prodname_dotcom_the_website %}或{% data variables.enterprise.data_residency_site %}{% endif %}上的企业{% ifversion ghec %}进行通信。', + '的企业{% ifversion ghec %}在{% data variables.product.prodname_dotcom_the_website %}或{% data variables.enterprise.data_residency_site %}{% endif %}进行通信。', + ) } if (context.code === 'ru') { 
@@ -1178,6 +1196,17 @@ export function correctTranslatedContentStrings( '{% ifversion enterprise-licensing-language %}license-language%else %}licenses{% license seats{% endif %}', '{% ifversion enterprise-licensing-language %}licenses{% else %}licensed seats{% endif %}', ) + + // [SCRAPE-6642] admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta.md + // (title): translator swapped the ghec/non-ghec branches and the `{% else %}` + // ended up as an orphan after the `{% endif %}` already closed the block. + // Reconstruct to match English: Configuring {% ifversion ghec %}SCIM{% else %}authentication and{% endif %} provisioning with Okta. + // The corrector runs on the PARSED title value, so match the unquoted + // substring (no trailing YAML quote). + content = content.replaceAll( + '{% ifversion ghec %}аутентификации и{% endif %} провизионирования SCIM{% else %}с помощью Okta', + '{% ifversion ghec %}SCIM{% else %}аутентификации и{% endif %} провизионирования с помощью Okta', + ) } if (context.code === 'fr') { @@ -1535,6 +1564,16 @@ export function correctTranslatedContentStrings( '{% else %}에 대한 액세스를 제어할 수 있습니다.', '{% else %}조직의 설정{% endif %}에 대한 액세스를 제어할 수 있습니다.', ) + + // [SCRAPE-6642] code-security/how-tos/secure-at-scale/configure-enterprise-security/configure-specific-tools/configuring-code-scanning-for-your-appliance.md + // (intro): the second `{% ifversion default-setup-self-hosted-runners-GHEC %}` + // is a corruption — it should be `{% endif %}` to close the first one. + // This left the `{% ifversion %}` block unclosed and broke the + // /ko/code-security landing page scrape. Restore the endif. + content = content.replaceAll( + '{% data variables.product.prodname_dotcom %}.{% ifversion default-setup-self-hosted-runners-GHEC %}', + '{% data variables.product.prodname_dotcom %}.{% endif %}', + ) } if (context.code === 'de') { 
@@ -1718,6 +1757,26 @@ export function correctTranslatedContentStrings( 'Mit angepassten Organisationsrollen kannst du den Zugriff auf die Einstellungen deiner {% ifversion org-custom-role-with-repo-permissions %}Organisation und die Repositories{% else %}einer Organisation steuern.', 'Mit angepassten Organisationsrollen kannst du den Zugriff auf die Einstellungen deiner {% ifversion org-custom-role-with-repo-permissions %}Organisation und die Repositories{% else %}einer Organisation{% endif %} steuern.', ) + + // [SCRAPE-6642] admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-pingfederate.md + // (intro): translator swapped the ghes/non-ghes branches. The EMU/dotcom/data-residency + // text ended up inside `{% ifversion ghes %}...{% endif %}`, the `{% endif %}` closed + // the block too early, and `{% else %}` was left as an orphan after it. + // Reconstruct to match English: {% ifversion ghes %}centrally manage...{% else %}for EMUs on dotcom...{% endif %}. 
+ content = content.replaceAll( + '{% ifversion ghes %}ein, um Authentifizierung und Provisionierung für {% data variables.product.prodname_emus %} auf {% data variables.product.prodname_dotcom_the_website %} oder {% data variables.enterprise.data_residency_site %}{% endif %} für Ihr Unternehmen{% else %} zentral zu verwalten.', + '{% ifversion ghes %}ein, um Authentifizierung und Provisionierung für Ihr Unternehmen zentral zu verwalten{% else %}für {% data variables.product.prodname_emus %} auf {% data variables.product.prodname_dotcom_the_website %} oder {% data variables.enterprise.data_residency_site %}{% endif %}.', + ) + + // [SCRAPE-6642] code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-access-to-private-registries.md + // (intro): `{% endif %}` was replaced by a duplicate + // `{% data variables.product.prodname_dependabot %}` reference, leaving + // `{% ifversion dependabot-on-actions-self-hosted %}` unclosed. This broke + // the /de/code-security landing page scrape. Restore the endif. + content = content.replaceAll( + 'auf selbst-gehosteten Runnern ausführen.{% data variables.product.prodname_dependabot %}', + 'auf selbst-gehosteten Runnern ausführen.{% endif %}', + ) } // --- Generic fixes (all languages) --- diff --git a/src/languages/tests/correct-translation-content.ts b/src/languages/tests/correct-translation-content.ts index 4bbe0be711e5..0295d2980da9 100644 --- a/src/languages/tests/correct-translation-content.ts +++ b/src/languages/tests/correct-translation-content.ts 
@@ -2285,4 +2285,57 @@ Para más información, consulta "[AUTOTITLE](/path)". ) }) }) + + // ─── SCRAPE-6642: search-scrape failures ───────────────────────────── + // Six translated title/intro corruptions from the June 10 batch broke the + // admin and code-security index scrapes (github/docs-engineering#6642). + // The corrector runs on the PARSED title/intro value, so the title fixes + // must match the unquoted substring (no surrounding YAML quote). + describe('SCRAPE-6642 per-file fixes', () => { + test('es: configuring-scim-provisioning-with-okta title closes ghec conditional', () => { + const broken = + 'Configuración de la autenticación de {% ifversion ghec %}SCIM{% else %} con Okta' + expect(fix(broken, 'es')).toBe( + 'Configuración de la autenticación de {% ifversion ghec %}SCIM{% else %} con Okta{% endif %}', + ) + }) + + test('zh: configuring-scim-provisioning-with-okta intro unswaps endif/ifversion', () => { + const broken = + '在{% data variables.product.prodname_dotcom_the_website %}或{% data variables.enterprise.data_residency_site %}{% endif %}上的企业{% ifversion ghec %}进行通信。' + expect(fix(broken, 'zh')).toBe( + '的企业{% ifversion ghec %}在{% data variables.product.prodname_dotcom_the_website %}或{% data variables.enterprise.data_residency_site %}{% endif %}进行通信。', + ) + }) + + test('ru: configuring-scim-provisioning-with-okta title unswaps branches', () => { + const broken = + 'Настройка {% ifversion ghec %}аутентификации и{% endif %} провизионирования SCIM{% else %}с помощью Okta' + expect(fix(broken, 'ru')).toBe( + 'Настройка {% ifversion ghec %}SCIM{% else %}аутентификации и{% endif %} провизионирования с помощью Okta', + ) + }) + + test('ko: configuring-code-scanning-for-your-appliance intro closes ifversion', () => { + const broken = + '에서 {% data variables.product.prodname_dotcom %}.{% ifversion default-setup-self-hosted-runners-GHEC %}' + expect(fix(broken, 'ko')).toBe( + '에서 {% data variables.product.prodname_dotcom %}.{% endif %}', + ) + }) + + 
test('de: configuring-authentication-and-provisioning-with-pingfederate intro unswaps branches', () => { + const broken = + '{% ifversion ghes %}ein, um Authentifizierung und Provisionierung für {% data variables.product.prodname_emus %} auf {% data variables.product.prodname_dotcom_the_website %} oder {% data variables.enterprise.data_residency_site %}{% endif %} für Ihr Unternehmen{% else %} zentral zu verwalten.' + expect(fix(broken, 'de')).toBe( + '{% ifversion ghes %}ein, um Authentifizierung und Provisionierung für Ihr Unternehmen zentral zu verwalten{% else %}für {% data variables.product.prodname_emus %} auf {% data variables.product.prodname_dotcom_the_website %} oder {% data variables.enterprise.data_residency_site %}{% endif %}.', + ) + }) + + test('de: configure-access-to-private-registries intro restores endif', () => { + const broken = + 'auf selbst-gehosteten Runnern ausführen.{% data variables.product.prodname_dependabot %}' + expect(fix(broken, 'de')).toBe('auf selbst-gehosteten Runnern ausführen.{% endif %}') + }) + }) }) diff --git a/src/versions/lib/enterprise-server-releases.ts b/src/versions/lib/enterprise-server-releases.ts index 150a4ec68890..16f90b8d93ee 100644 --- a/src/versions/lib/enterprise-server-releases.ts +++ b/src/versions/lib/enterprise-server-releases.ts @@ -36,7 +36,7 @@ export const nextNext = '3.23' export const supported = ['3.21', '3.20', '3.19', '3.18', '3.17'] // Set to version number when in RC phase, null when no RC is active -export const releaseCandidate = '3.21' +export const releaseCandidate = null // Deprecated versions with functional redirect handling (3.0+) // When archiving a new version, add it here and update the archival process
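Review bot: in the GraphQL schema hunk that adds `pullRequestCreationCapConfig` to `Repository`, the docstring calls the field "A list of users" although it returns a `PullRequestCreationCapConfig` object, and "Only visible to repository admins" does not say what a non-admin caller gets back. The field is nullable, so state explicitly whether non-admins receive `null` or a permission error, because clients will otherwise read `null` as "no bypass list configured". The type docstring for `PullRequestCreationCapConfig` has the same wording problem: it repeats the `bypassedUsers` description instead of describing the configuration object.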
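Review bot: in the hunk adding `RemovePullRequestCreationCapBypassUsersInput` and its payload, the docs do not say what happens when an entry in `userIds` is not on the bypass list, nor when the payload's nullable `repository` field is `null`. Document whether unknown or non-bypassed IDs are ignored or fail the whole mutation, and when `repository` can be absent, so callers automating bypass-list cleanup can tell a partial removal from a complete one.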
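Review bot: the `es` replacement in the `@@ -240,6 +240,15 @@` hunk of `correct-translation-content.ts` is not idempotent, because the search string `'{% ifversion ghec %}SCIM{% else %} con Okta'` is a prefix of its own replacement. As soon as the translation is fixed upstream, or the corrector is given already-corrected text, `replaceAll` matches again and produces `con Okta{% endif %}{% endif %}`, which reintroduces an unbalanced tag. Match only when no `{% endif %}` follows (for example with a regex and a negative lookahead). Separately, the corrected title leaves ` con Okta` as the whole `{% else %}` branch, which differs from the English pattern quoted in the `ru` hunk; confirm that the rendered title is what you intend for both versions.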
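Review bot: the `ko` search string in the `@@ -1535,6 +1564,16 @@` hunk, `'{% data variables.product.prodname_dotcom %}.{% ifversion default-setup-self-hosted-runners-GHEC %}'`, carries no page-specific text, yet it is applied with `replaceAll` to all Korean content. Any page where a sentence ending in the `prodname_dotcom` variable is legitimately followed by an opening `{% ifversion default-setup-self-hosted-runners-GHEC %}` would have that opener turned into an orphan `{% endif %}`. Include some of the preceding Korean text from the affected intro in the match so the fix is scoped to the one corrupted string.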
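Review bot: the second `de` replacement in the `@@ -1718,6 +1757,26 @@` hunk swaps every occurrence of `'auf selbst-gehosteten Runnern ausführen.{% data variables.product.prodname_dependabot %}'` for an `{% endif %}`, which assumes the `prodname_dependabot` reference after that sentence is always the corruption. If any German page has this sentence followed by a new sentence that starts with the Dependabot variable, the fix deletes the product name and injects an unmatched `{% endif %}`. Anchor the match on more of the intro, including the opening `{% ifversion dependabot-on-actions-self-hosted %}` if it fits in one string.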
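Review bot: the `SCRAPE-6642 per-file fixes` tests assert only the literal substitution on the broken fragment, so they would still pass if a fix corrupted content that is already correct. Add a case per fix that feeds the corrected string back through `fix` and expects it unchanged; the `es` case would currently fail that check. For the `ko` and `de: configure-access-to-private-registries` cases, use an input that contains the opening `{% ifversion ... %}` tag, so the test shows the block is actually balanced after the fix instead of only showing that one tag was swapped.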