diff --git a/content/actions/reference/workflows-and-actions/expressions.md b/content/actions/reference/workflows-and-actions/expressions.md
index c7c1915b7d16..0e06951605eb 100644
--- a/content/actions/reference/workflows-and-actions/expressions.md
+++ b/content/actions/reference/workflows-and-actions/expressions.md
@@ -297,12 +297,13 @@ Sets `MY_ENV_VAR` to `production` when the ref is `refs/heads/main`, otherwise s
 
 ```yaml
 env:
- MY_ENV_VAR: ${{ case(
- github.ref == 'refs/heads/main', 'production',
- github.ref == 'refs/heads/staging', 'staging',
- startsWith(github.ref, 'refs/heads/feature/'), 'development',
- 'unknown'
- ) }}
+ MY_ENV_VAR: |-
+ ${{ case(
+ github.ref == 'refs/heads/main', 'production',
+ github.ref == 'refs/heads/staging', 'staging',
+ startsWith(github.ref, 'refs/heads/feature/'), 'development',
+ 'unknown'
+ ) }}
 ```
 
 {% endraw %}
diff --git a/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md b/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md
index a7ae3fc8ffe5..dce8c90d94f2 100644
--- a/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md
+++ b/content/admin/backing-up-and-restoring-your-instance/backup-service-for-github-enterprise-server/about-the-backup-service-for-github-enterprise-server.md
@@ -12,7 +12,7 @@ topics:
 - Infrastructure
 ---
 
->[!NOTE] {% data variables.product.prodname_enterprise_backup_service %} is currently in {% data variables.release-phases.public_preview %} and is subject to change. During the public preview, the service is available at no additional cost.
+>[!NOTE] {% data variables.product.prodname_enterprise_backup_service %} is currently in {% data variables.release-phases.public_preview %} and subject to change. The service is available at no additional cost and will remain free.
 
 ## About the {% data variables.product.prodname_enterprise_backup_service %}
 
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md
index b5fe3aaa964a..daced6d3b310 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups.md
@@ -26,16 +26,15 @@ topics:
 
 ## About team management with {% ifversion ghec %}{% data variables.product.prodname_emus %}{% else %}SCIM{% endif %}
 
-{% data reusables.emus.about-team-management-with-idp %} When you connect a team in one of your enterprise's organizations to an IdP group, changes to membership from the IdP group are reflected in your enterprise automatically, reducing the need for manual updates and custom scripts.
+{% data reusables.emus.about-team-management-with-idp %}
 
-When a change to an IdP group or a new team connection results in a user joining a team in an organization they were not already a member of, the user will automatically be added to the organization. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization if they are not assigned membership in the organization by any other means.
+The following sections explain how {% data variables.product.github %} uses SCIM provisioning and reconciliation jobs to keep team and organization membership in sync with your IdP.
 
-> [!NOTE]
-> Organization owners can also add users to organizations manually, as long as the accounts have already been provisioned via SCIM.
+When {% data variables.product.github %} receives a **Group SCIM API call** from your IdP, it generates an `external_group.scim_api_success` or `external_group.scim_api_failure` event in the enterprise audit log. These events capture detailed information about the call, including the payload and operation performed, and are recorded in the audit log with the **actor** set to the {% ifversion ghes %}built-in/local user{% else %}setup user{% endif %}, the account used to configure SCIM provisioning.
 
-When group membership changes on your IdP, your IdP sends a SCIM request with the changes to {% data variables.product.prodname_dotcom %} according to the schedule determined by your IdP, so change may not be immediate. Any requests that change team or organization membership will register in the audit log as changes made by the account used to configure user provisioning.
+Once {% data variables.product.github %} stores the group data at the enterprise level, it runs a daily reconciliation job to synchronize team membership with the stored IdP group data. This reconciliation also runs whenever a Group SCIM API call updates group membership, and if an admin links or unlinks a team to a stored group.
 
-{% data variables.product.prodname_dotcom %} also runs a reconciliation job once per day, which synchronizes team membership with IdP group membership that is stored on {% data variables.product.prodname_dotcom %}, based on information previously sent from the IdP via SCIM. If this job finds that a user is a member of an IdP group in the enterprise, but they are not a member of the mapped team or its organization, the job will attempt to add the user to the organization and team.
+When a change to an IdP group or a new team connection results in a user joining a team in an organization they were not already a member of, {% data variables.product.github %} automatically adds the user to the organization. When you disconnect a group from a team, {% data variables.product.github %} removes users who became members of the organization via team membership if they do not have membership in the organization by any other means.
 
 Teams connected to IdP groups cannot be parents of other teams nor a child of another team. If the team you want to connect to an IdP group is a parent or child team, we recommend creating a new team or removing the nested relationships that make your team a parent team.
 
@@ -43,7 +42,7 @@ To manage repository access for any team in your enterprise, including teams con ## Requirements for connecting IdP groups with teams -Before you can connect an IdP group with a team on {% data variables.product.prodname_dotcom %}, you must assign the group to the {% ifversion ghec %}{% data variables.product.prodname_emu_idp_application %}{% else %}relevant{% endif %} application in your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users). +Before you can connect an IdP group with a team on {% data variables.product.github %}, you must assign the group to the {% ifversion ghec %}{% data variables.product.prodname_emu_idp_application %}{% else %}relevant{% endif %} application in your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users). You can connect a team in your enterprise to one IdP group. You can assign the same IdP group to multiple teams in your enterprise. diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md index f1792b1065de..e4e69224e12a 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/troubleshooting-team-membership-with-identity-provider-groups.md 
@@ -44,18 +44,33 @@ If {% data variables.product.prodname_dotcom %} is unable to synchronize team me
 
 ### Error: "Out of sync due to insufficient licenses"
 
-If your enterprise does not have sufficient licenses and {% data variables.product.prodname_dotcom %} is unable to synchronize team membership with a group on your IdP, you'll see a message that reads "Out of sync due to insufficient licenses".
+{% data variables.product.prodname_dotcom %} stores IdP group membership data for {% ifversion ghes %}SCIM-provisioned users{% else %}{% data variables.product.prodname_emus %}{% endif %} at the enterprise level. This data is populated and updated through Group SCIM API calls from your identity provider (IdP).
+
+For IdP groups that are mapped to teams, {% data variables.product.prodname_dotcom %} runs a **daily reconciliation job** to synchronize team membership with the stored enterprise-level IdP group data. The reconciliation also runs whenever a Group SCIM API call updates group membership, or when an admin links or unlinks a team to a stored group on GitHub.
+
+If your enterprise does not have enough licenses available, {% data variables.product.prodname_dotcom %} may be unable to complete this synchronization. When this occurs, you’ll see the message:
+> "Out of sync due to insufficient licenses"
+
+As a result, the affected team or organization may be missing members.
 
 ![Screenshot of the IdP group page. A warning that a team is out of sync due to insufficient licenses is outlined in dark orange.](/assets/images/help/enterprises/emu-group-team-not-synced-missing-licenses.png)
 
-The team may be missing members because your enterprise does not have sufficient licenses available. {% data variables.product.prodname_dotcom %} is unable to synchronize the team's membership with a group on your IdP, and any unlicensed user cannot be added to an organization.
+To investigate this issue, review your enterprise's total available licenses, as well as detailed information about which users are consuming licenses and why. For more information, see [AUTOTITLE](/billing/reference/github-license-users#organizations-on-github-enterprise-cloud) and [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise).
+
+#### Resolving the issue
+
+To allow synchronization to complete successfully, make additional enterprise licenses available using one of the following approaches:
 
-1. Review the available licenses for your enterprise. For more information, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise).
-1. To resolve the problem, choose one of the following solutions.
+* **Free up existing licenses**
+ * Identify which users are consuming licenses and whether they still need access.
+ * Remove users from organizations or IdP groups as needed, depending on how you manage organization and team membership (see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#filtering-by-member-type-in-an-enterprise-with-managed-users)):
+ * If you manage your organization's membership via IdP groups, remove users from the relevant group(s).
+ * Monitor these enterprise audit log events to track SCIM API calls that update group membership or managed user accounts (see [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise):
+ * `external_group.scim_api_failure` / `external_group.scim_api_success`
+ * `external_identity.scim_api_failure` / `external_identity.scim_api_success`
 
- * Remove users from the IdP group.
- * Deprovision users from your enterprise.
- * Purchase additional licenses to allow synchronization to complete. For more information, see [AUTOTITLE](/billing/managing-the-plan-for-your-github-account/about-per-user-pricing#about-changes-to-your-subscription).
+* **Purchase additional licenses**
+ * If all current users require access, purchase more licenses for your enterprise. For more information, see [AUTOTITLE](/billing/how-tos/manage-plan-and-licenses/manage-user-licenses#enterprises-on-github-enterprise-cloud).
 
 {% endif %}
 
diff --git a/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md b/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md
index a836eb578a65..83dd1ed9ca0a 100644
--- a/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md
+++ b/content/code-security/concepts/supply-chain-security/about-dependabot-on-github-actions-runners.md
@@ -24,104 +24,31 @@ contentType: concepts Using {% data variables.product.prodname_actions %} runners allows you to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs. You can also integrate {% data variables.product.prodname_dependabot %} into your CI/CD pipelines by using {% data variables.product.prodname_actions %} APIs and webhooks to detect {% data variables.product.prodname_dependabot %} job status such as failed runs, and perform downstream processing. For more information, see [AUTOTITLE](/rest/actions) and [AUTOTITLE](/webhooks/webhook-events-and-payloads). -> [!NOTE] -> Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions). - -You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using: -* {% data variables.product.prodname_dotcom %}-hosted runners -* {% data variables.actions.hosted_runners_caps %}. These runners are {% data variables.product.prodname_dotcom %}-hosted, with advanced features, such as more RAM, CPU, and disk space. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). -* Self-hosted runners. For more information on assigning a `dependabot` label on self-hosted runners, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). - -{% data reusables.dependabot.vnet-arc-note %} - -Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. 
If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative. - -If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see [AUTOTITLE](/rest/meta). - -{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %} - -> [!NOTE] -> {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} relies on the `ubuntu-latest` label to select the appropriate runner. To ensure {% data variables.product.prodname_dependabot %} runs on {% data variables.product.github %}-hosted runners, you should not use the label `ubuntu-latest` for self-hosted runners. - -## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.product.github %}-hosted runners - -This section only applies to standard {% data variables.product.github %}-hosted runners, not larger runners. 
- -New repositories that you create in your user account or in your organization will automatically be configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} if any of the following is true: +New repositories that you create in your user account or in your organization will automatically be configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using standard {% data variables.product.github %}-hosted runners if any of the following is true: * {% data variables.product.prodname_dependabot %} is installed and enabled, and {% data variables.product.prodname_actions %} is enabled and in use. * The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" setting for your organization is enabled. -For existing repositories, you can opt in to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} as follows. - Future releases of {% data variables.product.github %} will remove the ability to disable running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. -If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint. - ->[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. 
These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). - -Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run. - -### Enabling or disabling for your repository - -You can manage {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for your public{% ifversion ghec %}, private or internal{% else %} or private{% endif %} repository. +> [!NOTE] Enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} may increase the number of concurrent jobs run in your account. If required, customers on enterprise plans can request a higher limit for concurrent jobs. For more information, contact us through the {% data variables.contact.contact_support_portal %}, or contact your sales representative. -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -1. Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on Actions runners", click **Enable** to enable the feature or **Disable** to disable it. +## Runner options -### Enabling or disabling for your organization - -You can enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} for all existing repositories in an organization. 
- -Only repositories with the following configuration will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered. - - * {% data variables.product.prodname_dependabot %} is enabled in the repository. - * {% data variables.product.prodname_actions %} is enabled in the repository. - -If a repository in your organization has {% data variables.product.prodname_dependabot %} enabled but {% data variables.product.prodname_actions %} disabled, {% data variables.product.prodname_dependabot %} will not run on {% data variables.product.prodname_actions %}, but will continue to run using the built-in {% data variables.product.prodname_dependabot %} application. - -{% data reusables.profile.access_org %} -{% data reusables.profile.org_settings %} -{% data reusables.security-configurations.display-global-settings %} -1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on Actions runners" to enable the feature or deselect to disable it. - -For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#enabling-dependency-updates-on-github-actions-runners). - -## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %} - -If you run into {% data variables.product.prodname_dependabot %} timeouts and out-of-memory errors, you may want to use {% data variables.actions.hosted_runners %}, as you can configure these runners to have more resources. - -> [!NOTE] You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} _at the organization level_. {% data variables.product.prodname_dotcom %} will bill your organization at the regular Actions runner pricing. 
See [AUTOTITLE](/billing/reference/actions-minute-multipliers). - -1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). -1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. - -## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners - -When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). - -You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). +You can run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} using: +* **Standard {% data variables.product.prodname_dotcom %}-hosted runners.** These are the default runners used by {% data variables.product.github %} to execute {% data variables.product.prodname_actions %} jobs. 
+* **{% data variables.actions.hosted_runners_caps %}.** These are {% data variables.product.prodname_dotcom %}-hosted runners with advanced features like more RAM, CPU, and disk space. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners). +* **Self-hosted runners.** These runners grant you greater control over {% data variables.product.prodname_dependabot %} access to your private registries and internal network resources. Be aware that for security reasons, {% data variables.product.prodname_dependabot_updates %} on self-hosted runners will not run on public repositories. For more information on assigning a `dependabot` label on self-hosted runners, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners). -To re-run a {% data variables.product.prodname_dependabot_version_updates %} or {% data variables.product.prodname_dependabot_security_updates %} job, use the appropriate procedure below. You cannot re-run a {% data variables.product.prodname_dependabot %} job on {% data variables.product.prodname_actions %} as you would for other {% data variables.product.prodname_actions %} workflows and jobs, that is, by using the **Actions** tab in a repository. You cannot view usage data for {% data variables.product.prodname_dependabot_updates %} workflows and jobs in your organization's {% data variables.product.prodname_actions %} usage metrics. +Running {% data variables.product.prodname_dependabot %} on standard {% data variables.product.prodname_dotcom %}-hosted or self-hosted runners **does not** count towards your included {% data variables.product.prodname_actions %} minutes. For {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %}, {% data variables.product.prodname_dotcom %} will bill your organization at the regular rate. See [AUTOTITLE](/billing/reference/actions-minute-multipliers). 
-### Re-running a {% data variables.product.prodname_dependabot_version_updates %} job +{% data reusables.dependabot.vnet-arc-note %} -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.accessing-repository-graphs %} -{% data reusables.repositories.click-dependency-graph %} -{% data reusables.dependabot.click-dependabot-tab %} -1. To the right of the name of manifest file that you're interested in, click **Recent update jobs**. -1. To the right of the affected manifest file, click **Check for updates** to re-run a {% data variables.product.prodname_dependabot_version_updates %} job and check for new updates to dependencies for that ecosystem. +## Access and permissions -### Re-running a {% data variables.product.prodname_dependabot_security_updates %} job +If you are transitioning to using {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners and you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses. For example, if you currently limit access to your private resources to the IP addresses that {% data variables.product.prodname_dependabot %} uses, you should update your allowlist to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses sourced from the meta API endpoint. For more information, see [AUTOTITLE](/rest/meta). -{% data reusables.repositories.navigate-to-repo %} -1. Under your repository name, click **{% octicon "shield-lock" aria-hidden="true" aria-label="shield-lock" %} Security**. -1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_dependabot %}**. -1. Under "{% data variables.product.prodname_dependabot %}", click the alert you want to view. -1. In the section displaying the error details for the alert, click **Try again** to re-run the {% data variables.product.prodname_dependabot_security_updates %} job. 
+{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %} -## Further reading +## Next steps -* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions) +To enable {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners) and [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners). diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md index 627f974cde4a..a3ef7220b029 100644 --- a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization.md 
@@ -33,7 +33,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
 
 * [Creating and managing {% data variables.dependabot.auto_triage_rules %}](#creating-and-managing-dependabot-auto-triage-rules)
 * [Grouping {% data variables.product.prodname_dependabot %} security updates](#grouping-dependabot-security-updates){% ifversion dependabot-on-actions-opt-in %}
-* [Enabling dependency updates on {% data variables.product.prodname_actions %} runners](#enabling-dependency-updates-on-github-actions-runners){% endif %}{% ifversion dependabot-arc-support %}
+* [Enabling dependency updates on {% data variables.product.prodname_actions %} runners](#enabling-dependency-updates-on-github-actions-runners){% endif %}{% ifversion dependabot-self-hosted-labels %}
 * [Configuring the runner type for {% data variables.product.prodname_dependabot %}](#configuring-the-runner-type-for-dependabot){% endif %}{% ifversion fpt %}
 * [Granting {% data variables.product.prodname_dependabot %} access to private repositories](#granting-dependabot-access-to-private-repositories){% else %}
 * [Granting {% data variables.product.prodname_dependabot %} access to private and internal repositories](#granting-dependabot-access-to-private-and-internal-repositories){% endif %}
@@ -62,14 +62,14 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep
 {% endif %}
-{% ifversion dependabot-arc-support %}
+{% ifversion dependabot-self-hosted-labels %}
 ### Configuring the runner type for {% data variables.product.prodname_dependabot %}
 You can configure which type of runner {% data variables.product.prodname_dependabot %} uses to scan for version and security updates. By default, {% data variables.product.prodname_dependabot %} uses standard **{% data variables.product.company_short %}-hosted runners**. You can configure {% data variables.product.prodname_dependabot %} to use **self-hosted runners** with custom labels, which allows you to integrate with existing runner infrastructure such as {% data variables.product.prodname_actions_runner_controller %} (ARC).
 > [!NOTE]
-> * For security reasons, {% data variables.product.prodname_dependabot %} uses {% data variables.product.company_short %}-hosted runners for public repositories, even when you configure labeled runners.
+> * For security reasons, {% data variables.product.prodname_dependabot %} uses {% data variables.product.company_short %}-hosted runners for public repositories, even when you configure labeled runners.
 > * Labeled runners **do not work** for public repositories.
 To configure the runner type:
@@ -83,7 +83,6 @@ To configure the runner type:
 * Optionally, in "Runner group name", enter the name of a runner group if you want to target a specific group of runners.
 1. Click **Save runner selection**.
-
 {% endif %}
 {% ifversion dependabot-on-actions-self-hosted %}
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md
new file mode 100644
index 000000000000..a494371aedeb
--- /dev/null 
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-github-hosted-runners.md 
@@ -0,0 +1,61 @@
+---
+title: Configuring Dependabot on GitHub-hosted runners
+intro: Enable {% data variables.product.prodname_dependabot %} on {% data variables.product.github %}-hosted runners to more easily identify {% data variables.product.prodname_dependabot %} job errors and manually detect and troubleshoot failed runs.
+shortTitle: Configure on GitHub-hosted runners
+permissions: '{% data reusables.permissions.dependabot-actions %}'
+versions:
+ feature: dependabot-on-actions-opt-in
+topics:
+ - Dependabot
+ - Security updates
+ - Version updates
+ - Actions
+ - Dependencies
+ - Repositories
+contentType: how-tos
+---
+
+## Enabling or disabling {% data variables.product.prodname_dependabot %} on standard {% data variables.product.github %}-hosted runners
+
+You can configure {% data variables.product.prodname_dependabot %} on standard {% data variables.product.github %}-hosted runners:
+* [For your repository](#for-your-repository)
+* [For your organization](#for-your-organization)
+
+If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint.
+
+>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. 
For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners).
+
+### For your repository
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+1. Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on Actions runners", click **Enable** to enable the feature or **Disable** to disable it.
+
+ {% data reusables.dependabot.no-ubuntu-latest-label-self-hosted %}
+
+### For your organization
+
+Only repositories meeting the following criteria will be updated to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} the next time a {% data variables.product.prodname_dependabot %} job is triggered.
+
+ * {% data variables.product.prodname_dependabot %} is enabled in the repository.
+ * {% data variables.product.prodname_actions %} is enabled in the repository.
+
+If a repository in your organization has {% data variables.product.prodname_dependabot %} enabled but {% data variables.product.prodname_actions %} disabled, {% data variables.product.prodname_dependabot %} will not run on {% data variables.product.prodname_actions %}, but will continue to run using the built-in {% data variables.product.prodname_dependabot %} application.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.security-configurations.display-global-settings %}{% ifversion dependabot-self-hosted-labels %}
+1. In the "{% data variables.product.prodname_dependabot %}" section, next to "Runner type", confirm that you have selected "Standard {% data variables.product.github %} runner". If not, click {% octicon "pencil" aria-label="Edit runner type" %} and update your configuration.{% else %}
+1. 
Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on Actions runners" to enable the feature or deselect to disable it.{% endif %}
+
+ {% data reusables.dependabot.no-ubuntu-latest-label-self-hosted %}
+
+## Enabling or disabling {% data variables.product.prodname_dependabot %} on {% data variables.actions.hosted_runners %}
+
+If you run into {% data variables.product.prodname_dependabot %} timeouts and out-of-memory errors, you may want to use {% data variables.actions.hosted_runners %}, as you can configure these runners to have more resources. You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} **for an organization**.
+
+1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization).
+1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners#for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name.
+
+ {% data reusables.dependabot.no-ubuntu-latest-label-self-hosted %}
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md
new file mode 100644
index 000000000000..fe9e7fab2346
--- /dev/null
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configure-on-self-hosted-runners.md 
@@ -0,0 +1,63 @@
+---
+title: Configuring Dependabot on self-hosted runners
+intro: You can configure self-hosted runners that {% data variables.product.prodname_dependabot %} uses to access your private registries and internal network resources.
+shortTitle: Configure on self-hosted runners
+permissions: '{% data reusables.permissions.dependabot-actions %}'
+versions:
+ feature: dependabot-on-actions-self-hosted
+topics:
+ - Dependabot
+ - Security updates
+ - Version updates
+ - Actions
+ - Dependencies
+ - Repositories
+redirect_from:
+ - /code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners
+ - /code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners
+ - /code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners
+contentType: how-tos
+---
+
+## Prerequisites
+
+* {% data variables.product.prodname_dependabot %} is installed and enabled.
+* {% data variables.product.prodname_actions %} is enabled and in use.
+
+{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %}
+
+## Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates
+
+1. Provision self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners).
+1. Configure your environment and runners to meet the requirements for {% data variables.product.prodname_dependabot %}. See [Requirements for using {% data variables.product.prodname_dependabot %} with self-hosted runners](/code-security/reference/supply-chain-security/dependabot-on-actions#requirements-for-using-dependabot-with-self-hosted-runners).{% ifversion dependabot-self-hosted-labels %}
+1. 
If you are configuring self-hosted runners for your organization, you can create and assign a custom label for your runners. Otherwise, if you are configuring self-hosted runners for a standalone repository, you need to apply the `dependabot` label. See [AUTOTITLE](/actions/how-tos/manage-runners/self-hosted-runners/apply-labels).{% else %}
+1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner).{% endif %}
+1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).
+
+## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
+
+Once you have configured self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you can enable or disable {% data variables.product.prodname_dependabot_updates %} on self-hosted runners at the organization or repository level.
+
+> [!NOTE]
+> Disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on self-hosted runners" setting does not trigger a new {% data variables.product.prodname_dependabot %} run.
+
+### For your private{% ifversion ghec %} or internal{% endif %} repository
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+1. 
Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on self-hosted runners", click **Enable** to enable the feature or **Disable** to disable it.
+
+ > [!NOTE] If you do not see the option to enable {% data variables.product.prodname_dependabot %} on self-hosted runners, your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories. Contact your organization owner for more information.
+
+### For your organization
+
+You can enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing private{% ifversion ghec %} or internal{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered.
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.security-configurations.display-global-settings %}{% ifversion dependabot-self-hosted-labels %}
+1. In the "{% data variables.product.prodname_dependabot %}" section, next to "Runner type", click {% octicon "pencil" aria-label="Edit runner type" %}.
+1. Select the "Runner type" dropdown menu, then click **Labeled runner** and provide any additional information. If you applied a custom label to your self-hosted runners, type that label in the "Runner label" text box.
+1. To enable the feature for all new repositories in the organization, click **Save runner selection**.{% else %}
+1. Under "{% data variables.product.prodname_dependabot %}", select "{% data variables.product.prodname_dependabot %} on self-hosted runners" to enable the feature for all new repositories in the organization.{% endif %} 
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md
index baf1e01b9726..9bc769b84863 100644
--- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/index.md
@@ -18,11 +18,12 @@ children:
 - /configuring-access-to-private-registries-for-dependabot
 - /removing-dependabot-access-to-public-registries
 - /managing-pull-requests-for-dependency-updates
- - /managing-dependabot-on-self-hosted-runners
+ - /configure-on-github-hosted-runners
+ - /configure-on-self-hosted-runners
+ - /re-run-dependabot-jobs
 - /listing-dependencies-configured-for-version-updates
 - /guidance-for-the-configuration-of-private-registries-for-dependabot
 redirect_from:
 - /code-security/dependabot/maintain-dependencies
 - /code-security/dependabot/dependabot-security-updates
 ---
-
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners.md
deleted file mode 100644
index 2a79d8697e82..000000000000
--- a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/managing-dependabot-on-self-hosted-runners.md
+++ /dev/null 
@@ -1,98 +0,0 @@
----
-title: Managing Dependabot on self-hosted runners
-intro: You can configure self-hosted runners that {% data variables.product.prodname_dependabot %} uses to access your private registries and internal network resources.
-shortTitle: Manage Dependabot on self-hosted runners
-permissions: '{% data reusables.permissions.dependabot-actions %}'
-versions:
- feature: dependabot-on-actions-self-hosted
-topics:
- - Dependabot
- - Security updates
- - Version updates
- - Actions
- - Dependencies
- - Repositories
-redirect_from:
- - /code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners
- - /code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners
-contentType: how-tos
----
-
-## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners
-
-You can help users of your organization and repositories to create and maintain secure code by setting up {% data variables.product.prodname_dependabot %} security and version updates. With {% data variables.product.prodname_dependabot_updates %}, developers can configure repositories so that their dependencies are updated and kept secure automatically. Running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} allows for better performance, and increased visibility and control of {% data variables.product.prodname_dependabot %} jobs.
-
-{% data reusables.dependabot.vnet-arc-note %}
-
-To have greater control over {% data variables.product.prodname_dependabot %} access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. 
-
-For security reasons, when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, {% data variables.product.prodname_dependabot_updates %} will not be run on public repositories.
-
-For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). For information about which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries).
-
-## Prerequisites
-
-You must have {% data variables.product.prodname_dependabot %} installed and enabled, and {% data variables.product.prodname_actions %} enabled and in use. The "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} Runners" setting for your organization should also be enabled. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).
-
-Your organization may have configured a policy to restrict actions and self-hosted runners from running in specific repositories, which in turn will not allow {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. In this case, the organization or repository level setting to enable "{% data variables.product.prodname_dependabot %} on self-hosted runners" will not be visible in the web UI. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization). 
-
-{% data reusables.dependabot.dependabot-on-actions-enterprise-policy-condition %}
-
-## Configuring self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
-
-After you configure your organization or repository to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}, and before you enable {% data variables.product.prodname_dependabot %} on self-hosted runners, you need to configure self-hosted runners for {% data variables.product.prodname_dependabot_updates %}.
-
-### System requirements for {% data variables.product.prodname_dependabot %} runners
-
-{% data reusables.dependabot.dependabot-runners-system-requirements %}
-
-### Network requirements for {% data variables.product.prodname_dependabot %} runners
-
-{% data reusables.dependabot.dependabot-runners-network-requirements %}
-
-### Certificate configuration for {% data variables.product.prodname_dependabot %} runners
-
-If {% data variables.product.prodname_dependabot %} needs to interact with registries that use self-signed certificates, those certificates must also be installed on the self-hosted runners that run {% data variables.product.prodname_dependabot %} jobs. This security hardens the connection. You must also configure Node.js to use the certificate, because most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store.
-
-### Adding self-hosted runners for {% data variables.product.prodname_dependabot %} updates
-
-1. Provision self-hosted runners, at the repository or organization level. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners).
-
-1. Set up the self-hosted runners with the requirements described above. 
For example, on a VM running Ubuntu 20.04 you would:
- * Install Docker and ensure that the runner users have access to Docker. For more information, see the Docker documentation.
- * [Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/)
- * Recommended approach: [Run the Docker daemon as a non-root user (Rootless mode)](https://docs.docker.com/engine/security/rootless/)
- * Alternative approach: [Manage Docker as a non-root user](https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user)
- * Verify that the runners have access to the public internet and can only access the internal networks that {% data variables.product.prodname_dependabot %} needs.
- * Install any self-signed certificates for registries that {% data variables.product.prodname_dependabot %} will need to interact with.
-
-1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner).
-1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).
-
-## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %}
-
-Once you have configured self-hosted runners for {% data variables.product.prodname_dependabot_updates %}, you can enable or disable {% data variables.product.prodname_dependabot_updates %} on self-hosted runners at the organization or repository level. 
-
-Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on self-hosted runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run.
-
-### Enabling or disabling for your repository
-
-You can manage {% data variables.product.prodname_dependabot %} on self-hosted runners for your {% ifversion ghec %}private or internal{% else %}private{% endif %} repository.
-
-{% data reusables.repositories.navigate-to-repo %}
-{% data reusables.repositories.sidebar-settings %}
-{% data reusables.repositories.navigate-to-code-security-and-analysis %}
-1. Under "Dependabot", to the right of "{% data variables.product.prodname_dependabot %} on self-hosted runners", click **Enable** to enable the feature or **Disable** to disable it.
-
-### Enabling or disabling for your organization
-
-You can enable {% data variables.product.prodname_dependabot %} on self-hosted runners for all existing {% ifversion ghec %}private or internal{% else %}private{% endif %} repositories in an organization. Only repositories already configured to run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} will be updated to run {% data variables.product.prodname_dependabot %} on self-hosted runners the next time a {% data variables.product.prodname_dependabot %} job is triggered.
-
-> [!NOTE] You need to enable self-hosted runners for your organization if you use {% data variables.actions.hosted_runners %}. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-dependabot-on-larger-runners).
-
-{% data reusables.profile.access_org %}
-{% data reusables.profile.org_settings %}
-{% data reusables.security-configurations.display-global-settings %}
-1. Under "Dependabot", select "{% data variables.product.prodname_dependabot %} on self-hosted runners" to enable the feature or deselect to disable it. 
This action enables or disables the feature for all new repositories in the organization.
-
-For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization).
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/re-run-dependabot-jobs.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/re-run-dependabot-jobs.md
new file mode 100644
index 000000000000..4e75f90f4c80
--- /dev/null
+++ b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/re-run-dependabot-jobs.md 
@@ -0,0 +1,33 @@
+---
+title: Re-running Dependabot jobs on GitHub Actions
+shortTitle: Re-run Dependabot jobs
+intro: Resolve run failures and manually update your dependencies by re-running {% data variables.product.prodname_dependabot %} jobs.
+permissions: '{% data reusables.permissions.dependabot-actions %}'
+versions:
+ feature: dependabot-on-actions-opt-in
+topics:
+ - Dependabot
+ - Security updates
+ - Version updates
+ - Actions
+ - Dependencies
+ - Repositories
+contentType: how-tos
+---
+
+## Re-running a {% data variables.product.prodname_dependabot_version_updates %} job
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.accessing-repository-graphs %}
+{% data reusables.repositories.click-dependency-graph %}
+{% data reusables.dependabot.click-dependabot-tab %}
+1. To the right of the name of manifest file that you're interested in, click **Recent update jobs**.
+1. To the right of the affected manifest file, click **Check for updates** to re-run a {% data variables.product.prodname_dependabot_version_updates %} job and check for new updates to dependencies for that ecosystem.
+
+## Re-running a {% data variables.product.prodname_dependabot_security_updates %} job
+
+{% data reusables.repositories.navigate-to-repo %}
+1. Under your repository name, click **{% octicon "shield-lock" aria-hidden="true" aria-label="shield-lock" %} Security**.
+1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_dependabot %}**.
+1. Under "{% data variables.product.prodname_dependabot %}", click the alert you want to view.
+1. In the section displaying the error details for the alert, click **Try again** to re-run the {% data variables.product.prodname_dependabot_security_updates %} job. 
diff --git a/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md b/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md
index 6aba778bc07a..b5b24d2cf743 100644
--- a/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md
+++ b/content/code-security/how-tos/secure-your-supply-chain/troubleshoot-dependency-security/troubleshooting-dependabot-on-github-actions.md 
@@ -20,21 +20,6 @@ redirect_from:
 contentType: how-tos
 ---
-## Restrictions when {% data variables.product.prodname_dependabot %} triggers events
-
-{% data reusables.dependabot.working-with-actions-considerations %}
-
-For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, these restrictions apply:
-
-* `GITHUB_TOKEN` has read-only permissions by default.
-* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available.
-
-For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available.
-
-These restrictions apply even if the workflow is re-run by a different actor.
-
-For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
-
 ## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
 {% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %}
diff --git a/content/code-security/reference/supply-chain-security/dependabot-on-actions.md b/content/code-security/reference/supply-chain-security/dependabot-on-actions.md
new file mode 100644
index 000000000000..8c9329a4afe4
--- /dev/null
+++ b/content/code-security/reference/supply-chain-security/dependabot-on-actions.md 
@@ -0,0 +1,46 @@
+---
+title: Dependabot on GitHub Actions
+shortTitle: Dependabot on Actions
+intro: Detailed information on using {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}.
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+topics:
+ - Dependabot
+ - Actions
+ - Version updates
+ - Dependencies
+contentType: reference
+---
+
+## Restrictions when {% data variables.product.prodname_dependabot %} triggers events
+
+{% data reusables.dependabot.working-with-actions-considerations %}
+
+For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, these restrictions apply:
+
+* `GITHUB_TOKEN` has read-only permissions by default.
+* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available.
+
+For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available.
+
+These restrictions apply even if the workflow is re-run by a different actor.
+
+For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+
+## Requirements for using {% data variables.product.prodname_dependabot %} with self-hosted runners
+
+To generate {% data variables.product.prodname_dependabot_updates %} using self-hosted runners, you need to properly configure your system, network, and certificates. 
+
+### System requirements
+
+{% data reusables.dependabot.dependabot-runners-system-requirements %}
+
+### Network requirements
+
+{% data reusables.dependabot.dependabot-runners-network-requirements %}
+
+### Certificate configuration
+
+If {% data variables.product.prodname_dependabot %} needs to interact with registries that use self-signed certificates, those certificates must also be installed on the self-hosted runners that run {% data variables.product.prodname_dependabot %} jobs. This security hardens the connection. You must also configure Node.js to use the certificate, because most actions are written in JavaScript and run using Node.js, which does not use the operating system certificate store.
diff --git a/content/code-security/reference/supply-chain-security/index.md b/content/code-security/reference/supply-chain-security/index.md
index e22da354e832..5b8ed1f82cf7 100644
--- a/content/code-security/reference/supply-chain-security/index.md
+++ b/content/code-security/reference/supply-chain-security/index.md
@@ -23,6 +23,7 @@ children:
 - /dependabot-pull-request-comment-commands
 - /supported-ecosystems-and-repositories
 - /dependency-graph-supported-package-ecosystems
+ - /dependabot-on-actions
 redirect_from:
 - /code-security/dependabot/ecosystems-supported-by-dependabot
 ---
diff --git a/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md b/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
index 7123f160737e..1c14f67c3778 100644
--- a/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
+++ b/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md 
@@ -50,7 +50,7 @@ Repository administrators can configure MCP servers by following these steps: Your configuration will be validated to ensure proper syntax. -1. If your MCP server requires a key or secret, add a secret to your {% data variables.product.prodname_copilot_short %} environment. Only secrets with names prefixed with `COPILOT_MCP_` will be available to your MCP configuration. See [Setting up a {% data variables.product.prodname_copilot_short %} environment for {% data variables.copilot.copilot_coding_agent %}](#setting-up-a-copilot-environment-for-copilot-coding-agent). +1. If your MCP server requires a variable, key, or secret, add a variable or secret to your {% data variables.product.prodname_copilot_short %} environment. Only variables and secrets with names prefixed with `COPILOT_MCP_` will be available to your MCP configuration. See [Setting up a {% data variables.product.prodname_copilot_short %} environment for {% data variables.copilot.copilot_coding_agent %}](#setting-up-a-copilot-environment-for-copilot-coding-agent). ## Writing a JSON configuration for MCP servers 
@@ -78,20 +78,23 @@ The configuration object can contain the following keys: **Required keys for local and remote MCP servers** * `tools` (`string[]`): The tools from the MCP server to enable. You may be able to find a list of tools in the server's documentation, or in its code. We strongly recommend that you allowlist specific read-only tools, since the agent will be able to use these tools autonomously and will not ask you for approval first. You can also enable all tools by including `*` in the array. -* `type` (`string`): {% data variables.copilot.copilot_coding_agent %} accepts `"local"`, `"http"`, or `"sse"`. +* `type` (`string`): {% data variables.copilot.copilot_coding_agent %} accepts `"local"`, `"stdio"`, `"http"`, or `"sse"`. **Local MCP specific keys** * `command` (`string`): Required. The command to run to start the MCP server. * `args` (`string[]`): Required. The arguments to pass to the `command`. * `env` (`object`): Optional. The environment variables to pass to the server. This object should map the name of the environment variable that should be exposed to your MCP server to either of the following: - * The name of a {% data variables.product.prodname_actions %} secret you have configured, beginning with `COPILOT_MCP_`. - * A string value. + * The name of a secret you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_`. + * The name of a variable you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_`. **Remote MCP specific keys** * `url` (`string`): Required. The MCP server's URL. * `headers` (`object`): Optional. The headers to attach to requests to the server. 
This object should map the name of header keys to either of the following: - * The name of a {% data variables.product.prodname_actions %} secret you have configured, beginning with `COPILOT_MCP_` preceded by a `$` - * A string value + * The name of a secret you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_` preceded by a `$`. + * The name of a variable you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_` preceded by a `$`. + * A string value. + +Note that all `string` and `string[]` fields besides `tools` & `type` support substitution with a variable or secret you have configured in your {% data variables.product.prodname_copilot_short %} environment, beginning with `COPILOT_MCP_` preceded by a `$`. ## Example configurations @@ -111,10 +114,12 @@ The [Sentry MCP server](https://github.com/getsentry/sentry-mcp) gives {% data v "args": ["@sentry/mcp-server@latest", "--host=$SENTRY_HOST"], "tools": ["get_issue_details", "get_issue_summary"], "env": { - // We can specify an environment variable value as a string... - "SENTRY_HOST": "https://contoso.sentry.io", - // or refer to a {% data variables.product.prodname_actions %} secret with a name starting with - // `COPILOT_MCP_` + // We can specify an environment variable value as + // a variable in your {% data variables.product.prodname_copilot_short %} environment + // where `COPILOT_MCP_SENTRY_HOST` = "https://contoso.sentry.io"... + "SENTRY_HOST": "COPILOT_MCP_SENTRY_HOST", + // or refer to a secret with a name starting with + // `COPILOT_MCP_`. "SENTRY_ACCESS_TOKEN": "COPILOT_MCP_SENTRY_ACCESS_TOKEN" } } 
diff --git a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md
index 95edbe3c99ff..7c61a876801a 100644
--- a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md
+++ b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets.md
@@ -135,7 +135,25 @@ Optionally, you can require a merge type of merge, squash, or rebase. This means {% endif %} {% ifversion repo-rules-required-reviewer %} -Optionally, you can require review from specific teams. This means you can add a select number of reviewers who must submit a specific number of reviews for specific files and folders. + +#### Required reviewers + +Optionally, you can require review or approval from specific teams when a pull request changes certain files or directories. You can specify up to 15 different teams, and for each team you can require a certain number of approvals from team members. + +The **Reviewer** dropdown allows you to select any team which is in scope where the rule is being defined. + +* **Organization-wide rules**: The team must belong to the organization. +* **Repository-level rules**: The team must belong to the organization that owns the repository. + +This rule is not available on user-owned repositories as they do not contain teams. + +Required approvals can be set from 0 (zero) to 10. Requiring zero approvals means that the team will be added for visibility, but the team does not need to approve the request. + +For each team, you can specify a list of file patterns which determines what files the setting applies to. The format of this file list is the same as a standard [`.gitignore`](/get-started/git-basics/ignoring-files) file: + +* A pattern starting with an exclamation mark (`!`) is a negation. This will cause paths matching earlier patterns to *not* require approvals. +* Patterns are matched in order, so negated patterns can "unmatch" files which matched previous rules. + {% endif %} ## Require status checks to pass before merging diff --git a/data/features/dependabot-self-hosted-labels.yml b/data/features/dependabot-self-hosted-labels.yml new file mode 100644 index 000000000000..edf6345af946 --- /dev/null +++ b/data/features/dependabot-self-hosted-labels.yml 
@@ -0,0 +1,6 @@
+# Reference: #19800
+# Custom labels for Dependabot self-hosted runners [GA]
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '> 3.19'
diff --git a/data/reusables/dependabot/no-ubuntu-latest-label-self-hosted.md b/data/reusables/dependabot/no-ubuntu-latest-label-self-hosted.md
new file mode 100644
index 000000000000..fd20ad046f68
--- /dev/null
+++ b/data/reusables/dependabot/no-ubuntu-latest-label-self-hosted.md
@@ -0,0 +1,2 @@
+> [!NOTE]
+> {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} relies on the `ubuntu-latest` label to select the appropriate runner. To ensure {% data variables.product.prodname_dependabot %} runs on {% data variables.product.github %}-hosted runners, you should not use the label `ubuntu-latest` for self-hosted runners.
diff --git a/data/reusables/dependabot/vnet-arc-note.md b/data/reusables/dependabot/vnet-arc-note.md
index d08e19885220..7442b271204c 100644
--- a/data/reusables/dependabot/vnet-arc-note.md
+++ b/data/reusables/dependabot/vnet-arc-note.md
@@ -1,7 +1,7 @@ {% ifversion dependabot-vnet-support or dependabot-arc-support %} >[!NOTE] -> Private networking is supported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-github-hosted-runners-using-vnet) for more information, and instruction. +> Private networking is supported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-github-hosted-runners-using-vnet). {% else %} diff --git a/src/landings/components/ProductArticlesList.tsx b/src/landings/components/ProductArticlesList.tsx index f025e1376a6a..83f7ccba3b7c 100644 --- a/src/landings/components/ProductArticlesList.tsx +++ b/src/landings/components/ProductArticlesList.tsx @@ -2,6 +2,7 @@ import { ActionList } from '@primer/react' import { ProductTreeNode, useMainContext } from '@/frame/components/context/MainContext' import { Link } from '@/frame/components/Link' +import { countArticles } from '@/landings/lib/count-articles' import clsx from 'clsx' import styles from './ProductArticlesList.module.scss' @@ -44,7 +45,7 @@ const ProductTreeNodeList = ({ treeNode }: { treeNode: ProductTreeNode }) => { {childNode.title} {childNode.childPages.length > 0 ? ( -  • {childNode.childPages.length} articles +  • {countArticles(childNode)} articles ) : null} 
diff --git a/src/landings/lib/count-articles.ts b/src/landings/lib/count-articles.ts
new file mode 100644
index 000000000000..7934b31b43d7
--- /dev/null
+++ b/src/landings/lib/count-articles.ts
@@ -0,0 +1,9 @@
+import type { ProductTreeNode } from '@/frame/components/context/MainContext'
+
+// Recursively counts all leaf articles (nodes without children) under a given node
+export const countArticles = (node: ProductTreeNode): number => {
+ if (node.childPages.length === 0) {
+ return 1
+ }
+ return node.childPages.reduce((sum, child) => sum + countArticles(child), 0)
+}
diff --git a/src/landings/tests/count-articles.ts b/src/landings/tests/count-articles.ts
new file mode 100644
index 000000000000..de2291cb2eb0
--- /dev/null
+++ b/src/landings/tests/count-articles.ts
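Review bot: The header comment on `countArticles` does not state that container nodes are excluded from the count, which is exactly the behavioural change from the `childNode.childPages.length` it replaces in ProductArticlesList.tsx: a child that is itself a section now contributes its leaf count rather than 1, and the node passed in contributes 1 only when it has no children. I would make that explicit as TSDoc on the export, e.g. `/** Number of leaf pages beneath \`node\`; nodes with children are not counted themselves, and a childless \`node\` counts as 1. */`. The recursion has no cycle or depth guard, which is fine as long as the product tree is acyclic — worth a word in the same comment if that is an assumption rather than a guarantee of the tree builder.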
@@ -0,0 +1,51 @@
+import { describe, expect, test } from 'vitest'
+
+import { countArticles } from '@/landings/lib/count-articles'
+import type { ProductTreeNode } from '@/frame/components/context/MainContext'
+
+// Helper to create a minimal ProductTreeNode for testing
+const createNode = (childPages: ProductTreeNode[] = []): ProductTreeNode => ({
+ title: 'Test',
+ href: '/test',
+ childPages,
+})
+
+describe('countArticles', () => {
+ test('returns 1 for a leaf node (no children)', () => {
+ const leaf = createNode()
+ expect(countArticles(leaf)).toBe(1)
+ })
+
+ test('counts direct children when all are leaf nodes', () => {
+ const node = createNode([createNode(), createNode(), createNode()])
+ expect(countArticles(node)).toBe(3)
+ })
+
+ test('counts all nested leaf articles recursively', () => {
+ // Structure: parent -> 2 sections -> each with 3 articles = 6 total
+ const section1 = createNode([createNode(), createNode(), createNode()])
+ const section2 = createNode([createNode(), createNode(), createNode()])
+ const parent = createNode([section1, section2])
+
+ expect(countArticles(parent)).toBe(6)
+ })
+
+ test('handles deeply nested structure', () => {
+ // 3 levels deep: parent -> section -> subsection -> 2 articles
+ const subsection = createNode([createNode(), createNode()])
+ const section = createNode([subsection])
+ const parent = createNode([section])
+
+ expect(countArticles(parent)).toBe(2)
+ })
+
+ test('handles mixed depth structure', () => {
+ // parent -> section with 2 articles + section with subsection with 3 articles = 5 total
+ const section1 = createNode([createNode(), createNode()])
+ const subsection = createNode([createNode(), createNode(), createNode()])
+ const section2 = createNode([subsection])
+ const parent = createNode([section1, section2])
+
+ expect(countArticles(parent)).toBe(5)
+ })
+})
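Review bot: None of the five cases puts a leaf and a section side by side under the same parent; at every level the children are either all leaves or all sections, so the one shape where the old `childPages.length` and the new leaf count visibly diverge within a single list is never asserted. A one-line case closes that gap: `expect(countArticles(createNode([createNode(), createNode([createNode(), createNode()])]))).toBe(3)`. The file is named `src/landings/tests/count-articles.ts` without a `.test.ts` suffix, which vitest's default include pattern would not match — presumably the project's vitest config includes `tests/` directories, but that is worth confirming so the suite actually runs.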