Merge branch 'main' into yizcheng/nonazregion

Author: Danipocket

.gdn/.gdnbaselines

@@ -39,18 +39,6 @@
       "tool": "psscriptanalyzer",
       "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
       "createdDate": "2026-02-24 12:06:54Z"
-    },
-    "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915": {
-      "signature": "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915",
-      "alternativeSignatures": [],
-      "target": "scripts/update-permissions-reference-fic.ps1",
-      "line": 179,
-      "memberOf": [
-        "default"
-      ],
-      "tool": "psscriptanalyzer",
-      "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
-      "createdDate": "2026-03-24 12:06:54Z"
     }
   }
 }

.gdn/.gdnsuppress

@@ -39,18 +39,6 @@
       "tool": "psscriptanalyzer",
       "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
       "createdDate": "2026-02-24 12:06:54Z"
-    },
-    "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915": {
-      "signature": "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915",
-      "alternativeSignatures": [],
-      "target": "scripts/update-permissions-reference-fic.ps1",
-      "line": 179,
-      "memberOf": [
-        "default"
-      ],
-      "tool": "psscriptanalyzer",
-      "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
-      "createdDate": "2026-03-24 12:06:54Z"
     }
   }
 }

.github/copilot-instructions.md

@@ -1014,6 +1014,33 @@ configuration:
       then:
       - addLabel:
           label: ready to merge
+    - description: Remove do not merge label when pull request is labeled ready to merge
+      if:
+      - payloadType: Pull_Request
+      - labelAdded:
+          label: ready to merge
+      - isOpen
+      then:
+      - removeLabel:
+          label: do not merge
+    - description: Remove ready to merge label when pull request is labeled do not merge
+      if:
+      - payloadType: Pull_Request
+      - labelAdded:
+          label: do not merge
+      - isOpen
+      then:
+      - removeLabel:
+          label: ready to merge
+    - description: Remove resolved awaiting prod deployment label when pull request is labeled schema live
+      if:
+      - payloadType: Pull_Request
+      - labelAdded:
+          label: schema live
+      - isOpen
+      then:
+      - removeLabel:
+          label: 'resolved: awaiting prod deployment'
     - description: Add do not merge label to new pull requests opened by contributors
       if:
       - payloadType: Pull_Request

.github/policies/resourceManagement.yml

@@ -89,7 +89,7 @@ Document within the **Properties** section of the resource that uses the enum. T
        ```
 
 2. **Create table:**
-   - Columns: **Member** and **Description**
+   - Columns: **Member** (required) and **Description** (optional)
    - List members in ascending order by numeric value (without exposing numeric values)
    - **For evolvable enums:**
      - Include `unknownFutureValue` member
@@ -126,14 +126,15 @@ Create a dedicated topic for the enumeration. This option is rarely applicable.
 
 1. **Create enum topic:**
    - Title: "{enum-type} enum type"
-   - Single sentence describing the enum's purpose
+   - doc_type: "enumPageType"
+   - Single sentence describing the enum's purpose, linking to consuming resource(s)
    - **For flagged enums:** Append "This flagged enumeration allows multiple members to be selected simultaneously." to the introductory text.
    - **For evolvable enums:** Mention it's an evolvable enumeration
 
 2. **Add Members H2 section:**
    - **For evolvable enums (if members follow unknownFutureValue):**
      - Add introductory text before the table (same as Option 2)
-   - Table with columns: **Member** and **Description**
+   - Table with columns: **Member** (required) and **Description** (optional)
    - List members in ascending order by numeric value (without exposing values)
    - **For evolvable enums:**
      - Include `unknownFutureValue` member
@@ -257,21 +258,23 @@ Create a dedicated topic for the enumeration. This option is rarely applicable.
   - [ ] For evolvable enums with members after unknownFutureValue: Prefer header note included in property description
 - [ ] **Option 2 (Parent resource):**
   - [ ] H3 section "{enum-type} values" added after Properties table
-  - [ ] Table has Member and Description columns
+  - [ ] Table has Member column (required) and Description column (optional)
   - [ ] Members listed in ascending order by numeric value (values not exposed)
   - [ ] For evolvable enums: unknownFutureValue description is "Evolvable enumeration sentinel value. Do not use."
   - [ ] For evolvable enums with members after unknownFutureValue: Introductory text about Prefer header included
   - [ ] Properties table links to H3 section
+  - [ ] Parent resource property description excludes inline value listing (values are accessible via linked H3 section)
   - [ ] For subnamespaces: Fully qualified enum name used
 - [ ] **Option 3 (Separate topic):**
   - [ ] File created with correct naming convention
   - [ ] Title is "{enum-type} enum type"
   - [ ] Description mentions evolvable enumeration if applicable
-  - [ ] Members H2 section with Member and Description columns
+  - [ ] Members H2 section with Member column (required) and Description column (optional)
   - [ ] For evolvable enums: unknownFutureValue description is "Evolvable enumeration sentinel value. Don't use."
   - [ ] For evolvable enums with members after unknownFutureValue: Introductory text about Prefer header included
   - [ ] For subnamespaces: Namespace attribute added in page annotation
   - [ ] Parent resource Properties table links to enum topic
+  - [ ] Parent resource property description excludes inline value listing (values are accessible via linked enum topic)
 
 ### For updating existing enumerations
 

.github/prompts/author-api-docs/enumerations.md

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  id-token: write  # Required for federated identity credentials
 
 jobs:
   update-permissions-reference:
@@ -23,13 +24,19 @@ jobs:
       with:
         path: docs
 
+    - name: Azure Login using Federated Identity
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.GRAPHPERMISSIONSREFERENCE_CLIENT_ID }}
+        tenant-id: ${{ secrets.GRAPHPERMISSIONSREFERENCE_TENANT_ID }}
+        allow-no-subscriptions: true
+
     - name: Run PowerShell script to update permissions
       shell: pwsh
       run: | 
         $ClientId = "${{ secrets.GRAPHPERMISSIONSREFERENCE_CLIENT_ID }}"
         $TenantId = "${{ secrets.GRAPHPERMISSIONSREFERENCE_TENANT_ID }}"
-        $ClientSecret = "${{ secrets.GRAPHPERMISSIONSREFERENCE_CLIENT_SECRET }}"
-        ./docs/scripts/update-permissions-reference.ps1 -ClientId $ClientId -TenantId $TenantId -ClientSecret $ClientSecret
+        ./docs/scripts/update-permissions-reference.ps1 -ClientId $ClientId -TenantId $TenantId
         
     - name: Get token
       id: get_token

.github/workflows/permissions-reference-gen-fic.yml

@@ -0,0 +1,42 @@
+# Agent Quick Guide
+
+Top-level entrypoint for agents working in this repository.
+
+## Authority
+
+If this file and `.github/copilot-instructions.md` ever differ, follow:
+
+1. `.github/copilot-instructions.md`
+2. The prompt and template files it routes you to
+
+This file is intentionally thin to avoid split-brain guidance.
+
+## Read first
+
+Before doing docs work in this repo:
+
+1. Read `.github/copilot-instructions.md`
+2. Determine whether the task is **authoring/updating** or **review**
+3. Load the prompt file that `.github/copilot-instructions.md` tells you to read first
+
+## Repo map
+
+- `api-reference/*/api/` — API operation topics
+- `api-reference/*/resources/` — resource and enum topics
+- `changelog/` — API change records
+- `concepts/whats-new-overview.md` — monthly release highlights
+- `concepts/` — conceptual topics such as tutorials, conceptual overviews, guides
+- `api-reference/*/toc/toc.mapping.json` — API reference TOC mapping
+- `api-reference/*/includes/rbac-for-apis/` — RBAC include files
+- `temp-docstubs/` — temporary authoring inputs
+
+## Workflow
+
+1. Start with `.github/copilot-instructions.md`
+2. Load the correct scenario guidance
+3. Make scoped changes only
+4. Run the validation expected by the loaded workflow
+
+## Rule of thumb
+
+Do not duplicate detailed rules in this file. Keep detailed authoring, review, changelog, What's New, TOC, enum, and RBAC guidance in the files referenced by `.github/copilot-instructions.md`.

.github/workflows/permissions-reference-gen.yml

@@ -42,13 +42,7 @@ The following table shows the parameters that can be used with this function.
 
 |Parameter|Type|Description|
 |:---|:---|:---|
-|on|[accessPackageAssignmentRequestFilterByCurrentUserOptions](../resources/accesspackageassignmentrequest-accesspackageassignmentrequestfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignment requests list. The possible values are `target`, `createdBy`, `approver`.|
-
-- `target` is used to get the `accessPackageAssignmentRequest` objects where the signed-in user is the target. The resulting list includes all the assignment requests, current and expired, that were requested by the caller or for the caller, across all catalogs and access packages.
-
-- `createdBy` is used to get the `accessPackageAssignmentRequest` objects created by the signed-in user. The resulting list includes all of the assignment requests that the caller has created for themselves or on behalf of others, such as in case of admin direct assignment, across all catalogs and access packages.
-
-- `approver` is used to get the `accessPackageAssignmentRequest` objects where the signed-in user is an allowed approver in any contained `accessPackageAssignment/accessPackageAssignmentPolicy/requestApprovalSettings/approvalStages` (`primaryApprovers` or `escalationApprovers`). The resulting list includes the assignment requests in *pending* state, across all catalogs and access packages and that need a decision from the caller. The resulting list includes the assignment requests in a `pending` state, across all catalogs and access packages and that need a decision from the caller.
+|on|[accessPackageAssignmentRequestFilterByCurrentUserOptions](../resources/accesspackageassignmentrequestfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignment requests list.|
 
 ## Request headers
 |Name|Description|

AGENTS.md

@@ -37,7 +37,7 @@ GET /identityGovernance/entitlementManagement/accessPackageCatalogs/{id}/accessP
 
 ## Optional query parameters
 
-This method supports OData query parameters to help customize the response. For example, to retrieve the access package resource scopes and environments for each resource, include `$expand=accessPackageResourceScopes,accessPackageResourceEnvironment` in the query. To retrieve the available roles of a resource, include `$expand=accessPackageResourceRoles`. To retrieve only resources for applications and not groups or sites, include `$filter=resourceType eq 'Application'` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports OData query parameters to help customize the response. For example, to retrieve the access package resource scopes and environments for each resource, include `$expand=accessPackageResourceScopes,accessPackageResourceEnvironment,externalOriginResourceConnector` in the query. To retrieve the available roles of a resource, include `$expand=accessPackageResourceRoles`. To retrieve only resources for applications and not groups or sites, include `$filter=resourceType eq 'Application'` in the query. For general information, see [OData query parameters](/graph/query-parameters).
 
 ## Request headers