Codespaces: Org-level allowed images policy (#30802)

Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com>

content/codespaces/customizing-your-codespace/index.md

@@ -11,6 +11,7 @@ topics:
   - Codespaces
 children:
   - /personalizing-github-codespaces-for-your-account
+  - /renaming-a-codespace
   - /changing-the-machine-type-for-your-codespace
   - /setting-your-default-editor-for-github-codespaces
   - /setting-your-default-region-for-github-codespaces

content/codespaces/customizing-your-codespace/renaming-a-codespace.md

@@ -50,7 +50,9 @@ Changing the display name of a codespace can be useful if you have multiple code
 To rename a codespace, use the `gh codespace edit` subcommand:
 
 ```shell
-gh codespace edit -c PERMANENT-NAME-OF-CODESPACE -d NEW-DISPLAY-NAME
+gh codespace edit -c PERMANENT-CODESPACE-NAME -d NEW-DISPLAY-NAME
 ```
 
-In this example, replace `permanent name of the codespace` with the permanent name of the codespace. Replace `new display name` with the desired display name.
+In this example, replace `PERMANENT-CODESPACE-NAME` with the permanent name of the codespace whose display name you want to change. Replace `NEW-DISPLAY-NAME` with the display name you want to use for this codespace.
+
+For more information, see "[Using {% data variables.product.prodname_github_codespaces %} with {% data variables.product.prodname_cli %}](/codespaces/developing-in-codespaces/using-github-codespaces-with-github-cli#rename-a-codespace)."

content/codespaces/developing-in-codespaces/codespaces-lifecycle.md

@@ -59,6 +59,8 @@ In the example `postCreate.sh` file below, the contents of the `config` director
 ln -sf $PWD/.devcontainer/config $HOME/config && set +x
 ```
 
+For more information, see "[Introduction to dev containers](/codespaces/setting-up-your-project-for-codespaces/introduction-to-dev-containers#applying-configuration-changes-to-a-codespace)."
+
 ## Stopping a codespace
 
 {% data reusables.codespaces.stopping-a-codespace %} For more information, see "[Stopping and starting a codespace](/codespaces/developing-in-codespaces/stopping-and-starting-a-codespace)."

content/codespaces/developing-in-codespaces/index.md

@@ -16,7 +16,6 @@ children:
   - /using-source-control-in-your-codespace
   - /using-github-codespaces-for-pull-requests
   - /stopping-and-starting-a-codespace
-  - /renaming-a-codespace
   - /forwarding-ports-in-your-codespace
   - /default-environment-variables-for-your-codespace
   - /connecting-to-a-private-network

content/codespaces/developing-in-codespaces/using-github-codespaces-with-github-cli.md

@@ -6,6 +6,7 @@ product: '{% data reusables.gated-features.codespaces %}'
 miniTocMaxHeadingLevel: 3
 versions:
   fpt: '*'
+  ghec: '*'
 type: how_to
 topics:
   - Codespaces
@@ -24,6 +25,7 @@ You can work with {% data variables.product.prodname_github_codespaces %} in the
   - [Create a new codespace](#create-a-new-codespace)
   - [Stop a codespace](#stop-a-codespace)
   - [Delete a codespace](#delete-a-codespace)
+  - [Rename a codespace](#rename-a-codespace)
   - [SSH into a codespace](#ssh-into-a-codespace)
   - [Open a codespace in {% data variables.product.prodname_vscode %}](#open-a-codespace-in--data-variablesproductprodname_vscode-)
   - [Open a codespace in JupyterLab](#open-a-codespace-in-jupyterlab)
@@ -74,6 +76,8 @@ gh codespace list
 
 The list includes the unique name of each codespace, which you can use in other `gh codespace` commands.
 
+An asterisk at the end of the branch name for a codespace indicates that there are uncommitted or unpushed changes in that codespace.
+
 ### Create a new codespace
 
 ```shell
@@ -98,6 +102,14 @@ gh codespace delete -c CODESPACE-NAME
 
 For more information, see "[Deleting a codespace](/codespaces/developing-in-codespaces/deleting-a-codespace)."
 
+### Rename a codespace
+
+```shell
+gh codespace edit -c CODESPACE-NAME -d DISPLAY-NAME
+```
+
+For more information, see "[Renaming a codespace](/codespaces/customizing-your-codespace/renaming-a-codespace)."
+
 ### SSH into a codespace
 
 To run commands on the remote codespace machine, from your terminal, you can SSH into the codespace.
@@ -215,4 +227,4 @@ You can use the {% data variables.product.prodname_cli %} extension to create a
 gh codespace edit -m <em>machine-type-name</em>
 ```
 
-For more information, see the "{% data variables.product.prodname_cli %}" tab of "[Changing the machine type for your codespace](/codespaces/customizing-your-codespace/changing-the-machine-type-for-your-codespace)."
+For more information, see the "{% data variables.product.prodname_cli %}" tab of "[Changing the machine type for your codespace](/codespaces/customizing-your-codespace/changing-the-machine-type-for-your-codespace)."

content/codespaces/getting-started/deep-dive.md

@@ -35,7 +35,7 @@ When you create a codespace, a [shallow clone](https://github.blog/2020-12-21-ge
 
 ### Step 2: Container is created
 
-{% data variables.product.prodname_github_codespaces %} uses a container as the development environment. This container is created based on the configurations that you can define in a `devcontainer.json` file and/or Dockerfile in your repository. If you don't [configure a container](/codespaces/customizing-your-codespace/configuring-codespaces-for-your-project), {% data variables.product.prodname_github_codespaces %} uses a [default image](/codespaces/customizing-your-codespace/configuring-codespaces-for-your-project#using-the-default-configuration), which has many languages and runtimes available. For information on what the default image contains, see the [`vscode-dev-containers`](https://github.com/microsoft/vscode-dev-containers/tree/main/containers/codespaces-linux) repository.
+{% data variables.product.prodname_github_codespaces %} uses a container as the development environment. This container is created based on the configurations that you can define in a `devcontainer.json` file and/or Dockerfile in your repository. If you don't specify a custom Docker image in your configuration, {% data variables.product.prodname_codespaces %} uses a default image, which has many languages and runtimes available. For information, see "[Introduction to dev containers](/codespaces/setting-up-your-project-for-codespaces/introduction-to-dev-containers#using-the-default-dev-container-configuration)." For details of what the default image contains, see the [`vscode-dev-containers`](https://github.com/microsoft/vscode-dev-containers/tree/main/containers/codespaces-linux) repository.
 
 {% note %}
 

content/codespaces/getting-started/quickstart.md

@@ -92,11 +92,10 @@ Within a codespace, you have access to the {% data variables.product.prodname_vs
 
 1. In the left sidebar, click the Extensions icon.
 
-1. In the search bar, enter `fairyfloss` and install the fairyfloss extension.
+1. In the search bar, type `fairyfloss` and click **Install**.
 
    ![Add an extension](/assets/images/help/codespaces/add-extension.png)
 
-1. Click **Install in Codespaces**.
 1. Select the `fairyfloss` theme by selecting it from the list.
 
    ![Select the fairyfloss theme](/assets/images/help/codespaces/fairyfloss.png)

content/codespaces/guides.md

@@ -44,7 +44,8 @@ includeGuides:
   - /codespaces/managing-codespaces-for-your-organization/managing-billing-for-codespaces-in-your-organization
   - /codespaces/managing-codespaces-for-your-organization/managing-encrypted-secrets-for-your-repository-and-organization-for-codespaces
   - /codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types
-  - /codespaces/managing-codespaces-for-your-organization/retricting-the-idle-timeout-period
+  - /codespaces/managing-codespaces-for-your-organization/restricting-the-base-image-for-codespaces.md
+  - /codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period
   - /codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces
   - /codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports
   - /codespaces/managing-codespaces-for-your-organization/reviewing-your-organizations-audit-logs-for-codespaces

content/codespaces/managing-codespaces-for-your-organization/index.md

@@ -17,6 +17,7 @@ children:
   - /managing-repository-access-for-your-organizations-codespaces
   - /reviewing-your-organizations-audit-logs-for-github-codespaces
   - /restricting-access-to-machine-types
+  - /restricting-the-base-image-for-codespaces
   - /restricting-the-visibility-of-forwarded-ports
   - /restricting-the-idle-timeout-period
   - /restricting-the-retention-period-for-codespaces

content/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types.md

@@ -14,7 +14,9 @@ topics:
 
 ## Overview
 
-Typically, when you create a codespace you are offered a choice of specifications for the machine that will run your codespace. You can choose the machine type that best suits your needs. For more information, see "[Creating a codespace](/codespaces/developing-in-codespaces/creating-a-codespace#creating-a-codespace)." If you pay for using {% data variables.product.prodname_github_codespaces %} then your choice of machine type will affect how much your are billed. For more information about pricing, see "[About billing for {% data variables.product.prodname_github_codespaces %}](/billing/managing-billing-for-github-codespaces/about-billing-for-github-codespaces)."
+Typically, when you create a codespace you are offered a choice of specifications for the machine that will run your codespace. You can choose the machine type that best suits your needs. For more information, see "[Creating a codespace](/codespaces/developing-in-codespaces/creating-a-codespace#creating-a-codespace)." 
+
+If you pay for using {% data variables.product.prodname_github_codespaces %} then your choice of machine type will affect how much your are billed. The compute cost for a codespace is proportional to the number of processor cores in the machine type you choose. For example, the compute cost of using a codespace for an hour on a 16-core machine is eight times greater than a 2-core machine. For more information about pricing, see "[About billing for {% data variables.product.prodname_github_codespaces %}](/billing/managing-billing-for-github-codespaces/about-billing-for-github-codespaces)."
 
 As an organization owner, you may want to configure constraints on the types of machine that are available. For example, if the work in your organization doesn't require significant compute power or storage space, you can remove the highly resourced machines from the list of options that people can choose from. You do this by defining one or more policies in the {% data variables.product.prodname_github_codespaces %} settings for your organization.
 
@@ -52,21 +54,29 @@ If you add an organization-wide policy, you should set it to the largest choice
 {% data reusables.codespaces.codespaces-org-policies %}
 1. Click **Add constraint** and choose **Machine types**.
 
-   ![Add a constraint for machine types](/assets/images/help/codespaces/add-constraint-dropdown.png)
+   ![Screenshot of the 'Add constraint' dropdown menu](/assets/images/help/codespaces/add-constraint-dropdown.png)
 
 1. Click {% octicon "pencil" aria-label="The edit icon" %} to edit the constraint, then clear the selection of any machine types that you don't want to be available.
 
-   ![Edit the machine type constraint](/assets/images/help/codespaces/edit-machine-constraint.png)
+   ![Screenshot of the pencil icon for editing the constraint](/assets/images/help/codespaces/edit-machine-constraint.png)
 
 {% data reusables.codespaces.codespaces-policy-targets %}
-1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see "[Restricting the visibility of forwarded ports](/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports)," "[Restricting the idle timeout period](/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period)," and "[Restricting the retention period for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces)."
+1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see:
+   * "[Restricting the base image for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-base-image-for-codespaces)"
+   * "[Restricting the visibility of forwarded ports](/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports)"
+   * "[Restricting the idle timeout period](/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period)"
+   * "[Restricting the retention period for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces)"
 1. After you've finished adding constraints to your policy, click **Save**.
+
+The policy will be applied to all new codespaces that are billable to your organization. The machine type constraint is also applied to existing codespaces when someone attempts to restart a stopped codespace or reconnect to an active codespace.
+
 ## Editing a policy
 
 You can edit an existing policy. For example, you may want to add or remove constraints to or from a policy.
 
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to limit the available machine types](#adding-a-policy-to-limit-the-available-machine-types)."
 1. Click the name of the policy you want to edit.
+1. Click the pencil icon ({% octicon "pencil" aria-label="The edit icon" %}) beside the "Machine types" constraint.
 1. Make the required changes then click **Save**.
 
 ## Deleting a policy 
@@ -74,7 +84,7 @@ You can edit an existing policy. For example, you may want to add or remove cons
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to limit the available machine types](#adding-a-policy-to-limit-the-available-machine-types)."
 1. Click the delete button to the right of the policy you want to delete.
 
-   ![The delete button for a policy](/assets/images/help/codespaces/policy-delete.png)
+   ![Screenshot of the delete button for a policy](/assets/images/help/codespaces/policy-delete.png)
 
 ## Further reading
 

content/codespaces/managing-codespaces-for-your-organization/restricting-the-base-image-for-codespaces.md

@@ -0,0 +1,101 @@
+---
+title: Restricting the base image for codespaces
+shortTitle: Restrict base image
+intro: You can specify which base images can be used for new codespaces created within your organization.
+product: '{% data reusables.gated-features.codespaces %}'
+permissions: 'To manage image constraints for an organization''s codespaces, you must be an owner of the organization.'
+versions:
+  fpt: '*'
+  ghec: '*'
+type: how_to
+topics:
+  - Codespaces
+---
+
+## Overview
+
+When you create a codespace, a Docker container is automatically created on a remote virtual machine. The Docker container is created from a Docker image. The image is effectively a template for Docker containers and it determines many aspects of the resulting environment provided by the codespace.
+
+You can choose which image you want to use for your codespaces by specifying it in the dev container configuration for a repository. You can do this, for example, by using the `image` property in the `devcontainer.json` file.
+
+```json{:copy}
+"image": "mcr.microsoft.com/vscode/devcontainers/javascript-node:18",
+```
+
+For more information, see the [dev containers specification](https://containers.dev/implementors/json_reference/) on containers.dev.
+
+If you don't specify an image in the dev container configuration for a repository, the default image is used. The default image contains a number of runtime versions for popular languages and commonly used tools. For more information, see "[Introduction to dev containers](/codespaces/setting-up-your-project-for-codespaces/introduction-to-dev-containers#using-the-default-dev-container-configuration)."
+
+As an organization owner, you can add a policy to restrict which images can be used for codespaces created within your organization.
+
+If the image specified in the dev container configuration does not match one of the allowed images, the following message is displayed when someone tries to create a codespace for the repository:
+
+> Codespace could not be created: Base image 'DETAILS FROM DEV CONTAINER CONFIGURATION' is not allowed based on an organization policy set by your organization administrator.
+
+{% note %}
+
+**Notes**: 
+* The base image policy is only applied when a codespace is created. It is currently not applied when you rebuild a container. This will change in a future release. For more information, see "[Codespaces lifecycle](/codespaces/developing-in-codespaces/codespaces-lifecycle#rebuilding-a-codespace)."
+* The base image policy does not apply to the default image, or the image that's used to recover a codespace if an error is introduced into a dev container configuration which prevents the container from being rebuilt. 
+
+{% endnote %}
+
+### Setting organization-wide and repository-specific policies
+
+When you create a policy you choose whether it applies to all repositories in your organization, or only to specified repositories. If you set an organization-wide policy then any policies you set for individual repositories must fall within the restriction set at the organization level. Adding policies makes the choice of image more, not less, restrictive.
+
+For example, you could create an organization-wide policy that restricts the base image to any of ten specified images. You can then set a policy for Repository A that restricts the image to a subset of just two of the images specified at the organization level. Specifying additional images for Repository A will have no effect because these images are not specified in the organization-level policy. If you add an organization-wide policy, you should set it to the largest choice of images that will be available for any repository in your organization. You can then add repository-specific policies to further restrict the choice.
+
+{% data reusables.codespaces.codespaces-org-policies-note %}
+
+## Adding a policy to define the allowed images
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.codespaces.codespaces-org-policies %}
+1. Click **Add constraint** and choose **Base images**.
+
+   ![Screenshot of the 'Add constraint' dropdown menu](/assets/images/help/codespaces/add-constraint-dropdown-image.png)
+
+1. Click {% octicon "pencil" aria-label="The edit icon" %} to edit the constraint.
+
+   ![Screenshot of the pencil icon for editing the constraint](/assets/images/help/codespaces/edit-image-constraint.png)
+
+1. In the "Allowed values" field, enter the complete URL of an image you want to allow.
+
+   ![Screenshot of an entry in the 'Allowed values' field](/assets/images/help/codespaces/image-allowed-values.png)
+ 
+   {% note %}
+
+   **Note**: You must specify an image URL that exactly matches the value specified in a dev container configuration.
+
+   {% endnote %}
+
+1. Click the plus button ({% octicon "plus" aria-label="The plus icon" %}) to add the value.
+1. If required, repeat the previous two steps to add more image URLs.
+{% data reusables.codespaces.codespaces-policy-targets %}
+1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see:
+   * "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)"
+   * "[Restricting the visibility of forwarded ports](/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports)"
+   * "[Restricting the idle timeout period](/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period)"
+   * "[Restricting the retention period for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces)"
+1. After you've finished adding constraints to your policy, click **Save**.
+
+The policy is applied when anyone attempts to create a new codespace that is billable to your organization. The base image constraint does not affect existing codespaces, either active or stopped.
+
+## Editing a policy
+
+You can edit an existing policy. For example, you may want to add or remove constraints to or from a policy.
+
+1. Display the "Codespace policies" page. For more information, see "[Adding a policy to define the allowed images](#adding-a-policy-to-define-the-allowed-images)."
+1. Click the name of the policy you want to edit.
+1. Click the pencil icon ({% octicon "pencil" aria-label="The edit icon" %}) beside the "Base images" constraint.
+1. Add or remove image URLs.
+1. Click **Save**.
+
+## Deleting a policy 
+
+1. Display the "Codespace policies" page. For more information, see "[Adding a policy to define the allowed images](#adding-a-policy-to-define-the-allowed-images)."
+1. Click the delete button to the right of the policy you want to delete.
+
+   ![Screenshot of the delete button for a policy](/assets/images/help/codespaces/policy-delete.png)

content/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period.md

@@ -49,21 +49,25 @@ If you add an organization-wide policy with a timeout constraint, you should set
 {% data reusables.codespaces.codespaces-org-policies %}
 1. Click **Add constraint** and choose **Maximum idle timeout**.
 
-   ![Add a constraint for idle timeout](/assets/images/help/codespaces/add-constraint-dropdown-timeout.png)
+   ![Screenshot of the 'Add constraint' dropdown menu](/assets/images/help/codespaces/add-constraint-dropdown-timeout.png)
 
 1. Click {% octicon "pencil" aria-label="The edit icon" %} to edit the constraint.
 
-   ![Edit the timeout constraint](/assets/images/help/codespaces/edit-timeout-constraint.png)
+   ![Screenshot of the pencil icon for editing the constraint](/assets/images/help/codespaces/edit-timeout-constraint.png)
 
 1. Enter the maximum number of minutes codespaces can remain inactive before they time out, then click **Save**.
 
-   ![Set the maximum timeout in minutes](/assets/images/help/codespaces/maximum-minutes-timeout.png)
+   ![Screenshot of setting the maximum timeout in minutes](/assets/images/help/codespaces/maximum-minutes-timeout.png)
 
 {% data reusables.codespaces.codespaces-policy-targets %}
-1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)," "[Restricting the visibility of forwarded ports](/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports)," and "[Restricting the retention period for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces)."
+1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see:
+   * "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)"
+   * "[Restricting the base image for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-base-image-for-codespaces)"
+   * "[Restricting the visibility of forwarded ports](/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports)"
+   * "[Restricting the retention period for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces)"
 1. After you've finished adding constraints to your policy, click **Save**.
 
-The policy will be applied to all new codespaces that are created, and to existing codespaces the next time they are started.
+The policy will be applied to all new codespaces that are billable to your organization. The timeout constraint is also applied to existing codespaces the next time they are started.
 
 ## Editing a policy
 
@@ -71,6 +75,7 @@ You can edit an existing policy. For example, you may want to add or remove cons
 
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to set a maximum idle timeout period](#adding-a-policy-to-set-a-maximum-idle-timeout-period)."
 1. Click the name of the policy you want to edit.
+1. Click the pencil icon ({% octicon "pencil" aria-label="The edit icon" %}) beside the "Maximum idle timeout" constraint.
 1. Make the required changes then click **Save**.
 
 ## Deleting a policy 
@@ -78,4 +83,4 @@ You can edit an existing policy. For example, you may want to add or remove cons
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to set a maximum idle timeout period](#adding-a-policy-to-set-a-maximum-idle-timeout-period)."
 1. Click the delete button to the right of the policy you want to delete.
 
-   ![The delete button for a policy](/assets/images/help/codespaces/policy-delete.png)
+   ![Screenshot of the delete button for a policy](/assets/images/help/codespaces/policy-delete.png)

content/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces.md

@@ -35,15 +35,15 @@ If you add an organization-wide policy with a retention constraint, you should s
 {% data reusables.codespaces.codespaces-org-policies %}
 1. Click **Add constraint** and choose **Retention period**.
 
-   ![Add a constraint for retention periods](/assets/images/help/codespaces/add-constraint-dropdown-retention.png)
+   ![Screenshot of the 'Add constraint' dropdown menu](/assets/images/help/codespaces/add-constraint-dropdown-retention.png)
 
 1. Click {% octicon "pencil" aria-label="The edit icon" %} to edit the constraint.
 
-   ![Edit the timeout constraint](/assets/images/help/codespaces/edit-timeout-constraint.png)
+   ![Screenshot of the pencil icon for editing the constraint](/assets/images/help/codespaces/edit-timeout-constraint.png)
 
 1. Enter the maximum number of days codespaces can remain stopped before they are automatically deleted, then click **Save**.
 
-   ![Set the retention period in days](/assets/images/help/codespaces/maximum-days-retention.png)
+   ![Screenshot of setting the retention period in days](/assets/images/help/codespaces/maximum-days-retention.png)
 
    {% note %}
 
@@ -55,10 +55,14 @@ If you add an organization-wide policy with a retention constraint, you should s
    {% endnote %}
 
 {% data reusables.codespaces.codespaces-policy-targets %}
-1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)," "[Restricting the visibility of forwarded ports](/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports)," and "[Restricting the idle timeout period](/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period)."
+1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see:
+   * "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)"
+   * "[Restricting the base image for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-base-image-for-codespaces)"
+   * "[Restricting the visibility of forwarded ports](/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports)"
+   * "[Restricting the idle timeout period](/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period)"
 1. After you've finished adding constraints to your policy, click **Save**.
 
-The policy will be applied to all new codespaces that are created.
+The policy will be applied to all new codespaces that are billable to your organization. The retention period constraint is only applied on codespace creation.
 
 ## Editing a policy
 
@@ -68,6 +72,7 @@ The retention period constraint is only applied to codespaces when they are crea
 
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to set a maximum codespace retention period](#adding-a-policy-to-set-a-maximum-codespace-retention-period)."
 1. Click the name of the policy you want to edit.
+1. Click the pencil icon ({% octicon "pencil" aria-label="The edit icon" %}) beside the "Retention period" constraint.
 1. Make the required changes then click **Save**.
 
 ## Deleting a policy 
@@ -77,4 +82,4 @@ You can delete a policy at any time. Deleting a policy has no effect on existing
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to set a maximum codespace retention period](#adding-a-policy-to-set-a-maximum-codespace-retention-period)."
 1. Click the delete button to the right of the policy you want to delete.
 
-   ![The delete button for a policy](/assets/images/help/codespaces/policy-delete.png)
+   ![Screenshot of the delete button for a policy](/assets/images/help/codespaces/policy-delete.png)

content/codespaces/managing-codespaces-for-your-organization/restricting-the-visibility-of-forwarded-ports.md

@@ -45,25 +45,33 @@ If you add an organization-wide policy, you should set it to the most lenient vi
 {% data reusables.codespaces.codespaces-org-policies %}
 1. Click **Add constraint** and choose **Port visibility**.
 
-   ![Add a constraint for port visibility](/assets/images/help/codespaces/add-constraint-dropdown-ports.png)
+   ![Screenshot of the 'Add constraint' dropdown menu](/assets/images/help/codespaces/add-constraint-dropdown-ports.png)
 
 1. Click {% octicon "pencil" aria-label="The edit icon" %} to edit the constraint.
 
-   ![Edit the port visibility constraint](/assets/images/help/codespaces/edit-port-visibility-constraint.png)
+   ![Screenshot of the pencil icon for editing the constraint](/assets/images/help/codespaces/edit-port-visibility-constraint.png)
 
 1. Clear the selection of the port visibility options (**Org** or **Public**) that you don't want to be available.
 
-   ![Choose the port visibility options](/assets/images/help/codespaces/choose-port-visibility-options.png)
+   ![Screenshot of clearing a port visibility option](/assets/images/help/codespaces/choose-port-visibility-options.png)
 
 {% data reusables.codespaces.codespaces-policy-targets %}
-1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)," "[Restricting the idle timeout period](/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period)," and "[Restricting the retention period for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces)."
+1. If you want to add another constraint to the policy, click **Add constraint** and choose another constraint. For information about other constraints, see:
+   * "[Restricting access to machine types](/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types)"
+   * "[Restricting the base image for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-base-image-for-codespaces)"
+   * "[Restricting the idle timeout period](/codespaces/managing-codespaces-for-your-organization/restricting-the-idle-timeout-period)"
+   * "[Restricting the retention period for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-retention-period-for-codespaces)"
 1. After you've finished adding constraints to your policy, click **Save**.
+
+The policy will be applied to all new codespaces that are billable to your organization. The port visibility constraint is also applied to existing codespaces the next time they are started.
+
 ## Editing a policy
 
 You can edit an existing policy. For example, you may want to add or remove constraints to or from a policy.
 
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to limit the port visibility options](#adding-a-policy-to-limit-the-port-visibility-options)."
 1. Click the name of the policy you want to edit.
+1. Click the pencil icon ({% octicon "pencil" aria-label="The edit icon" %}) beside the "Port visibility" constraint.
 1. Make the required changes then click **Save**.
 
 ## Deleting a policy 
@@ -71,4 +79,4 @@ You can edit an existing policy. For example, you may want to add or remove cons
 1. Display the "Codespace policies" page. For more information, see "[Adding a policy to limit the port visibility options](#adding-a-policy-to-limit-the-port-visibility-options)."
 1. Click the delete button to the right of the policy you want to delete.
 
-   ![The delete button for a policy](/assets/images/help/codespaces/policy-delete.png)
+   ![Screenshot of the delete button for a policy](/assets/images/help/codespaces/policy-delete.png)

content/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces.md

@@ -93,10 +93,10 @@ You can use secrets in a codespace after the codespace is built and is running.
 * When launching an application from the integrated terminal or ssh session.
 * Within a dev container lifecycle script that is run after the codespace is running. For more information about dev container lifecycle scripts, see the documentation on containers.dev: [Specification](https://containers.dev/implementors/json_reference/#lifecycle-scripts).
 
-Codespace secrets cannot be used during:
+Codespace secrets cannot be used:
 
-* Codespace build time (that is, within a Dockerfile or custom entry point).
-* Within a dev container feature. For more information, see the `features` attribute in the documentation on containers.dev: [Specification](https://containers.dev/implementors/json_reference/#general-properties).
+* During codespace build time (that is, within a Dockerfile or custom entry point).
+* Within a dev container feature. For more information, see the `features` property in the [dev containers specification](https://containers.dev/implementors/json_reference/#general-properties) on containers.dev.
 
 ## Further reading
 

content/codespaces/setting-up-your-project-for-codespaces/introduction-to-dev-containers.md

@@ -65,7 +65,7 @@ The Dockerfile for a dev container is typically located in the `.devcontainer` f
 
 {% note %}
 
-**Note**: As an alternative to using a Dockerfile you can use the `image` property in the `devcontainer.json` file to refer directly to an existing image you want to use. If neither a Dockerfile nor an image is found then the default container image is used. For more information, see "[Using the default dev container configuration](#using-the-default-dev-container-configuration)."
+**Note**: As an alternative to using a Dockerfile you can use the `image` property in the `devcontainer.json` file to refer directly to an existing image you want to use. The image you specify here must be allowed by any organization image policy that has been set. For more information, see "[Restricting the base image for codespaces](/codespaces/managing-codespaces-for-your-organization/restricting-the-base-image-for-codespaces)." If neither a Dockerfile nor an image is found then the default container image is used. For more information, see "[Using the default dev container configuration](#using-the-default-dev-container-configuration)."
 
 {% endnote %}
 

content/codespaces/setting-up-your-project-for-codespaces/setting-a-minimum-specification-for-codespace-machines.md

@@ -15,7 +15,7 @@ product: '{% data reusables.gated-features.codespaces %}'
 
 ## Overview
 
-Each codespace that you create is hosted on a separate virtual machine, and you can usually choose from different types of virtual machines. Each machine type has different resources (CPUs, memory, storage) and, by default, the machine type with the least resources is used. For more information, see "[Changing the machine type for your codespace](/codespaces/customizing-your-codespace/changing-the-machine-type-for-your-codespace#about-machine-types)."
+Each codespace that you create is hosted on a separate virtual machine, and you can usually choose from different types of virtual machines. Each machine type has different resources (processor cores, memory, storage) and, by default, the machine type with the least resources is used. For more information, see "[Changing the machine type for your codespace](/codespaces/customizing-your-codespace/changing-the-machine-type-for-your-codespace#about-machine-types)."
 
 If your project needs a certain level of compute power, you can configure {% data variables.product.prodname_github_codespaces %} so that only machine types that meet these requirements can be used by default, or selected by users. You configure this in a `devcontainer.json` file.
 

content/codespaces/setting-up-your-project-for-codespaces/setting-up-your-dotnet-project-for-codespaces.md

@@ -104,14 +104,12 @@ The newly added `devcontainer.json` file defines a few properties that are descr
 	//        "ASPNETCORE_Kestrel__Certificates__Default__Path": "/home/vscode/.aspnet/https/aspnetapp.pfx",
 	//    },
 	//
-	// 3. Do one of the following depending on your scenario:
-	//    * When using GitHub Codespaces and/or Remote - Containers:
-	//      1. Start the container
-	//      2. Drag ~/.aspnet/https/aspnetapp.pfx into the root of the file explorer
-	//      3. Open a terminal in VS Code and run "mkdir -p /home/vscode/.aspnet/https && mv aspnetapp.pfx /home/vscode/.aspnet/https"
+	// 3. Start the container.
+	//
+	// 4. Drag ~/.aspnet/https/aspnetapp.pfx into the root of the file explorer.
+	//
+	// 5. Open a terminal in VS Code and run "mkdir -p /home/vscode/.aspnet/https && mv aspnetapp.pfx /home/vscode/.aspnet/https".
 	//
-	//    * If only using Remote - Containers with a local container, uncomment this line instead:
-	//      "mounts": [ "source=${env:HOME}${env:USERPROFILE}/.aspnet/https,target=/home/vscode/.aspnet/https,type=bind" ],
 
 	// Use 'postCreateCommand' to run commands after the container is created.
 	// "postCreateCommand": "dotnet restore",

content/codespaces/setting-up-your-project-for-codespaces/setting-up-your-java-project-for-codespaces.md

@@ -32,7 +32,7 @@ This guide shows you how to set up your Java project in {% data variables.produc
 
   If you don’t see this option, {% data variables.product.prodname_github_codespaces %} isn't available for your project. See [Access to {% data variables.product.prodname_github_codespaces %}](/codespaces/developing-in-codespaces/creating-a-codespace#access-to-github-codespaces) for more information.
 
-When you create a codespace, your project is created on a remote VM that is dedicated to you. By default, the container for your codespace has many languages and runtimes including Java, nvm, npm, and Yarn. It also includes a common set of tools like git, wget, rsync, openssh, and nano.
+When you create a codespace, your project is created on a remote VM that is dedicated to you. By default, the container for your codespace has many languages and runtimes including Java, nvm, npm, and Yarn. It also includes a set of commonly used tools such as git, wget, rsync, openssh, and nano.
 
 {% data reusables.codespaces.customize-vcpus-and-ram %}
 

data/reusables/codespaces/codespaces-org-policies-note.md

@@ -1,5 +1,5 @@
 {% note %}
 
-**Note**: Organization policies you define for {% data variables.product.prodname_codespaces %} only apply to codespaces for which your organization will be billed. If an individual user creates a codespace for a repository in your organization, and the organization is not billed, then the codespace will not be bound by these policies. For information on how to choose who can create codespaces that are billed to your organization, see "[Enabling {% data variables.product.prodname_github_codespaces %} for your organization](/codespaces/managing-codespaces-for-your-organization/enabling-github-codespaces-for-your-organization#choose-who-can-create-codespaces-that-are-billed-to-your-organization)."
+**Note**: Codespace policies only apply to codespaces for which your organization will be billed. If an individual user creates a codespace for a repository in your organization, and the organization is not billed, then the codespace will not be bound by these policies. For information on how to choose who can create codespaces that are billed to your organization, see "[Enabling {% data variables.product.prodname_github_codespaces %} for your organization](/codespaces/managing-codespaces-for-your-organization/enabling-github-codespaces-for-your-organization#choose-who-can-create-codespaces-that-are-billed-to-your-organization)."
 
 {% endnote %}

data/reusables/codespaces/codespaces-policy-targets.md

@@ -1,11 +1,14 @@
-1. In the "Change policy target" area, click the dropdown button.
-1. Choose either **All repositories** or **Selected repositories** to determine which repositories this policy will apply to.
-1. If you chose **Selected repositories**:
+1. Click outside of the dialog box to close it.
+1. By default the policy is set to apply to all repositories, if you want it to apply only to some of the repositories in your organization, click **All repositories** and then click **Selected repositories** in the dropdown menu.
+
+   ![Screenshot of choosing 'Selected repositories'](/assets/images/help/codespaces/selected-repositories.png)
+
+   With **Selected repositories** selected:
    1. Click {% octicon "gear" aria-label="The settings icon" %}.
 
-      ![Edit the settings for the policy](/assets/images/help/codespaces/policy-edit.png)
+      ![Screenshot of the gear icon for editing the settings](/assets/images/help/codespaces/policy-edit.png)
 
    2. Select the repositories you want this policy to apply to.
    3. At the bottom of the repository list, click **Select repositories**.
 
-      ![Select repositories for this policy](/assets/images/help/codespaces/policy-select-repos.png)
+      ![Screenshot of selected repositories for this policy](/assets/images/help/codespaces/policy-select-repos.png)