review comments are addressed

src/content/docs/service-architecture-intelligence/github-integrations/github-enterprise-integration.mdx

@@ -14,9 +14,10 @@ freshnessValidatedDate: never
   This feature is currently provided as part of a preview program pursuant to our [pre-release policies](/docs/licenses/license-information/referenced-policies/new-relic-pre-release-policy).
 </Callout>
 
-Are you looking to gain deeper insights into your service architecture by leveraging data from your on-premise GitHub Enterprise account? The New Relic GitHub Enterprise integration imports repositories, teams, and user data directly into the New Relic platform using a secure collector service deployed within your private network.
+Are you looking to gain deeper insights into your service architecture by leveraging data from your on-premise GitHub Enterprise account? The New Relic GitHub Enterprise integration imports repositories, and teams directly into the New Relic platform using a secure collector service deployed within your private network.
+
+With the new selective data fetching feature, you can choose exactly which data types to import—whether it's teams, repositories and pull requests, or both. This integration aims to enhance the management and visibility of Teams, Catalogs and Scorecards within New Relic. For more information, refer to the Service Architecture Intelligence capability.
 
-This integration streamlines the onboarding process for users and teams while simplifying role management. It also clarifies entity ownership mapping, reducing setup time and effort. Due to the restricted nature of GHE environments, integration is achieved via a local collector service deployed within your private network. This integration aims to enhance the management and visibility of [Catalogs](/docs/service-architecture-intelligence/catalogs/catalogs) and [Scorecards](/docs/service-architecture-intelligence/scorecards/getting-started) within New Relic. For more information, refer to the [Service Architecture Intelligence capability](/docs/service-architecture-intelligence/getting-started).
 
 **Prerequisites**
 
@@ -34,27 +35,132 @@ In your GHE instance, navigate to **Settings → Developer Settings → GitHub A
 
 ### Configure permissions
 
-Set the specific permissions required for the app to perform real-time and initial data syncs. For detailed guidance on GitHub App permissions, refer to the [GitHub documentation on setting permissions for GitHub Apps](https://docs.github.com/en/apps/creating-github-apps/setting-up-a-github-app/setting-permissions-for-github-apps).
-
-**Required Repository Permissions**:
-- **Contents**: Read (to access repository files and content)
-- **Metadata**: Read (to access basic repository information)
-- **Issues**: Read (to access issue data)
-- **Pull requests**: Read (to access pull request data)
-- **Repository security advisories**: Read (to access security information)
-
-**Required Organization Permissions**:
-- **Members**: Read (to access organization member information)
-- **Organization administration**: Read (to access organization settings)
-- **Team discussions**: Read (to access team information)
+When integrating a GitHub application, it's essential to configure app permissions accurately to ensure seamless data fetching during the initial sync and efficient listening to webhook events thereafter. App permissions define the scope of access that the application has to various repository and organizational resources on GitHub. By tailoring these permissions, you can enhance security, ensuring that the application only accesses the necessary data while minimizing exposure. Proper configuration facilitates smooth initial data synchronization and reliable event handling, optimizing the application's integration with GitHub's ecosystem.
+
+For detailed guidance on GitHub App permissions, refer to the [GitHub documentation on setting permissions for GitHub Apps](https://docs.github.com/en/apps/creating-github-apps/setting-up-a-github-app/setting-permissions-for-github-apps).
+
+#### Required repository permissions
+
+Configure the following repository-level permissions exactly as shown to enable data synchronization:
+
+- **Administration**: Read-only ✓
+- **Checks**: Read-only ✓
+- **Commit statuses**: Selected ✓
+- **Contents**: Selected ✓
+- **Custom properties**: Selected ✓
+- **Deployments**: Read-only ✓
+- **Metadata**: Read-only (mandatory) ✓
+- **Pull requests**: Selected ✓
+- **Webhooks**: Read-only ✓
+
+**Leave these permissions as "No access":**
+- Actions
+- Attestations
+- Code scanning alerts
+- Codespaces
+- Codespaces lifecycle admin
+- Codespaces metadata
+- Codespaces secrets
+- Dependabot alerts
+- Dependabot secrets
+- Discussions
+- Environments
+- Issues
+- Merge queues
+- Packages
+- Pages
+- Projects
+- Repository security advisories
+- Secret scanning alert dismissal requests
+- Secret scanning alerts
+- Secret scanning push protection bypass requests
+- Secrets
+- Single file
+- Variables
+- Workflows
+
+#### Required organization permissions
+
+Configure the following organization-level permissions exactly as shown:
+
+- **Administration**: Read-only ✓
+- **Custom organization roles**: Selected ✓
+- **Custom properties**: Selected ✓
+- **Custom repository roles**: Selected ✓
+- **Events**: Selected ✓
+- **Members**: Selected ✓
+- **Webhooks**: Selected ✓
+
+**Leave these permissions as "No access":**
+- Blocking users
+- Organization announcement banners
+- Organization codespaces
+- Organization codespaces secrets
+- Organization codespaces settings
+- Organization dependabot secrets
+- Organization hooks
+- Organization packages
+- Organization plan
+- Organization projects
+- Organization secrets
+- Organization self hosted runners
+- Plan
+- Team discussions
+
+#### Required account permissions
+
+Enable account-level access for user identification:
 
-**Required Account Permissions**:
 - **Email addresses**: Read (to access user email information)
 
-**Subscribe to Events**: Enable the following webhook events for real-time synchronization:
-- Repository events: `repository`, `push`, `pull_request`, `issues`
-- Organization events: `organization`, `team`, `membership`
-- Security events: `repository_vulnerability_alert`, `security_advisory`
+#### Webhook event subscriptions
+
+Select the following webhook events exactly as shown for real-time synchronization and monitoring:
+
+**✓ Select these events:**
+- `commit_comment` - Comments on commits
+- `create` - Branch or tag creation
+- `custom_property` - Custom property changes for team assignments
+- `delete` - Branch or tag deletion
+- `deployment` - Deployment activities
+- `deployment_review` - Deployment review processes
+- `deployment_status` - Deployment status updates
+- `installation_target` - GitHub App installation changes
+- `member` - Member profile changes
+- `membership` - Member additions and removals
+- `organization` - Organization-level changes
+- `pull_request` - Pull request activities
+- `pull_request_review` - Pull request review activities
+- `pull_request_review_comment` - Review comment activities
+- `push` - Code pushes and commits
+- `repository` - Repository creation, deletion, and modifications
+- `team` - Team creation and modifications
+- `team_add` - Team member additions
+
+**Leave these events unselected:**
+- `branch_protection_configuration`
+- `check_run`
+- `fork`
+- `gollum`
+- `issues`
+- `label`
+- `merge_queue_entry`
+- `meta`
+- `milestone`
+- `public`
+- `release`
+- `repository_dispatch`
+- `repository_ruleset`
+- `security_and_analysis`
+- `star`
+- `status`
+- `watch`
+- `workflow_dispatch`
+- `workflow_job`
+
+<Callout variant="tip">
+**Security best practice**: Only enable the minimum permissions required for your integration needs. This reduces security exposure and follows the principle of least privilege access.
+</Callout>
 
 ### Set up webhooks
 
@@ -67,23 +173,29 @@ Configure the Webhook URL and create a custom Event Secret for secure communicat
   **Example**: If your collector service is deployed at `collector.yourcompany.com`, the webhook URL would be:
   `https://collector.yourcompany.com:8443/webhook`
 
-- **Event Secret**: Generate a secure random string (32+ characters) for webhook authentication. Save this value as you'll need it for the `EVENT_SECRET` environment variable.
+- **Event Secret**: Generate a secure random string (32+ characters) for webhook authentication. Save this value as you'll need it for the `GITHUB_APP_WEBHOOK_SECRET` environment variable.
 
 ### Generate and convert keys
 
 1. Upon creation, the app will generate a unique App ID and a Private Key file (.pem format). Save these securely as they will be needed for the collector service configuration.
 
-2. Convert your downloaded private key file to Base64 format using the following command:
+2. Convert your downloaded private key file to DER format and then encode it in Base64:
 
+   **Step 1: Convert .pem to DER format**
+   ```bash
+   openssl rsa -outform der -in private-key.pem -out output.der
+   ```
+
+   **Step 2: Encode the DER file in Base64**
    ```bash
    # For Linux/macOS
-   base64 your-private-key.pem
+   base64 -i output.der -o outputBase64
 
    # For Windows (using PowerShell)
-   [Convert]::ToBase64String([IO.File]::ReadAllBytes("your-private-key.pem"))
+   [Convert]::ToBase64String([IO.File]::ReadAllBytes("output.der"))
 
    # Alternative for Windows (using certutil)
-   certutil -encode your-private-key.pem temp.b64 && findstr /v /c:- temp.b64
+   certutil -encode output.der temp.b64 && findstr /v /c:- temp.b64
    ```
 
    Copy the resulting Base64 string and use it as the value for `GITHUB_APP_PRIVATE_KEY` environment variable in your collector configuration.
@@ -132,7 +244,7 @@ Before deploying the collector service, gather the following information:
       <td>The content of the private key (`.pem`) file, converted to a Base64 string. See step 1 for conversion instructions.</td>
     </tr>
     <tr>
-      <td>`EVENT_SECRET`</td>
+      <td>`GITHUB_APP_WEBHOOK_SECRET`</td>
       <td>GitHub App</td>
       <td>The custom Event Secret value you set when creating the GitHub App.</td>
     </tr>
@@ -222,61 +334,36 @@ Create a Docker Compose file that automates the download and deployment of the s
 
    services:
      nr-ghe-collector:
-       image: newrelic/nr-ghe-collector:latest
+       image: newrelic/nr-ghe-collector:tag # use latest tag available in dockerhub starting with v*
        container_name: nr-ghe-collector
        restart: unless-stopped
        ports:
-         - "8080:8080"     # HTTP port
-         - "8443:8443"     # HTTPS port (when SSL is configured)
+         - "8080:8080"     # HTTP port, make 8443 in case of HTTPS
        environment:
          # Required environment variables
-         - NR_API_KEY=${NR_API_KEY}
-         - NR_LICENSE_KEY=${NR_LICENSE_KEY}
-         - GHE_BASE_URL=${GHE_BASE_URL}
-         - GITHUB_APP_ID=${GITHUB_APP_ID}
-         - GITHUB_APP_PRIVATE_KEY=${GITHUB_APP_PRIVATE_KEY}
-         - EVENT_SECRET=${EVENT_SECRET}
+         - NR_API_KEY=${NR_API_KEY:-DEFAULT_VALUE}
+         - NR_LICENSE_KEY=${NR_LICENSE_KEY:-DEFAULT_VALUE}
+         - GHE_BASE_URL=${GHE_BASE_URL:-DEFAULT_VALUE}
+         - GITHUB_APP_ID=${GITHUB_APP_ID:-DEFAULT_VALUE}
+         - GITHUB_APP_PRIVATE_KEY=${GITHUB_APP_PRIVATE_KEY:-DEFAULT_VALUE}
+         - GITHUB_APP_WEBHOOK_SECRET=${GITHUB_APP_WEBHOOK_SECRET:-DEFAULT_VALUE}
 
          # Optional SSL environment variables (uncomment and configure if using HTTPS)
          # - SERVER_SSL_KEY_STORE=${SERVER_SSL_KEY_STORE}
          # - SERVER_SSL_KEY_STORE_PASSWORD=${SERVER_SSL_KEY_STORE_PASSWORD}
          # - SERVER_SSL_KEY_STORE_TYPE=${SERVER_SSL_KEY_STORE_TYPE}
          # - SERVER_SSL_KEY_ALIAS=${SERVER_SSL_KEY_ALIAS}
          # - SERVER_PORT=8443
-       volumes:
-         # Uncomment the line below if using SSL keystore
-         # - /path/to/your/keystore.p12:/app/keystore.p12:ro
-         - collector-data:/app/data
-       networks:
-         - ghe-network
-
-   volumes:
-     collector-data:
+       #volumes: # Uncomment the line below if using SSL keystore
+       #  - ./keystore.p12:/app/keystore.p12 # path to your keystore file
+       network_mode: bridge
 
    networks:
-     ghe-network:
+     nr-network:
        driver: bridge
    ```
 
-2. Create a `.env` file in the same directory with your environment variables:
-
-   ```bash
-   # New Relic Configuration
-   NR_API_KEY=your_newrelic_api_key
-   NR_LICENSE_KEY=your_newrelic_license_key
-
-   # GitHub Enterprise Configuration
-   GHE_BASE_URL=https://your-ghe-server.com
-   GITHUB_APP_ID=your_github_app_id
-   GITHUB_APP_PRIVATE_KEY=your_base64_encoded_private_key
-   EVENT_SECRET=your_github_app_event_secret
-
-   # SSL Configuration (uncomment if using HTTPS)
-   # SERVER_SSL_KEY_STORE=/app/keystore.p12
-   # SERVER_SSL_KEY_STORE_PASSWORD=your_keystore_password
-   # SERVER_SSL_KEY_STORE_TYPE=PKCS12
-   # SERVER_SSL_KEY_ALIAS=your_key_alias
-   ```
+2. Set your environment variables by replacing the `DEFAULT_VALUE` placeholders in the Docker Compose file with your actual values, or create environment variables on your system before running the command.
 
 3. Run the following command to start the service:
 
@@ -308,7 +395,7 @@ After the collector service is running, you need to install the GitHub App on th
 <Step>
 ## Access New Relic UI
 
-Once the collector service is running and the GitHub App is installed on your GHE organization(s), complete the integration setup in New Relic:
+Once the collector service is running and the GitHub App is installed on your GHE organization(s), complete the integration setup as instructed in the New Relic UI:
 
 1. The corresponding GHE organizations will appear in the New Relic UI.
 2. Click **First time sync** to start the initial data synchronization.