Update IP allow lists documentation for public resources (#58344)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>

Author: 4 people

data/reusables/identity-and-permissions/ip-allow-lists-example-and-restrictions.md

@@ -1,9 +1,17 @@
 For example, you can allow access to the private resources exclusively from the IP address of your office network.
 
-After you configure an IP allow list, the list determines whether users can access protected resources through the web UI, APIs, or Git, using any of the following authentication methods:
+Once you configure a {% data variables.product.github %} IP allow list, the list determines whether users or apps can access protected resources through the web UI, APIs, or Git when they use any of the following authentication methods. 
 
-* Username and password, using {% data variables.product.prodname_dotcom %} authentication or SAML SSO
+**Interactive (web) authentication:**
+* User authentication, including {% data variables.product.prodname_dotcom %} authentication, SAML, and OIDC authentication
+
+**Non-interactive authentication:**
 * {% data variables.product.pat_generic_caps %}
-* SSH key
+* OAuth app tokens
+* SSH keys (including deploy keys and SSH keys used by {% data variables.product.prodname_github_apps %}
+* {% data variables.product.prodname_github_app %} user-to-server or installation tokens, including the {% data variables.product.prodname_actions %}`GITHUB_TOKEN`
+
+  > [!NOTE]
+  > IP allow lists don't currently restrict access when a {% data variables.product.prodname_github_app %} is installed on a user account and uses server-to-server installation tokens to access an organization or enterprise.
 
 The IP allow list applies to users with any role or access, including enterprise and organization owners, repository administrators, and external collaborators.

data/reusables/identity-and-permissions/ip-allow-lists-which-resources-are-protected.md

@@ -4,12 +4,19 @@ IP allow lists **do** restrict access to:
 
 * Organization-owned repositories
 * Private and internal repositories
-* Public resources, when a user is signed into {% data variables.product.prodname_dotcom %}
+* Public resources, when a user is signed into {% data variables.product.prodname_dotcom %} (including non-interactive authentication methods such as:
+  * {% data variables.product.pat_generic_caps %}
+  * OAuth app tokens
+  * SSH keys, including deploy keys
+  * {% data variables.product.prodname_github_app %} user-to-server or installation tokens, including the {% data variables.product.prodname_actions %}`GITHUB_TOKEN`
+    > [!NOTE]
+    > Excluding installation tokens used by a {% data variables.product.prodname_github_app %} which is installed on a user account.
 * Raw URLs for files in repositories, such as `https://raw.githubusercontent.com/octo-org/octo-repo/main/README.md?token=ABC10001`
 
 IP allow lists do **not** restrict access to:
 
 * Repositories, including forks, owned by {% data variables.enterprise.prodname_managed_users %}
 * Public resources, when accessed anonymously
+* A {% data variables.product.prodname_github_app %} (server-to-server) installation token when the {% data variables.product.prodname_github_app %} is installed on a user account.
 * {% data variables.product.prodname_copilot %} features that do not require directly fetching private or organizational data from {% data variables.product.prodname_dotcom %}
 * Anonymized URLs for images and videos uploaded to issues or pull requests, such as `https://private-user-images.githubusercontent.com/10001/20002.png?jwt=ABC10001`, unless you use {% data variables.enterprise.data_residency %}