Patch release notes for GitHub Enterprise Server (#40494)

release-controller[bot] · Release-Controller · rachaelrenk · web-flow · commit cdee2db701d7 · 2023-08-10T15:48:52.000Z
Co-authored-by: Release-Controller &lt;runner@fv-az225-545.nn523fotaqjeti0rucxshd1u2e.jx.internal.cloudapp.net&gt;
Co-authored-by: Rachael Rose Renk &lt;91027132+rachaelrenk@users.noreply.github.com&gt;
Co-authored-by: Vanessa &lt;vgrl@github.com&gt;
diff --git a/data/release-notes/enterprise-server/3-6/17.yml b/data/release-notes/enterprise-server/3-6/17.yml
@@ -0,0 +1,46 @@
+date: '2023-08-10'
+sections:
+  security_fixes:
+    - |
+      **LOW:**  An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). 
+    - |
+      Packages have been updated to the latest security versions. 
+  bugs:
+    - | 
+      On an instance in a high availability configuration, on some platforms, replication could perform poorly over links with very high latency. 
+    - |
+      On an instance with custom firewall rules defined, a configuration run with `ghe-config-apply` could take longer than expected. 
+    - |
+      Events related to repository notifications did not appear in the audit log. 
+    - |
+      A collaborator with the "Set the social preview" permission inherited from the "Read" role couldnt upload the social preview image of a repository. 
+    - |
+      On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories. 
+    - |
+      GitHub Enterprise Server was queuing zip jobs unnecessarily. 
+  changes:
+    - |
+      The secondary abuse rate limits of the GraphQL API are now configurable in the Management Console. 
+    - |
+      The description of the `ghe-cluster-balance` command line utility clarifies that it can be used to balance jobs other than `github-unicorn`. 
+    - |
+      Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. 
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+    - |
+      The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - |
+      In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
+    - |
+      Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
+    - |
+      {% data reusables.release-notes.repository-inconsistencies-errors %}
+    - |
+      On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
+    - |
+      If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+    - |
+      When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
diff --git a/data/release-notes/enterprise-server/3-7/15.yml b/data/release-notes/enterprise-server/3-7/15.yml
@@ -0,0 +1,56 @@
+date: '2023-08-10'
+sections:
+  security_fixes:
+    - |
+      **LOW:**  An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). 
+    - |
+      In some cases, users could reopen a pull request that should not have been able to be reopened. 
+    - |
+      Packages have been updated to the latest security versions. 
+  bugs:
+    - |
+      In rare circumstances, Git commits signed with SSH keys using the RSA algorithm would incorrectly indicate the signature was invalid. 
+    - |
+      Issues with cross references to pull requests from deleted accounts would not load. 
+    - |
+      The site admin page for organizations erroneously included a "Blocked Copilot Repositories" link. 
+    - |
+      The checks in the merge box for a pull request did not always match the the checks for the most recent commit in the pull request. 
+    - |
+      When a site administrator used GitHub Enterprise Importer on versions 3.7 and below to migrate repositories from GitHub Enterprise Server, the system backup size would increase after running many migrations due to storage files not being cleaned up. 
+    - |
+      API results were incomplete, and ordering of results was incorrect if `asc` or `desc` appeared in lowercase within the API query. 
+    - | 
+      A collaborator with the "Set the social preview" permission inherited from the "Read" role couldnt upload the social preview image of a repository. 
+    - |
+      In some cases, on an instance with GitHub Actions enabled, deployment of GitHub Pages site using a GitHub Actions workflow failed with a status of `deployment_lost`. 
+    - |
+      On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories. 
+    - | 
+      GitHub Enterprise Server was queuing zip jobs unnecessarily. 
+  changes:
+    - |
+      The description of the `ghe-cluster-balance` command line utility clarifies that it can be used to balance jobs other than `github-unicorn`. 
+    - |
+      Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. 
+    - |
+      Site administrators can see improved diagnostic information about repositories that have been deleted. 
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - |
+      In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
+    - |
+      Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
+    - |
+      {% data reusables.release-notes.repository-inconsistencies-errors %}
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
+    - |
+      If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+    - |
+      When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
diff --git a/data/release-notes/enterprise-server/3-8/8.yml b/data/release-notes/enterprise-server/3-8/8.yml
@@ -0,0 +1,48 @@
+date: '2023-08-10'
+sections:
+  security_fixes:
+    - |
+      **LOW:**  An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). 
+    - |
+      Packages have been updated to the latest security versions. 
+  bugs:
+    - |
+      API results were incomplete, and ordering of results was incorrect if `asc` or `desc` appeared in lowercase within the API query. 
+    - |
+      The checks in the merge box for a pull request did not always match the the checks for the most recent commit in the pull request. 
+    - |
+      When a site administrator used GitHub Enterprise Importer on versions 3.7 and below to migrate repositories from GitHub Enterprise Server, the system backup size would increase after running many migrations due to storage files not being cleaned up. 
+    - |
+      A collaborator with the "Set the social preview" permission inherited from the "Read" role couldnt upload the social preview image of a repository. 
+    - |
+      When running the `ghe-migrator`, certain error messages contained an invalid link to import documentation. 
+    - |
+      In some cases, on an instance with GitHub Actions enabled, deployment of GitHub Pages site using a GitHub Actions workflow failed with a status of `deployment_lost`. 
+    - |
+      On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories. 
+    - |
+      GitHub Enterprise Server was queuing zip jobs unnecessarily. 
+  changes:
+    - |
+      The description of the `ghe-cluster-balance` command line utility clarifies that it can be used to balance jobs other than `github-unicorn`. 
+    - |
+      On GitHub Enterprise Server 3.8 and above, a blob storage provider must be configured in the Management Console in order to use the GitHub Enterprise Importer CLI, "startRepositoryMigration" GraphQL API, or "Start an organization migration" REST API. The "Migrations" section in the Management Console was mistakenly removed and has been added back. 
+    - |
+      Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. 
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[Troubleshooting access to the Management Console](https://docs.github.com/en/enterprise-server@3.8/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." [Updated: 2023-02-23]
+    - |
+      On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
+    - |
+      If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+    - |
+      When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
+    - |
+      On an instance with subdomain isolation disabled, Mermaid diagrams in the web UI display an "Unable to render rich display" error and fail to render.
diff --git a/data/release-notes/enterprise-server/3-9/3.yml b/data/release-notes/enterprise-server/3-9/3.yml
@@ -0,0 +1,52 @@
+date: '2023-08-10'
+intro: |
+  {% warning %}
+
+  **Warning**: This release contains known issues that can impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.1-known-issues)" section of these release notes.
+  
+  {% endwarning %}
+sections:
+  security_fixes:
+    - |
+      **LOW:**  An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). 
+  bugs:
+    - |
+      API results were incomplete, and ordering of results was incorrect if `asc` or `desc` appeared in lowercase within the API query. 
+    - |
+      The checks in the merge box for a pull request did not always match the the checks for the most recent commit in the pull request. 
+    - |
+      When a site administrator used GitHub Enterprise Importer on versions 3.7 and below to migrate repositories from GitHub Enterprise Server, the system backup size would increase after running many migrations due to storage files not being cleaned up. 
+    - |
+      A collaborator with the "Set the social preview" permission inherited from the "Read" role could not upload the social preview image of a repository. 
+    - |
+      The security settings page for a repository would return an error when enterprise-level runners were assigned to the repository. 
+    - |
+      GitHub Enterprise Server was queuing zip jobs unnecessarily. 
+  changes:
+    - |
+      On GitHub Enterprise Server 3.8 and above, a blob storage provider must be configured in the Management Console in order to use the GitHub Enterprise Importer CLI, "startRepositoryMigration" GraphQL API, or "Start an organization migration" REST API. The "Migrations" section in the Management Console was mistakenly removed and has been added back. 
+    - |
+      Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. 
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[Troubleshooting access to the Management Console](https://docs.github.com/en/enterprise-server@3.8/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." [Updated: 2023-02-23]
+    - |
+      On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
+    - |
+      If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+    - |
+      When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
+    - |
+      The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
+    - |
+      On an instance with subdomain isolation disabled, Mermaid diagrams in the web UI display an "Unable to render rich display" error and fail to render.
+    - |
+      When enabling CodeQL via default setup [at scale](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale), some checks related to GitHub Actions are omitted, potentially preventing the process from completing.
+    - |
+      {% data reusables.release-notes.upgrade-mysql8-cannot-start-up %}
