repo sync #18898
Merged
merged 5 commits into from
Jun 30, 2022
19 changes: 19 additions & 0 deletions data/release-notes/enterprise-server/3-2/15.yml
@@ -0,0 +1,19 @@
date: '2022-06-28'
sections:
security_fixes:
- "**MEDIUM**: Ensures that `github.company.com` and `github-company.com` are not evaluated by internal services as identical hostnames, preventing a potential server-side security forgery (SSRF) attack."
- "**LOW**: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access."
- Packages have been updated to the latest security versions.
bugs:
- In some cases, site administrators were not automatically added as enterprise owners.
- After merging a branch into the default branch, the "History" link for a file would still link to the previous branch instead of the target branch.
changes:
- Creating or updating check runs or check suites could return `500 Internal Server Error` if the value for certain fields, like the name, was too long.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
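Review bot: the MEDIUM entry expands SSRF as "server-side security forgery"; the acronym stands for server-side request forgery, so the line should read "preventing a potential server-side request forgery (SSRF) attack". The LOW entry also describes the vulnerability rather than the fix ("An attacker could access the Management Console with a path traversal attack via HTTP ..."), unlike the neighbouring "Ensures that ..." wording; rephrase it to state what was fixed.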
21 changes: 21 additions & 0 deletions data/release-notes/enterprise-server/3-3/10.yml
@@ -0,0 +1,21 @@
date: '2022-06-28'
sections:
security_fixes:
- "**MEDIUM**: Ensures that `github.company.com` and `github-company.com` are not evaluated by internal services as identical hostnames, preventing a potential server-side security forgery (SSRF) attack."
- "**LOW**: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access."
- Packages have been updated to the latest security versions.
bugs:
- In some cases, site administrators were not automatically added as enterprise owners.
- After merging a branch into the default branch, the "History" link for a file would still link to the previous branch instead of the target branch.
changes:
- Creating or updating check runs or check suites could return `500 Internal Server Error` if the value for certain fields, like the name, was too long.
known_issues:
- After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command.
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- '{% data variables.product.prodname_actions %} storage settings cannot be validated and saved in the {% data variables.enterprise.management_console %} when "Force Path Style" is selected, and must instead be configured with the `ghe-actions-precheck` command line utility.'
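Review bot: the single `changes` entry ("Creating or updating check runs or check suites could return `500 Internal Server Error` if the value for certain fields, like the name, was too long.") describes a defect rather than a change in behaviour and belongs under `bugs`, or should be reworded to state what now happens for over-long field values. The same "server-side security forgery" mis-expansion of SSRF appears in this file's MEDIUM entry and should be corrected to "server-side request forgery" here too.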
1 change: 1 addition & 0 deletions data/release-notes/enterprise-server/3-4/3.yml
Expand Up @@ -18,6 +18,7 @@ sections:
- When using GitHub Enterprise Importer to import a repository, some issues would fail to import due to incorrectly configured project timeline events.
- When using `ghe-migrator`, a migration would fail to import video file attachments in issues and pull requests.
- 'The Releases page would return a 500 error when the repository has tags that contain non-ASCII characters. [Updated: 2022-06-10]'
- 'Upgrades would sometimes fail while migrating dependency graph data. [Updated: 2022-06-30]'
changes:
- In high availability configurations, clarify that the replication overview page in the Management Console only displays the current replication configuration, not the current replication status.
- The Nomad allocation timeout for Dependency Graph has been increased to ensure post-upgrade migrations can complete.
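Review bot: the new `bugs` entry ("Upgrades would sometimes fail while migrating dependency graph data.") and the existing `changes` entry in the trailing context ("The Nomad allocation timeout for Dependency Graph has been increased to ensure post-upgrade migrations can complete.") describe the same fix from two sides; consider mentioning the timeout increase in the bug entry so cause and fix are visible in one place. The single quotes are needed, as on the line above, because the ": " inside "[Updated: 2022-06-30]" would otherwise make YAML parse the plain scalar as a mapping.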
34 changes: 34 additions & 0 deletions data/release-notes/enterprise-server/3-4/5.yml
@@ -0,0 +1,34 @@
date: '2022-06-28'
sections:
security_fixes:
- "**MEDIUM**: Prevents an attack where an `org` query string parameter can be specified for a GitHub Enterprise Server URL that then gives access to another organization's active committers."
- "**MEDIUM**: Ensures that `github.company.com` and `github-company.com` are not evaluated by internal services as identical hostnames, preventing a potential server-side security forgery (SSRF) attack."
- "**LOW**: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access."
- Packages have been updated to the latest security versions.
bugs:
- Files inside an artifact archive were unable to be opened after decompression due to restrictive permissions.
- Redis timeouts no longer halt database migrations while running `ghe-config-apply`.
- Background job processors would get stuck in a partially shut-down state, resulting in certain kinds of background jobs (like code scanning) appearing stuck.
- In some cases, site administrators were not automatically added as enterprise owners.
- A rendering issue could affect the dropdown list for filtering secret scanning alerts in a repository.
changes:
- Improved the performance of Dependabot version updates after first enabled.
- The GitHub Pages build and synchronization timeouts are now configurable in the Management Console.
- Creating or updating check runs or check suites could return `500 Internal Server Error` if the value for certain fields, like the name, was too long.
- When [deploying cache-server nodes](/admin/enterprise-management/caching-repositories/configuring-a-repository-cache#configuring-a-repository-cache), it is now mandatory to describe the datacenter topology (using the `--datacenter` argument) for every node in the system. This requirement prevents situations where leaving datacenter membership set to "default" leads to workloads being inappropriately balanced across multiple datacenters.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- |
After registering a self-hosted runner with the `--ephemeral` parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]
- |
When using SAML encrypted assertions with {% data variables.product.prodname_ghe_server %} 3.4.0 and 3.4.1, a new XML attribute `WantAssertionsEncrypted` in the `SPSSODescriptor` contains an invalid attribute for SAML metadata. IdPs that consume this SAML metadata endpoint may encounter errors when validating the SAML metadata XML schema. A fix will be available in the next patch release. [Updated: 2022-04-11]

To work around this problem, you can take one of the two following actions.
- Reconfigure the IdP by uploading a static copy of the SAML metadata without the `WantAssertionsEncrypted` attribute.
- Copy the SAML metadata, remove `WantAssertionsEncrypted` attribute, host it on a web server, and reconfigure the IdP to point to that URL.
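Review bot: the last `known_issues` entry says the `WantAssertionsEncrypted` SAML metadata problem affects 3.4.0 and 3.4.1 and that "A fix will be available in the next patch release", but this file is the 3.4.5 release note, so that sentence is stale here; either state which release carried the fix or drop the entry from this version's known issues. Minor: "Improved the performance of Dependabot version updates after first enabled" reads awkwardly; "when first enabled", as the 3.5 notes in this PR put it, is clearer.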
35 changes: 35 additions & 0 deletions data/release-notes/enterprise-server/3-5/2.yml
@@ -0,0 +1,35 @@
date: '2022-06-28'
sections:
security_fixes:
- "**MEDIUM**: Prevents an attack where an `org` query string parameter can be specified for a GitHub Enterprise Server URL that then gives access to another organization's active committers."
- "**MEDIUM**: Ensures that `github.company.com` and `github-company.com` are not evaluated by internal services as identical hostnames, preventing a potential server-side security forgery (SSRF) attack."
- "**LOW**: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access."
- Packages have been updated to the latest security versions.
bugs:
- Files inside an artifact archive were unable to be opened after decompression due to restrictive permissions.
- In some cases, packages pushed to the Container registry were not visible in GitHub Enterprise Server's web UI.
- Management Console would appear stuck on the _Starting_ screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5.
- Redis timeouts no longer halt database migrations while running `ghe-config-apply`.
- Background job processors would get stuck in a partially shut-down state, resulting in certain kinds of background jobs (like code scanning) appearing stuck.
- In some cases, site administrators were not automatically added as enterprise owners.
- Actions workflows calling other reusable workflows failed to run on a schedule.
- Resolving Actions using GitHub Connect failed briefly after changing repository visibility from public to internal.
changes:
- Improved the performance of Dependabot Updates when first enabled.
- Increase maximum concurrent connections for Actions runners to support [the GHES performance target](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server#review-hardware-requirements).
- The GitHub Pages build and synchronization timeouts are now configurable in the Management Console.
- Added environment variable to configure Redis timeouts.
- Creating or updating check runs or check suites could return `500 Internal Server Error` if the value for certain fields, like the name, was too long.
- Improves performance in pull requests' "Files changed" tab when the diff includes many changes.
- The Actions repository cache usage policy no longer accepts a maximum value less than 1 for [`max_repo_cache_size_limit_in_gb`](/rest/actions/cache#set-github-actions-cache-usage-policy-for-an-enterprise).
- When [deploying cache-server nodes](/admin/enterprise-management/caching-repositories/configuring-a-repository-cache#configuring-a-repository-cache), it is now mandatory to describe the datacenter topology (using the `--datacenter` argument) for every node in the system. This requirement prevents situations where leaving datacenter membership set to "default" leads to workloads being inappropriately balanced across multiple datacenters.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
- 'Deleted repositories will not be purged from disk automatically after the 90-day retention period ends. This issue is resolved in the 3.5.1 release. [Updated: 2022-06-10]'
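Review bot: the final `known_issues` entry ("Deleted repositories will not be purged from disk automatically ... This issue is resolved in the 3.5.1 release.") contradicts itself in a 3.5.2 release note: if it was resolved in 3.5.1 it is no longer a known issue for 3.5.2 and should be removed rather than carried forward. Also, the "Users can search GitHub.com" entry uses literal "GitHub Connect" and "GitHub.com" where the other files in this PR use `{% data variables.product.prodname_github_connect %}` and `{% data variables.product.prodname_dotcom_the_website %}`; use the variables here for consistency.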
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-cn-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-cn.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-en-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-en.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-es-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-es.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-ja-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-ja.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-pt-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.1-pt.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-cn-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-cn.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-en-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-en.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-es-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-es.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-ja-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-ja.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-pt-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.2-pt.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.3-cn-records.json.br
Git LFS file not shown
4 changes: 2 additions & 2 deletions lib/search/indexes/github-docs-3.3-cn.json.br
Git LFS file not shown