diff --git a/content/rest/actions/artifacts.md b/content/rest/actions/artifacts.md index d97273483ee3..5cc2c8746cd4 100644 --- a/content/rest/actions/artifacts.md +++ b/content/rest/actions/artifacts.md @@ -19,6 +19,4 @@ autogenerated: rest You can use the REST API to download, delete, and retrieve information about workflow artifacts in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-artifacts %} For more information, see "[AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts)." -{% data reusables.actions.actions-authentication %} {% data reusables.actions.actions-app-actions-permissions-api %} - diff --git a/content/rest/actions/index.md b/content/rest/actions/index.md index 76758c88d306..ead2b8eb9045 100644 --- a/content/rest/actions/index.md +++ b/content/rest/actions/index.md @@ -28,6 +28,4 @@ children: autogenerated: rest --- -You can use the REST API to manage and control {% data variables.product.prodname_actions %} for an organization or repository. {% data reusables.actions.actions-authentication %} {% data variables.product.prodname_github_apps %} require the permissions mentioned in each endpoint. For more information, see "[AUTOTITLE](/actions)." - diff --git a/content/rest/actions/oidc.md b/content/rest/actions/oidc.md index ad90d32457ed..804864955389 100644 --- a/content/rest/actions/oidc.md +++ b/content/rest/actions/oidc.md @@ -14,6 +14,8 @@ versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖 autogenerated: rest --- +## About {% data variables.product.prodname_actions %} OIDC +You can use the REST API to query and manage a customization template for an OpenID Connect (OIDC) subject claim. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)." diff --git a/content/rest/actions/secrets.md b/content/rest/actions/secrets.md index 405362249802..091eaedd04d3 100644 --- a/content/rest/actions/secrets.md 
+++ b/content/rest/actions/secrets.md @@ -19,6 +19,4 @@ autogenerated: rest You can use the REST API to create, update, delete, and retrieve information about encrypted secrets that can be used in workflows in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-secrets %} For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets)." -{% data reusables.actions.actions-authentication %} {% data variables.product.prodname_github_apps %} must have the `secrets` permission to use these endpoints. Authenticated users must have collaborator access to a repository to create, update, or read secrets. - diff --git a/content/rest/actions/self-hosted-runners.md b/content/rest/actions/self-hosted-runners.md index 66bbb2773c3f..dece0aa6f763 100644 --- a/content/rest/actions/self-hosted-runners.md +++ b/content/rest/actions/self-hosted-runners.md @@ -17,6 +17,4 @@ autogenerated: rest You can use the REST API to register, view, and delete self-hosted runners in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-self-hosted-runners %} For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners)." -{% data reusables.actions.actions-authentication %} {% data variables.product.prodname_github_apps %} must have the `administration` permission for repositories and the `organization_self_hosted_runners` permission for organizations. Authenticated users must have admin access to repositories or organizations, or the `manage_runners:enterprise` scope for enterprises to use these endpoints. - diff --git a/content/rest/actions/variables.md b/content/rest/actions/variables.md index c6fe7cce6cbc..62c26cb5e756 100644 --- a/content/rest/actions/variables.md +++ b/content/rest/actions/variables.md 
@@ -16,8 +16,6 @@ autogenerated: rest ## About variables in {% data variables.product.prodname_actions %} -You can use the REST API to create, update, delete, and retrieve information about variables that can be used in workflows in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-variables %} - -{% data reusables.actions.actions-authentication %} {% data variables.product.prodname_github_apps %} must have the `actions_variables/environments/organization_actions_variables` permission to use these endpoints. Authenticated users must have collaborator access to a repository to create, update, or read variables. +You can use the REST API to create, update, delete, and retrieve information about variables that can be used in workflows in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-variables %} For more information, see "[AUTOTITLE](/actions/learn-github-actions/variables)" in the {% data variables.product.prodname_actions %} documentation. diff --git a/content/rest/actions/workflow-jobs.md b/content/rest/actions/workflow-jobs.md index b5fb5f20373c..2e0b356747a2 100644 --- a/content/rest/actions/workflow-jobs.md +++ b/content/rest/actions/workflow-jobs.md @@ -15,8 +15,6 @@ autogenerated: rest ## About workflow jobs in {% data variables.product.prodname_actions %} -You can use the REST API to view logs and workflow jobs in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-workflow-jobs %} For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)". - -{% data reusables.actions.actions-authentication %} {% data reusables.actions.actions-app-actions-permissions-api %} +You can use the REST API to view logs and workflow jobs in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-workflow-jobs %} For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions)." 
diff --git a/content/rest/actions/workflow-runs.md b/content/rest/actions/workflow-runs.md index d1f7a802639a..5a0f598488b9 100644 --- a/content/rest/actions/workflow-runs.md +++ b/content/rest/actions/workflow-runs.md @@ -17,6 +17,4 @@ autogenerated: rest You can use the REST API to view, re-run, cancel, and view logs for workflow runs in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-workflow-runs %} For more information, see "[AUTOTITLE](/actions/managing-workflow-runs)." -{% data reusables.actions.actions-authentication %} {% data reusables.actions.actions-app-actions-permissions-api %} - diff --git a/content/rest/actions/workflows.md b/content/rest/actions/workflows.md index 5bbdbb7d74f0..06bae857a00c 100644 --- a/content/rest/actions/workflows.md +++ b/content/rest/actions/workflows.md @@ -15,8 +15,6 @@ autogenerated: rest ## About workflows in {% data variables.product.prodname_actions %} -You can use the REST API to view workflows for a repository in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-workflows %} For more information, see "[AUTOTITLE](/actions)." - -{% data reusables.actions.actions-authentication %} {% data reusables.actions.actions-app-actions-permissions-api %} +You can use the REST API to view workflows for a repository in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-workflows %} For more information, see "[AUTOTITLE](/actions/using-workflows/about-workflows)" in the {% data variables.product.prodname_actions %} documentation. diff --git a/data/release-notes/enterprise-server/3-6/17.yml b/data/release-notes/enterprise-server/3-6/17.yml new file mode 100644 index 000000000000..ca7348b080c2 --- /dev/null +++ b/data/release-notes/enterprise-server/3-6/17.yml 
@@ -0,0 +1,46 @@ +date: '2023-08-10' +sections: + security_fixes: + - | + **LOW:** An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + Packages have been updated to the latest security versions. + bugs: + - | + On an instance in a high availability configuration, on some platforms, replication could perform poorly over links with very high latency. + - | + On an instance with custom firewall rules defined, a configuration run with `ghe-config-apply` could take longer than expected. + - | + Events related to repository notifications did not appear in the audit log. + - | + A collaborator with the "Set the social preview" permission inherited from the "Read" role couldnt upload the social preview image of a repository. + - | + On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories. + - | + GitHub Enterprise Server was queuing zip jobs unnecessarily. + changes: + - | + The secondary abuse rate limits of the GraphQL API are now configurable in the Management Console. + - | + The description of the `ghe-cluster-balance` command line utility clarifies that it can be used to balance jobs other than `github-unicorn`. + - | + Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. + - | + The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. 
We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - | + In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality. + - | + Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter. + - | + {% data reusables.release-notes.repository-inconsistencies-errors %} + - | + On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node. + - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. + - | + When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`. diff --git a/data/release-notes/enterprise-server/3-7/15.yml b/data/release-notes/enterprise-server/3-7/15.yml new file mode 100644 index 000000000000..a55f412e8a51 --- /dev/null +++ b/data/release-notes/enterprise-server/3-7/15.yml 
@@ -0,0 +1,56 @@ +date: '2023-08-10' +sections: + security_fixes: + - | + **LOW:** An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + In some cases, users could reopen a pull request that should not have been able to be reopened. + - | + Packages have been updated to the latest security versions. + bugs: + - | + In rare circumstances, Git commits signed with SSH keys using the RSA algorithm would incorrectly indicate the signature was invalid. + - | + Issues with cross references to pull requests from deleted accounts would not load. + - | + The site admin page for organizations erroneously included a "Blocked Copilot Repositories" link. + - | + The checks in the merge box for a pull request did not always match the the checks for the most recent commit in the pull request. + - | + When a site administrator used GitHub Enterprise Importer on versions 3.7 and below to migrate repositories from GitHub Enterprise Server, the system backup size would increase after running many migrations due to storage files not being cleaned up. + - | + API results were incomplete, and ordering of results was incorrect if `asc` or `desc` appeared in lowercase within the API query. + - | + A collaborator with the "Set the social preview" permission inherited from the "Read" role couldnt upload the social preview image of a repository. + - | + In some cases, on an instance with GitHub Actions enabled, deployment of GitHub Pages site using a GitHub Actions workflow failed with a status of `deployment_lost`. + - | + On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories. + - | + GitHub Enterprise Server was queuing zip jobs unnecessarily. 
+ changes: + - | + The description of the `ghe-cluster-balance` command line utility clarifies that it can be used to balance jobs other than `github-unicorn`. + - | + Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. + - | + Site administrators can see improved diagnostic information about repositories that have been deleted. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - | + In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality. + - | + Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter. + - | + {% data reusables.release-notes.repository-inconsistencies-errors %} + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node. 
+ - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. + - | + When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`. diff --git a/data/release-notes/enterprise-server/3-8/8.yml b/data/release-notes/enterprise-server/3-8/8.yml new file mode 100644 index 000000000000..6303436ab924 --- /dev/null +++ b/data/release-notes/enterprise-server/3-8/8.yml 
@@ -0,0 +1,48 @@ +date: '2023-08-10' +sections: + security_fixes: + - | + **LOW:** An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + Packages have been updated to the latest security versions. + bugs: + - | + API results were incomplete, and ordering of results was incorrect if `asc` or `desc` appeared in lowercase within the API query. + - | + The checks in the merge box for a pull request did not always match the the checks for the most recent commit in the pull request. + - | + When a site administrator used GitHub Enterprise Importer on versions 3.7 and below to migrate repositories from GitHub Enterprise Server, the system backup size would increase after running many migrations due to storage files not being cleaned up. + - | + A collaborator with the "Set the social preview" permission inherited from the "Read" role couldnt upload the social preview image of a repository. + - | + When running the `ghe-migrator`, certain error messages contained an invalid link to import documentation. + - | + In some cases, on an instance with GitHub Actions enabled, deployment of GitHub Pages site using a GitHub Actions workflow failed with a status of `deployment_lost`. + - | + On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories. + - | + GitHub Enterprise Server was queuing zip jobs unnecessarily. + changes: + - | + The description of the `ghe-cluster-balance` command line utility clarifies that it can be used to balance jobs other than `github-unicorn`. + - | + On GitHub Enterprise Server 3.8 and above, a blob storage provider must be configured in the Management Console in order to use the GitHub Enterprise Importer CLI, "startRepositoryMigration" GraphQL API, or "Start an organization migration" REST API. 
The "Migrations" section in the Management Console was mistakenly removed and has been added back. + - | + Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[Troubleshooting access to the Management Console](https://docs.github.com/en/enterprise-server@3.8/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." [Updated: 2023-02-23] + - | + On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node. + - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. 
+ - | + When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`. + - | + On an instance with subdomain isolation disabled, Mermaid diagrams in the web UI display an "Unable to render rich display" error and fail to render. diff --git a/data/release-notes/enterprise-server/3-9/3.yml b/data/release-notes/enterprise-server/3-9/3.yml new file mode 100644 index 000000000000..916b0aecc1cb --- /dev/null +++ b/data/release-notes/enterprise-server/3-9/3.yml 
@@ -0,0 +1,52 @@ +date: '2023-08-10' +intro: | + {% warning %} + + **Warning**: This release contains known issues that can impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.1-known-issues)" section of these release notes. + + {% endwarning %} +sections: + security_fixes: + - | + **LOW:** An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + bugs: + - | + API results were incomplete, and ordering of results was incorrect if `asc` or `desc` appeared in lowercase within the API query. + - | + The checks in the merge box for a pull request did not always match the the checks for the most recent commit in the pull request. + - | + When a site administrator used GitHub Enterprise Importer on versions 3.7 and below to migrate repositories from GitHub Enterprise Server, the system backup size would increase after running many migrations due to storage files not being cleaned up. + - | + A collaborator with the "Set the social preview" permission inherited from the "Read" role could not upload the social preview image of a repository. + - | + The security settings page for a repository would return an error when enterprise-level runners were assigned to the repository. + - | + GitHub Enterprise Server was queuing zip jobs unnecessarily. + changes: + - | + On GitHub Enterprise Server 3.8 and above, a blob storage provider must be configured in the Management Console in order to use the GitHub Enterprise Importer CLI, "startRepositoryMigration" GraphQL API, or "Start an organization migration" REST API. The "Migrations" section in the Management Console was mistakenly removed and has been added back. + - | + Administrators can display all repositories in a network with `spokesctl` by using the `repositories` subcommand. 
+ known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[Troubleshooting access to the Management Console](https://docs.github.com/en/enterprise-server@3.8/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." [Updated: 2023-02-23] + - | + On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node. + - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. + - | + When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`. + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. 
MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + On an instance with subdomain isolation disabled, Mermaid diagrams in the web UI display an "Unable to render rich display" error and fail to render. + - | + When enabling CodeQL via default setup [at scale](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale), some checks related to GitHub Actions are omitted, potentially preventing the process from completing. + - | + {% data reusables.release-notes.upgrade-mysql8-cannot-start-up %} diff --git a/data/reusables/actions/actions-app-actions-permissions-api.md b/data/reusables/actions/actions-app-actions-permissions-api.md deleted file mode 100644 index 2e323c163137..000000000000 --- a/data/reusables/actions/actions-app-actions-permissions-api.md +++ /dev/null @@ -1 +0,0 @@ -{% data variables.product.prodname_github_apps %} must have the `actions` permission to use these endpoints.
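
Review bot: In content/rest/actions/secrets.md, self-hosted-runners.md and variables.md, the deleted paragraphs were the only visible statement of the access these endpoints need (the `secrets` permission, `administration` and `organization_self_hosted_runners`, the `manage_runners:enterprise` scope, and collaborator or admin access). Nothing in this diff shows where that information now lives. Please confirm that every autogenerated endpoint description carries the same permission and role requirements, or keep a one-line pointer in each intro so a reader scoping a token or app for least privilege can still find them.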
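
Review bot: The content/rest/actions/index.md hunk deletes the whole intro, including the sentence saying {% data variables.product.prodname_github_apps %} "require the permissions mentioned in each endpoint", so the landing page is left with frontmatter only. The other pages in this change keep their "You can use the REST API to ..." sentence. Suggest keeping the first sentence and the "[AUTOTITLE](/actions)" link here and dropping only the authentication reusable.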
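
Review bot: In content/rest/actions/oidc.md the hunk header (`-14,6 +14,8`) shows exactly two added lines, so the new `## About ... OIDC` heading is followed directly by the paragraph with no blank line between them, and there is none after the paragraph either. Please add the blank lines so the heading and body render as separate blocks, matching the "About" sections in the other files.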
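
Review bot: The "For more information" sentences are now worded two different ways. variables.md and workflows.md end with `in the {% data variables.product.prodname_actions %} documentation.` after the link, while artifacts.md, oidc.md, secrets.md, self-hosted-runners.md, workflow-jobs.md and workflow-runs.md end at the quoted link. Pick one form and apply it across content/rest/actions/ in this change.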
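
Review bot: Two typos are carried through the new release-note files. "couldnt" is missing its apostrophe in the social preview entry of 3-6/17.yml, 3-7/15.yml and 3-8/8.yml (3-9/3.yml already says "could not"), and "did not always match the the checks" has a doubled "the" in 3-7/15.yml, 3-8/8.yml and 3-9/3.yml. Since the same entries are copied into each file, fix them in all four before merging.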
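
Review bot: In 3-7/15.yml the second `security_fixes` entry ("In some cases, users could reopen a pull request that should not have been able to be reopened.") carries no severity label, unlike the `**LOW:**` entry above it, and it appears only in the 3.7 notes among the four files added here. Please add the severity, and confirm whether 3.6, 3.8 and 3.9 are unaffected or should list the same fix, so administrators on those releases can judge their exposure.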
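
Review bot: The intro warning in 3-9/3.yml links to `#3.9.1-known-issues`, but this file is the 3.9.3 release, so the anchor looks copied from an earlier patch release and should probably be `#3.9.3-known-issues`. The Management Console lockout known issue in the same file also links to the `enterprise-server@3.8` documentation; point it at the 3.9 docs if that page exists for this version.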
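
Review bot: data/reusables/actions/actions-app-actions-permissions-api.md is deleted here, but `{% data reusables.actions.actions-authentication %}` is removed from every page in this diff without a matching deletion of that reusable. If no other content still includes it, delete it in the same change. If other pages do, the Actions REST pages now differ from them in how authentication is described, which is worth a line in the PR description.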