From be29ce409316e907b60a76ce7091f1e4ba7bb7d8 Mon Sep 17 00:00:00 2001
From: "release-controller[bot]" <110195724+release-controller[bot]@users.noreply.github.com>
Date: Thu, 29 Feb 2024 17:08:03 +0000
Subject: [PATCH 1/2] Patch release notes for GitHub Enterprise Server (#49406)

Co-authored-by: Release-Controller
Co-authored-by: Junior Eluhu <82401060+jeluhu@users.noreply.github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
---
 .../enterprise-server/3-10/8.yml | 53 +++++++++++++++++++
 .../enterprise-server/3-11/6.yml | 42 +++++++++++++++
 .../enterprise-server/3-8/16.yml | 34 ++++++++++++
 .../enterprise-server/3-9/11.yml | 53 +++++++++++++++++++
 ...aproxy-upgrade-causing-increased-errors.md | 3 +-
 .../2024-02-pages-deployment-error.md | 17 ++++++
 6 files changed, 200 insertions(+), 2 deletions(-)
 create mode 100644 data/release-notes/enterprise-server/3-10/8.yml
 create mode 100644 data/release-notes/enterprise-server/3-11/6.yml
 create mode 100644 data/release-notes/enterprise-server/3-8/16.yml
 create mode 100644 data/release-notes/enterprise-server/3-9/11.yml
 create mode 100644 data/reusables/release-notes/2024-02-pages-deployment-error.md

diff --git a/data/release-notes/enterprise-server/3-10/8.yml b/data/release-notes/enterprise-server/3-10/8.yml
new file mode 100644
index 0000000000..dfbec25bbe
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-10/8.yml
@@ -0,0 +1,53 @@
+date: '2024-02-29'
+intro: |
+ {% warning %}
+
+ **Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.10.8-known-issues)" section of these release notes.
+
+ {% endwarning %}
+sections:
+ security_fixes:
+ - |
+ **HIGH**: On an instance with GitHub Connect enabled and non-default settings for GitHub Connect configured, an attacker could use an enterprise GitHub Actions download token to fetch private repository data. This token is only accessible to users on the GitHub Enterprise Server instance. To fix this vulnerability, the Actions download token will now be a permissionless token. GitHub has requested CVE ID [CVE-2024-1908](https://www.cve.org/cverecord?id=CVE-2024-1908) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ Packages have been updated to the latest security versions.
+ bugs:
+ - |
+ Redundant messages caused increased log volumes in `/var/log/syslog`.
+ known_issues:
+ - |
+ Custom firewall rules are removed during the upgrade process.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+ - |
+ The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
+ - |
+ {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
+ - |
+ {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
+ - |
+ {% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
+ - |
+ {% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
+ - |
+ After an administrator enables maintenance mode from the instance's Management Console UI using Firefox, the administrator is redirected to the Settings page, but maintenance mode is not enabled. To work around this issue, use a different browser.
+ - |
+ {% data reusables.release-notes.2023-11-aws-system-time %}
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+ - |
+ {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
+ - |
+ {% data reusables.release-notes.2023-10-actions-upgrade-bug %}
+ - |
+ {% data reusables.release-notes.large-adoc-files-issue %}
+ - |
+ {% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
+ - |
+ {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
+ - |
+ {% data reusables.release-notes.2024-02-pages-deployment-error %}
diff --git a/data/release-notes/enterprise-server/3-11/6.yml b/data/release-notes/enterprise-server/3-11/6.yml
new file mode 100644
index 0000000000..d13c77ec2b
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-11/6.yml
@@ -0,0 +1,42 @@
+date: '2024-02-29'
+sections:
+ security_fixes:
+ - |
+ **HIGH**: On an instance with GitHub Connect enabled and non-default settings for GitHub Connect configured, an attacker could use an enterprise GitHub Actions download token to fetch private repository data. This token is only accessible to users on the GitHub Enterprise Server instance. To fix this vulnerability, the Actions download token will now be a permissionless token. GitHub has requested CVE ID [CVE-2024-1908](https://www.cve.org/cverecord?id=CVE-2024-1908) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ Packages have been updated to the latest security versions.
+ bugs:
+ - |
+ Redundant messages caused increased log volumes in `/var/log/syslog`.
+ changes:
+ - |
+ For instances deployed on Google Cloud Platform, GitHubs public images include support for Google Virtual NIC (gVNIC) by default. Previously, to use gVNIC, an administrator needed to use the `--guest-os-features=gvnic` flag when creating the instance.
+ known_issues:
+ - |
+ Custom firewall rules are removed during the upgrade process.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+ - |
+ The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
+ - |
+ {% data reusables.release-notes.2023-11-aws-system-time %}
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+ - |
+ {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
+ - |
+ {% data reusables.release-notes.large-adoc-files-issue %}
+ - |
+ {% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
+ - |
+ {% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
+ - |
+ {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
+ - |
+ Pre-receive hooks which utilize `git rev-list` fail with an `fatal: Invalid revision range` error message.
+ - |
+ {% data reusables.release-notes.2024-02-pages-deployment-error %}
\ No newline at end of file
diff --git a/data/release-notes/enterprise-server/3-8/16.yml b/data/release-notes/enterprise-server/3-8/16.yml
new file mode 100644
index 0000000000..ef81e74637
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-8/16.yml
@@ -0,0 +1,34 @@
+date: '2024-02-29'
+sections:
+ security_fixes:
+ - |
+ **HIGH**: On an instance with GitHub Connect enabled and non-default settings for GitHub Connect configured, an attacker could use an enterprise GitHub Actions download token to fetch private repository data. This token is only accessible to users on the GitHub Enterprise Server instance. To fix this vulnerability, the Actions download token will now be a permissionless token. GitHub has requested CVE ID [CVE-2024-1908](https://www.cve.org/cverecord?id=CVE-2024-1908) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ Packages have been updated to the latest security versions.
+ known_issues:
+ - |
+ Custom firewall rules are removed during the upgrade process.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+ - |
+ When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
+ - |
+ {% data reusables.release-notes.mermaid-rendering-known-issue %}
+ - |
+ {% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
+ - |
+ {% data reusables.release-notes.2023-11-aws-system-time %}
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+ - |
+ {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
+ - |
+ {% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
+ - |
+ {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
+ - |
+ {% data reusables.release-notes.2024-02-pages-deployment-error %}
diff --git a/data/release-notes/enterprise-server/3-9/11.yml b/data/release-notes/enterprise-server/3-9/11.yml
new file mode 100644
index 0000000000..aafcdcc130
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-9/11.yml
@@ -0,0 +1,53 @@
+date: '2024-02-29'
+intro: |
+ {% warning %}
+
+ **Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.11-known-issues)" section of these release notes.
+
+ {% endwarning %}
+sections:
+ security_fixes:
+ - |
+ **HIGH**: On an instance with GitHub Connect enabled and non-default settings for GitHub Connect configured, an attacker could use an enterprise GitHub Actions download token to fetch private repository data. This token is only accessible to users on the GitHub Enterprise Server instance. To fix this vulnerability, the Actions download token will now be a permissionless token. GitHub has requested CVE ID [CVE-2024-1908](https://www.cve.org/cverecord?id=CVE-2024-1908) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ Packages have been updated to the latest security versions.
+ bugs:
+ - |
+ Redundant messages caused increased log volumes in `/var/log/syslog`.
+ known_issues:
+ - |
+ Custom firewall rules are removed during the upgrade process.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
+ - |
+ When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
+ - |
+ The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
+ - |
+ When enabling CodeQL via default setup [at scale](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale), some checks related to GitHub Actions are omitted, potentially preventing the process from completing.
+ - |
+ {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
+ - |
+ {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
+ - |
+ {% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
+ - |
+ {% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
+ - |
+ {% data reusables.release-notes.2023-11-aws-system-time %}
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+ - |
+ {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
+ - |
+ {% data reusables.release-notes.2023-10-actions-upgrade-bug %}
+ - |
+ {% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
+ - |
+ {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
+ - |
+ {% data reusables.release-notes.2024-02-pages-deployment-error %}
diff --git a/data/reusables/release-notes/2024-01-haproxy-upgrade-causing-increased-errors.md b/data/reusables/release-notes/2024-01-haproxy-upgrade-causing-increased-errors.md
index 6a5d4dd66c..512d911cff 100644
--- a/data/reusables/release-notes/2024-01-haproxy-upgrade-causing-increased-errors.md
+++ b/data/reusables/release-notes/2024-01-haproxy-upgrade-causing-increased-errors.md
@@ -1,5 +1,4 @@
-The upgrade of `HAProxy` to version `2.8.4` (to address scenarios that could
-lead to denial of service) is causing elevated error rates when HAProxy
+The `HAProxy` version has been updated in this release. You may encounter elevated error rates when HAProxy
 is upgraded as part of a hotpatch upgrade to a {% data variables.product.prodname_ghe_server %} instance. These elevated error rates should resolve within 5 minutes of the hotpatch being applied.
diff --git a/data/reusables/release-notes/2024-02-pages-deployment-error.md b/data/reusables/release-notes/2024-02-pages-deployment-error.md
new file mode 100644
index 0000000000..8fc9ae49f0
--- /dev/null
+++ b/data/reusables/release-notes/2024-02-pages-deployment-error.md
@@ -0,0 +1,17 @@
+On an instance with GitHub Actions enabled, Actions workflows that deploy GitHub Pages sites may fail with the following error:
+
+```text
+Error: Deployment failed, try again later.
+```
+
+To fix this issue, connect to any of the instance's nodes using SSH, then run the following commands.
+
+```shell
+if [ -d "$CHROOT_PATH/data/pages-untar" ] ; then
+ rm -rf "$CHROOT_PATH/data/pages-untar"
+fi
+pages_untar_image_tag="$(cat "$CHROOT_PATH/data/docker-image-tags/pages_untar_image_tag")"
+id="$(docker create "pages-untar:$pages_untar_image_tag")"
+sudo docker cp "$id:/data/pages-untar" "$BASE_PATH/$CHROOT_PATH/data/pages-untar/"
+docker rm "$id"
+```
From 74cd9e0cb28542b63ad1e534f3b3da1461520e63 Mon Sep 17 00:00:00 2001
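Review bot: The remediation snippet in 2024-02-pages-deployment-error.md runs `rm -rf "$CHROOT_PATH/data/pages-untar"` without first checking that `$CHROOT_PATH` (and later `$BASE_PATH`) is actually set in the administrator's shell; if either is empty, the `-d` test and the `rm -rf` silently operate on `/data/pages-untar`, and the `docker cp` destination becomes a path under `/`. Since this is a copy-paste instruction for site administrators, I would open the block with fail-fast guards, `: "${CHROOT_PATH:?CHROOT_PATH is not set}"` and `: "${BASE_PATH:?BASE_PATH is not set}"`, so an unset variable aborts before anything is deleted. The destination `"$BASE_PATH/$CHROOT_PATH/data/pages-untar/"` also differs from the `$CHROOT_PATH`-only paths used by the `rm -rf` and `cat` lines above it — presumably intentional for the chroot layout, but worth a one-line comment in the snippet (`# $CHROOT_PATH is relative to $BASE_PATH on the host side`) so readers do not "fix" it. Finally, `docker rm "$id"` is skipped if the `docker cp` fails, leaving a stray container; `sudo docker cp ... && docker rm "$id"` or a `trap 'docker rm "$id"' EXIT` after the `docker create` would keep cleanup reliable.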
From: Peter Bengtsson
Date: Thu, 29 Feb 2024 12:09:03 -0500
Subject: [PATCH 2/2] nodemon 3.1.0 (#49454)

---
 package-lock.json | 8 ++++----
 package.json | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7fb737c7c1..5ffa5f9c92 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -145,7 +145,7 @@
 "mkdirp": "^3.0.0",
 "mockdate": "^3.0.5",
 "nock": "^13.5.0",
- "nodemon": "3.0.3",
+ "nodemon": "3.1.0",
 "npm-merge-driver-install": "^3.0.0",
 "nth-check": "2.1.1",
 "prettier": "^3.2.4",
@@ -11935,9 +11935,9 @@
 "integrity": "sha512-uYr7J37ae/ORWdZeQ1xxMJe3NtdmqMC/JZK+geofDrkLUApKRHPd18/TxtBOJ4A0/+uUIliorNrfYV6s1b02eQ=="
 },
 "node_modules/nodemon": {
- "version": "3.0.3",
- "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.0.3.tgz",
- "integrity": "sha512-7jH/NXbFPxVaMwmBCC2B9F/V6X1VkEdNgx3iu9jji8WxWcvhMWkmhNWhI5077zknOnZnBzba9hZP6bCPJLSReQ==",
+ "version": "3.1.0",
+ "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.0.tgz",
+ "integrity": "sha512-xqlktYlDMCepBJd43ZQhjWwMw2obW/JRvkrLxq5RCNcuDDX1DbcPT+qT1IlIIdf+DhnWs90JpTMe+Y5KxOchvA==",
 "dev": true,
 "dependencies": {
 "chokidar": "^3.5.2",
diff --git a/package.json b/package.json
index 347d13f870..59446a416e 100644
--- a/package.json
+++ b/package.json
@@ -366,7 +366,7 @@
 "mkdirp": "^3.0.0",
 "mockdate": "^3.0.5",
 "nock": "^13.5.0",
- "nodemon": "3.0.3",
+ "nodemon": "3.1.0",
 "npm-merge-driver-install": "^3.0.0",
 "nth-check": "2.1.1",
 "prettier": "^3.2.4",