date: '2022-06-28'
sections:
  security_fixes:
    - "**MEDIUM**: Prevents an attack where an `org` query string parameter can be specified for a GitHub Enterprise Server URL that then gives access to another organization's active committers."
    - "**MEDIUM**: Ensures that `github.company.com` and `github-company.com` are not evaluated by internal services as identical hostnames, preventing a potential server-side security forgery (SSRF) attack."
    - "**LOW**: An attacker could access the Management Console with a path traversal attack via HTTP even if external firewall rules blocked HTTP access."
    - Packages have been updated to the latest security versions.
  bugs:
    - Files inside an artifact archive were unable to be opened after decompression due to restrictive permissions.
    - In some cases, packages pushed to the Container registry were not visible in GitHub Enterprise Server's web UI.
    - Management Console would appear stuck on the _Starting_ screen after upgrading an under-provisioned instance to GitHub Enterprise Server 3.5.
    - Redis timeouts no longer halt database migrations while running `ghe-config-apply`.
    - Background job processors would get stuck in a partially shut-down state, resulting in certain kinds of background jobs (like code scanning) appearing stuck.
    - In some cases, site administrators were not automatically added as enterprise owners.
    - Actions workflows calling other reusable workflows failed to run on a schedule.
    - Resolving Actions using GitHub Connect failed briefly after changing repository visibility from public to internal.
  changes:
    - Improved the performance of Dependabot Updates when first enabled.
    - Increase maximum concurrent connections for Actions runners to support [the GHES performance target](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server#review-hardware-requirements).
    - The GitHub Pages build and synchronization timeouts are now configurable in the Management Console.
    - Added environment variable to configure Redis timeouts.
    - Creating or updating check runs or check suites could return `500 Internal Server Error` if the value for certain fields, like the name, was too long.
    - Improves performance in pull requests' "Files changed" tab when the diff includes many changes.
    - The Actions repository cache usage policy no longer accepts a maximum value less than 1 for [`max_repo_cache_size_limit_in_gb`](/rest/actions/cache#set-github-actions-cache-usage-policy-for-an-enterprise).
    - When [deploying cache-server nodes](/admin/enterprise-management/caching-repositories/configuring-a-repository-cache#configuring-a-repository-cache), it is now mandatory to describe the datacenter topology (using the `--datacenter` argument) for every node in the system. This requirement prevents situations where leaving datacenter membership set to "default" leads to workloads being inappropriately balanced across multiple datacenters.
    - |
      VMware vSphere ESXi hypervisor version 7.0 is now supported. [Updated: 2022-09-07]
  known_issues:
      - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
      - Custom firewall rules are removed during the upgrade process.
      - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
      - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
      - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
      - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
      - Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
      - |
        The following features were unavailable for users in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3. The features are available in 3.5.4 and later. [Updated: 2022-08-16]

        - Detection of GitHub Actions workflow files for the dependency graph
        - Reopening of dismissed Dependabot alerts
        - Enabling the **Update branch** button for all pull requests in a repository
        - Light high contrast theme
      - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
      - |
        GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
      - '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'