From f64b803e7f8b97dc0109e5c7207d1a1d8e53e3ce Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Tue, 29 Jul 2025 11:32:09 -0700
Subject: [PATCH 1/6] Update CodeQL query tables (#56758)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../code-scanning/codeql-query-tables/go.md      |  2 +-
 .../code-scanning/codeql-query-tables/java.md    |  2 +-
 .../codeql-query-tables/javascript.md            |  2 --
 .../code-scanning/codeql-query-tables/rust.md    | 16 ++++++++++++++++
 4 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 data/reusables/code-scanning/codeql-query-tables/rust.md

diff --git a/data/reusables/code-scanning/codeql-query-tables/go.md b/data/reusables/code-scanning/codeql-query-tables/go.md
index 5e3f2e5232f3..7bb25f200e8c 100644
--- a/data/reusables/code-scanning/codeql-query-tables/go.md
+++ b/data/reusables/code-scanning/codeql-query-tables/go.md
@@ -7,7 +7,7 @@
 | [Bad redirect check](https://codeql.github.com/codeql-query-help/go/go-bad-redirect-check/) | 601 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Clear-text logging of sensitive information](https://codeql.github.com/codeql-query-help/go/go-clear-text-logging/) | 312, 315, 359 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Command built from user-controlled sources](https://codeql.github.com/codeql-query-help/go/go-command-injection/) | 078 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
-| [Cross-site scripting via HTML template escaping bypass](https://codeql.github.com/codeql-query-help/go/go-html-template-escaping-bypass-xss/) | 079, 116 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Cross-site scripting via HTML template escaping bypass](https://codeql.github.com/codeql-query-help/go/go-html-template-escaping-bypass-xss/) | 079, 116 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
 | [Database query built from user-controlled sources](https://codeql.github.com/codeql-query-help/go/go-sql-injection/) | 089 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Disabled TLS certificate check](https://codeql.github.com/codeql-query-help/go/go-disabled-certificate-check/) | 295 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Email content injection](https://codeql.github.com/codeql-query-help/go/go-email-injection/) | 640 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
diff --git a/data/reusables/code-scanning/codeql-query-tables/java.md b/data/reusables/code-scanning/codeql-query-tables/java.md
index 59021233535a..27683694bfa8 100644
--- a/data/reusables/code-scanning/codeql-query-tables/java.md
+++ b/data/reusables/code-scanning/codeql-query-tables/java.md
@@ -17,7 +17,7 @@
 | [Detect JHipster Generator Vulnerability CVE-2019-16303](https://codeql.github.com/codeql-query-help/java/java-jhipster-prng/) | 338 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Disabled Netty HTTP header validation](https://codeql.github.com/codeql-query-help/java/java-netty-http-request-or-response-splitting/) | 093, 113 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Disabled Spring CSRF protection](https://codeql.github.com/codeql-query-help/java/java-spring-disabled-csrf-protection/) | 352 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| [Exposed Spring Boot actuators](https://codeql.github.com/codeql-query-help/java/java-spring-boot-exposed-actuators/) | 200 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Exposed Spring Boot actuators](https://codeql.github.com/codeql-query-help/java/java-spring-boot-exposed-actuators/) | 200 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
 | [Expression language injection (JEXL)](https://codeql.github.com/codeql-query-help/java/java-jexl-expression-injection/) | 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Expression language injection (MVEL)](https://codeql.github.com/codeql-query-help/java/java-mvel-expression-injection/) | 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Expression language injection (Spring)](https://codeql.github.com/codeql-query-help/java/java-spel-expression-injection/) | 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
diff --git a/data/reusables/code-scanning/codeql-query-tables/javascript.md b/data/reusables/code-scanning/codeql-query-tables/javascript.md
index f5bbc47d2aff..efde1ef5ae80 100644
--- a/data/reusables/code-scanning/codeql-query-tables/javascript.md
+++ b/data/reusables/code-scanning/codeql-query-tables/javascript.md
@@ -27,7 +27,6 @@
 | [Enabling Electron allowRunningInsecureContent](https://codeql.github.com/codeql-query-help/javascript/js-enabling-electron-insecure-content/) | 494 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Exception text reinterpreted as HTML](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-exception/) | 079, 116 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Exposure of private files](https://codeql.github.com/codeql-query-help/javascript/js-exposure-of-private-files/) | 200, 219, 548 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| [Expression injection in Actions](https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection/) | 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Host header poisoning in email generation](https://codeql.github.com/codeql-query-help/javascript/js-host-header-forgery-in-email-generation/) | 640 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Improper code sanitization](https://codeql.github.com/codeql-query-help/javascript/js-bad-code-sanitization/) | 094, 079, 116 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Inclusion of functionality from an untrusted source](https://codeql.github.com/codeql-query-help/javascript/js-functionality-from-untrusted-source/) | 830 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
@@ -65,7 +64,6 @@
 | [Server-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-server-side-unvalidated-url-redirection/) | 601 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Shell command built from environment values](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-injection-from-environment/) | 078, 088 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Storage of sensitive information in build artifact](https://codeql.github.com/codeql-query-help/javascript/js-build-artifact-leak/) | 312, 315, 359 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| [Storage of sensitive information in GitHub Actions artifact](https://codeql.github.com/codeql-query-help/javascript/js-actions-actions-artifact-leak/) | 312, 315, 359 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Stored cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-stored-xss/) | 079, 116 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Template Object Injection](https://codeql.github.com/codeql-query-help/javascript/js-template-object-injection/) | 073, 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Type confusion through parameter tampering](https://codeql.github.com/codeql-query-help/javascript/js-type-confusion-through-parameter-tampering/) | 843 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
diff --git a/data/reusables/code-scanning/codeql-query-tables/rust.md b/data/reusables/code-scanning/codeql-query-tables/rust.md
new file mode 100644
index 000000000000..6c236a4dafa2
--- /dev/null
+++ b/data/reusables/code-scanning/codeql-query-tables/rust.md
@@ -0,0 +1,16 @@
+{% rowheaders %}
+
+| Query name | Related CWEs | Default | Extended | {% data variables.copilot.copilot_autofix_short %} |
+| --- | --- | --- | --- | --- |
+| [Access of invalid pointer](https://codeql.github.com/codeql-query-help/rust/rust-access-invalid-pointer/) | 476, 825 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Cleartext logging of sensitive information](https://codeql.github.com/codeql-query-help/rust/rust-cleartext-logging/) | 312, 359, 532 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Cleartext transmission of sensitive information](https://codeql.github.com/codeql-query-help/rust/rust-cleartext-transmission/) | 319 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Database query built from user-controlled sources](https://codeql.github.com/codeql-query-help/rust/rust-sql-injection/) | 089 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Regular expression injection](https://codeql.github.com/codeql-query-help/rust/rust-regex-injection/) | 020, 074 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Uncontrolled allocation size](https://codeql.github.com/codeql-query-help/rust/rust-uncontrolled-allocation-size/) | 770, 789 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/rust/rust-path-injection/) | 022, 023, 036, 073, 099 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Use of a broken or weak cryptographic algorithm](https://codeql.github.com/codeql-query-help/rust/rust-weak-cryptographic-algorithm/) | 327 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Use of a broken or weak cryptographic hashing algorithm on sensitive data](https://codeql.github.com/codeql-query-help/rust/rust-weak-sensitive-data-hashing/) | 327, 328, 916 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Access of a pointer after its lifetime has ended](https://codeql.github.com/codeql-query-help/rust/rust-access-after-lifetime-ended/) | 825 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+
+{% endrowheaders %}

From a1b7a51f5c9d9f0734ea48a31b2c8934df7d91cc Mon Sep 17 00:00:00 2001
From: Jim Boyle <95828167+boylejj@users.noreply.github.com>
Date: Tue, 29 Jul 2025 14:58:55 -0400
Subject: [PATCH 2/6] Update GitHub IP ranges for GitHub Enterprise Importer
 (#56890)

Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
---
 .../identifying-githubs-ip-ranges.md                          | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/reusables/enterprise-migration-tool/identifying-githubs-ip-ranges.md b/data/reusables/enterprise-migration-tool/identifying-githubs-ip-ranges.md
index a541971bc0be..b167bc603c13 100644
--- a/data/reusables/enterprise-migration-tool/identifying-githubs-ip-ranges.md
+++ b/data/reusables/enterprise-migration-tool/identifying-githubs-ip-ranges.md
@@ -4,10 +4,10 @@ You'll need to add the following IP ranges to your IP allow list(s):
 * 185.199.108.0/22
 * 140.82.112.0/20
 * 143.55.64.0/20
-* 40.71.233.224/28
+* 135.234.59.224/28 (Note: Introduced July 28, 2025)
 * 2a0a:a440::/29
 * 2606:50c0::/32
-* 20.125.12.8/29 _(active from 00:00 UTC on November 8, 2023)_
+* 20.99.172.64/28 (Note: Introduced July 28, 2025)
 
 You can get an up-to-date list of IP ranges used by {% data variables.product.prodname_importer_proper_name %} at any time with the "Get {% data variables.product.prodname_dotcom %} meta information" endpoint of the REST API.
 

From 98ead7463017aeab05884987a6e7e3b2561f26be Mon Sep 17 00:00:00 2001
From: Shin <octoshin@github.com>
Date: Tue, 29 Jul 2025 12:08:29 -0700
Subject: [PATCH 3/6] Copilot metrics (#56676)

Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>

From ea6680c030bca7e51d96f050b54853e935b8599c Mon Sep 17 00:00:00 2001
From: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com>
Date: Tue, 29 Jul 2025 12:28:07 -0700
Subject: [PATCH 4/6] Revert "Revert "Patch release notes for GitHub Enterprise
 Server"" (#56875)

Co-authored-by: Devin Dooley <dooleydevin@github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../enterprise-server/3-14/16.yml             | 45 ++++++++++++
 .../enterprise-server/3-15/11.yml             | 56 +++++++++++++++
 .../enterprise-server/3-16/7.yml              | 70 +++++++++++++++++++
 .../enterprise-server/3-17/4.yml              | 66 +++++++++++++++++
 4 files changed, 237 insertions(+)
 create mode 100644 data/release-notes/enterprise-server/3-14/16.yml
 create mode 100644 data/release-notes/enterprise-server/3-15/11.yml
 create mode 100644 data/release-notes/enterprise-server/3-16/7.yml
 create mode 100644 data/release-notes/enterprise-server/3-17/4.yml

diff --git a/data/release-notes/enterprise-server/3-14/16.yml b/data/release-notes/enterprise-server/3-14/16.yml
new file mode 100644
index 000000000000..f501ee1f9038
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-14/16.yml
@@ -0,0 +1,45 @@
+date: '2025-07-29'
+sections:
+  security_fixes:
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      Administrators would occasionally encounter timeouts when downloading diagnostics via the Management Console.
+    - |
+      In full cluster topologies, some expensive stats queries are skipped during `ghe-cluster-support-bundle` to prevent overloading the nodes with identical requests.
+    - |
+      Unsuccessful attempts to sign in to the Management Console were reported in the audit log and were indistinguishable from successful attempts.
+  known_issues:
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      In the header bar displayed to site administrators, some icons are not available.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
+    - |
+      Unexpected elements may appear in the UI on the repo overview page for locked repositories.
diff --git a/data/release-notes/enterprise-server/3-15/11.yml b/data/release-notes/enterprise-server/3-15/11.yml
new file mode 100644
index 000000000000..e8202384a293
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-15/11.yml
@@ -0,0 +1,56 @@
+date: '2025-07-29'
+sections:
+  security_fixes:
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      Administrators would occasionally encounter timeouts when downloading diagnostics via the Management Console.
+    - |
+      In full cluster topologies, some expensive stats queries are skipped during `ghe-cluster-support-bundle` to prevent overloading the nodes with identical requests.
+    - |
+      Unsuccessful attempts to sign in to the Management Console were reported in the audit log and were indistinguishable from successful attempts.
+    - |
+      Enterprise Managed Users (EMUs) who were restricted from creating user namespace repositories could still create repositories in organizations and transfer them to their user namespace.
+    - |
+      On instances with secret scanning enabled, repositories could display a persistent backfill banner due to pending scans associated with canceled job groups.
+    - |
+      Administrators and users could experience delays due to performance regressions affecting the background processing of notification jobs.
+  changes:
+    - |
+      For administrators performing a live upgrade, a new entry point has been added to the upgrade container to clean up database tables. This utility can be run manually via `ghe-live-migrations -cleanup`, and is also executed automatically via `ghe-config-apply` after a complete upgrade.
+    - |
+      During pre-upgrade operations of a live upgrade, tables are now renamed instead of being dropped immediately. The tables are then dropped at a later stage via `ghe-config-apply`.
+  known_issues:
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      In the header bar displayed to site administrators, some icons are not available.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
diff --git a/data/release-notes/enterprise-server/3-16/7.yml b/data/release-notes/enterprise-server/3-16/7.yml
new file mode 100644
index 000000000000..4e6d34757f3d
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-16/7.yml
@@ -0,0 +1,70 @@
+date: '2025-07-29'
+sections:
+  security_fixes:
+    - |
+      The maintenance page in the Management Console did not include cross-site request forgery (CSRF) protection.
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      On instances in a cluster configuration, builds of GitHub Pages sites timed out in GitHub Actions workflows.
+    - |
+      Administrators would occasionally encounter timeouts when downloading diagnostics via the Management Console.
+    - |
+      In full cluster topologies, some expensive stats queries are skipped during `ghe-cluster-support-bundle` to prevent overloading the nodes with identical requests.
+    - |
+      Unsuccessful attempts to sign in to the Management Console were reported in the audit log and were indistinguishable from successful attempts.
+    - |
+      Enterprise Managed Users (EMUs) who were restricted from creating user namespace repositories could still create repositories in organizations and transfer them to their user namespace.
+    - |
+      In some scenarios, during an upgrade from GHES 3.14 to GHES 3.16 the `BackfillDefaultLegacyEnterpriseConfigurationsTransition` migration step could fail.
+    - |
+      Administrators and users could experience delays due to performance regressions affecting the background processing of notification jobs.
+  changes:
+    - |
+      For administrators performing a live upgrade, a new entry point has been added to the upgrade container to clean up database tables. This utility can be run manually via `ghe-live-migrations -cleanup`, and is also executed automatically via `ghe-config-apply` after a complete upgrade.
+    - |
+      During pre-upgrade operations of a live upgrade, tables are now renamed instead of being dropped immediately. The tables are then dropped at a later stage via `ghe-config-apply`.
+    - |
+      Events for adding or removing issues and pull requests from a project, or changing their status within a project, are now included in the items timeline alongside existing events. This update helps administrators and users more comprehensively track project-related activity.
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+    - |
+      When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+    - |
+      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      In a cluster, the host running restore requires access the storage nodes via their private IPs.
+    - |
+      On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
+    - |
+      Customers operating at high scale or near capacity may experience unexpected performance degradation, such as slow response times, background job queue spikes, elevated CPU usage, and increased MySQL load. Consider upgrading to {% ifversion ghes = 3.16 %}3.16{% endif %} {% ifversion ghes = 3.17 %}3.17{% endif %} with caution.
diff --git a/data/release-notes/enterprise-server/3-17/4.yml b/data/release-notes/enterprise-server/3-17/4.yml
new file mode 100644
index 000000000000..695ed5692e99
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-17/4.yml
@@ -0,0 +1,66 @@
+date: '2025-07-29'
+sections:
+  security_fixes:
+    - |
+      The maintenance page in the Management Console did not include cross-site request forgery (CSRF) protection.
+    - |
+      Packages have been updated to the latest security versions.
+  bugs:
+    - |
+      When generating a support bundle, site administrators could encounter errors if character escaping caused the bundle script to omit the URL parameter for `curl`.
+    - |
+      Administrators would occasionally encounter timeouts when downloading diagnostics via the Management Console.
+    - |
+      In full cluster topologies, some expensive stats queries are skipped during `ghe-cluster-support-bundle` to prevent overloading the nodes with identical requests.
+    - |
+      Unsuccessful attempts to sign in to the Management Console were reported in the audit log and were indistinguishable from successful attempts.
+    - |
+      Taking a backup snapshot would sometimes fail because of a permissions error when the backup process attempted to create log files.
+    - |
+      Enterprise Managed Users (EMUs) who were restricted from creating user namespace repositories could still create repositories in organizations and transfer them to their user namespace.
+    - |
+      SCIM provisioning requests failed when a user’s non-primary email was sent by the identity provider.
+    - |
+      SCIM managed enterprise users were able to edit email addresses.
+    - |
+      Administrators and users could experience delays due to performance regressions affecting the background processing of notification jobs.
+  changes:
+    - |
+      For administrators performing a live upgrade, a new entry point has been added to the upgrade container to clean up database tables. This utility can be run manually via `ghe-live-migrations -cleanup`, and is also executed automatically via `ghe-config-apply` after a complete upgrade.
+    - |
+      During pre-upgrade operations of a live upgrade, tables are now renamed instead of being dropped immediately. The tables are then dropped at a later stage via `ghe-config-apply`.
+    - |
+      Events for adding or removing issues and pull requests from a project, or changing their status within a project, are now included in the items timeline alongside existing events. This update helps administrators and users more comprehensively track project-related activity.
+  known_issues:
+    - |
+      Custom firewall rules are removed during the upgrade process.
+    - |
+      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+    - |
+      {% data reusables.release-notes.large-adoc-files-issue %}
+    - |
+      Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+    - |
+      When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+    - |
+      Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+    - |
+      When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up.  This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+    - |
+      When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
+    - |
+      Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
+    - |
+      In a cluster, the host running restore requires access the storage nodes via their private IPs.
+    - |
+      On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
+    - |
+      After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
+    - |
+      After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
+    - |
+      When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.
+    - |
+      Customers operating at high scale or near capacity may experience unexpected performance degradation, such as slow response times, background job queue spikes, elevated CPU usage, and increased MySQL load. Consider upgrading to {% ifversion ghes = 3.16 %}3.16{% endif %} {% ifversion ghes = 3.17 %}3.17{% endif %} with caution.

From 1659c36b27e771a9bf47f95d91798b2f6d2deb48 Mon Sep 17 00:00:00 2001
From: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>
Date: Tue, 29 Jul 2025 12:28:39 -0700
Subject: [PATCH 5/6] Add ghe.com to graphql doc (#56785)

---
 content/graphql/guides/managing-enterprise-accounts.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/graphql/guides/managing-enterprise-accounts.md b/content/graphql/guides/managing-enterprise-accounts.md
index 35007d1d2056..2a99fc1a601f 100644
--- a/content/graphql/guides/managing-enterprise-accounts.md
+++ b/content/graphql/guides/managing-enterprise-accounts.md
@@ -80,6 +80,7 @@ The next steps will use Insomnia.
 1. Add the base url and `POST` method to your GraphQL client. When using GraphQL to request information (queries), change information (mutations), or transfer data using the GitHub API, the default HTTP method is `POST` and the base url follows this syntax:
     * For your enterprise instance: `https://<HOST>/api/graphql`
     * For GitHub Enterprise Cloud: `https://api.github.com/graphql`
+    * For GitHub Enterprise Cloud with Data Residency: `https://api.SUBDOMAIN.ghe.com/graphql`
 
 1. Select the "Auth" menu and click **Bearer Token**. If you've previously selected a different authentication method, the menu will be labeled with that method, such as "Basic Auth", instead.
    ![Screenshot of the expanded "Auth" menu in Insomnia. The menu label, "Auth", and the "Bearer Token" option are outlined in dark orange.](/assets/images/developer/graphql/insomnia-bearer-token-option.png)

From eff11eea8de7b4221ae971782fc06911c649f099 Mon Sep 17 00:00:00 2001
From: Sarita Iyer <66540150+saritai@users.noreply.github.com>
Date: Tue, 29 Jul 2025 15:48:10 -0400
Subject: [PATCH 6/6] Fix MCP policy statement (#56880)

Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
---
 content/copilot/concepts/about-mcp.md                          | 2 +-
 .../provide-context/use-mcp/extend-copilot-chat-with-mcp.md    | 3 ++-
 .../provide-context/use-mcp/use-the-github-mcp-server.md       | 1 +
 data/reusables/copilot/mcp/mcp-policy.md                       | 1 +
 4 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 data/reusables/copilot/mcp/mcp-policy.md

diff --git a/content/copilot/concepts/about-mcp.md b/content/copilot/concepts/about-mcp.md
index ae4b3a419492..4c678d9257c7 100644
--- a/content/copilot/concepts/about-mcp.md
+++ b/content/copilot/concepts/about-mcp.md
@@ -25,7 +25,7 @@ For more information on MCP, see [the official MCP documentation](https://modelc
 
 To learn how to configure and use MCP servers with {% data variables.copilot.copilot_chat_short %}, see [AUTOTITLE](/copilot/how-tos/context/model-context-protocol/extending-copilot-chat-with-mcp).
 
-Enterprises and organizations can choose to enable or disable use of MCP for members of their organization or enterprise. See [AUTOTITLE](/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise#mcp-servers-on-githubcom). The MCP policy only applies to members with {% data variables.copilot.copilot_business_short %}, {% data variables.copilot.copilot_enterprise_short %}, or {% data variables.product.prodname_copilot_short %} licenses assigned by the organization or enterprise that configures the policy. {% data variables.copilot.copilot_free_short %}, {% data variables.copilot.copilot_pro_short %}, or {% data variables.copilot.copilot_pro_plus_short %} do not have their MCP access governed by this policy.
+{% data reusables.copilot.mcp.mcp-policy %}
 
 ## About the {% data variables.product.github %} MCP server
 
diff --git a/content/copilot/how-tos/provide-context/use-mcp/extend-copilot-chat-with-mcp.md b/content/copilot/how-tos/provide-context/use-mcp/extend-copilot-chat-with-mcp.md
index d1988d69c90d..c5f584c7bd8f 100644
--- a/content/copilot/how-tos/provide-context/use-mcp/extend-copilot-chat-with-mcp.md
+++ b/content/copilot/how-tos/provide-context/use-mcp/extend-copilot-chat-with-mcp.md
@@ -5,6 +5,7 @@ shortTitle: Extend Copilot Chat with MCP
 intro: 'Learn how to use the Model Context Protocol (MCP) to extend {% data variables.copilot.copilot_chat_short %}.'
 versions:
   feature: copilot
+defaultTool: vscode
 topics:
   - Copilot
 redirect_from:
@@ -29,7 +30,7 @@ For information on currently available MCP servers, see [the MCP servers reposit
 
 {% vscode %}
 
-Enterprises and organizations can choose to enable or disable use of MCP for members of their organization or enterprise. See [AUTOTITLE](/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise#mcp-servers-on-githubcom). The MCP policy only applies to members with {% data variables.copilot.copilot_business_short %}, {% data variables.copilot.copilot_enterprise_short %}, or {% data variables.product.prodname_copilot_short %} licenses assigned by the organization or enterprise that configures the policy. {% data variables.copilot.copilot_free_short %}, {% data variables.copilot.copilot_pro_short %}, or {% data variables.copilot.copilot_pro_plus_short %} do not have their MCP access governed by this policy.
+{% data reusables.copilot.mcp.mcp-policy %}
 
 ## Prerequisites
 
diff --git a/content/copilot/how-tos/provide-context/use-mcp/use-the-github-mcp-server.md b/content/copilot/how-tos/provide-context/use-mcp/use-the-github-mcp-server.md
index addf3a1845f8..7608b1e1a929 100644
--- a/content/copilot/how-tos/provide-context/use-mcp/use-the-github-mcp-server.md
+++ b/content/copilot/how-tos/provide-context/use-mcp/use-the-github-mcp-server.md
@@ -4,6 +4,7 @@ intro: 'Learn how to use the GitHub Model Context Protocol (MCP) server to exten
 shortTitle: Use the GitHub MCP Server
 versions:
   feature: copilot
+defaultTool: vscode
 topics:
   - Copilot
 redirect_from:
diff --git a/data/reusables/copilot/mcp/mcp-policy.md b/data/reusables/copilot/mcp/mcp-policy.md
new file mode 100644
index 000000000000..9f001db1569a
--- /dev/null
+++ b/data/reusables/copilot/mcp/mcp-policy.md
@@ -0,0 +1 @@
+Enterprises and organizations can choose to enable or disable use of MCP for members of their organization or enterprise. See [AUTOTITLE](/copilot/how-tos/administer/enterprises/managing-policies-and-features-for-copilot-in-your-enterprise#mcp-servers-on-githubcom). The MCP policy **only** applies to users who have a {% data variables.copilot.copilot_business_short %} or {% data variables.copilot.copilot_enterprise_short %} subscription from an organization or enterprise that configures the policy. {% data variables.copilot.copilot_free_short %}, {% data variables.copilot.copilot_pro_short %}, or {% data variables.copilot.copilot_pro_plus_short %} **do not** have their MCP access governed by this policy.