Clarify storage of secrets for GitHub Actions in GHES documentation (#37258)

Co-authored-by: Steven Honson <snh@github.com>
2023-06-05 12:30:52 +02:00 · 2023-06-05 12:30:52 +02:00 · b1fedb083a
--- a/content/actions/security-guides/encrypted-secrets.md
+++ b/content/actions/security-guides/encrypted-secrets.md
@ -19,7 +19,7 @@ versions:

 ## About encrypted secrets

-Secrets are encrypted variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in {% data variables.product.prodname_actions %} workflows. {% data variables.product.prodname_dotcom %} uses a [libsodium sealed box](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to help ensure that secrets are encrypted before they reach {% data variables.product.prodname_dotcom %} and remain encrypted until you use them in a workflow.
+Secrets are variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in {% data variables.product.prodname_actions %} workflows. {% data variables.product.prodname_actions %} can only read a secret if you explicitly include the secret in a workflow.

 {% data reusables.actions.secrets-org-level-overview %}

--- a/data/release-notes/enterprise-server/3-4/0.yml
+++ b/data/release-notes/enterprise-server/3-4/0.yml
@ -313,3 +313,6 @@ sections:

  backups:
    - '{% data variables.product.prodname_ghe_server %} 3.4 requires at least [GitHub Enterprise Backup Utilities 3.4.0](https://github.com/github/backup-utils) for [Backups and Disaster Recovery](/admin/configuration/configuring-your-enterprise/configuring-backups-on-your-appliance).'
+
+  errata:
+    - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
--- a/data/release-notes/enterprise-server/3-5/0.yml
+++ b/data/release-notes/enterprise-server/3-5/0.yml
@ -406,7 +406,6 @@ sections:
    - |
        MinIO has announced the removal of the MinIO Gateways starting June 1st, 2022. While MinIO Gateway for NAS continues to be one of the supported storage providers for Github Actions and Github Packages, we recommend moving to MinIO LTS support to avail support and bug fixes from MinIO. For more information about rate limits, see "[Scheduled removal of MinIO Gateway for GCS, Azure, HDFS in the minio/minio repository](https://github.com/minio/minio/issues/14331)."

-
  deprecations:
    - heading: Change to the format of authentication tokens affects GitHub Connect
      notes:
@ -446,3 +445,6 @@ sections:
      - |
        GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
      - '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
+
+  errata:
+    - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
--- a/data/release-notes/enterprise-server/3-6/0.yml
+++ b/data/release-notes/enterprise-server/3-6/0.yml
@ -322,3 +322,6 @@ sections:
          {% data reusables.ssh.rsa-sha-1-connection-failure-criteria %}
          
          You can adjust the cutoff date. For more information, see "[Configuring SSH connections to your instance](/admin/configuration/configuring-your-enterprise/configuring-ssh-connections-to-your-instance)." [Updated: 2023-01-31]
+
+  errata:
+    - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
--- a/data/release-notes/enterprise-server/3-7/0.yml
+++ b/data/release-notes/enterprise-server/3-7/0.yml
@ -372,6 +372,8 @@ sections:
      Package registries on the new GitHub Packages architecture, including Container registry and npm packages, no longer expose data through the GraphQL API. In a coming release, other GitHub Packages registries will migrate to the new architecture, which will deprecate the GraphQL API for those registries as well.

  errata:
+    - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
+
    # https://github.com/github/releases/issues/2042
    - |
      "[Features](#3.7.0-features)" incorrectly indicated that users of the GitHub Advisory Database can see advisories for Elixir, Erlang's Hex package manager, and more. This feature is unavailable in GitHub Enterprise Server 3.7, and will be available in a future release. [Updated 2023-06-01]
--- a/data/release-notes/enterprise-server/3-8/0.yml
+++ b/data/release-notes/enterprise-server/3-8/0.yml
@ -476,3 +476,6 @@ sections:
        # https://github.com/github/releases/issues/2621
        - |
          For integrators who wish to receive webhooks for Dependabot alerts activity, the `dependabot_alert` webhook replaces the `repository_vulnerability_alert` webhook. For more information, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#dependabot_alert)."
+
+  errata:
+    - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
--- a/data/reusables/release-notes/github-actions-secrets-encryption-docs.md
+++ b/data/reusables/release-notes/github-actions-secrets-encryption-docs.md
@ -0,0 +1 @@
+"[AUTOTITLE](/actions/security-guides/encrypted-secrets)" incorrectly indicated that secrets for GitHub Actions are encrypted in the instance's database. The article has been updated to reflect that secrets are not encrypted on the instance. To encrypt secrets at rest, you must encrypt your instance's block storage device. For more information, refer to the documentation for your hypervisor or cloud service. [Updated: 2023-06-01]
				`@ -0,0 +1 @@`
				`"[AUTOTITLE](/actions/security-guides/encrypted-secrets)" incorrectly indicated that secrets for GitHub Actions are encrypted in the instance's database. The article has been updated to reflect that secrets are not encrypted on the instance. To encrypt secrets at rest, you must encrypt your instance's block storage device. For more information, refer to the documentation for your hypervisor or cloud service. [Updated: 2023-06-01]`