From b1fedb083a74470bde6138b089b61b54f249a51c Mon Sep 17 00:00:00 2001
From: Matt Pollard
Date: Mon, 5 Jun 2023 12:30:52 +0200
Subject: [PATCH] Clarify storage of secrets for GitHub Actions in GHES documentation (#37258)
Co-authored-by: Steven Honson
---
content/actions/security-guides/encrypted-secrets.md | 2 +-
data/release-notes/enterprise-server/3-4/0.yml | 3 +++
data/release-notes/enterprise-server/3-5/0.yml | 4 +++-
data/release-notes/enterprise-server/3-6/0.yml | 3 +++
data/release-notes/enterprise-server/3-7/0.yml | 2 ++
data/release-notes/enterprise-server/3-8/0.yml | 3 +++
.../release-notes/github-actions-secrets-encryption-docs.md | 1 +
7 files changed, 16 insertions(+), 2 deletions(-)
create mode 100644 data/reusables/release-notes/github-actions-secrets-encryption-docs.md
diff --git a/content/actions/security-guides/encrypted-secrets.md b/content/actions/security-guides/encrypted-secrets.md
index bc0af9d23e..645dc8e215 100644
--- a/content/actions/security-guides/encrypted-secrets.md
+++ b/content/actions/security-guides/encrypted-secrets.md
@@ -19,7 +19,7 @@ versions:
 ## About encrypted secrets
-Secrets are encrypted variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in {% data variables.product.prodname_actions %} workflows. {% data variables.product.prodname_dotcom %} uses a [libsodium sealed box](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to help ensure that secrets are encrypted before they reach {% data variables.product.prodname_dotcom %} and remain encrypted until you use them in a workflow.
+Secrets are variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in {% data variables.product.prodname_actions %} workflows. {% data variables.product.prodname_actions %} can only read a secret if you explicitly include the secret in a workflow.
 {% data reusables.actions.secrets-org-level-overview %}
diff --git a/data/release-notes/enterprise-server/3-4/0.yml b/data/release-notes/enterprise-server/3-4/0.yml
index 984f99c191..213e22c67a 100644
--- a/data/release-notes/enterprise-server/3-4/0.yml
+++ b/data/release-notes/enterprise-server/3-4/0.yml
@@ -313,3 +313,6 @@ sections:
 backups:
 - '{% data variables.product.prodname_ghe_server %} 3.4 requires at least [GitHub Enterprise Backup Utilities 3.4.0](https://github.com/github/backup-utils) for [Backups and Disaster Recovery](/admin/configuration/configuring-your-enterprise/configuring-backups-on-your-appliance).'
+
+ errata:
+ - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
\ No newline at end of file
diff --git a/data/release-notes/enterprise-server/3-5/0.yml b/data/release-notes/enterprise-server/3-5/0.yml
index 6ccbf9f4b0..2927519283 100644
--- a/data/release-notes/enterprise-server/3-5/0.yml
+++ b/data/release-notes/enterprise-server/3-5/0.yml
@@ -406,7 +406,6 @@ sections:
 - |
 MinIO has announced the removal of the MinIO Gateways starting June 1st, 2022. While MinIO Gateway for NAS continues to be one of the supported storage providers for Github Actions and Github Packages, we recommend moving to MinIO LTS support to avail support and bug fixes from MinIO. For more information about rate limits, see "[Scheduled removal of MinIO Gateway for GCS, Azure, HDFS in the minio/minio repository](https://github.com/minio/minio/issues/14331)."
- deprecations:
 - heading: Change to the format of authentication tokens affects GitHub Connect
 notes:
@@ -446,3 +445,6 @@ sections:
 - |
 GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
 - '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
+
+ errata:
+ - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
\ No newline at end of file
diff --git a/data/release-notes/enterprise-server/3-6/0.yml b/data/release-notes/enterprise-server/3-6/0.yml
index 359df9607c..c077d312b9 100644
--- a/data/release-notes/enterprise-server/3-6/0.yml
+++ b/data/release-notes/enterprise-server/3-6/0.yml
@@ -322,3 +322,6 @@ sections:
 {% data reusables.ssh.rsa-sha-1-connection-failure-criteria %}
 You can adjust the cutoff date. For more information, see "[Configuring SSH connections to your instance](/admin/configuration/configuring-your-enterprise/configuring-ssh-connections-to-your-instance)." [Updated: 2023-01-31]
+
+ errata:
+ - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
\ No newline at end of file
diff --git a/data/release-notes/enterprise-server/3-7/0.yml b/data/release-notes/enterprise-server/3-7/0.yml
index f1e004798b..f12c0cc280 100644
--- a/data/release-notes/enterprise-server/3-7/0.yml
+++ b/data/release-notes/enterprise-server/3-7/0.yml
@@ -372,6 +372,8 @@ sections:
 Package registries on the new GitHub Packages architecture, including Container registry and npm packages, no longer expose data through the GraphQL API. In a coming release, other GitHub Packages registries will migrate to the new architecture, which will deprecate the GraphQL API for those registries as well.
 errata:
+ - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
+ # https://github.com/github/releases/issues/2042
 - |
 "[Features](#3.7.0-features)" incorrectly indicated that users of the GitHub Advisory Database can see advisories for Elixir, Erlang's Hex package manager, and more. This feature is unavailable in GitHub Enterprise Server 3.7, and will be available in a future release. [Updated 2023-06-01]
\ No newline at end of file
diff --git a/data/release-notes/enterprise-server/3-8/0.yml b/data/release-notes/enterprise-server/3-8/0.yml
index f52218421b..1d2b3cb294 100644
--- a/data/release-notes/enterprise-server/3-8/0.yml
+++ b/data/release-notes/enterprise-server/3-8/0.yml
@@ -476,3 +476,6 @@ sections:
 # https://github.com/github/releases/issues/2621
 - |
 For integrators who wish to receive webhooks for Dependabot alerts activity, the `dependabot_alert` webhook replaces the `repository_vulnerability_alert` webhook. For more information, see "[Webhook events and payloads](/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#dependabot_alert)."
+
+ errata:
+ - '{% data reusables.release-notes.github-actions-secrets-encryption-docs %}'
\ No newline at end of file
diff --git a/data/reusables/release-notes/github-actions-secrets-encryption-docs.md b/data/reusables/release-notes/github-actions-secrets-encryption-docs.md
new file mode 100644
index 0000000000..f5570ba0ae
--- /dev/null
+++ b/data/reusables/release-notes/github-actions-secrets-encryption-docs.md
@@ -0,0 +1 @@
+"[AUTOTITLE](/actions/security-guides/encrypted-secrets)" incorrectly indicated that secrets for GitHub Actions are encrypted in the instance's database. The article has been updated to reflect that secrets are not encrypted on the instance. To encrypt secrets at rest, you must encrypt your instance's block storage device. For more information, refer to the documentation for your hypervisor or cloud service. [Updated: 2023-06-01]