From ef70a7581f7efc4f9246005804975f7d70ced8d7 Mon Sep 17 00:00:00 2001 From: Matt Pollard Date: Thu, 1 Jun 2023 15:02:40 +0200 Subject: [PATCH 1/2] Update release note and docs for GHES support for Hex in the GitHub Advisory Database; add "Errata" to release notes (#37261) --- components/release-notes/PatchNotes.tsx | 1 + data/features/GH-advisory-db-erlang-support.yml | 4 ++-- data/release-notes/enterprise-server/3-7/0.yml | 7 +++++-- src/content-linter/lib/release-notes-schema.js | 1 + 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/components/release-notes/PatchNotes.tsx b/components/release-notes/PatchNotes.tsx index 21779e1d4839..2f28ba3a8033 100644 --- a/components/release-notes/PatchNotes.tsx +++ b/components/release-notes/PatchNotes.tsx @@ -15,6 +15,7 @@ const SectionToLabelMap: Record = { changes: 'Changes', deprecations: 'Deprecations', backups: 'Backups', + errata: 'Errata', } type Props = { diff --git a/data/features/GH-advisory-db-erlang-support.yml b/data/features/GH-advisory-db-erlang-support.yml index 3b9bccabb5e6..f9465db27233 100644 --- a/data/features/GH-advisory-db-erlang-support.yml +++ b/data/features/GH-advisory-db-erlang-support.yml @@ -3,5 +3,5 @@ versions: fpt: '*' ghec: '*' - ghes: '>=3.7' - ghae: '>= 3.7' + ghes: '>=3.10' + ghae: '>=3.10' diff --git a/data/release-notes/enterprise-server/3-7/0.yml b/data/release-notes/enterprise-server/3-7/0.yml index d89ee769728b..f1e004798be6 100644 --- a/data/release-notes/enterprise-server/3-7/0.yml +++ b/data/release-notes/enterprise-server/3-7/0.yml 
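Review bot: The new `errata: 'Errata'` entry has to be mirrored by hand in the allowed-section list in src/content-linter/lib/release-notes-schema.js, which this commit does in a separate hunk, but nothing in `SectionToLabelMap` records that coupling, so the next section added is likely to land on only one side. A one-line comment above the map would make the dependency explicit: `// Keep in sync with the section list in src/content-linter/lib/release-notes-schema.js`. A section key the linter accepts but this map lacks would presumably render without a label; how an unknown key is handled is not visible in this hunk, so that is worth checking. The `const SectionToLabelMap` line appears only in the hunk header, so whether the object's opening line sits inside the hunk is not certain from this view.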
@@ -138,13 +138,11 @@ sections: - | Organization owners can manage teams of security managers using the REST API. For more information, see "[Security Managers](/rest/orgs/security-managers)" in the REST API documentation. - # https://github.com/github/releases/issues/2042 # https://github.com/github/releases/issues/2295 # https://github.com/github/releases/issues/2307 - | Users can take advantage of the following improvements to the [GitHub Advisory Database](https://github.com/advisories). - - The database displays advisories for for Elixir, Erlang's Hex package manager, and more. - Users can find malware advisories by searching for `type:malware`. - The database displays advisories for GitHub Actions vulnerabilities. @@ -372,3 +370,8 @@ sections: # https://github.com/github/releases/issues/2480 - | Package registries on the new GitHub Packages architecture, including Container registry and npm packages, no longer expose data through the GraphQL API. In a coming release, other GitHub Packages registries will migrate to the new architecture, which will deprecate the GraphQL API for those registries as well. + + errata: + # https://github.com/github/releases/issues/2042 + - | + "[Features](#3.7.0-features)" incorrectly indicated that users of the GitHub Advisory Database can see advisories for Elixir, Erlang's Hex package manager, and more. This feature is unavailable in GitHub Enterprise Server 3.7, and will be available in a future release. [Updated 2023-06-01] \ No newline at end of file diff --git a/src/content-linter/lib/release-notes-schema.js b/src/content-linter/lib/release-notes-schema.js index 1fa536b06d1f..4873e366fd52 100644 --- a/src/content-linter/lib/release-notes-schema.js +++ b/src/content-linter/lib/release-notes-schema.js @@ -58,6 +58,7 @@ export default { 'deprecations', 'security_fixes', 'backups', + 'errata', ].reduce((prev, curr) => ({ ...prev, [curr]: section }), {}), }, }, 
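Review bot: `'errata'` is appended to a hand-maintained array of section keys that is reduced into the schema, while the same key set is duplicated as `SectionToLabelMap` in components/release-notes/PatchNotes.tsx, so the two can silently drift. Naming and exporting the array, `export const releaseNoteSections = ['features', /* … */, 'backups', 'errata']`, and building both the schema properties and the UI label map from it would give the linter a single source of truth. The `[Updated YYYY-MM-DD]` stamp used on the erratum in data/release-notes/enterprise-server/3-7/0.yml is a convention this schema does not check; whether `section` could enforce it depends on its definition, which is outside this hunk. The `export default {` object enclosing the list also starts outside the hunk.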
From f28f1c334e59a5ec2d7f3a86572f6b13d5e733c0 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 1 Jun 2023 14:06:23 +0100 Subject: [PATCH 2/2] Add custom pattern push protection enablement info (#37226) Co-authored-by: Felicity Chapman --- ...ing-custom-patterns-for-secret-scanning.md | 44 ++++--------- .../protecting-pushes-with-secret-scanning.md | 61 +++++++++++++++++++ .../secret-scanning-edit-custom-pattern.md | 1 + .../dry-runs-enterprise-permissions.md | 1 + .../push-protection-enterprise-note.md | 8 +++ .../push-protection-org-notes.md | 7 +++ .../push-protection-repo-notes.md | 8 +++ 7 files changed, 98 insertions(+), 32 deletions(-) create mode 100644 data/reusables/advanced-security/secret-scanning-edit-custom-pattern.md create mode 100644 data/reusables/secret-scanning/dry-runs-enterprise-permissions.md create mode 100644 data/reusables/secret-scanning/push-protection-enterprise-note.md create mode 100644 data/reusables/secret-scanning/push-protection-org-notes.md create mode 100644 data/reusables/secret-scanning/push-protection-repo-notes.md diff --git a/content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md b/content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md index e47746739d01..b8a37b87dde2 100644 --- a/content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md +++ b/content/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning.md 
@@ -51,18 +51,16 @@ Before defining a custom pattern, you must ensure that {% data variables.product {%- ifversion secret-scanning-custom-enterprise-35 %}{% indented_data_reference reusables.secret-scanning.beta-dry-runs spaces=3 %}{% endif %} {% endif %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %}{% ifversion secret-scanning-push-protection-custom-patterns %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. - +1. Optionally, to enable push protection for your custom pattern, click **Enable**. {% note %} - - **Note:** - - - Push protection for custom patterns will only apply to repositories that have {% data variables.product.prodname_secret_scanning %} as push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-a-repository)." - - Enabling push protection for commonly found custom patterns can be disruptive to contributors. - + + **Note**: The "Enable" button isn't available until after the dry run succeeds and you publish the pattern. + {% endnote %} + + For more information about push protection, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." - ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png){% endif %} +{% endif %} After your pattern is created, {% data reusables.secret-scanning.secret-scanning-process %} For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." 
@@ -120,17 +118,9 @@ Before defining a custom pattern, you must ensure that you enable {% data variab {%- ifversion secret-scanning-custom-enterprise-35 %}{% indented_data_reference reusables.secret-scanning.beta-dry-runs spaces=3 %}{% endif %} {%- endif %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %}{% ifversion secret-scanning-push-protection-custom-patterns %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. +1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-in-an-organization-for-a-custom-pattern)." - {% note %} - - **Note:** - - Push protection for custom patterns will only apply to repositories in your organization that have {% data variables.product.prodname_secret_scanning %} as push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization)." - - Enabling push protection for commonly found custom patterns can be disruptive to contributors. - - {% endnote %} - -![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png){% endif %} +{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}{% endif %} After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found and can review the alert in the repository where the secret is found. 
For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." @@ -147,7 +137,7 @@ Before defining a custom pattern, you must ensure that you enable secret scannin {% ifversion secret-scanning-custom-enterprise-36 or custom-pattern-dry-run-ga %} **Notes:** - At the enterprise level, only the creator of a custom pattern can edit the pattern, and use it in a dry run. -- Enterprise owners can only make use of dry runs on repositories that they have access to, and enterprise owners do not necessarily have access to all the organizations or repositories within the enterprise. +- {% data reusables.secret-scanning.dry-runs-enterprise-permissions %} {% else %} **Note:** As there is no dry-run functionality, we recommend that you test your custom patterns in a repository before defining them for your entire enterprise. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}. 
@@ -170,18 +160,8 @@ Before defining a custom pattern, you must ensure that you enable secret scannin {%- ifversion secret-scanning-custom-enterprise-36 %}{% indented_data_reference reusables.secret-scanning.beta-dry-runs spaces=3 %}{% endif %} {%- endif %} {% data reusables.advanced-security.secret-scanning-create-custom-pattern %}{% ifversion secret-scanning-push-protection-custom-patterns %} -1. Optionally, to enable push protection for your custom pattern, click **Enable**. - - {% note %} - - **Note:** - - - To enable push protection for custom patterns, {% data variables.product.prodname_secret_scanning %} as push protection needs to be enabled at the enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-your-enterprise)." - - Enabling push protection for commonly found custom patterns can be disruptive to contributors. - - {% endnote %} - -![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png){% endif %} +1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)." +{% indented_data_reference reusables.secret-scanning.push-protection-enterprise-note spaces=3 %}{% endif %} After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. 
For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." diff --git a/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md b/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md index 6796ab6686cf..99e865ac5aee 100644 --- a/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md +++ b/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md 
@@ -74,6 +74,67 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} +{% ifversion secret-scanning-push-protection %} + +## Enabling push protection for a custom pattern + +You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes or ghae %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}. + +{% ifversion ghec or ghes or ghae %} +### Enabling push protection for a custom pattern stored in an enterprise + +{% data reusables.secret-scanning.push-protection-enterprise-note %} + +Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion secret-scanning-custom-enterprise-36 or custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %} +{% data reusables.enterprise-accounts.code-security-and-analysis-policies %} +1. 
Under "Code security and analysis", click **Security features**.{% else %} +{% data reusables.enterprise-accounts.advanced-security-policies %} +{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} +{% ifversion secret-scanning-custom-enterprise-36 or custom-pattern-dry-run-ga %} + {% note %} + + **Note**: At the enterprise level, you can only edit and enable push protection for custom patterns that you created. + + {% endnote %} +{%- endif %} +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. + + ![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +{% endif %} +### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern + +Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)." + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. 
+{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %} + + ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern + +Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)." + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %} +1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**. + + ![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png) + +{% endif %} + ## Using secret scanning as a push protection from the command line {% data reusables.secret-scanning.push-protection-command-line-choice %} diff --git a/data/reusables/advanced-security/secret-scanning-edit-custom-pattern.md b/data/reusables/advanced-security/secret-scanning-edit-custom-pattern.md new file mode 100644 index 000000000000..228f7edf8238 --- /dev/null +++ b/data/reusables/advanced-security/secret-scanning-edit-custom-pattern.md 
@@ -0,0 +1 @@ +1. Under "{% data variables.product.prodname_secret_scanning_caps %}", under "Custom patterns", click {% octicon "pencil" aria-label="Edit custom pattern" %} for the pattern of interest. \ No newline at end of file diff --git a/data/reusables/secret-scanning/dry-runs-enterprise-permissions.md b/data/reusables/secret-scanning/dry-runs-enterprise-permissions.md new file mode 100644 index 000000000000..168e7b6785cb --- /dev/null +++ b/data/reusables/secret-scanning/dry-runs-enterprise-permissions.md @@ -0,0 +1 @@ +You can only perform a dry run on repositories that you have administration access to. If an enterprise owner wants access to perform dry runs on any repository in an organization, they must be assigned the organization owner role. For more information, see "[AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)." \ No newline at end of file diff --git a/data/reusables/secret-scanning/push-protection-enterprise-note.md b/data/reusables/secret-scanning/push-protection-enterprise-note.md new file mode 100644 index 000000000000..94159d929347 --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-enterprise-note.md @@ -0,0 +1,8 @@ +{% note %} + +**Notes:** + +- To enable push protection for custom patterns, {% data variables.product.prodname_secret_scanning %} as push protection needs to be enabled at the enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-your-enterprise)." +- Enabling push protection for commonly found custom patterns can be disruptive to contributors. + +{% endnote %} \ No newline at end of file diff --git a/data/reusables/secret-scanning/push-protection-org-notes.md b/data/reusables/secret-scanning/push-protection-org-notes.md new file mode 100644 index 000000000000..08f6903815c8 --- /dev/null 
+++ b/data/reusables/secret-scanning/push-protection-org-notes.md @@ -0,0 +1,7 @@ +{% note %} + +**Notes:** +- Push protection for custom patterns will only apply to repositories in your organization that have {% data variables.product.prodname_secret_scanning %} as push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization)." +- Enabling push protection for commonly found custom patterns can be disruptive to contributors. + +{% endnote %} \ No newline at end of file diff --git a/data/reusables/secret-scanning/push-protection-repo-notes.md b/data/reusables/secret-scanning/push-protection-repo-notes.md new file mode 100644 index 000000000000..c21836411e36 --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-repo-notes.md @@ -0,0 +1,8 @@ +{% note %} + +**Notes:** + +- Push protection for custom patterns will only apply to repositories that have {% data variables.product.prodname_secret_scanning %} as push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-a-repository)." +- Enabling push protection for commonly found custom patterns can be disruptive to contributors. + +{% endnote %} \ No newline at end of file