From 0063858f751f0e809f705748e17a83e58d591899 Mon Sep 17 00:00:00 2001 From: Tingluo Huang Date: Wed, 20 Nov 2024 09:23:03 -0500 Subject: [PATCH 1/2] Doc how to escape ':' in OIDC 'sub' claim. (#53080) Co-authored-by: Steve-Glass <84886334+Steve-Glass@users.noreply.github.com> Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> --- ...-security-hardening-with-openid-connect.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md index fe7842c1a013..13218ea56323 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md 
@@ -297,7 +297,8 @@ To help improve security, compliance, and standardization, you can customize the Customizing the claims results in a new format for the entire `sub` claim, which replaces the default predefined `sub` format in the token described in "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims)." > [!NOTE] -> The `sub` claim uses the shortened form `repo` (for example, `repo:ORG-NAME/REPO-NAME`) instead of `repository` to reference the repository. +> The `sub` claim uses the shortened form `repo` (for example, `repo:ORG-NAME/REPO-NAME`) instead of `repository` to reference the repository. {% ifversion fpt or ghec or ghes > 3.15 %} +> Any `:` within the context value will be replaced with `%3A`. {% endif %} The following example templates demonstrate various ways to customize the subject claim. To configure these settings on {% data variables.product.prodname_dotcom %}, admins use the REST API to specify a list of claims that must be included in the subject (`sub`) claim. 
@@ -420,6 +421,26 @@ or: In your cloud provider's OIDC configuration, configure the `sub` condition to require a `repository_owner_id` claim that matches the required value. +{% ifversion fpt or ghec or ghes > 3.15 %} + +#### Example: Context value with `:` + +This example demonstrates how to handle context value with `:`. For example, when the job references an environment named `production:eastus`. + +{% data reusables.actions.use-request-body-api %} + +```json +{ + "include_claim_keys": [ + "environment", + "repository_owner" + ] +} +``` + +In your cloud provider's OIDC configuration, configure the `sub` condition to require that claims must include a specific value for `environment` and `repository_owner`. For example: `"sub": "environment:production%3Aeastus:repository_owner:octo-org"`. +{% endif %} + #### Resetting organization template customizations This example template resets the subject claims to the default format. This template effectively opts out of any organization-level customization policy. From 38776e88fb81f382d41b3767792cef917f5eecc9 Mon Sep 17 00:00:00 2001 From: Pallavi <96553709+pallsama@users.noreply.github.com> Date: Wed, 20 Nov 2024 07:22:09 -0800 Subject: [PATCH 2/2] Add a note for deprecation and removal of copy storage setting from actions (#53144) Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> --- data/release-notes/enterprise-server/3-14/2.yml | 6 ++++++ data/release-notes/enterprise-server/3-15/0-rc1.yml | 2 ++ 2 files changed, 8 insertions(+) diff --git a/data/release-notes/enterprise-server/3-14/2.yml b/data/release-notes/enterprise-server/3-14/2.yml index 8d211f405120..7a7f763aa178 100644 --- a/data/release-notes/enterprise-server/3-14/2.yml +++ b/data/release-notes/enterprise-server/3-14/2.yml 
@@ -82,3 +82,9 @@ sections: {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %} [Updated: 2024-11-13] + + deprecations: + - | + The option to "copy Storage settings from Actions" in the Management Console ("GitHub Packages" > "Packages Storage Settings") has been removed. [Updated: 2024-11-20] + + diff --git a/data/release-notes/enterprise-server/3-15/0-rc1.yml b/data/release-notes/enterprise-server/3-15/0-rc1.yml index f78b6c7d0aa5..b68f6559a590 100644 --- a/data/release-notes/enterprise-server/3-15/0-rc1.yml +++ b/data/release-notes/enterprise-server/3-15/0-rc1.yml @@ -226,6 +226,8 @@ sections: # https://github.com/github/releases/issues/4878 - | The Management Console API has been removed. The Manage GHES API reached feature parity with the Management Console API in {% data variables.product.prodname_ghe_server %} version 3.12. For information about the Manage GHES API, see "[AUTOTITLE](/rest/enterprise-admin/manage-ghes)." + - | + The option to "copy Storage settings from Actions" in the Management Console ("GitHub Packages" > "Packages Storage Settings") has been removed. [Updated: 2024-11-20] errata: # https://github.com/github/docs-content/issues/16489
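
Review bot: The note added in the `@@ -297,7 +297,8 @@` hunk of patch 1/2 says any `:` in a context value is replaced with `%3A`, but it does not say whether a literal `%` in a context value is encoded as well. If it is not, a value that already contains the text `%3A` would produce the same `sub` string as one containing `:`, and anyone writing a trust condition against `sub` needs to know that. Please state the behaviour for `%` explicitly, or say that `:` is the only character rewritten.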
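
Review bot: In the `@@ -420,6 +421,26 @@` hunk of patch 1/2, the closing paragraph of the new example never says that the cloud provider condition has to match the encoded form. The reader has to infer it from `"sub": "environment:production%3Aeastus:repository_owner:octo-org"`. Suggest adding a sentence that the condition must use `production%3Aeastus`, not the environment name as written in the workflow (`production:eastus`), because the `sub` string is compared as issued. Smaller wording points in the same hunk: "how to handle context value with `:`" reads better as "a context value that contains `:`", and "For example, when the job references an environment named ..." is a sentence fragment that could be merged into the sentence before it.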
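
Review bot: The entry added under `deprecations:` in the `3-14/2.yml` hunk of patch 2/2 says the option "has been removed" without saying which release removed it or what administrators should do instead. Placed in the notes for a patch release, it reads as if the removal happened in this release, while the commit subject speaks of "deprecation and removal". Please state the release the removal applies to and point to the replacement way of configuring Packages storage. The hunk also adds two blank lines after the entry at the end of the file, which can be dropped.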
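
Review bot: The entry added in the `3-15/0-rc1.yml` hunk of patch 2/2 has no source comment, while the entry directly above it carries `# https://github.com/github/releases/issues/4878` and the `errata:` section below references a docs-content issue in the same way. Suggest adding the tracking issue as a comment above the new `- |` item so that the origin of the note can be traced later. The text duplicates the sentence added to `3-14/2.yml` word for word, so any wording change made there should be mirrored here.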