Reducing downtime on starting replication (#58931)

Co-authored-by: isaacmbrown <isaacmbrown@github.com>

Author: pallsama

data/release-notes/enterprise-server/3-14/20.yml

@@ -27,6 +27,8 @@ sections:
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

data/release-notes/enterprise-server/3-15/15.yml

@@ -13,7 +13,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
     - |
@@ -26,11 +26,13 @@ sections:
       When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
   changes:
     - |
-      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 --> 
+      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-16/11.yml

@@ -11,7 +11,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
     - |
@@ -30,9 +30,11 @@ sections:
       When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
   changes:
     - |
-      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 --> 
+      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators can add security key-backed (SK) SSH certificate authorities.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-17/8.yml

@@ -11,7 +11,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Site administrators using the Management Console would see overly verbose error messages on the maintenance page. These error messages were not cleared when a new request was made, and no message was displayed when maintenance mode changes were saved successfully.
     - |
@@ -34,11 +34,13 @@ sections:
       When new Elasticsearch indexes were created, index routing memos could go to a read-only MySQL replica and fail, causing delays in audit log indexing after monthly rollovers. The memos are now written to the primary database rather than a read-only replica.
   changes:
     - |
-      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 --> 
+      A new weekly job automatically disables Elasticsearch deprecation logging and removes existing deprecation logs every Saturday at midnight. This helps administrators manage disk space by regularly cleaning up deprecation data streams and log indices that are no longer needed. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-18/2.yml

@@ -13,7 +13,7 @@ sections:
     - |
       On instances with a "No Proxy" setting configured for GitHub Actions with MinIO or AWS remote blob providers, administrators sometimes experienced failures reading or writing Actions logs, artifacts, or caches because some traffic was incorrectly routed through the instances proxy.
     - |
-      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 --> 
+      New Microsoft Teams integrations failed to set up because the required `tenant_id` field was missing from the configuration, following Microsoft's deprecation of multi-tenant bot creation. <!-- markdownlint-disable-line GHD046 -->
     - |
       Administrators running the `ghe-repl-decommission` script received an error.
     - |
@@ -43,6 +43,8 @@ sections:
       Administrators can add security key-backed (SK) SSH certificate authorities.
     - |
       Administrators and users experience faster and more efficient searching of GitHub Actions workflow runs, with lower compute and networking resource usage. Searches for workflow runs within a repository are now always scoped to an associated repository.
+    - |
+      `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
   known_issues:
     - |
       Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-19/0.yml

@@ -18,6 +18,9 @@ sections:
         # https://github.com/github/releases/issues/6908
         - |
           Starting 3.19, new installations of GHES will have OpenTelemetry metrics enabled and Collectd metrics disabled by default. You have the option to toggle between the two. Upgraded instances will retain their current settings. In about two to three releases, OpenTelemetry metrics will become the only supported metrics. To learn about OTel metrics, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/opentelemetry-metrics).
+        # https://github.com/github/releases/issues/6922
+        - |
+          `ghe-repl-start` can now be executed without requiring a maintenance window when setting up a new replica, as long as `ghe-repl-setup` is immediately followed by `ghe-config-apply`. [Updated: 2025-12-17]
 
     - heading: Migrations
       notes:
@@ -199,14 +202,12 @@ sections:
         # https://github.com/github/releases/issues/6385
         - |
           Enterprises using IP allowlists should verify and update their network settings to include the newly required IP ranges for importer migrations. Failure to allow these addresses prevents successful migrations.
-        # https://github.com/github/releases/issues/6019  
+        # https://github.com/github/releases/issues/6019
         - |
           Projects now support up to 50,000 active items and 10,000 archived items. The previous limit was 1,200 items total. There is no option to opt out of this increased limit.
 
   known_issues:
     # INCLUDE NOTES FOR RELEASE FROM "GHES Release Note Tracking" PROJECT'S "Known Issues" TAB
-    - |
-      **Note:** This list is not complete. Any new known issues that are identified for the 3.19 release will be added between now and the general availability release.
     - |
       Custom firewall rules are removed during the upgrade process.
     - |
@@ -253,4 +254,4 @@ sections:
     - |
       Starting 3.21, networking-related syscalls will be disabled by default in the pre-receive hook environment. For enhanced security, hook environments will be placed in dedicated network namespaces. You will be able to override the default setting by setting pre-receive-hook-networking to enabled. As an alternative to many pre-receive hooks, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#push-rulesets).
     - |
-      In 3.20, we will be retiring `Telegraf`. For context, this was a dark-shipped service running in the background and not part of any customer workflows. If you have discovered it and notice it is missing in a future release, we want to you to know we have intentionally removed it. 
+      In 3.20, we will be retiring `Telegraf`. For context, this was a dark-shipped service running in the background and not part of any customer workflows. If you have discovered it and notice it is missing in a future release, we want to you to know we have intentionally removed it.