Upgrade to 3.16 failing due to a transition issue (#54855)

pallsama · zackfern · sabrowning1 · web-flow · commit b298e42457d8 · 2025-03-17T22:17:02.000Z
Co-authored-by: Zack Fernandes &lt;zackfern@github.com&gt;
Co-authored-by: Sam Browning &lt;106113886+sabrowning1@users.noreply.github.com&gt;
Co-authored-by: Vanessa &lt;vgrl@github.com&gt;
diff --git a/content/admin/upgrading-your-instance/troubleshooting-upgrades/known-issues-with-upgrades-to-your-instance.md b/content/admin/upgrading-your-instance/troubleshooting-upgrades/known-issues-with-upgrades-to-your-instance.md
@@ -74,3 +74,20 @@ If undecryptable records are detected, you will be prompted whether you want to
 
 If you have any questions during the upgrade, you can reach out to {% data variables.contact.github_support %}. Once you have had the time and opportunity to understand the impact, you can retrigger the upgrade.
 {% endif %}
+
+{% ifversion ghes > 3.13 and ghes < 3.17 %}
+
+## Upgrading from 3.14 to 3.16.0
+
+If you are using {% data variables.product.prodname_ghe_server %} 3.14, and you have enabled security products by default at the organization level, you cannot upgrade directly from 3.14 to 3.16.0. To determine your upgrade eligibility, run the following command:
+
+```shell
+ghe-console -y
+Organization.any? { |o| [o.vulnerability_updates_enabled_for_new_repos?, o.security_alerts_enabled_for_new_repos?, o.dependency_graph_enabled_for_new_repos?, o.advanced_security_enabled_on_new_repos?, SecretScanning::Features::Org::TokenScanning.new(o).secret_scanning_enabled_for_new_repos?, SecretScanning::Features::Org::PushProtection.new(o).enabled_for_new_repos?].any? }
+```
+
+If the command returns `true`, a direct upgrade from 3.14 to 3.16.0 will fail, and we recommend you wait for the next 3.16 patch to upgrade.
+
+Alternatively, you can move to 3.16.0 now by first upgrading from 3.14 to 3.15, then from 3.15 to 3.16.0.
+
+{% endif %}
diff --git a/data/release-notes/enterprise-server/3-16/0.yml b/data/release-notes/enterprise-server/3-16/0.yml
@@ -2,6 +2,12 @@ date: '2025-03-11'
 release_candidate: false
 deprecated: false
 intro: |
+  {% warning %}
+
+  **Warning**: Customers who have security products enabled by default at the organization level will experience issues when upgrading from 3.14 to 3.16.0. We recommend waiting for the next 3.16 patch to upgrade.
+
+  {% endwarning %}
+ 
   For upgrade instructions, see [AUTOTITLE](/admin/upgrading-your-instance/preparing-to-upgrade/overview-of-the-upgrade-process).
 sections:
 
@@ -187,6 +193,8 @@ sections:
       The CodeQL Action has been updated to v3.28.6 to enable uploading artifacts in debug mode without logging the complete environment when running CodeQL CLI v2.20.3+.
 
   known_issues:
+    - |
+      {% data reusables.release-notes.2025-03-security-product-transition-bug %} [Updated: 2025-03-17]
     - |
       Custom firewall rules are removed during the upgrade process.
     - |
diff --git a/data/reusables/release-notes/2025-03-security-product-transition-bug.md b/data/reusables/release-notes/2025-03-security-product-transition-bug.md
@@ -0,0 +1 @@
+Instances with security products enabled by default at the organization level will experience issues while upgrading from 3.14 to 3.16.0. We recommend waiting for the next 3.16 patch to upgrade. If you instead upgrade from 3.14 to 3.15, then from 3.15 to 3.16.0, the upgrade will succeed.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Instances with security products enabled by default at the organization level will experience issues while upgrading from 3.14 to 3.16.0. We recommend waiting for the next 3.16 patch to upgrade. If you instead upgrade from 3.14 to 3.15, then from 3.15 to 3.16.0, the upgrade will succeed.`