diff --git a/release-notes-published/11.0.8.md b/release-notes-published/11.0.8.md
new file mode 100644
index 0000000000..035b0e4e14
--- /dev/null
+++ b/release-notes-published/11.0.8.md
@@ -0,0 +1,21 @@
+
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 0 --><!--description Zml4KGFwaSk6IGZpeCBkZXBlbmRlbmN5IHJlcG8gcGVybXMgaW4gQ3JlYXRlL1JlbW92ZUlzc3VlRGVwZW5kZW5jeQ==-->fix(api): fix dependency repo perms in Create/RemoveIssueDependency<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 1 --><!--description Zml4KGFwaSk6IGRyYWZ0IHJlbGVhc2VzIGNvdWxkIGJlIHJlYWQgYmVmb3JlIGJlaW5nIHB1Ymxpc2hlZA==-->fix(api): draft releases could be read before being published<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 2 --><!--description bWlzY29uZmlndXJlZCBzZWN1cml0eSBjaGVja3Mgb24gdGFnIGRlbGV0ZSB3ZWIgZm9ybQ==-->misconfigured security checks on tag delete web form<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 3 --><!--description aW5jb3JyZWN0IGxvZ2ljIGluICJVcGRhdGUgUFIiIGRpZCBub3QgZW5mb3JjZSBoZWFkIGJyYW5jaCBwcm90ZWN0aW9uIHJ1bGVzIGNvcnJlY3RseQ==-->incorrect logic in "Update PR" did not enforce head branch protection rules correctly<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 4 --><!--description aXNzdWUgb3duZXIgY2FuIGRlbGV0ZSBhbm90aGVyIHVzZXIncyBjb21tZW50J3MgZWRpdCBoaXN0b3J5IG9uIHNhbWUgaXNzdWU=-->issue owner can delete another user's comment's edit history on same issue<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10039): <!--number 10039 --><!--line 5 --><!--description dGFnIHByb3RlY3Rpb24gcnVsZXMgY2FuIGJlIGJ5cGFzc2VkIGR1cmluZyB0YWcgZGVsZXRlIG9wZXJhdGlvbg==-->tag protection rules can be bypassed during tag delete operation<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10186): <!--number 10186 --><!--line 0 --><!--description Zml4OiBmcm9udGVuZC1jaGVja3MgZmFpbHVyZQ==-->fix: frontend-checks failure<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10176): <!--number 10176 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQHBsYXl3cmlnaHQvdGVzdCB0byB2MS41Ni4xICh2MTEuMC9mb3JnZWpvKQ==-->Update dependency @playwright/test to v1.56.1 (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10177): <!--number 10177 --><!--line 0 --><!--description Y2hvcmU6IHBpbiBub2RlIHZlcnNpb24=-->chore: pin node version<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10174): <!--number 10174 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvY3J5cHRvIHRvIHYwLjQ1LjAgKHYxMS4wL2Zvcmdlam8p-->Update module golang.org/x/crypto to v0.45.0 (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10134): <!--number 10134 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvY3J5cHRvIHRvIHYwLjQ0LjAgKHYxMS4wL2Zvcmdlam8p-->Update module golang.org/x/crypto to v0.44.0 (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10043): <!--number 10043 --><!--line 0 --><!--description ZmVhdDogUmVwbGFjZSBtaG9sdC9hcmNoaXZlci92MyB3aXRoIG1ob2x0L2FyY2hpdmVzICgjNzAyNSk=-->feat: Replace mholt/archiver/v3 with mholt/archives (#7025)<!--description-->
+<!--end release-notes-assistant-->