diff --git a/README.md b/README.md index 012ccca7c83..398e6dd383d 100644 --- a/README.md +++ b/README.md 
@@ -26,6 +26,51 @@ The new nuget package [can be found here](https://www.nuget.org/packages/io.gith - `dotnet tool install --global io.github.christopherhx.gharun` - Run `gharun` like `Runner.Client` +## Environment Secret files +CLI +``` +Runner.Client -W sample.yml --environment-secret-file develop=develop.yml --environment-secret-file staging=staging.yaml --environment-secret-file prod=prod.secrets +``` + +develop.yml, staging.yaml +```yaml +secret1: | + My multiline secret + it's yaml +secret2: val3 +``` + +prod.secrets +``` +secret1</signin-oidc` (https://localhost:5001/signin-oidc) as } ``` +### Dynamic GITHUB_TOKEN with specified permissions ( GitHub App ) + +Create a new github app with the following permissions +- Read access to metadata +- Read and write access to actions, checks, code, commit statuses, deployments, discussions, issues, packages, pull requests, repository projects, and security events + +Create the private key and configure the server to use the private key and your GitHubAppId. +```json +{ + "Runner.Server": { + "GitHubAppPrivateKeyFile": "path/to/privatekey.pem", + "GitHubAppId": 32344 + } +} +``` +CLI +``` +Runner.Server --Runner.Server:GitHubAppPrivateKeyFile=path/to/privatekey.pem --Runner.Server:GitHubAppId=32344 +``` + +#### AllowPrivateActionAccess +You can allow that your workflows can access private reusable workflows and actions where your GitHub App is registered. **Do not use together with AllowPullRequests or the content of all your private repositories can be leaked.** + +```json +{ + "Runner.Server": { + "AllowPrivateActionAccess": true + } +} +``` + +### OnQueueJob +You can configure the server to execute a command once a job is queued, e.g. you can configure or start a suspended runner to run the job. 
+ +For example run a bash script, you can see the stdout and stderr of the process in the live logs of the job which ran the hook +```json +{ + "Runner.Server": { + "OnQueueJobProgram": "/bin/bash", + "OnQueueJobArgs": "\"/home/ubuntu/runner.server-3.6.0/upscale.sh\"" + } +} +``` +You also get the `RUNNER_SERVER_PAYLOAD` environment variable with information about the queued job. Sample Content: +```json +{ + "contextData": { + "inputs": null, + "github": { + "server_url": "https://github.com", + "api_url": "https://api.github.com", + "graphql_url": "https://api.github.com/graphql", + "workflow": "example", + "repository": "murx/murx", + "sha": "02303847892393472939380472973932", + "repository_owner": "murx", + "ref": "refs/tags/urgh", + "ref_protected": false, + "ref_type": "tag", + "ref_name": "urgh", + "head_ref": "", + "base_ref": "", + "event": { + "commits": [ + { + "message": "Untraced changes", + "id": "02303847892393472939380472973932", + "added": [], + "removed": [], + "modified": [] + } + ], + "sender": { + "login": "weird", + "name": "weird", + "email": "weird@runner.server.localhost", + "id": 976638, + "type": "user" + }, + "pusher": { + "login": "weird", + "name": "weird", + "email": "weird@runner.server.localhost", + "id": 976638, + "type": "user" + }, + "before": "0000000000000000000000000000000000000000", + "ref": "refs/tags/urgh", + "after": "02303847892393472939380472973932", + "head_commit": { + "message": "Untraced changes", + "id": "02303847892393472939380472973932", + "added": [], + "removed": [], + "modified": [] + }, + "repository": { + "owner": { + "login": "weird", + "name": "weird", + "email": "weird@runner.server.localhost", + "id": 976638, + "type": "user" + }, + "default_branch": "main", + "master_branch": "master", + "name": "murx", + "full_name": "murx/murx" + } + }, + "event_name": "push", + "actor": "weird", + "run_id": "824", + "run_number": "824", + "retention_days": "90", + "run_attempt": "1", + "repositoryUrl": 
"https://github.com/murx/murx.git" + }, + "needs": {}, + "strategy": { + "fail-fast": true, + "max-parallel": 1, + "job-total": 1, + "job-index": 0 + }, + "matrix": null + }, + "repository": "murx/murx", + "workflowFileName": ".github/workflows/main.yaml", + "job": "test", + "jobDisplayName": "test", + "environment": "", + "labels": [ + "self-hosted", + "container-host" + ] +} +``` + ### The `.actrc` File Put every parameter pair into a single line, here just a sample ``` @@ -309,7 +514,7 @@ This Software contains Open Source reimplementations of some parts of the propri - matrix parsing and evaluation - callable workflows - `on` parsing incl. filter -- context creation of `github`, `needs`, `matrix` and `strategy` +- context creation of `github`, `needs`, `matrix`, `strategy` and `inputs` - job inputs / outputs, based on documentation - secret management - cache service diff --git a/releaseNote.md b/releaseNote.md index 89e34888a56..4716e4b22f0 100644 --- a/releaseNote.md +++ b/releaseNote.md 
@@ -1,28 +1,9 @@ ## Fixes -- Don't share the templatecontext to avoid accumulated evaluation memory limits across jobs -- `--version` switch now working again with an `.actrc` -- Errors in `.actrc` are no longer fatal errors -- Trim white spaces in `.actrc` files -- `--list` flag works again, was broken between `v3.5.0` and `v3.6.4` -- Force cancellation no longer waits for any running agent, can be used to resync a stale runner -- Send cancellation Message not within 5s after sending the job message, **to mitigate a runner bug** +- Problem matcher commands now working again in docker containers, broken as of 3.6.4. New tests added, since this is part of a runner modification. ## Features -- Specify deployment environment secrets and use different secrets per job -- Simple oidc stub, eventually works with cloud providers or not -- Update actions/runner 2.289.1 -- Accept live logs via websockets, Protocol addition of github actions March 2022 -- Allow to rerun from HEAD commit of the branch or tag, faster testing of release and issue workflows -- Option to run a command when a new job gets queued, e.g. for basic upscaling -- Better error messages of cyclic and missing dependencies ## Breaking Changes -- Specifing an job ( deployment ) environment no longer uses secrets of `-s` or `--secret` flag -- Yaml anchors are now disabled again -- The `GITHUB_TOKEN` in appsettings.json is no longer sent to jobs with contents: read / none permissions - Added `GITHUB_TOKEN_NONE` and `GITHUB_TOKEN_READ_ONLY` properties to be able to set a value -- The `gharun` / `Runner.Client` `-C` flag no longer uses `.github/workflows` as default argument, instead it uses a default path relative to the `-C` flag - workflow filenames are now resolved relative to the `-C` flag before sending the name to the server ## Windows x64 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). 
This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows. diff --git a/releaseVersion b/releaseVersion index 7c69a55dbb1..a76ccff2a6e 100644 --- a/releaseVersion +++ b/releaseVersion @@ -1 +1 @@ -3.7.0 +3.7.1 diff --git a/src/Runner.Server/webpage1.png b/src/Runner.Server/webpage1.png index cec82ab0589..97f6e1cbc5c 100644 Binary files a/src/Runner.Server/webpage1.png and b/src/Runner.Server/webpage1.png differ diff --git a/src/Runner.Server/webpage2.png b/src/Runner.Server/webpage2.png new file mode 100644 index 00000000000..84eca18bdf0 Binary files /dev/null and b/src/Runner.Server/webpage2.png differ diff --git a/src/Runner.Server/webpage3.png b/src/Runner.Server/webpage3.png new file mode 100644 index 00000000000..5f49329478c Binary files /dev/null and b/src/Runner.Server/webpage3.png differ diff --git a/src/Runner.Server/webpage4.png b/src/Runner.Server/webpage4.png new file mode 100644 index 00000000000..4d3a02d7ea4 Binary files /dev/null and b/src/Runner.Server/webpage4.png differ diff --git a/src/runnerversion b/src/runnerversion index 7c69a55dbb1..a76ccff2a6e 100644 --- a/src/runnerversion +++ b/src/runnerversion @@ -1 +1 @@ -3.7.0 +3.7.1
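Review bot: In the README `#### AllowPrivateActionAccess` section, the only guard against combining this option with `AllowPullRequests` is the bold sentence; the added text does not say whether the server rejects or warns about that combination. Since the stated consequence is that the content of all private repositories can be leaked, please document whether the server refuses to start (or logs a warning) when both are set. If it does not, consider adding that check together with this documentation change.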
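Review bot: In the README `### OnQueueJob` section, the text does not mention that `RUNNER_SERVER_PAYLOAD` carries values chosen by whoever triggered the workflow; the sample shows `ref_name`, commit `message` and `sender` fields. Suggest adding a sentence telling hook authors to parse the variable as JSON and not to interpolate its fields into a shell command line. Because the hook's stdout and stderr appear in the live logs of the job, the section should also say that the script must not print credentials it uses for upscaling. Separately, the sample path `/home/ubuntu/runner.server-3.6.0/upscale.sh` pins an older version than the 3.7.1 this patch releases; a version-neutral path would age better.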
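Review bot: In releaseNote.md, `## Features` and `## Breaking Changes` are left as empty headings once their entries are removed. Either drop both headings for this release or put an explicit "None" under each, so a reader does not have to guess whether the breaking changes from the previous notes (for example the `GITHUB_TOKEN` handling) were omitted by mistake. The `inputs` context that this patch adds to the README feature list is also not mentioned in the notes.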