diff --git a/docs/admin/auth.md b/docs/admin/auth.md
index 4c846573cd8ac..11eeeb2349af8 100644
--- a/docs/admin/auth.md
+++ b/docs/admin/auth.md
@@ -315,6 +315,14 @@ OIDC provider will be added to the `myCoderGroupName` group in Coder.
 [azure-gids]:
   https://github.com/MicrosoftDocs/azure-docs/issues/59766#issuecomment-664387195
 
+### Group allowlist
+
+You can limit which groups from your identity provider can log in to Coder with
+[CODER_OIDC_ALLOWED_GROUPS](https://coder.com/docs/v2/latest/cli/server#--oidc-allowed-groups).
+Users who are not in a matching group will see the following error:
+
+![Unauthorized group error](../images/admin/group-allowlist.png)
+
 ### Troubleshooting
 
 Some common issues when enabling group sync.
diff --git a/docs/changelogs/README.md b/docs/changelogs/README.md
index c3eb49e6f742b..b84be3beb9362 100644
--- a/docs/changelogs/README.md
+++ b/docs/changelogs/README.md
@@ -13,8 +13,8 @@ git checkout main; git pull; git fetch --all
 export CODER_IGNORE_MISSING_COMMIT_METADATA=1
 export BRANCH=main
 ./scripts/release/generate_release_notes.sh \
-  --old-version=v2.4.0 \
-  --new-version=v2.4.1 \
+  --old-version=v2.5.0 \
+  --new-version=v2.5.1 \
   --ref=$(git rev-parse --short "${ref:-origin/$BRANCH}") \
-  > ./docs/changelogs/v2.4.1.md
+  > ./docs/changelogs/v2.5.0.md
 ```
diff --git a/docs/changelogs/v2.5.0.md b/docs/changelogs/v2.5.0.md
new file mode 100644
index 0000000000000..807f42e2c4df0
--- /dev/null
+++ b/docs/changelogs/v2.5.0.md
@@ -0,0 +1,116 @@
+## Changelog
+
+### Features
+
+- Templates can now be deprecated in "template settings" to warn new users and prevent new workspaces from being created (#10745) (@Emyrk)
+  ![Deprecated template](https://gist.github.com/assets/22407953/5883ff54-11a6-4af0-afd3-ad77be1c4dc2)
+  > This is an [Enterprise feature](https://coder.com/docs/v2/latest/enterprise).
+- Add user/settings page for managing external auth (#10945) (@Emyrk)
+  ![External auth settings](https://gist.github.com/assets/22407953/99252719-7255-426e-ba88-55d08dd04586)
+- Allow auditors to read template insights (#10860) (@johnstcn)
+- Add support for custom permissions in Helm chart `rbac.yaml` file (#10590) (@lbi22)
+- Add `workspace_id`, `owner_name` to agent manifest (#10199) (@szab100)
+- Allow identity provider to return single string for roles/groups claim (#10993) (@Emyrk)
+- Add endpoints to list all auth-ed external apps (#10944) (@Emyrk)
+- Support v2 Tailnet API in AGPL coordinator (#11010) (@spikecurtis)
+- Dormant workspaces now appear in the default workspaces list (#11053) (@sreya)
+- Include server agent API version in buildinfo (#11057) (@spikecurtis)
+- Restart stopped workspaces on `coder ssh` command (#11050) (@Emyrk)
+- You can now specify an [allowlist for OIDC Groups](https://coder.com/docs/v2/latest/admin/auth#group-allowlist) (#11070) (@Emyrk)
+- Display 'Deprecated' warning for agents using old API version (#11058) (@spikecurtis)
+- Add support for `coder_env` resource to set environment variables within a workspace (#11102) (@mafredri)
+- Handle session signals (#10842) (@mafredri)
+- Allow specifying names of provisioner daemons (#11077) (@johnstcn)
+- Preserve old agent logs (#10776) (@ammario)
+- Store workspace proxy version in the database (#10790) (@johnstcn)
+- Add `last_seen_at` and version to provisioner_daemons table (#11033) (@johnstcn)
+- New layout for web-based template editor (#10912) (@BrunoQuaresma)
+  ![Template editor layout](https://gist.github.com/assets/22407953/0351f0bd-6872-4186-a704-a403048e5758)
+- Add `arm64` and `amd64` portable binaries to `winget` (#11030) (@matifali)
+- Add claims to oauth link in db for debug (#10827) (@Emyrk)
+- Change login screen layout (#10768) (@BrunoQuaresma)
+
+### Bug fixes
+
+- Automatically purge inactive provisioner daemons after 7 days (#10949) (@mtojek)
+- All migrations run in a transaction to avoid broken migrations (#10966) (@coadler)
+- Set `ignore_changes` on EC2 example templates (#10773) (@ericpaulsen)
+- Stop redirecting DERP and replicasync http requests (#10752) (@spikecurtis)
+- Prevent alt text from appearing if OIDC icon fail to load (#10792) (@Parkreiner)
+- Fix insights metrics comparison (#10800) (@mtojek)
+- Clarify language in orphan section of delete modal (#10764) (@Kira-Pilot)
+- Prevent change in defaults if user unsets in template edit (#10793) (@Emyrk)
+- Only update last_used_at when connection count > 0 (#10808) (@sreya)
+- Update workspace cleanup flag names for template cmds (#10805) (@sreya)
+- Give SSH stdio sessions a chance to close before closing netstack (#10815) (@spikecurtis)
+- Preserve order of node reports in healthcheck (#10835) (@mtojek)
+- Enable FeatureHighAvailability if it is licensed (#10834) (@spikecurtis)
+- Skip autostart for suspended/dormant users (#10771) (@coadler)
+- Display explicit 'retry' button(s) when a workspace fails (#10720) (@Parkreiner)
+- Improve exit codes for agent/agentssh and cli/ssh (#10850) (@mafredri)
+- Detect and retry reverse port forward on used port (#10844) (@spikecurtis)
+- Document workspace filter query param correctly (#10894) (@Kira-Pilot)
+- Hide groups in account page if not enabled (#10898) (@Parkreiner)
+- Add spacing for yes/no prompts (#10907) (@f0ssel)
+- Numerical validation grammar (#10924) (@ericpaulsen)
+- Insert replica when removed by cleanup (#10917) (@f0ssel)
+- Update autostart context to include querying users (#10929) (@sreya)
+- Clear workspace name validation on field dirty (#10927) (@Kira-Pilot)
+- Redirect to new url after template name update (#10926) (@Kira-Pilot)
+- Do not allow selection of unsuccessful versions (#10941) (@f0ssel)
+- Parse username/workspace correctly on `coder state pull --build` (#10973) (#10974) (@spikecurtis)
+- Handle 404 on unknown top level routes (#10964) (@f0ssel)
+- FIX `UpdateWorkspaceDormantDeletingAt` interval out of range (#11000) (@coadler)
+- Create centralized PaginationContainer component (#10967) (@Parkreiner)
+- Use database for user creation to prevent flake (#10992) (@f0ssel)
+- Pass in time parameter to prevent flakes (#11023) (@f0ssel)
+- Respect header flags in wsproxy server (#10985) (@deansheather)
+- Update tailscale to include fix to prevent race (#11032) (@spikecurtis)
+- Disable prefetches for audits table (#11040) (@Parkreiner)
+- Increase default staleTime for paginated data (#11041) (@Parkreiner)
+- Display app templates correctly in build preview (#10994) (@Kira-Pilot)
+- Redirect unauthorized git users to login screen (#10995) (@Kira-Pilot)
+- Use unique workspace owners over unique users (#11044) (@f0ssel)
+- Avoid updating agent stats from deleted workspaces (#11026) (@f0ssel)
+- Track JetBrains connections (#10968) (@code-asher)
+- Handle no memory limit in `coder stat mem` (#11107) (@f0ssel)
+- Provide helpful error when no login url specified (#11110) (@f0ssel)
+- Return 403 when rebuilding workspace with require_active_version (#11114) (@sreya)
+- Use provisionerd context when failing job on canceled acquire (#11118) (@spikecurtis)
+- Ensure we are talking to coder on first user check (#11130) (@f0ssel)
+- Prevent logging error for query cancellation in `watchWorkspaceAgentMetadata` (#10843) (@mafredri)
+- Disable CODER_DERP_SERVER_STUN_ADDRESSES correctly (#10840) (@strike)
+- Remove anchor links from headings in admin/healthcheck.md (#10975) (@johnstcn)
+- Use mtime instead of atime (#10893) (#10892) (@johnstcn)
+- Correctly interpret timezone based on offset in `formatOffset` (#10797) (@mafredri)
+- Use correct default insights time for day interval (#10837) (@mafredri)
+- Fix filter font size (#11028) (@BrunoQuaresma)
+- Fix padding for loader (#11046) (@BrunoQuaresma)
+- Fix template editor route (#11063) (@BrunoQuaresma)
+- Use correct permission when determining orphan deletion privileges (#11143) (@sreya)
+
+### Documentation
+
+- Align CODER_HTTP_ADDRESS with document (#10779) (@JounQin)
+- Migrate all deprecated `CODER_ADDRESS `to `CODER_HTTP_ADDRESS` (#10780) (@JounQin)
+- Add documentation for template update policies (experimental) (#10804) (@sreya)
+- Fix typo in additional-clusters.md (#10868) (@bpmct)
+- Update FE guide (#10942) (@BrunoQuaresma)
+- Add warning about Sysbox before installation (#10619) (@bartonip)
+- Add license and template insights prometheus metrics (#11109) (@ericpaulsen)
+- Add documentation for template update policies (#11145) (@sreya)
+
+### Other changes
+
+- Document suspended users not consuming seat (#11045) (@ericpaulsen)
+- Fix small typo in docs/admin/configure (#11135) (@stirby)
+
+Compare: [`v2.4.0...v2.5.0`](https://github.com/coder/coder/compare/v2.4.0...v2.5.0)
+
+## Container image
+
+- `docker pull ghcr.io/coder/coder:v2.5.0`
+
+## Install/upgrade
+
+Refer to our docs to [install](https://coder.com/docs/v2/latest/install) or [upgrade](https://coder.com/docs/v2/latest/admin/upgrade) Coder, or use a release asset below.
diff --git a/docs/images/admin/group-allowlist.png b/docs/images/admin/group-allowlist.png
new file mode 100644
index 0000000000000..55fe0ae3f4464
Binary files /dev/null and b/docs/images/admin/group-allowlist.png differ