diff --git a/CHANGELOG.md b/CHANGELOG.md index b5b8da28b1a..16fbd73b4aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,154 @@ +# [2024-07-08] (Chart Release 5.4.0) + +## Release notes + + +* Phone registration and login is not supported anymore. All API endpoints dealing with phone numbers and phone activation codes now fail with a 400 error. Brig options related to phone number support have now been deleted, namely: + - `setTwilio` + - `setNexmo` + - `setAllowlistPhonePrefixes`. (#4045) + + +## API changes + + +* Internal API endpoints related to phone numbers have been removed. + + In brig: + - `iGetPhonePrefix` + - `iDeletePhonePrefix` + - `iPostPhonePrefix`. + + In stern: + - `get-users-by-phone` + - `put-phone`. (#4045) + + +## Features + + +* charts/coturn: support putting coturn into 'drain' mode when terminating pods, denying new incoming client connections. This speeds up graceful coturn restarts significantly. (#4098) + +* Set SFT usernames's `shared` field according to team settings (#4117) + +* Updated the `mlsE2EId` feature config with two additional fields `crlProxy` and `useProxyOnMobile` (#4051) + +* reject MLS messages for future epochs (#4110) + +* Introduce more configuration options to the `coturn` helm chart (#4083) + +* Update email templates to v1.0.121. (#4064) + +* Support connecting to RabbitMQ over TLS. See "Configure RabbitMQ" section in the documentation for details. (#4094) + +* Support connecting to Redis over TLS + + It can be enabled by setting these options on the wire-server helm chart: + + ```yaml + gundeck: + config: + redis: + enableTls: true + + # When custom CAs are required, one of these must be set: + tlsCa: + tlsCaSecretRef: + name: + key: + + # When TLS needs to be used without verification: + insecureSkipVerifyTls: true + ``` + (#4016) + + +## Bug fixes and other updates + + +* fixed stern endpoint `/i/users/meta-info` (#4101) + +* Log password reset errors instead of propagating them (#4114) + +* Log request ids in brig. (#4086) + +* Do not set update origin "scim" in public brig api. 
(#4072) + +* Disabling legalhold before user's approval doesn't result in an error (#4104) + +* Make scim-delete-user idempotent. Hide information about existing users (make delete idempotent) (#4120) + +* Expose /providers/assets via nginz (#4082) + +* federator: Expect a client certificate to be the certificate chain + + Without this openssl doesn't forward to whole chain causing mTLS to not succeed. (#4089) + +* Only resend proposals once after external commit (#4103) + +* gundeck: Better tolerance for redis-cluster restarts (#4084) + +* GHC does not support repeated --with-rtsopts options, and it simply applies the last one. This means many of the baked-in options were actually not being passed, including -N for some of the services and -T for cannon. (#4118) + +* Ensure that a Request ID is logged whenever unexpected errors are caught in any service (#4059) + +* charts/coturn: use allowed dir to write PID file (#4098) + +* Make pending LH requests (with no LH devices listening yet) not throw LH policy errors. This helps eg. in cases where a LH request is issued to the wrong user by accident, and the user can clear up the mistake. (#4056) + + +## Documentation + + +* Adjust documentation for migrated helm charts (#4058) + + +## Internal changes + + +* Adapt EJPD data to current requirements. (#3945) + +* Port team feature tests to the `integration` package (#4063) + +* Ported flaky legalhold test to the new integration test suite (#4057) + +* Added profile update operations to the user subsystem. (#4046) + +* Introduce authentication subsystem with password reset. (#4086) + +* update nixpkgs and hence GHC version as well as some other tooling. (#4071) + +* nginz: Added `allowlisted_fqdn_origins` to `nginx_conf` value (#4087) + +* Add weeder for dead code elimination. (#4088) + +* Introduce email subsystem (#4111) + +* replace cabal.project.local template and update cabal.project (#4119) + +* Add HTTP proxy in the local setup for elasticsearch in federation-v0. 
This makes it possible to use a single elasticsearch instance for both the main backends and federation-v0. (#4062) + +* federator: Add metrics for garbage collections and unexpected errors that were caught (#4085) + +* federator: Simplify polysemy setup to make it similar to other services so the + interpreter is only used for hoisting the servant application and not explicitly + inside handler of an endpoint (#4059) + +* Added prometheus enable and datacenter size variables for k8ssandra-test-cluster helm chart. (#4011) + +* Make `Handle` type abstract to guarantee it always contains *valid* Handles. (#4076) + +* metrics-core: Delete `Data.Metrics` in favour of defining metrics closer to where they are being emitted (#4085) + +* add more metadata into the meta attribute of all nix derivations produced locally (#4069) + +* Do not log anything when warp kills a worker thread. (#4112) + +* Introduce VerificationCodSubsystem (#4121) + +* add tests for bots that use self-signed certs and add documentation on why we cannot test the bots to work with PKI (#4027) + + # [2024-05-21] (Chart Release 5.3.0) ## API changes diff --git a/changelog.d/0-release-notes/remove-phone-support.md b/changelog.d/0-release-notes/remove-phone-support.md deleted file mode 100644 index 609832ac624..00000000000 --- a/changelog.d/0-release-notes/remove-phone-support.md +++ /dev/null @@ -1,4 +0,0 @@ -Phone registration and login is not supported anymore. All API endpoints dealing with phone numbers and phone activation codes now fail with a 400 error. Brig options related to phone number support have now been deleted, namely: - - `setTwilio` - - `setNexmo` - - `setAllowlistPhonePrefixes`. diff --git a/changelog.d/1-api-changes/remove-internal-phone-endpoints.md b/changelog.d/1-api-changes/remove-internal-phone-endpoints.md deleted file mode 100644 index ed80d0eca54..00000000000 --- a/changelog.d/1-api-changes/remove-internal-phone-endpoints.md +++ /dev/null 
@@ -1,10 +0,0 @@ -Internal API endpoints related to phone numbers have been removed. - -In brig: -- `iGetPhonePrefix` -- `iDeletePhonePrefix` -- `iPostPhonePrefix`. - -In stern: -- `get-users-by-phone` -- `put-phone`. diff --git a/changelog.d/2-features/WPB-2690-coturn-drain b/changelog.d/2-features/WPB-2690-coturn-drain deleted file mode 100644 index f805466c3c5..00000000000 --- a/changelog.d/2-features/WPB-2690-coturn-drain +++ /dev/null @@ -1 +0,0 @@ -charts/coturn: support putting coturn into 'drain' mode when terminating pods, denying new incoming client connections. This speeds up graceful coturn restarts significantly. diff --git a/changelog.d/2-features/WPB-6954 b/changelog.d/2-features/WPB-6954 deleted file mode 100644 index b2208e9d728..00000000000 --- a/changelog.d/2-features/WPB-6954 +++ /dev/null @@ -1 +0,0 @@ -Set SFT usernames's `shared` field according to team settings diff --git a/changelog.d/2-features/WPB-8824 b/changelog.d/2-features/WPB-8824 deleted file mode 100644 index e93a613602f..00000000000 --- a/changelog.d/2-features/WPB-8824 +++ /dev/null @@ -1 +0,0 @@ -Updated the `mlsE2EId` feature config with two additional fields `crlProxy` and `useProxyOnMobile` diff --git a/changelog.d/2-features/WPB-9871 b/changelog.d/2-features/WPB-9871 deleted file mode 100644 index cf474cbd534..00000000000 --- a/changelog.d/2-features/WPB-9871 +++ /dev/null @@ -1 +0,0 @@ -reject MLS messages for future epochs diff --git a/changelog.d/2-features/coturn-params b/changelog.d/2-features/coturn-params deleted file mode 100644 index ceab29645df..00000000000 --- a/changelog.d/2-features/coturn-params +++ /dev/null @@ -1 +0,0 @@ -Introduce more configuration options to the `coturn` helm chart diff --git a/changelog.d/2-features/email-templates-v1.0.110 b/changelog.d/2-features/email-templates-v1.0.110 deleted file mode 100644 index d8807d1328a..00000000000 --- a/changelog.d/2-features/email-templates-v1.0.110 +++ /dev/null 
@@ -1 +0,0 @@ -Update email templates to v1.0.121. diff --git a/changelog.d/2-features/rabbit-tls b/changelog.d/2-features/rabbit-tls deleted file mode 100644 index 21114d011dd..00000000000 --- a/changelog.d/2-features/rabbit-tls +++ /dev/null @@ -1 +0,0 @@ -Support connecting to RabbitMQ over TLS. See "Configure RabbitMQ" section in the documentation for details. diff --git a/changelog.d/2-features/redis-tls b/changelog.d/2-features/redis-tls deleted file mode 100644 index d2823f0cf1e..00000000000 --- a/changelog.d/2-features/redis-tls +++ /dev/null @@ -1,20 +0,0 @@ -Support connecting to Redis over TLS - -It can be enabled by setting these options on the wire-server helm chart: - -```yaml -gundeck: - config: - redis: - enableTls: true - - # When custom CAs are required, one of these must be set: - tlsCa: - tlsCaSecretRef: - name: - key: - - # When TLS needs to be used without verification: - insecureSkipVerifyTls: true -``` -(##) diff --git a/changelog.d/3-bug-fixes/WBP-9677 b/changelog.d/3-bug-fixes/WBP-9677 deleted file mode 100644 index d769d8c7458..00000000000 --- a/changelog.d/3-bug-fixes/WBP-9677 +++ /dev/null @@ -1 +0,0 @@ -fixed stern endpoint `/i/users/meta-info` diff --git a/changelog.d/3-bug-fixes/WPB-5491 b/changelog.d/3-bug-fixes/WPB-5491 deleted file mode 100644 index 4e1a919a248..00000000000 --- a/changelog.d/3-bug-fixes/WPB-5491 +++ /dev/null @@ -1 +0,0 @@ -Log password reset errors instead of propagating them diff --git a/changelog.d/3-bug-fixes/WPB-8890 b/changelog.d/3-bug-fixes/WPB-8890 deleted file mode 100644 index f462e51abe5..00000000000 --- a/changelog.d/3-bug-fixes/WPB-8890 +++ /dev/null @@ -1 +0,0 @@ -Log request ids in brig. diff --git a/changelog.d/3-bug-fixes/WPB-9488-fix-update-origin b/changelog.d/3-bug-fixes/WPB-9488-fix-update-origin deleted file mode 100644 index c22e8f3ff7d..00000000000 --- a/changelog.d/3-bug-fixes/WPB-9488-fix-update-origin +++ /dev/null @@ -1 +0,0 @@ -Do not set update origin "scim" in public brig api. 
diff --git a/changelog.d/3-bug-fixes/WPB-9685 b/changelog.d/3-bug-fixes/WPB-9685 deleted file mode 100644 index ba18992bbd5..00000000000 --- a/changelog.d/3-bug-fixes/WPB-9685 +++ /dev/null @@ -1 +0,0 @@ -Disabling legalhold before user's approval doesn't result in an error diff --git a/changelog.d/3-bug-fixes/WPB-9708-scim-gc-logic b/changelog.d/3-bug-fixes/WPB-9708-scim-gc-logic deleted file mode 100644 index 42a461c408e..00000000000 --- a/changelog.d/3-bug-fixes/WPB-9708-scim-gc-logic +++ /dev/null @@ -1 +0,0 @@ -Make scim-delete-user idempotent. Hide information about existing users (make delete idempotent) \ No newline at end of file diff --git a/changelog.d/3-bug-fixes/expose-provider-assets b/changelog.d/3-bug-fixes/expose-provider-assets deleted file mode 100644 index b23a510bfd8..00000000000 --- a/changelog.d/3-bug-fixes/expose-provider-assets +++ /dev/null @@ -1 +0,0 @@ -Expose /providers/assets via nginz \ No newline at end of file diff --git a/changelog.d/3-bug-fixes/federator-client-cert-chain b/changelog.d/3-bug-fixes/federator-client-cert-chain deleted file mode 100644 index b05a5385ef6..00000000000 --- a/changelog.d/3-bug-fixes/federator-client-cert-chain +++ /dev/null @@ -1,3 +0,0 @@ -federator: Expect a client certificate to be the certificate chain - -Without this openssl doesn't forward to whole chain causing mTLS to not succeed. \ No newline at end of file diff --git a/changelog.d/3-bug-fixes/filter-duplicates-when-resending-props b/changelog.d/3-bug-fixes/filter-duplicates-when-resending-props deleted file mode 100644 index 80b1f8a703a..00000000000 --- a/changelog.d/3-bug-fixes/filter-duplicates-when-resending-props +++ /dev/null @@ -1 +0,0 @@ -Only resend proposals once after external commit diff --git a/changelog.d/3-bug-fixes/redis b/changelog.d/3-bug-fixes/redis deleted file mode 100644 index 06767cd9fe7..00000000000 --- a/changelog.d/3-bug-fixes/redis +++ /dev/null @@ -1 +0,0 @@ -gundeck: Better tolerance for redis-cluster restarts 
diff --git a/changelog.d/3-bug-fixes/repeated-rtsopts b/changelog.d/3-bug-fixes/repeated-rtsopts deleted file mode 100644 index abd9caa6320..00000000000 --- a/changelog.d/3-bug-fixes/repeated-rtsopts +++ /dev/null @@ -1 +0,0 @@ -GHC does not support repeated --with-rtsopts options, and it simply applies the last one. This means many of the baked-in options were actually not being passed, including -N for some of the services and -T for cannon. diff --git a/changelog.d/3-bug-fixes/request-id-logging b/changelog.d/3-bug-fixes/request-id-logging deleted file mode 100644 index 17d0fea68fc..00000000000 --- a/changelog.d/3-bug-fixes/request-id-logging +++ /dev/null @@ -1 +0,0 @@ -Ensure that a Request ID is logged whenever unexpected errors are caught in any service \ No newline at end of file diff --git a/changelog.d/3-bug-fixes/tmp-pid b/changelog.d/3-bug-fixes/tmp-pid deleted file mode 100644 index f3be4e444a0..00000000000 --- a/changelog.d/3-bug-fixes/tmp-pid +++ /dev/null @@ -1 +0,0 @@ -charts/coturn: use allowed dir to write PID file diff --git a/changelog.d/3-bug-fixes/wpb9362-lh-logic-glitch b/changelog.d/3-bug-fixes/wpb9362-lh-logic-glitch deleted file mode 100644 index ebd0f8e3ce7..00000000000 --- a/changelog.d/3-bug-fixes/wpb9362-lh-logic-glitch +++ /dev/null @@ -1 +0,0 @@ -Make pending LH requests (with no LH devices listening yet) not throw LH policy errors. This helps eg. in cases where a LH request is issued to the wrong user by accident, and the user can clear up the mistake. \ No newline at end of file diff --git a/changelog.d/4-docs/WPB-7036 b/changelog.d/4-docs/WPB-7036 deleted file mode 100644 index 0a261a1dfc9..00000000000 --- a/changelog.d/4-docs/WPB-7036 +++ /dev/null @@ -1 +0,0 @@ -Adjust documentation for migrated helm charts diff --git a/changelog.d/5-internal/WBP7005 b/changelog.d/5-internal/WBP7005 deleted file mode 100644 index 1e85e4457e2..00000000000 --- a/changelog.d/5-internal/WBP7005 +++ /dev/null 
@@ -1 +0,0 @@ -Adapt EJPD data to current requirements. diff --git a/changelog.d/5-internal/WPB-6442 b/changelog.d/5-internal/WPB-6442 deleted file mode 100644 index efb05804505..00000000000 --- a/changelog.d/5-internal/WPB-6442 +++ /dev/null @@ -1 +0,0 @@ -Port team feature tests to the `integration` package diff --git a/changelog.d/5-internal/WPB-8757 b/changelog.d/5-internal/WPB-8757 deleted file mode 100644 index 55c87d5d8e3..00000000000 --- a/changelog.d/5-internal/WPB-8757 +++ /dev/null @@ -1 +0,0 @@ -Ported flaky legalhold test to the new integration test suite diff --git a/changelog.d/5-internal/WPB-8880 b/changelog.d/5-internal/WPB-8880 deleted file mode 100644 index 3527e5de73b..00000000000 --- a/changelog.d/5-internal/WPB-8880 +++ /dev/null @@ -1 +0,0 @@ -Added profile update operations to the user subsystem. diff --git a/changelog.d/5-internal/WPB-8890-subsystems b/changelog.d/5-internal/WPB-8890-subsystems deleted file mode 100644 index 7e5a1a62024..00000000000 --- a/changelog.d/5-internal/WPB-8890-subsystems +++ /dev/null @@ -1 +0,0 @@ -Introduce authentication subsystem with password reset. diff --git a/changelog.d/5-internal/WPB-8943 b/changelog.d/5-internal/WPB-8943 deleted file mode 100644 index ca30b58b2ae..00000000000 --- a/changelog.d/5-internal/WPB-8943 +++ /dev/null @@ -1 +0,0 @@ -update nixpkgs and hence GHC version as well as some other tooling. diff --git a/changelog.d/5-internal/WPB-9495 b/changelog.d/5-internal/WPB-9495 deleted file mode 100644 index 4be0c6f6de5..00000000000 --- a/changelog.d/5-internal/WPB-9495 +++ /dev/null @@ -1 +0,0 @@ -nginz: Added `allowlisted_fqdn_origins` to `nginx_conf` value diff --git a/changelog.d/5-internal/WPB-9667-weeder b/changelog.d/5-internal/WPB-9667-weeder deleted file mode 100644 index 2be9a9adfd5..00000000000 --- a/changelog.d/5-internal/WPB-9667-weeder +++ /dev/null @@ -1 +0,0 @@ -Add weeder for dead code elimination. \ No newline at end of file 
diff --git a/changelog.d/5-internal/WPB-9831-email-subsystem b/changelog.d/5-internal/WPB-9831-email-subsystem deleted file mode 100644 index eb14a50e4ac..00000000000 --- a/changelog.d/5-internal/WPB-9831-email-subsystem +++ /dev/null @@ -1 +0,0 @@ -Introduce email subsystem diff --git a/changelog.d/5-internal/cabal-project-local-improvements b/changelog.d/5-internal/cabal-project-local-improvements deleted file mode 100644 index 9a0c5621c18..00000000000 --- a/changelog.d/5-internal/cabal-project-local-improvements +++ /dev/null @@ -1 +0,0 @@ -replace cabal.project.local template and update cabal.project diff --git a/changelog.d/5-internal/elasticsearch b/changelog.d/5-internal/elasticsearch deleted file mode 100644 index 84fb1f08dca..00000000000 --- a/changelog.d/5-internal/elasticsearch +++ /dev/null @@ -1 +0,0 @@ -Add HTTP proxy in the local setup for elasticsearch in federation-v0. This makes it possible to use a single elasticsearch instance for both the main backends and federation-v0. diff --git a/changelog.d/5-internal/federator-metrics b/changelog.d/5-internal/federator-metrics deleted file mode 100644 index d2453989684..00000000000 --- a/changelog.d/5-internal/federator-metrics +++ /dev/null @@ -1 +0,0 @@ -federator: Add metrics for garbage collections and unexpected errors that were caught \ No newline at end of file diff --git a/changelog.d/5-internal/federator-simplification b/changelog.d/5-internal/federator-simplification deleted file mode 100644 index 9a170ab3f41..00000000000 --- a/changelog.d/5-internal/federator-simplification +++ /dev/null @@ -1,3 +0,0 @@ -federator: Simplify polysemy setup to make it similar to other services so the -interpreter is only used for hoisting the servant application and not explicitly -inside handler of an endpoint \ No newline at end of file 
diff --git a/changelog.d/5-internal/k8ssandra-test-cluster-chart-variables b/changelog.d/5-internal/k8ssandra-test-cluster-chart-variables deleted file mode 100644 index 6799efaf807..00000000000 --- a/changelog.d/5-internal/k8ssandra-test-cluster-chart-variables +++ /dev/null @@ -1 +0,0 @@ -Added prometheus enable and datacenter size variables for k8ssandra-test-cluster helm chart. diff --git a/changelog.d/5-internal/make-handle-abstract b/changelog.d/5-internal/make-handle-abstract deleted file mode 100644 index 5816db8a58b..00000000000 --- a/changelog.d/5-internal/make-handle-abstract +++ /dev/null @@ -1 +0,0 @@ -Make `Handle` type abstract to guarantee it always contains *valid* Handles. \ No newline at end of file diff --git a/changelog.d/5-internal/metrics-core b/changelog.d/5-internal/metrics-core deleted file mode 100644 index f9b39a5a634..00000000000 --- a/changelog.d/5-internal/metrics-core +++ /dev/null @@ -1 +0,0 @@ -metrics-core: Delete `Data.Metrics` in favour of defining metrics closer to where they are being emitted \ No newline at end of file diff --git a/changelog.d/5-internal/more-metadata-in-meta b/changelog.d/5-internal/more-metadata-in-meta deleted file mode 100644 index b6085a69987..00000000000 --- a/changelog.d/5-internal/more-metadata-in-meta +++ /dev/null @@ -1 +0,0 @@ -add more metadata into the meta attribute of all nix derivations produced locally diff --git a/changelog.d/5-internal/reduce-thread-killed-log-noise b/changelog.d/5-internal/reduce-thread-killed-log-noise deleted file mode 100644 index 177ca9f4d37..00000000000 --- a/changelog.d/5-internal/reduce-thread-killed-log-noise +++ /dev/null @@ -1 +0,0 @@ -Do not log anything when warp kills a worker thread. \ No newline at end of file diff --git a/changelog.d/5-internal/verification-code-subsystem b/changelog.d/5-internal/verification-code-subsystem deleted file mode 100644 index 530645f29a6..00000000000 --- a/changelog.d/5-internal/verification-code-subsystem +++ /dev/null 
@@ -1 +0,0 @@ -Introduce VerificationCodSubsystem \ No newline at end of file diff --git a/changelog.d/5-internal/wpb-6350 b/changelog.d/5-internal/wpb-6350 deleted file mode 100644 index 0414493148d..00000000000 --- a/changelog.d/5-internal/wpb-6350 +++ /dev/null @@ -1 +0,0 @@ -add tests for bots that use self-signed certs and add documentation on why we cannot test the bots to work with PKI diff --git a/charts/gundeck/templates/redis-ca-secret.yaml b/charts/gundeck/templates/redis-ca-secret.yaml index 84c6aa59128..de1f752e55a 100644 --- a/charts/gundeck/templates/redis-ca-secret.yaml +++ b/charts/gundeck/templates/redis-ca-secret.yaml @@ -11,7 +11,7 @@ metadata: heritage: "{{ .Release.Service }}" type: Opaque data: - ca.pem: {{ .Values.redis.tlsCa | b64enc | quote }} + ca.pem: {{ .Values.config.redis.tlsCa | b64enc | quote }} {{- end }} --- {{- if not (empty .Values.config.redis.additionalTlsCa) }} @@ -26,5 +26,5 @@ metadata: heritage: "{{ .Release.Service }}" type: Opaque data: - ca.pem: {{ .Values.redis.additionalTlsCa | b64enc | quote }} + ca.pem: {{ .Values.config.redis.additionalTlsCa | b64enc | quote }} {{- end }}
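
Review bot: In the CHANGELOG.md hunk, the Redis TLS sample under `gundeck.config.redis` shows `insecureSkipVerifyTls: true` as a live setting directly beside `enableTls: true`, so an operator who copies the block as written gets an encrypted but unauthenticated Redis connection. Suggest commenting that line out in the sample (or showing `false`) and keeping the "without verification" comment as the explanation for when to turn it on. The sample also lists `tlsCa` and `tlsCaSecretRef` but not `additionalTlsCa`, which `redis-ca-secret.yaml` in this same patch reads from `.Values.config.redis.additionalTlsCa`; either document it here or say why it is not operator-facing. Smaller wording points in the same hunk that will ship in the release notes: `VerificationCodSubsystem` (#4121) looks like a misspelling, "SFT usernames's" (#4117), "openssl doesn't forward to whole chain" (#4089), and the #4120 entry states the idempotency change twice.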
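
Review bot: The `ca.pem` path correction in both hunks of `charts/gundeck/templates/redis-ca-secret.yaml` has no entry in the 5.4.0 changelog added by this same patch, so anyone who set `config.redis.tlsCa` or `config.redis.additionalTlsCa` has no record that the secret was being rendered from `.Values.redis.*` instead. Suggest adding a bug-fix line for it. The second hunk also shows how the mismatch went unnoticed: the guard is `{{- if not (empty .Values.config.redis.additionalTlsCa) }}` while the data line read `.Values.redis.additionalTlsCa`, so a chart render check (for example a `helm template` run with both CA values set, asserting on the decoded `ca.pem`) would keep the guard and the data path from drifting apart again.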