You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
JWT session expiration: Configurable --session-lifetime flag (e.g. 24h, 7d, 30d) adds exp claim to session tokens. Default 0 preserves current behavior (no expiry) (#599).
Password-change session invalidation: Changing a password (self or admin reset) immediately invalidates all existing sessions for that user via a token_gen generation counter (#599).
Build status not updating in UI: Active build view now detects when a build transitions to a terminal state (succeeded/failed/cancelled) and re-fetches it, instead of requiring a manual page reload.
Build polling fan-out CPU spike: Jobs view now fetches all non-terminal builds in a single ?status= request instead of one HTTP call per build every 2s. Added in-flight guard and setTimeout-based scheduling to usePolling to prevent overlapping request storms.
N+1 query elimination: Pipeline image, job list, and resource list endpoints now use batch queries (FilterByPipeline, LatestVersionByResources, batch serial-group loading) instead of per-item DB calls.
Changed
Role rename: Viewer→Read, Operator→Write, Maintainer→Maintain to match GitHub's model. DB migration auto-renames stored values. CLI, UI, and docs updated.
Modulepreload hints: Add <link rel="modulepreload"> for all 27 ES modules, collapsing 4 discovery rounds to 1 parallel fetch (#575).
Added
OIDC/OAuth2 authentication: Single sign-on with GitHub, Google, GitLab, Keycloak, Microsoft, or any OIDC/OAuth2 provider. Admin UI with provider templates, account linking, and local auth toggle (#249).
Secret chaining: Secret path/key fields and secret_type config can now reference other variables, resolved in dependency order with cycle detection (#248).
Approval gates: approve HCL block on jobs creates a human approval gate. Purple "Waiting for Approval" status, approve/reject UI+CLI+API (Maintain+), configurable count, notifications, version pinning, audit events (#152).
Version pinning at build creation: Downstream builds snapshot triggered resource versions at creation time, matching Concourse CI behavior.
Audit log: Append-only team audit trail with 16 event types, filterable UI/CLI/API, cursor-based pagination. Read+ access (#532).
Secrets masking in build logs: Secret values replaced with *** in stdout/stderr. Real-time and stored output. Skips values < 3 chars (#147).
Build report export: JSON report for any build containing status, steps, logs, approvals, and version data. Available via API (GET .../builds/{bn}/report), CLI (builds report), and UI Export button. Read+ access (#531).
Worker team isolation: Team-scoped worker tokens restrict workers to their team's builds with automatic global-worker deferral (#12, #98).
Fixed
GracefulStop() hanging indefinitely after SIGQUIT when workers reconnect during drain, leaving the server alive but not accepting connections (502 from reverse proxy) (#572).