Skip to content

v0.7.0

Latest

Choose a tag to compare

@xescugc xescugc released this 08 Jul 15:39

Added

  • JWT session expiration: Configurable --session-lifetime flag (e.g. 24h, 7d, 30d) adds exp claim to session tokens. Default 0 preserves current behavior (no expiry) (#599).
  • Password-change session invalidation: Changing a password (self or admin reset) immediately invalidates all existing sessions for that user via a token_gen generation counter (#599).
  • Password strength validation: Enforce minimum 8-character passwords with inline frontend hints (#597).

Fixed

  • Build status not updating in UI: Active build view now detects when a build transitions to a terminal state (succeeded/failed/cancelled) and re-fetches it, instead of requiring a manual page reload.
  • Build polling fan-out CPU spike: Jobs view now fetches all non-terminal builds in a single ?status= request instead of one HTTP call per build every 2s. Added in-flight guard and setTimeout-based scheduling to usePolling to prevent overlapping request storms.
  • N+1 query elimination: Pipeline image, job list, and resource list endpoints now use batch queries (FilterByPipeline, LatestVersionByResources, batch serial-group loading) instead of per-item DB calls.

Changed

  • Role rename: Viewer→Read, Operator→Write, Maintainer→Maintain to match GitHub's model. DB migration auto-renames stored values. CLI, UI, and docs updated.
  • Modulepreload hints: Add <link rel="modulepreload"> for all 27 ES modules, collapsing 4 discovery rounds to 1 parallel fetch (#575).

Added

  • OIDC/OAuth2 authentication: Single sign-on with GitHub, Google, GitLab, Keycloak, Microsoft, or any OIDC/OAuth2 provider. Admin UI with provider templates, account linking, and local auth toggle (#249).
  • Secret chaining: Secret path/key fields and secret_type config can now reference other variables, resolved in dependency order with cycle detection (#248).
  • Approval gates: approve HCL block on jobs creates a human approval gate. Purple "Waiting for Approval" status, approve/reject UI+CLI+API (Maintain+), configurable count, notifications, version pinning, audit events (#152).
  • Version pinning at build creation: Downstream builds snapshot triggered resource versions at creation time, matching Concourse CI behavior.
  • Audit log: Append-only team audit trail with 16 event types, filterable UI/CLI/API, cursor-based pagination. Read+ access (#532).
  • Secrets masking in build logs: Secret values replaced with *** in stdout/stderr. Real-time and stored output. Skips values < 3 chars (#147).
  • Build report export: JSON report for any build containing status, steps, logs, approvals, and version data. Available via API (GET .../builds/{bn}/report), CLI (builds report), and UI Export button. Read+ access (#531).
  • Worker team isolation: Team-scoped worker tokens restrict workers to their team's builds with automatic global-worker deferral (#12, #98).

Fixed

  • GracefulStop() hanging indefinitely after SIGQUIT when workers reconnect during drain, leaving the server alive but not accepting connections (502 from reverse proxy) (#572).