v0.11.1

Changelog

Security

• bb73b9a: sec: fix GHSA-vwq2-jx9q-9h9f (@caarlos0)

Docs

• 56e9784: docs: Add IdentitiesOnly option to ssh command examples (#628) (@robberwick)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.1/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.1/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.1/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.11.0

Changelog

New!

• ea8799b: feat: add CORS headers (#654) (@fetsorn)

Security

• d963932: sec: strip ansi from user input GHSA-fv2r-r8mp-pg48 (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.10.0

Changelog

New Features

• 52f7a9e: feat(tui): yank the patch/diff to clipboard (#725) (@ChausseBenjamin)
• 6856877: feat: add readiness and liveness probes for self healing (#734) (@Jay-Madden)

Bug fixes

• 397288d: fix(ui): help menu on file list view (#719) (@eldondev)
• 5a2bde5: fix: check that commit is a SHA1 (#737) (@caarlos0)
• fa175c7: fix: repo commit help (#736) (@caarlos0)

Other work

• 5d9034c: ci: sync dependabot config (#741) (@charmcli)
• 844f175: ci: sync golangci-lint config (#732) (@github-actions[bot])
• e5edfd5: sec: update git-module (#742) (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.10.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.10.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.10.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, Discord, Slack, The Fediverse.

v0.9.1

This is a small release fixing some UI artifacts after upgrading to v2.

Changelog

Bug fixes

• 8e6fd53: fix(ui): use more accurate scroll percent symbol and improve status bar (@aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.1/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.1/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.1/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

v0.9.0

Upgraded UI

This release upgrades the UI stack to the new v2 stack which includes the
latest beta versions of Bubble Tea, Lip Gloss, Bubbles, Glamour, as well as
Wish. There are no breaking changes in this release nor any new features.

Happy hacking!

Changelog

New Features

• df3d71c: feat(ui): adapt to new glamour v2 updates (@aymanbagabas)
• d05c13c: feat(web): add support for http git-upload-archive service (@aymanbagabas)

Bug fixes

• e93eeff: fix(daemon): ensure daemon starts correctly in tests and ignore errors (@aymanbagabas)
• d4edeab: fix(daemon): handle multiple listeners gracefully (@aymanbagabas)
• 3f646c6: fix(daemon): mutex for listeners (@aymanbagabas)
• 9b2fe20: fix(server): properly handle server shutdown (@aymanbagabas)
• 91f28a8: fix(server): properly handle server shutdown (@aymanbagabas)
• 14a804a: fix(ssh): honor SOFT_SERVE_NO_COLOR env var in blob command (@aymanbagabas)
• 332fd00: fix(ssh): keep using EmulatedPty for now (@aymanbagabas)
• 7ed1994: fix(ui): ensure the code component width accounts for the horizontal (@aymanbagabas)
• 7e944a2: fix(ui): remove red background for empty spaces in code blocks (@aymanbagabas)
• 7c3fa24: fix(ui): viewport: rename HalfViewDown/Up to HalfPageDown/Up (@aymanbagabas)

Documentation updates

• 5356717: docs(common): update style comment (@aymanbagabas)
• 24c6f83: docs: add contributing guidelines (#715) (@bashbunni)

Other work

• 454df5d: ci: sync dependabot config (#698) (@charmcli)
• 5bcf420: ci: sync golangci-lint config (#685) (@github-actions[bot])
• 604f519: ci: sync golangci-lint config (#695) (@github-actions[bot])
• cae622b: ci: sync golangci-lint config (#708) (@github-actions[bot])
• 50710d3: refactor(ui): use bubblezone/v2 fork (@aymanbagabas)
• 41c4f31: refactor: upgrade the remaining components (@aymanbagabas)
• 7e51392: refactor: use KeyPressMsg and MouseClickMsg instead of KeyMsg and MouseMsg (@aymanbagabas)
• f9feea6: refactor: use glamour/v2 (@aymanbagabas)
• 9871df2: refactor: use the latest v2 packages (@aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.9.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

v0.8.5

This release fixes an issue with Wish Bubbletea middleware taking over Git SSH requests and causing them to fail. See #683 for more details.

Changelog

Full Changelog: v0.8.4...v0.8.5

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.5/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.5/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.5/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

v0.8.4

This release includes an important fix for server side hooks to make the global pre-receive and post-receive hooks work as expected.

Changelog

Bug fixes

• f23cdc4: fix: update go.sum (@aymanbagabas)
• 0956752: log invalid hook input instead of returning error to the client (@aymanbagabas)
• 923844b: pre and post hooks now receive the full input line (@aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.4/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.4/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.4/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

v0.8.2

Prevent path traversal attacks

This is a security release to patch an issue where a malicious user could take over other user's repositories. Please upgrade your Soft Serve instances to prevent these attacks from happening.

Changelog

Bug fixes

• 22d00e9: fix(ssh): cmd: remove unnecessary call to utils.SanitizeRepo (@aymanbagabas)
• a8d1bf3: fix: prevent path traversal attacks (#631) (@aymanbagabas)
• 9cd64aa: fix: using lipgloss tables instead of tablewriter (#618) (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

v0.8.1

Patch x/crypto/ssh

This is a small patch release to fix x/crypto/ssh vulnerability https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ

Changelog

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.1/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.1/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.1/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

v0.8.0

Soft Serve 0.8.0 puts you in control

This release contains new features and important bug fixes to different Soft Serve components. You now can services that you don't need as well as use a custom config path different from the data directory.

Toggle Server Componenets

Soft Serve runs 4 different services that listen to various ports to serve Git repositories and metadata over the network. It has an SSH server, HTTP server, Git TCP server, and a Prometheus stats server. They all start when you run soft serve! Now, you can disable unwanted components in your config file or via environment variables.

git:
  # Disable Git daemon TCP server
  enabled: false
stats:
  # Disable Promethues stats server
  enabled: false

Custom Config Path

Soft Serve defaults to reading your config.yaml from $SOFT_SERVE_DATA/config.yaml. Now, you can have a custom path for the config file using $SOFT_SERVE_CONFIG_LOCATION.

export SOFT_SERVE_CONFIG_LOCATION=$HOME/.soft-serve.yaml
soft serve

Changelog

New Features

• c354d5f: feat: optionally pull config from a custom file (envvar), default to data path. (#557) (@fire833)
• 069db27: feat: support toggling servers on/off in configuration (#594) (#612) (@jaw)
• 0540b4d: feat: test framework supports turning off -race flag (#605) (@jaw)
• 446ec63: feat: update go.mod to use go 1.22 and toolchain go1.23.2 (@aymanbagabas)

Bug fixes

• c78da07: fix(config): add SOFT_SERVE_CONFIG_LOCATION to Environ (@aymanbagabas)
• 00be796: fix(config): add default values for the enabled fields (@aymanbagabas)
• 7c45a99: fix(daemon): close listener only once (#615) (@aymanbagabas)
• 85b4625: fix: add missing arg length check to fix runtime panic (#568) (@christophershirk)
• 3aa71e0: fix: git daemon listens only when starting it (#607) (@jaw)
• 1de446f: fix: prevent enumeration of private repo (#614) (@kyokugirl)
• a2cf786: fix: respect anon-access on ssh (@aymanbagabas)
• 5d5c55e: fix: test framework supports ensuring specific port is open (#606) (@jaw)
• 6658cf1: fix: update position constant in JoinHorizontal (#552) (@aditipatelpro)

Other work

• 950ef0c: Fix tui_session_seconds_total metric description (#602) (@jest)

---

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.