Skip to content

Releases: dcadolph/yardmaster

v0.66.0

Choose a tag to compare

@dcadolph dcadolph released this 11 Jul 05:11
1ca2ace

Robustness and accessibility, the last of a four-part quality pass.

  • Webhook notifications no longer carry the run's extra vars, which can hold survey-supplied secrets, and webhook and email deliveries drain on shutdown instead of being cut off mid-send.
  • Table rows that navigate or inspect are keyboard reachable, dialogs move focus to their first field and restore it on close, and the runs table ignores a stale search response.
  • The run detail guards its action buttons, the non-terminal query agrees across all three stores, and two pieces of dead code are gone.

v0.65.0

Choose a tag to compare

@dcadolph dcadolph released this 11 Jul 05:00
046394a

A UI consistency pass and the last resource page.

  • Schedules is now a full resource page with a create dialog, edit in place, and delete, matching every other resource.
  • The clickable-row cursor applies only to rows that navigate or inspect, long cells truncate instead of stretching the row, and the run detail step list shows the playbook name rather than a temporary path.
  • The brand links home on every page, the overview recent-runs list shows a run's command rather than its id, and empty-state text drops the HTTP jargon.
  • A new Secrets reference in the docs collects the credential kinds, the sources including ephemeral Vault dynamic secrets, scoping, and masking.

v0.64.0

Choose a tag to compare

@dcadolph dcadolph released this 11 Jul 04:50
00c3b06

The demo now shows every page with real data: approval policies, accounts, and configuration drift are seeded and wired, so the Policies, Users, and Drift pages are no longer empty or unavailable. The read-only banner and the welcome tour read cleanly and name all five tools. Yardmaster is presented on its own terms, with the AWX framing kept to the migration and comparison pages. The credential kinds in the secrets guide are now a table.

v0.63.0

Choose a tag to compare

@dcadolph dcadolph released this 11 Jul 04:37
e3333ac

A security and robustness hardening pass from a full audit.

  • Secret sources are protected against server-side request forgery: a Vault address cannot be pointed at a cloud metadata endpoint to steal instance credentials, and the resolvers no longer follow redirects that could exfiltrate a token.
  • SMTP notifications upgrade to TLS before authenticating, so credentials and mail are never sent in the clear.
  • The last administrator account cannot be demoted or deleted, so an install cannot lock itself out.
  • Secrets carried in a sourced inventory, such as an ansible_password, are now masked in the run log and events.
  • A canceled or timed-out run kills the whole process group, so the helper processes a tool spawns no longer keep running.
  • Two endpoints stopped returning internal error detail, and secret resolution now cancels with the run.

v0.62.0

Choose a tag to compare

@dcadolph dcadolph released this 11 Jul 00:07
167fb02

Yardmaster now tells you where your fleet has drifted. A dry run reveals which hosts no longer match the state a playbook asserts, and a new Drift page surfaces that divergence per host before the next real run. This is a control-plane capability neither AWX nor Semaphore offers.

  • A dry run executes in check mode, where a task that would change means the host has diverged from the desired state. Yardmaster reads that from the run it already recorded, so drift needs no separate agent and no extra setup.
  • The Drift page, under Execution, lists hosts most drifted first, each with its drifted task count, when it was last checked, and a link to the run that observed it.
  • GET /drift returns the same ranking for scripts and dashboards.
  • Schedule a dry run of a playbook on a cadence and the Drift page stays current.

Drift is defined for tools that assert desired state and support a no-change check, Ansible with a check run and Terraform with a plan.

v0.61.0

Choose a tag to compare

@dcadolph dcadolph released this 10 Jul 23:46
055f098

Secrets that clean up after themselves. A credential can now mint a fresh, short-lived value for each run and revoke it the moment the run ends, so a leaked value is useless minutes later. This is a control-plane capability neither AWX nor Semaphore offers.

  • A new credential source, Vault dynamic, reads a Vault dynamic secrets path such as database/creds/app or aws/creds/deploy. Vault mints a new credential on each read, Yardmaster injects the chosen field into the run, and the Vault lease is revoked when the run reaches a terminal state.
  • If the process dies before it can revoke, the credential still expires on the lease's own TTL, so nothing is left behind for long.
  • The minted value is masked in the run's log, live stream, and events like any other secret.
  • The credential dialog gets the new source, and the set-a-secret guide shows how to use it.

The engine seam is pluggable, so cloud STS and other short-lived credential sources can follow the same path.

v0.60.0

Choose a tag to compare

@dcadolph dcadolph released this 10 Jul 23:10
37a7dfd

Approval policies now have a home in the UI. The policy engine has enforced from the API since v0.58.0, holding a matching run for approval so the gate cannot be skipped. This release makes those rules visible and editable in the product.

  • A new admin-only Policies page under Access lists every rule and lets you create, edit in place, and delete.
  • Each rule shows its tool, the command substring it matches, the target inventory, and whether dry runs are skipped. An empty field reads as any, so the width of a rule is clear at a glance.
  • Editing a policy keeps its original creation time, and the list has the same search filter as the other pages.

This completes the governance story: tamper-evident audit, an enforced approval gate, and policy rules you can manage without touching the API.

v0.59.0

Choose a tag to compare

@dcadolph dcadolph released this 10 Jul 22:51
bd9f6f9

Go joins Ansible, Bash, Terraform, and Python as a runnable tool. Submit a Go program and Yardmaster compiles and runs it with go run, streaming output into the same host matrix, live view, and audit trail as every other tool. A dry run vets the source with go vet without executing it, and reports the result so the log is never empty.

  • Go in the launch and template tool pickers, with a dry-run toggle.
  • A new Go guide in the docs.
  • The demo seeds a Go run and a Fleet capacity report template on hosts that have the Go toolchain.
  • The comparison now shows, honestly, the two places Yardmaster still trails: LDAP sign-in and a drag-and-drop workflow editor.

Set the tool to Go in the UI, or POST a run with tool "go".

v0.58.0

Choose a tag to compare

@dcadolph dcadolph released this 10 Jul 19:49
784eba5

Enforced approval policies.

Approval is no longer just opt-in. A policy matches runs by tool, command text, or target inventory, and any matching run is held for approval automatically at submission, so an operator cannot skip the gate. Enforcement lives in the dispatcher, so scheduled and triggered runs are gated the same as hand-launched ones. Admins manage the rules through the /policies endpoints. This is policy-as-code change control neither AWX nor Semaphore offers.

v0.57.0

Choose a tag to compare

@dcadolph dcadolph released this 10 Jul 19:17
1afbe84

Run approval gate.

A run can be marked to require sign-off. It is held and never executes until an admin approves it, releasing it to run, or rejects it. An operator can request a run, but only an admin releases it, so duties are separated, and both the request and the decision are recorded in the tamper-evident audit trail. This is change control neither AWX nor Semaphore matches: guardrails on execution, not just execution.