
v0.23.0-rc1

Pre-release

@github-actions github-actions released this 28 May 00:42
e4620ae

Release Notes

Significant release headlined by historical Loki-backed logs with a redesigned log viewer, a new frontend design system (themes, profile preferences, shell rebuild), and runtime-agnostic workload identity tokens. Also lands several deployment/ingress improvements and a number of bug fixes.

⚠️ Breaking Changes

  • Service accounts API path renamed (/projects/{project}/workload-identities* → /service-accounts*) with no deprecation alias. The CLI is updated in lockstep, so users must upgrade rise to manage service accounts — older CLIs get 404s on rise sa subcommands.
  • Loki 3.0+ is a hard requirement for the new historical-logs backend (relies on detected_level for classification and the volume chart).
  • Existing installs configuring multi-org features must set default_organization.kubernetes_namespace_prefix: "rise-" explicitly in their config; otherwise the controller falls back to org-{discriminator}-{project_name} and orphans the legacy rise-* namespaces on first reconcile. The shipped config/{development,production}.yaml already set this.

New Features

  • Historical logs with Loki — new RuntimeLogBackend trait with Kubernetes (live pod) and Loki implementations; project authorization enforced before any backend query. Backend-driven log levels via new GET /api/v1/logs/capabilities endpoint; /logs/volume now returns sparse by_level buckets. Repeatable ?level= filter on /logs and /logs/volume. CLI gains rise deployment logs --level <name> and colour-codes lines by level (TTY-only, NO_COLOR-aware).
  • Redesigned log viewer — multi-select level filter, lazy-loaded stacked volume chart with per-level CSS variables, Grafana-style infinite scroll (200-line pages, IntersectionObserver), custom two-month date-range picker, auto-refresh dropdown (Off / 10s / 30s / 1m / 5m), single-line rows with click-to-expand JSON syntax highlighting, A11y polish.
  • New frontend design system — Inter + JetBrains Mono fonts, oklch tokens, rebuilt shell (sidebar, topbar, command palette, login). Profile page with color themes (mint/indigo/ember/slate), density (compact/cozy), and light/dark toggle persisted to localStorage. Auth pages now honor theme preferences before paint.
  • Multi-host ingress per deployment group — the reconciler now puts the deployment-group host, environment hosts, production host, and that env's custom domains all on the deployment group's primary ingress. project_custom_domains gains an environment_id column; rise domain add gets --environment/-e; the frontend gets an env selector + ENVIRONMENT/PRIMARY columns.
  • Runtime-agnostic workload identity tokens — deployed apps obtain short-lived Rise-signed OIDC JWTs with claims describing the Rise identity (sub = rise:proj:<project>:env:<environment>). Two delivery modes: pull (unauthenticated POST /api/v1/identity/token exchange, rise identity token --audience <aud> CLI) and push (deployment controller mints tokens per [identity.audiences] in .rise.toml, mounted at /var/run/secrets/rise/identity/). Per-IP rate-limited.
  • Pod last_state in UI — last_state collected from container statuses and surfaced as red status pills (OOMKilled, crash loops, etc.) with · Nm ago finished-at deltas. "Updated Xs ago" header with a 1s local ticker; conditions rendered as inline r-status pills; container cards become an auto-fit grid on wide screens.
  • Optional project name in CLI — rise project show/update/delete accept an optional name and resolve it from [project] in rise.toml (with --path override).
  • Git repository URL tracking — CLI auto-detects from 8+ CI platforms (GitHub Actions, GitLab CI, CircleCI, Buildkite, Drone, Jenkins, Azure Pipelines, Bitbucket) or local origin; normalizes to canonical HTTPS; surfaced on deployment + project responses and in the frontend.
  • Auto-detect build platform — CLI default falls back to host arch (linux/arm64 on Apple Silicon, linux/amd64 elsewhere); backend can hint via target_platform on the registry-credentials response (driven by controller node_selector["kubernetes.io/arch"]). Local development "just works" on both Intel and ARM Macs.
  • Cross-platform dev-setup.sh — single bootstrap script for macOS and Linux replacing the prior mise setup:hosts / mise setup:docker tasks; managed-block edits to /etc/hosts, ~/.docker/daemon.json on macOS, idempotent re-runs, symmetric mise down teardown.
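
For services that accept the workload identity tokens described in the list above, this added example (not Rise's own code) shows a relying-party check on already-verified claims: strict parsing of the sub format, audience pinning, and expiry. Claims, Policy, parse_sub, authorize and the sample audience and project names are assumptions for illustration; signature and issuer verification are assumed to have been done by a JWT library beforehand.

```rust
// Added example: relying-party policy check for Rise workload identity claims.
// Assumes signature and issuer were already verified by a JWT library.
// `Claims`, `Policy`, `parse_sub` and `authorize` are hypothetical names.

/// Claims taken from an already-verified token (constructed shape).
pub struct Claims<'a> {
    pub sub: &'a str,
    pub aud: Vec<&'a str>,
    pub exp: u64, // seconds since the Unix epoch
}

/// What this service accepts: one audience and explicit (project, env) pairs.
pub struct Policy<'a> {
    pub audience: &'a str,
    pub allowed: Vec<(&'a str, &'a str)>,
}

/// Strictly parse `rise:proj:<project>:env:<environment>` into its two names.
pub fn parse_sub(sub: &str) -> Option<(&str, &str)> {
    let parts: Vec<&str> = sub.split(':').collect();
    match parts.as_slice() {
        // Exactly five segments with fixed markers and non-empty names.
        ["rise", "proj", p, "env", e] if !p.is_empty() && !e.is_empty() => Some((*p, *e)),
        _ => None,
    }
}

pub fn authorize(c: &Claims, policy: &Policy, now: u64) -> Result<(), &'static str> {
    if c.exp <= now {
        return Err("expired");
    }
    // The token must have been minted for this service's audience.
    if !c.aud.iter().any(|a| *a == policy.audience) {
        return Err("wrong audience");
    }
    let (proj, env) = parse_sub(c.sub).ok_or("malformed sub")?;
    // Compare the parsed fields, never a string prefix of `sub`.
    if policy.allowed.iter().any(|(p, e)| *p == proj && *e == env) {
        Ok(())
    } else {
        Err("identity not allowed")
    }
}

fn main() {
    // Constructed sample values, not taken from the release notes.
    let policy = Policy { audience: "https://billing.example", allowed: vec![("shop", "production")] };
    let c = Claims { sub: "rise:proj:shop:env:production", aud: vec!["https://billing.example"], exp: 2_000 };
    println!("{:?}", authorize(&c, &policy, 1_000));
}
```
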

Bug Fixes

  • Frontend Redeploy no longer always overwrites http_port with 8080 — the field is now omitted so server-side source-deployment inheritance kicks in (#329).
  • Docs deploys no longer wipe open PR previews — docs-deploy now seeds the live Pages site and surgically replaces only docs-prod/{user,operator,index.html}; all three Pages jobs serialize on a shared pages-deploy concurrency group (#328).
  • rise.toml project access-class changes now trigger RiseProject CR resync, so ingress config updates immediately instead of lagging behind the DB (#308).
  • Snowflake OAuth provisioner no longer keeps warehouses awake — steady-state drift check switched to a metadata-only SHOW INTEGRATIONS and re-verifies once per verify_interval_seconds (default 1h) instead of every 5s (#324).
  • Leader-gated reconciler loops now share a global schedule (leader_schedules table) so handovers can't burst the cadence after a leader transition (#323).
  • database.url config now correctly takes precedence over DATABASE_URL env var (#309).
  • mise dev / mise down robustness — fail fast when .env is missing the rise-managed block, reliably tear down the frontend process group on Ctrl+C, and use a kubectl reachability probe for cluster teardown.
  • macOS dev setup — minikube setup now detects running / existing / missing profiles and prompts before destroying state (#331).

Other Notable Changes

  • New --platform precedence chain on rise build/deploy: flag → RISE_PLATFORM → rise.toml [build].platform → backend hint → host arch.
  • @uiw/react-codemirror → 4.25.10, reqwest → 0.13.4, vite → 8.0.14, aws-config → 1.8.17, serde_json → 1.0.150, JFrog Artifactory → 7.146.15.
  • Backend settings JSON schema moved from docs/user/public/schemas/ to docs/engineering/public/schemas/.

Operator / Multi-Tenancy & Resource Store (work in progress)

These land foundational pieces of the multi-tenancy plan. Operator-only, not yet exposed to end users.

  • Generic resource HTTP API with wildcard path routing (GET|POST|PUT|DELETE /resources/{*path}), versioned-collection semantics, store-aware classification, AnyAuth extractor, cascade-only deletion (GET /resources/pending-deletion for monitoring), ResourceDefinition hardening (immutable parent, multi-version schema validation), and operator docs.
  • Multi-org linkage, default-org bootstrap, and controller gating — default Organization upserted on startup behind a Postgres advisory lock; nullable organization_resource_uid on teams/projects plus user_organization_memberships; Metacontroller webhook now refuses to reconcile projects whose Organization's spec.deploymentControllerClass doesn't match controller_class_name (label-routed via rise.dev/controller-class); per-request resolution of controller class + namespace prefix with a 30s moka cache; Organization-delete guard counts teams + projects + memberships; ResourceStore::rename lets bootstrap re-key the default Org instead of orphaning typed-row linkages.
  • Resource GC worker — single-replica ResourceGcController drains cascading deletes (default 20 rows/s), with per-row audit-log entries and stuck-tombstone warnings.
  • Controller authentication & operator role — JWT-validated controller identities (issuer + claim allowlist), separate operator_users role (distinct from admins) gating the generic resource API. /me now returns is_operator.
  • Service accounts module rename — workload_identity → service_accounts (this is the breaking API change called out above; "service account" = inbound OIDC federation into Rise, distinct from the new workload identity tokens for deployed apps).
  • Workspace layout — new rise-resource-api and rise-resource-store crates; releasable artifact is still the consolidated rise binary.

Download rise-deploy 0.23.0-rc1

File Platform Checksum
rise-deploy-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
rise-deploy-x86_64-apple-darwin.tar.xz Intel macOS checksum
rise-deploy-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum