v2.18.0-beta13

[fiftin]

Semaphore UI v2.18.0-beta13 — Release Summary

This is a substantial beta release that pushes Semaphore meaningfully further into enterprise-grade secrets management, hardens the API token lifecycle, expands the runner scheduling model, and absorbs a flurry of security and dependency fixes — many of them caught and triaged by automated review bots (Cursor, ChatGPT Codex) before merge. It also bumps the bundled Ansible runtime by two major versions.

Below is a qualitative, themed walkthrough rather than a flat PR list.

---

🔐 Secret storage: two new external backends + a hard look at ownership

The headline feature of this release is first-class support for two more enterprise secret backends, joining the existing Devolutions Server (DVLS) integration:

• AWS Secrets Manager ([#3750](aws sm #3750)) — adds a full Secret Storage type for AWS SM with a dedicated form, icon, and a Sync button to pull secrets on demand. The PR also introduced a generalized rekey flow and "source details" surfacing for individual secrets.
• Azure Key Vault ([#3752](feat(azure): imlement azure storage #3752)) — symmetric implementation for Azure, using the official Microsoft SDKs (azcore, azidentity, azsecrets). Auth follows the same DB / env-var / file pattern as AWS SM and DVLS, and the backend was refactored to consolidate SyncSecrets across all storage types into a single function.

Alongside the new backends, an unusually large cluster of secret-related security fixes landed — almost all of them automatically flagged by cursor[bot] during review:

• [#3753](fix: broken ownership check in environment secret delete/update (nil deref + auth bypass) #3753) / [#3762](fix(secrets): broken ownership check in environment secret delete/update #3762) — broken ownership checks on environment secret delete/update (nil deref + auth bypass). These are real authorization bugs where an unauthenticated edge case could fall through.
• [#3768](fix(secrets): broken ErrReadOnlyStorage sentinel + silent delete error in environment secrets #3768) — broken ErrReadOnlyStorage sentinel + a silent delete error on environment secrets (the operation appeared to succeed while failing).
• [#3778](fix(rekey): skip external storage keys during vault rekey #3778) — vault rekey now correctly skips keys that live in external storage (AWS/Azure/DVLS), since rekeying them locally would be incoherent.
• [#3784](sec(config): unsetenv for sensitive fields #3784) — unsetenv for sensitive config fields after they're consumed, so they don't linger in process memory available to child processes.
• [#3792](fix(auth,env): add missing return statements after error responses #3792) — missing return statements after error responses in auth/env handlers (classic continue-after-error logic bug).

The pattern here is notable: the new backends were merged together with a methodical sweep of the existing secret-handling code, suggesting the secrets subsystem received a deliberate audit pass.

---

🪪 API tokens grow up

Two complementary PRs turn API tokens from disposable opaque strings into something closer to a managed credential:

• Expiration support ([#3795](feat(api): expire for api token #3795)) — tokens can now carry an optional expires_at. Creation rejects non-future values; bearer-token authentication checks expiry on every request via a new IsExpiredAt method, so revocation-by-time is enforced before the request handler even runs. This also added rollback SQL for the migration.
• Named tokens ([#3788](feat: add name field to API tokens #3788)) — first contribution from @setswei. Tokens get a name field, which is the small UX touch that finally makes a token list legible when you have more than two of them.

Together with [#3785](#3785) (a nil pointer dereference fix in TOTP session verification), the auth surface in this release is meaningfully more robust.

---

🏃 Runners: tags become a first-class scheduling primitive

[#3804](#3804) is the largest single feature in the release (24 commits) and is worth understanding architecturally rather than as a list of bullets:

• A new runner__tag join table replaces the previous single-string tag column, so a runner can carry multiple tags.
• Global runners can now be tagged, not just project runners. This bridges the "platform team owns a fleet, project teams target subsets" model that previously required workarounds.
• The runner list UI gains Default and Global labels, label wrapping, autocompletion in the tag input, and a partial-tag filter ("get runners with any tag matching X").
• A new RunnerTagFilterMode enum (CompleteMatch, HasNoTags, IsDefault, IgnoreTags, HasAnyTag) governs how tasks pick runners.
• Non-admin users have actions disabled on globally-tagged runners — the UI honors the ownership boundary.

The PR is also a fascinating case study in automated code review actually working: cursor[bot] repeatedly flagged an inverted condition in services/tasks/RemoteJob.go where tagFilterMode was set backward (tagged jobs would have routed to untagged runners and vice versa, breaking the isolation guarantee that's the whole point of the feature). Across roughly five review cycles the maintainer (@fiftin) iterated until the logic was right. A bolt driver caveat — db:"-" tags causing tag persistence to silently break on Bolt deployments — was raised by the Codex reviewer; worth verifying for anyone still on Bolt.

A related smaller change, [#3793](#3793), refactored the sync flag handling, which was prerequisite plumbing.

---

🛡️ Admin observability

[#3782](#3782) adds a System Information dialog for admins — a new admin-only GET /admin/info endpoint backing a UI dialog that surfaces:

• tmp_path, home_dir_mode
• Go version / arch / OS, Ansible version, git client
• DB dialect, HA configuration
• Auth method flags (LDAP, OIDC, etc.)
• Task limits, runner settings, notification flags

This is genuinely useful for support triage — the kind of "what version of everything is this server running?" question that previously required SSH access. The endpoint is correctly gated by adminMiddleware server-side, with the UI also guarding render with v-if="user && user.admin". Notably, several of these values were already exposed to all authenticated users via /api/info; the new endpoint is more restrictive than what existed before.

---

🧱 Ansible jumps two major versions

[#3736](#3736) (first contribution from @sevencastles) bumps the bundled Ansible from 11.1.0 → 13.5.0 (ansible-core 2.20.4). This is a non-trivial jump for anyone running Ansible workloads against the Semaphore image — playbooks that relied on collections or behavior from Ansible 11 should be re-tested. There are no notes about pinned-version overrides, so the upgrade is mandatory for users on the official image.

---

🧭 Terraform: stop logic finally works

[#3694](#3694) — a long-standing bug from @JulianKap: stopping a Terraform task while it sat in waiting_confirmation (the human-approval gate between plan and apply) didn't actually stop it. Now it does. For anyone using Terraform integration, this closes one of the more annoying state machine quirks.

---

🔧 Quality-of-life and infrastructure

A few smaller items worth flagging:

• i18n correctness ([#3764](fix(i18n): do not translate CLI command strings #3764), first contribution from @lawrence3699) — CLI command strings are no longer translated. Translating ansible-playbook into other languages was, predictably, breaking command execution.
• Process file ownership ([#3777](fix(process): chown for directories which process have access #3777)) — chown is now scoped to directories the process actually has access to, instead of attempting it everywhere and erroring noisily.
• README ([#3742](docs: update README to use SQLite instead of Bolt (deprecated) #3742), first contribution from @gaetan-steininger) — updated to recommend SQLite over Bolt, which is now deprecated. Worth noting alongside the Bolt-driver concern raised on feat/tagged global runner #3804: Bolt's days are numbered, and new features may not get the same testing coverage on it.

---

📦 Dependency churn

This release pulled in a high volume of dependency bumps. The notable security-relevant ones:

• go-git/go-git/v5 → v5.17.2 ([#3732](fix(deps): update module github.com/go-git/go-git/v5 to v5.17.1 [security] #3732), [#3751](fix(deps): update module github.com/go-git/go-git/v5 to v5.17.2 #3751)) — security advisory fix.
• go-jose/go-jose/v4 → v4.1.4 ([#3745](chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 #3745)) — patches CVE-2026-34986 (DoS via JWE decryption panic), which is in Semaphore's path because it's transitively used by the OIDC login flow.
• axios → v1.15.0/v1.15.2 ([#3756](chore(deps): update dependency axios to v1.15.0 [security] #3756), [#3800](chore(deps): update dependency axios to v1.15.2 #3800)) — security advisory.
• node-forge → 1.4.0 ([#3728](chore(deps-dev): bump node-forge from 1.3.3 to 1.4.0 in /web #3728))
• go-ldap/ldap/v3 → v3.4.13 ([#3767](fix(deps): update module github.com/go-ldap/ldap/v3 to v3.4.13 #3767))
• Azure/go-ntlmssp → v0.1.1 ([#3794](chore(deps): bump github.com/Azure/go-ntlmssp from 0.0.0-20221128193559-754e69321358 to 0.1.1 #3794)) — also feeds into the Azure work.

Plus routine bumps of lodash, picomatch, flatted, follow-redirects, prettier, core-js, dotenv, openai, and actions/checkout.

A small style/config cleanup ([588b369d](https://github.com/semaphoreui/semaphore/commit/588b369d)) removes some extra config validation.

---

👋 New contributors

Four first-time contributors landed code this release: @gaetan-steininger, @lawrence3699, @sevencastles, and @setswei. The community continues to broaden.

---

🎯 Headline takeaways for upgraders

1. If you use external secret managers, this is a meaningful release — AWS SM and Azure KV are now first-class.
2. If you provision API tokens programmatically, plan for the new expires_at and name fields; they're optional but the inflection point to start using them is now.
3. If you run Ansible playbooks via Semaphore, validate against ansible-core 2.20.4 before upgrading production.
4. If you're still on the Bolt driver, evaluate migrating to SQLite — the README now recommends it and at least one PR in this release ([#3804](feat/tagged global runner #3804)) had a noted Bolt-specific concern.
5. If you operate a multi-team installation, the new tagged-global-runner model is worth designing around — it removes one of the longest-standing rough edges in shared-fleet runner setups.

This is a beta — the 0-beta13 suffix and the volume of late-breaking review-bot fixes both signal that. But the architectural direction (external secrets, scoped tokens, tagged runners, admin observability) is coherent and points clearly toward enterprise-readiness.

Full Changelog: v2.17.38...v2.18.0-beta13

Changelog

• 588b369 style(config): remove extra validation

What's Changed

• chore(deps-dev): bump lodash from 4.17.23 to 4.18.1 in /web by @dependabot[bot] in chore(deps-dev): bump lodash from 4.17.23 to 4.18.1 in /web #3746
• docs: update README to use SQLite instead of Bolt (deprecated) by @gaetan-steininger in docs: update README to use SQLite instead of Bolt (deprecated) #3742
• fix(deps): update module github.com/go-git/go-git/v5 to v5.17.1 [security] by @renovate[bot] in fix(deps): update module github.com/go-git/go-git/v5 to v5.17.1 [security] #3732
• chore(deps-dev): bump node-forge from 1.3.3 to 1.4.0 in /web by @dependabot[bot] in chore(deps-dev): bump node-forge from 1.3.3 to 1.4.0 in /web #3728
• chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 in /web by @dependabot[bot] in chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 in /web #3723
• aws sm by @fiftin in aws sm #3750
• chore(deps): update dependency axios to v1.15.0 [security] by @renovate[bot] in chore(deps): update dependency axios to v1.15.0 [security] #3756
• fix(i18n): do not translate CLI command strings by @lawrence3699 in fix(i18n): do not translate CLI command strings #3764
• fix(secrets): broken ownership check in environment secret delete/update by @cursor[bot] in fix(secrets): broken ownership check in environment secret delete/update #3762
• fix: broken ownership check in environment secret delete/update (nil deref + auth bypass) by @cursor[bot] in fix: broken ownership check in environment secret delete/update (nil deref + auth bypass) #3753
• fix(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by @renovate[bot] in fix(deps): update module github.com/go-git/go-git/v5 to v5.17.2 #3751
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 #3745
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1 in /pro by @dependabot[bot] in chore(deps): bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1 in /pro #3733
• chore(deps): update dependency prettier to v3.8.2 by @renovate[bot] in chore(deps): update dependency prettier to v3.8.2 #3766
• fix(deps): update module github.com/go-ldap/ldap/v3 to v3.4.13 by @renovate[bot] in fix(deps): update module github.com/go-ldap/ldap/v3 to v3.4.13 #3767
• fix(secrets): broken ErrReadOnlyStorage sentinel + silent delete error in environment secrets by @cursor[bot] in fix(secrets): broken ErrReadOnlyStorage sentinel + silent delete error in environment secrets #3768
• chore(deps): update dependency core-js to v3.49.0 by @renovate[bot] in chore(deps): update dependency core-js to v3.49.0 #3769
• chore(deps): update dependency dotenv to v17.4.2 by @renovate[bot] in chore(deps): update dependency dotenv to v17.4.2 #3774
• chore(deps): bump flatted from 3.2.5 to 3.4.2 in /web by @dependabot[bot] in chore(deps): bump flatted from 3.2.5 to 3.4.2 in /web #3707
• sec(config): unsetenv for sensitive fields by @fiftin in sec(config): unsetenv for sensitive fields #3784
• fix(auth): nil pointer dereference in TOTP session verification by @cursor[bot] in fix(auth): nil pointer dereference in TOTP session verification #3785
• fix(rekey): skip external storage keys during vault rekey by @cursor[bot] in fix(rekey): skip external storage keys during vault rekey #3778
• chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /web by @dependabot[bot] in chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /web #3779
• feat: add system info dialog for admins by @fiftin in feat: add system info dialog for admins #3782
• chore(deps): update dependency openai to v6.34.0 by @renovate[bot] in chore(deps): update dependency openai to v6.34.0 #3775
• chore(deps): update dependency prettier to v3.8.3 by @renovate[bot] in chore(deps): update dependency prettier to v3.8.3 #3786
• fix(process): chown for directories which process have access by @fiftin in fix(process): chown for directories which process have access #3777
• feat(azure): imlement azure storage by @fiftin in feat(azure): imlement azure storage #3752
• fix(auth,env): add missing return statements after error responses by @cursor[bot] in fix(auth,env): add missing return statements after error responses #3792
• Upgrade Ansible from 11.1.0 to 13.5.0 (ansible-core 2.20.4) by @sevencastles in Upgrade Ansible from 11.1.0 to 13.5.0 (ansible-core 2.20.4) #3736
• chore(deps): bump github.com/Azure/go-ntlmssp from 0.0.0-20221128193559-754e69321358 to 0.1.1 by @dependabot[bot] in chore(deps): bump github.com/Azure/go-ntlmssp from 0.0.0-20221128193559-754e69321358 to 0.1.1 #3794
• chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 by @dependabot[bot] in chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 #3797
• refactor/sync flag by @fiftin in refactor/sync flag #3793
• feat(api): expire for api token by @fiftin in feat(api): expire for api token #3795
• feat: add name field to API tokens by @setswei in feat: add name field to API tokens #3788
• chore(deps): update dependency axios to v1.15.2 by @renovate[bot] in chore(deps): update dependency axios to v1.15.2 #3800
• Fix stopping Terraform tasks in waiting_confirmation stage by @JulianKap in Fix stopping Terraform tasks in waiting_confirmation stage #3694
• chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 in /pro by @dependabot[bot] in chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 in /pro #3790
• feat/tagged global runner by @fiftin in feat/tagged global runner #3804
• chore(deps): update actions/checkout action to v6 by @renovate[bot] in chore(deps): update actions/checkout action to v6 #3484

New Contributors

• @gaetan-steininger made their first contribution in docs: update README to use SQLite instead of Bolt (deprecated) #3742
• @lawrence3699 made their first contribution in fix(i18n): do not translate CLI command strings #3764
• @sevencastles made their first contribution in Upgrade Ansible from 11.1.0 to 13.5.0 (ansible-core 2.20.4) #3736
• @setswei made their first contribution in feat: add name field to API tokens #3788

Full Changelog: v2.17.38...v2.18.0-beta13

---

This discussion was created from the release v2.18.0-beta13.

[ewu-waabi]

What's the current status of 2.18.x? I see 2.18.0 beta and rc releases. But then yesterday there's a 2.18.1 that has a similar changelog to this post, saying that it's beta and latest tag on Docker Hub points to it already.