Release 2026-03-24 - (expected chart version 5.29.0)#5153
Merged
stefanwire merged 73 commits intomasterfrom Mar 25, 2026
Merged
Release 2026-03-24 - (expected chart version 5.29.0)#5153stefanwire merged 73 commits intomasterfrom
stefanwire merged 73 commits intomasterfrom
Conversation
This way while testing other subsystems which may be writing to/reading from UserStore will remain consistent. This is only useful for AuthenticationSubsystem as of now.
It was broken in #4986
Master->Develop after release
* charts/elasticsearch-index: Allow configuring postgresql Without this an ES data migration would always fail. * Fix typo Co-authored-by: Leif Battermann <leif.battermann@wire.com> * Quote everything --------- Co-authored-by: Leif Battermann <leif.battermann@wire.com>
…e` to type class for Galley/Action (#5098)
Also move the tests to the new integration suite.
This hasn't been updated for over 6 years now, corresponding Docker images cannot be found in the internet and Julia said it's not in use. As stated in the docs, they need to be updated. The misleading section about metallb is now removed.
…uery parameters (#5108)
This reverts commit b2515b4. Unfortunately, this broke dependencies for direnv.
It could not be called outside of the repo folder. This is done as refactoring: The direnv "speedhack" can stay in place.
It probably hasn't been used for two years. Removing this to keep our Nix env small.
This reverts commit ef70106.
…soCodeByEmail finds IdP for SCIM user by domain` test (#5133) The in-memory IdPConfigStore resembles some constraints that would have been enforced on a higher level: The IdP issuer is (depending on IdP API version) either unique per backend (V1) or per team (V2). Also, add tests to ensure IdP constraints are multi-ingress agnostic, filling a small test gap.
It probably hasn't been used for two years. Removing this to keep our Nix env small.
* Add security guidelines to AGENTS.md source: https://wearezeta.atlassian.net/wiki/spaces/SC/pages/2064515093/PSA+Guidance+on+AI-assisted+Coding --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This is a mixed bag of small changes for facilitating SBOM creation on CI: - Use repository secrets to avoid rate limits and access `wire-server-enterprise` images - Create a dedicated Nix shell env with only those dependencies required for SBOM creation. This has two benefits: The regular dev env stays small and swift, the dedicated env is much fast to load (saves about 10 Minutes on CI) - Don't patch versions in SBOM scripts: We already got machinery for this. - Use `syft` do pull docker images instead of `docker`: There is no `dockerd` running on CI.
zebot
added
the
ok-to-test
stefanwire
approved these changes
Mar 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
[2026-03-24] (Chart Release 5.29.0)
Release notes
Helm chart refactoring: several core services were migrated from wire-server subcharts into the umbrella chart templates (
charts/wire-server/templates).Moved as core services:
background-workerbrigcannoncargoholdgalleygundeckproxysparAs a result, dependency tags for moved services are obsolete for the current wire-server chart, because these services are no longer resolved through
requirements.yamldependencies. In particular,tags.brig,tags.galley,tags.cannon,tags.cargohold,tags.gundeck,tags.proxy, andtags.sparare no longer needed for wire-server deployments.Operator note: during upgrade, rendered manifests will show metadata/source changes (for example chart labels and template source paths). This is expected from the inlining refactor and may trigger a one-time rollout due to checksum annotation changes.
Compatibility note: for standard wire-server deployments this is not expected to be breaking, because the moved core services were not toggled off via tags in default/in-repo environments. However, this is a breaking change for custom deployments that previously disabled any of these services via wire-server dependency tags (
tags.<service>: false), because those tags are now obsolete after inlining. (WPB-23830 Merge service helm charts with wire-server chart #5085)Rate-limit status codes in
nginzand cannon's embeddednginzare now configurable via Helm values.Compatibility note: the default remains
420, so this does not change behavior for existing deployments and requires no direct operator action. (WPB-23913 rate limit http status code config for nginz and cannon #5124)Remove the old
metallbwrapper chart. This hasn't been published or updatedfor quite some time. Even the Docker images weren't available anymore. (Delete metallb chart (and related docs) #5111)
API changes
Require admin password for refreshing app cookies (
POST /teams/:tid/apps/:uid/cookies). ([WPB-21432] app refresh cookie requires password #5129)Add
"app"attribute toGET /list-users,GET /users/:dom/:uid; makeGET /teams/:tid/apps,GET /teams/:tid/apps/:uidreturn same schema asGET /list-users. ([WPB-23644] add app data toget /list-users#5070)GET /teams/:tid/searchresponse contains user types now (app or regular). ([WPB-23644] refactor user type in wire-subsystems #5074)Create new API version V16 and finalize API version V15. ([WPB-23841] Create new API version V16 and finalize API version V15. #5121)
Features
Add meetings listings endpoint
/meetings/list. (WPB-21964: Add Wire Meetings list #5109)Add Wire Meetings add invitation endpoint
POST /meetings/:domain/:id/invitations(WPB-24074: Add Wire Meetings add invitation endpoint #5132)Add Wire Meetings delete invitation endpoint
POST /meetings/:domain/:id/invitations/delete(WPB-24075: Add Wire Meetings delete invitation endpoint #5136)Bug fixes and other updates
Claiming key packages for a deleted user now returns a client error instead of a server error (WPB-23257 fix: claiming key package for a deleted user causes a 500 #5113)
backoffice/stern: fix Swagger UI for comma-separated list query parameters (WPB-23262 backoffice/stern: fix Swagger UI for comma-separated list query parameters #5108)
Streamlined and fixed team feature config
validateSAMLemails(WPB-23441 fix: validate saml emails feature not correctly targeted #5114)When the admin creates a new app cookie, all previous ones must be revoked. ([WPB-24033] invalidate old app cookies #5149)
charts/elasticsearch-index: Allow configuring postgresql (charts/elasticsearch-index: Allow configuring postgresql #5092)
charts/wire-server: Fix nil pointer errors in merged subchart templates when optional values (brig.turn, rabbitmq TLS, cassandraBrig/cassandraGalley) are not provided (fix: adding Helm nil guards for optional values #5112)
Improve error message when failing to parse group ID (Group ID parse error #5089)
Documentation
validateSAMLemails(WPB-24006 rename validate sam lemails to require external email verification and deprecate legacy feature flag endpoint #5118)Internal changes
The status code for rate limit responses from nginz and cannon is now configurable and set to 420 per default (WPB-23913 rate limit http status code config for nginz and cannon #5124)
Add curl to integration test failure reports. ([WPB-22549] Add curl to integration test failure reports. #5048)
Add
UserTypefields in various data types. ([WPB-23644] refactor user type in wire-subsystems #5074)Progressively move away from singletons to type class to allow progressive migration to
wire-subsystemsof Galley's actions.Drop
Galley.Intra.Util,Galley.Effects,Galley.API.MLS.Commit, andGalley.API.Push.Break dependencies to
Opts/Env.Split
ConversationSubsystem.InterpreterGalley.API.Federation(WPB-23789: Wrap Galley updateLocalConversation #5075, WPB-23789: SplitperformActionin Galley #5081, WPB-23789: Introduce type class for Galley/Action #5086, WPB-23789: MigrateensureAllowedto type class for Galley/Action #5087, WPB-23789: MigrateskipConversationRoleCheck&channelAdminOverrideto type class for Galley/Action #5098, WPB-23789: DropGalley.Intra.Util#5101, WPB-23789: DropGalley.Effects#5102, WPB-23789: DropGalley.API.MLS.Commit#5103, WPB-23789: DropGalley.API.Push#5104, WPB-23789: Break dependencies toOpts/Env#5110, WPB-23789: SplitConversationSubsystem.Interpreter#5145, WPB-23789: SplitGalley.API.Federation#5148)Logging Wire-Client, Wire-Client-Version and Wire-Config-Hash headers in nginz (WPB-23816 log wire client and wire client verison headers in nginz #5123)
Refactor scripts to alleviate SonarQube warnings (WPB-23896: Handle SonarQube last blocker and high/medium warnings #5097)
Consumable notifications are now disabled (WPB-23942 prevent rabbit mq queues creation for client notifications #5116)
The fields
code,label, andmessagewhere added to the inconsistent group state error response ofPOST /mls/commit-bundels(#PR_NOT_FOUND)Refactor Category: from ADT to Text. ([WPB-23990] refactor category #5120)
Moved TeamVisibilityStore operations into TeamStore (WPB-24149 move team search visibility to wire subsystems #5137)
Moved TeamNotificationStore to wire-subsystems (WPB-24151 move team notifications store to wire subsystems #5138)
Moved CustomBackendStore to wire-subsystems (WPB-24152 move custom backends code to wire subsystems #5135)
Moved TeamMemberStore, interpreter, and ListItems interpreters for Team to wire-subsystems (WPB-24178 move team member store to wire subsystems #5140)
sbomqshas been unused for years now. Thus, dropping it from our Nix env. (remove unused sbomqs #5144)Adjust the
defaultNix flakedevShellsuch thatnix developis usable. (Fixnix develop#5127)Create and upload SBOMs for Helmfile, docker-compose and Helm charts. (SBOMs for Helmfile, docker-compose and Helm charts #5122)