🔧 Renovate: Update (minor) semaphoreui/semaphore Docker tag to v2.18.2 #2487

Merged
Trez.One merged 1 commits from renovate/docker-compose-semaphoreui-semaphore-v2-18-2 into main 2026-05-10 19:35:32 -04:00

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| semaphoreui/semaphore | minor | v2.16.51 → v2.18.2 |

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Renovate Update Info

  • Update Type: minor

  • Automerge: 🛑 This update requires manual approval


Release Notes

semaphoreui/semaphore (semaphoreui/semaphore)

v2.18.2

Compare Source

Bugfixes

  • Fix bug with reading environment variable SEMAPHORE_DB_PASS.

v2.18.1

Compare Source

This is a substantial beta release that pushes Semaphore meaningfully further into enterprise-grade secrets management, hardens the API token lifecycle, expands the runner scheduling model, and absorbs a flurry of security and dependency fixes — many of them caught and triaged by automated review bots (Cursor, ChatGPT Codex) before merge. It also bumps the bundled Ansible runtime by two major versions.

Below is a qualitative, themed walkthrough rather than a flat PR list.


Secret storage: two new external backends + a hard look at ownership

The headline feature of this release is first-class support for two more enterprise secret backends, joining the existing Devolutions Server (DVLS) integration:

  • AWS Secrets Manager ([#​3750](#​3750)) — adds a full Secret Storage type for AWS SM with a dedicated form, icon, and a Sync button to pull secrets on demand. The PR also introduced a generalized rekey flow and "source details" surfacing for individual secrets.
  • Azure Key Vault ([#​3752](#​3752)) — symmetric implementation for Azure, using the official Microsoft SDKs (azcore, azidentity, azsecrets). Auth follows the same DB / env-var / file pattern as AWS SM and DVLS, and the backend was refactored to consolidate SyncSecrets across all storage types into a single function.

Alongside the new backends, an unusually large cluster of secret-related security fixes landed — almost all of them automatically flagged by cursor[bot] during review:

  • [#​3753](#​3753) / [#​3762](#​3762) — broken ownership checks on environment secret delete/update (nil deref + auth bypass). These are real authorization bugs where an unauthenticated edge case could fall through.
  • [#​3768](#​3768) — broken ErrReadOnlyStorage sentinel + a silent delete error on environment secrets (the operation appeared to succeed while failing).
  • [#​3778](#​3778) — vault rekey now correctly skips keys that live in external storage (AWS/Azure/DVLS), since rekeying them locally would be incoherent.
  • [#​3784](#​3784) — unsetenv for sensitive config fields after they're consumed, so they don't linger in process memory available to child processes.
  • [#​3792](#​3792) — missing return statements after error responses in auth/env handlers (classic continue-after-error logic bug).

The pattern here is notable: the new backends were merged together with a methodical sweep of the existing secret-handling code, suggesting the secrets subsystem received a deliberate audit pass.


API tokens grow up

Two complementary PRs turn API tokens from disposable opaque strings into something closer to a managed credential:

  • Expiration support ([#​3795](#​3795)) — tokens can now carry an optional expires_at. Creation rejects non-future values; bearer-token authentication checks expiry on every request via a new IsExpiredAt method, so revocation-by-time is enforced before the request handler even runs. This also added rollback SQL for the migration.
  • Named tokens ([#​3788](#​3788)) — first contribution from @setswei. Tokens get a name field, which is the small UX touch that finally makes a token list legible when you have more than two of them.

Together with [#​3785](#​3785) (a nil pointer dereference fix in TOTP session verification), the auth surface in this release is meaningfully more robust.


Runners: tags become a first-class scheduling primitive

[#​3804](#​3804) is the largest single feature in the release (24 commits) and is worth understanding architecturally rather than as a list of bullets:

  • A new runner__tag join table replaces the previous single-string tag column, so a runner can carry multiple tags.
  • Global runners can now be tagged, not just project runners. This bridges the "platform team owns a fleet, project teams target subsets" model that previously required workarounds.
  • The runner list UI gains Default and Global labels, label wrapping, autocompletion in the tag input, and a partial-tag filter ("get runners with any tag matching X").
  • A new RunnerTagFilterMode enum (CompleteMatch, HasNoTags, IsDefault, IgnoreTags, HasAnyTag) governs how tasks pick runners.
  • Non-admin users have actions disabled on globally-tagged runners — the UI honors the ownership boundary.

The PR is also a fascinating case study in automated code review actually working: cursor[bot] repeatedly flagged an inverted condition in services/tasks/RemoteJob.go where tagFilterMode was set backward (tagged jobs would have routed to untagged runners and vice versa, breaking the isolation guarantee that's the whole point of the feature). Across roughly five review cycles the maintainer (@fiftin) iterated until the logic was right. A bolt driver caveat — db:"-" tags causing tag persistence to silently break on Bolt deployments — was raised by the Codex reviewer; worth verifying for anyone still on Bolt.

A related smaller change, [#​3793](#​3793), refactored the sync flag handling, which was prerequisite plumbing.


Admin observability

[#​3782](#​3782) adds a System Information dialog for admins — a new admin-only GET /admin/info endpoint backing a UI dialog that surfaces:

  • tmp_path, home_dir_mode
  • Go version / arch / OS, Ansible version, git client
  • DB dialect, HA configuration
  • Auth method flags (LDAP, OIDC, etc.)
  • Task limits, runner settings, notification flags

This is genuinely useful for support triage — the kind of "what version of everything is this server running?" question that previously required SSH access. The endpoint is correctly gated by adminMiddleware server-side, with the UI also guarding render with v-if="user && user.admin". Notably, several of these values were already exposed to all authenticated users via /api/info; the new endpoint is more restrictive than what existed before.


Ansible jumps two major versions

[#​3736](#​3736) (first contribution from @sevencastles) bumps the bundled Ansible from 11.1.0 → 13.5.0 (ansible-core 2.20.4). This is a non-trivial jump for anyone running Ansible workloads against the Semaphore image — playbooks that relied on collections or behavior from Ansible 11 should be re-tested. There are no notes about pinned-version overrides, so the upgrade is mandatory for users on the official image.


Terraform: stop logic finally works

[#​3694](#​3694) — a long-standing bug from @JulianKap: stopping a Terraform task while it sat in waiting_confirmation (the human-approval gate between plan and apply) didn't actually stop it. Now it does. For anyone using Terraform integration, this closes one of the more annoying state machine quirks.


Quality-of-life and infrastructure

A few smaller items worth flagging:

  • i18n correctness ([#​3764](#​3764), first contribution from @lawrence3699) — CLI command strings are no longer translated. Translating ansible-playbook into other languages was, predictably, breaking command execution.
  • Process file ownership ([#​3777](#​3777)) — chown is now scoped to directories the process actually has access to, instead of attempting it everywhere and erroring noisily.
  • README ([#​3742](#​3742), first contribution from @gaetan-steininger) — updated to recommend SQLite over Bolt, which is now deprecated. Worth noting alongside the Bolt-driver concern raised on #​3804: Bolt's days are numbered, and new features may not get the same testing coverage on it.

Dependency churn

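This release pulled in a high volume of dependency bumps. The notable security-relevant ones:

  • go-git/go-git/v5 → v5.17.2 ([#3732](https://github.com/semaphoreui/semaphore/pull/3732), [#3751](https://github.com/semaphoreui/semaphore/pull/3751)) — security advisory fix.
  • go-jose/go-jose/v4 → v4.1.4 ([#3745](https://github.com/semaphoreui/semaphore/pull/3745)) — patches CVE-2026-34986 (DoS via JWE decryption panic), which is in Semaphore's path because it's transitively used by the OIDC login flow.
  • axios → v1.15.0/v1.15.2 ([#3756](https://github.com/semaphoreui/semaphore/pull/3756), [#3800](https://github.com/semaphoreui/semaphore/pull/3800)) — security advisory.
  • node-forge → 1.4.0 ([#3728](https://github.com/semaphoreui/semaphore/pull/3728))
  • go-ldap/ldap/v3 → v3.4.13 ([#3767](https://github.com/semaphoreui/semaphore/pull/3767))
  • Azure/go-ntlmssp → v0.1.1 ([#3794](https://github.com/semaphoreui/semaphore/pull/3794)) — also feeds into the Azure work.
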
Plus routine bumps of lodash, picomatch, flatted, follow-redirects, prettier, core-js, dotenv, openai, and actions/checkout.

A small style/config cleanup ([588b369d](https://github.com/semaphoreui/semaphore/commit/588b369d)) removes some extra config validation.


New contributors

Four first-time contributors landed code this release: @gaetan-steininger, @lawrence3699, @sevencastles, and @setswei. The community continues to broaden.


Headline takeaways for upgraders

  1. If you use external secret managers, this is a meaningful release — AWS SM and Azure KV are now first-class.
  2. If you provision API tokens programmatically, plan for the new expires_at and name fields; they're optional but the inflection point to start using them is now.
  3. If you run Ansible playbooks via Semaphore, validate against ansible-core 2.20.4 before upgrading production.
  4. If you're still on the Bolt driver, evaluate migrating to SQLite — the README now recommends it and at least one PR in this release ([#​3804](#​3804)) had a noted Bolt-specific concern.
  5. If you operate a multi-team installation, the new tagged-global-runner model is worth designing around — it removes one of the longest-standing rough edges in shared-fleet runner setups.

v2.17.39

Compare Source

Bugfixes

  • BoltDB migrator: skipping broken vaults during migration

v2.17.38

Compare Source

Changes

  • Added namespace support for HashiCorp Vault (Pro/Enterprise)
  • Fixed critical bug with BoltDB migration.

v2.17.37

Compare Source

v2.17.36

Compare Source

Changelog

  • 07b5c05 fix(subscr): show correct message
  • 6b5a4ae Merge pull request #​3754 from semaphoreui/fix/ldap_filter_injection

v2.17.35

Compare Source

v2.17.34

Compare Source

v2.17.33

Compare Source

Changelog

  • 629fc09 fix(repo): use *_internal directory to store requirements hash file

v2.17.32

Compare Source

Semaphore UI v2.17.32 – Release Summary

This release focuses on runner reliability, security improvements, and overall stability, along with several bug fixes and translation updates.

🚀 Improvements
  • Smarter runner distribution
    Runners are now selected randomly, improving load balancing and avoiding uneven task distribution across runners.
🔐 Security & Safety
  • Config validation at startup
    The access_key_encryption setting is now validated during startup to prevent misconfiguration issues early.
  • Stronger permission checks
    Restoring projects from backup now requires admin permissions, improving security around sensitive operations.
🐛 Bug Fixes
  • Fixed nil pointer crash in runner updates when tasks are not part of a pool
  • Fixed incorrect handling of Git branch names containing slashes
  • Improved runner shutdown logic to ensure progress is uploaded before termination
  • Fixed inconsistencies in task status updates
  • Minor fix for a missed import
🌍 Localization
  • Improved Traditional Chinese (zh_TW) translations and consistency

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.31...v2.17.32

v2.17.31

Compare Source

Changelog

  • Fix Devolutions icon

v2.17.30

Compare Source

Changelog

  • 3f8c2b9 fix(env): allow empty secret prefix

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.28...v2.17.30

v2.17.29

Compare Source

v2.17.28

Compare Source

Release v2.17.28

This release improves runner-to-task tracking and fixes task status handling in the runner update flow.

A new runner_id field was added to tasks in the database, which makes it possible to persist the association between a task and the runner executing it. This improves internal task tracking and lays the groundwork for more reliable runner state handling.

This release also fixes a bug in the runner update logic where the current task state was checked using the wrong field. In api/runners/runners.go, the status check was corrected from job.Status.IsFinished() to tsk.Task.Status.IsFinished(), ensuring the system evaluates the actual stored task state before applying runner updates. This makes task state transitions more accurate during runner execution.

What's changed
  • Added runner_id to the task record in the database for better runner-to-task association. (#​3712)
  • Fixed runner task status validation to use the actual task status field instead of the job status field.
Full Changelog

https://github.com/semaphoreui/semaphore/compare/v2.17.27...v2.17.28

v2.17.27

Compare Source

Bugfixes

  • Fixed bug with running Terragrunt

v2.17.26

Compare Source

Changelog

  • 3b278d1 fix(secrets): null pointer

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.24...v2.17.26

v2.17.25

Compare Source

v2.17.24

Compare Source

Changelog

  • b9cb5be fix(secrets): provide source storage type in var groups

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.22...v2.17.24

v2.17.23

Compare Source

v2.17.22

Compare Source

This patch release includes a small fix related to integrations permissions.

Fixes

  • Fixed permissions handling for integrations.

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.21...v2.17.22

v2.17.21

Compare Source

Changelog

  • 3a04fda Merge branch '2-17-stable' into develop

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.17...v2.17.21

v2.17.20

Compare Source

v2.17.19

Compare Source

v2.17.18

Compare Source

v2.17.17

Compare Source

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.16...v2.17.17

v2.17.16

Compare Source

Changelog

  • 140584f ci(docker): fix migration condition

What's Changed

  • feat(migrator): respect flag --merge-existing-users which allows use of existing users by @fiftin in #3673

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.15...v2.17.16

v2.17.15

Compare Source


Semaphore UI v2.17.15

Overview

This release improves secret management flexibility and includes minor internal cleanup and dependency updates.

Highlights

🔐 Read Secrets from Raw Files

You can now load secrets directly from a raw file. This makes it easier to integrate with:

  • Docker/Kubernetes secret mounts
  • Vault Agent file sinks
  • External secret management systems

This enhancement simplifies secure automation workflows and improves compatibility with production setups.

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.14...v2.17.15

v2.17.14

Compare Source

Changelog

  • Fixed null pointer in Backups

v2.17.12

Compare Source

🚀 Release Summary

This release introduces improved task control, an important database migration capability, and multiple dependency updates for stability and security.

Highlights

BoltDB → SQL migration tool (major step forward)

  • A new backend migration utility allows moving from BoltDB to SQL databases.
    This is a key improvement for scalability and aligns with the future removal of BoltDB support.
🔧 Maintenance & Security
  • Updated multiple Go modules (crypto, OAuth2, PostgreSQL driver).
  • Updated frontend tooling (Prettier).
  • Edwards25519 dependency updated (core and Pro).
  • General dependency fixes and stability improvements.

Changelog

  • 3e5e0de ci(github): return GH_TOKEN for docker

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.8...v2.17.12

v2.17.10

Compare Source

v2.17.9

Compare Source

v2.17.8

Compare Source

Release Summary

This is a small maintenance release focused on improving task control and integration behavior, along with routine dependency updates.

New Features
  • Force stop all tasks
    Added the ability to stop all running tasks with the force option, giving administrators faster control in emergency or cleanup scenarios.
🔧 Improvements & Fixes
  • Integration value priority fix
    Extracted values in integrations now correctly take precedence, ensuring more predictable configuration behavior.

Changelog

  • 38d2d2a fix(integrations): extracted values has priority

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.7...v2.17.8

v2.17.7

Compare Source

Release Summary

This release focuses on logging improvements, Docker usability, and dependency updates.

Improvements
  • RFC 5424 syslog support
    Syslog output now follows the RFC 5424 standard, improving compatibility with enterprise logging systems and SIEM platforms.
🐳 Docker
  • Config path for import fixed
    Docker deployments now correctly provide the configuration path when importing settings.

Changelog

  • 7c3cc4f fix(docker): provide config path for import

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.5...v2.17.7

v2.17.6

Compare Source

v2.17.5

Compare Source

Release Summary

This release delivers a fix for scheduled task configuration stability.

🛠 Fixes
  • Scheduled task properties saving issue resolved
    Fixed a bug where task properties were not saved or updated correctly when working with schedules. This improves reliability and consistency of scheduled task configuration.

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.4...v2.17.5

v2.17.4

Compare Source

Summary

This release focuses on performance improvements, permission fixes, and small usability enhancements, along with routine dependency updates and test coverage improvements.

🚀 Performance
  • Reduced database queries for tasks, improving overall performance and responsiveness.
🔐 Permissions & UI fixes
  • Template role permissions are now correctly enforced in the UI.
  • Integration and role permission checks in the UI have been fixed.
⚙️ Improvements
  • Semaphore task details are now available to shell applications via environment variables.
  • Adjustments to template directory handling.
🧪 Testing & Maintenance
  • Added unit tests for getHomeDir.
  • Upgraded core-js dependency.
  • Internal optimizations and minor fixes.

Changelog

  • e49d030 Merge pull request #​3619 from semaphoreui/perf/optimize_db_queries

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.2...v2.17.4

v2.17.3

Compare Source

v2.17.2

Compare Source

Release Summary

This release introduces high availability improvements, enhanced integrations, and important security and dependency updates.

New Features
  • Active-active high availability
    Added support for active-active HA deployments, allowing multiple Semaphore UI nodes to operate simultaneously for improved scalability and resilience.

  • Integration task details via headers
    Integrations can now return created task details through response headers, enabling better automation workflows and easier external system integration.

🔒 Security & Maintenance
  • Security updates for axios and go-git.
  • Dependency updates including express, qs, webpack, and lodash for improved stability and performance.
👋 Community
  • Welcome @​riton, who made their first contribution to Semaphore UI.

Full Changelog: https://github.com/semaphoreui/semaphore/compare/v2.17.0...v2.17.2

v2.17.0

Compare Source

Semaphore 2.17 Release Details
  1. Syslog support
  2. CLI improvements:
    • Import project
    • --register flag for runner command
  3. UI improvements:
    • Custom views
    • New expanded textarea behavior
  4. Stop all tasks button for a template
  5. Custom roles (Enterprise)
  6. Devolutions Server integration (Enterprise)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.
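
The API token expiration and missing-return items in the v2.18.1 notes above, as an added example that is not Semaphore's code: a bearer-token middleware whose expiry check runs before the handler, beside a deliberately flawed variant that writes the 401 but omits the return. Only expires_at, name and IsExpiredAt come from the notes; the types, the in-memory store, the fixed clock and the route are assumptions, and the sample tokens are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// APIToken is a hypothetical record; only expires_at and name come from the notes.
type APIToken struct {
	Name      string
	ExpiresAt *time.Time // nil: the token never expires
}

// IsExpiredAt reports whether the token is no longer valid at instant now.
// The expiry instant itself already counts as expired.
func (t APIToken) IsExpiredAt(now time.Time) bool {
	return t.ExpiresAt != nil && !now.Before(*t.ExpiresAt)
}

var ErrExpiryNotFuture = errors.New("expires_at must be in the future")

// NewAPIToken applies the creation rule: a supplied expiry must lie after now.
func NewAPIToken(name string, expiresAt *time.Time, now time.Time) (APIToken, error) {
	if expiresAt != nil && !expiresAt.After(now) {
		return APIToken{}, ErrExpiryNotFuture
	}
	return APIToken{Name: name, ExpiresAt: expiresAt}, nil
}

// Middleware is the shape shared by the hardened and the flawed variant.
type Middleware func(store map[string]APIToken, now time.Time, next http.Handler) http.Handler

// bearerValue extracts the token from "Authorization: Bearer <token>".
func bearerValue(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return ""
	}
	return strings.TrimPrefix(h, "Bearer ")
}

// BearerAuth rejects unknown and expired tokens before next ever runs.
func BearerAuth(store map[string]APIToken, now time.Time, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := store[bearerValue(r)]
		if !ok {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		if tok.IsExpiredAt(now) {
			http.Error(w, "token expired", http.StatusUnauthorized)
			return // the response is written and the request stops here
		}
		next.ServeHTTP(w, r)
	})
}

// BearerAuthNoReturn is deliberately flawed (continue-after-error): it writes
// the 401 but falls through, so the protected handler still executes.
func BearerAuthNoReturn(store map[string]APIToken, now time.Time, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := store[bearerValue(r)]
		if !ok || tok.IsExpiredAt(now) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			// missing return: execution continues into next
		}
		next.ServeHTTP(w, r)
	})
}

// Run sends one request through mw and reports the status the client sees and
// whether the protected handler's side effect happened.
func Run(mw Middleware, store map[string]APIToken, now time.Time, token string) (status int, handlerRan bool) {
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		handlerRan = true // stands in for a state change such as a delete
		w.WriteHeader(http.StatusNoContent)
	})
	req := httptest.NewRequest(http.MethodDelete, "/api/example", nil) // hypothetical route
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	mw(store, now, next).ServeHTTP(rec, req)
	return rec.Code, handlerRan
}

func main() {
	now := time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC) // constructed clock
	past, future := now.Add(-time.Hour), now.Add(time.Hour)
	store := map[string]APIToken{ // constructed sample tokens
		"tok-live":    {Name: "ci-deploy", ExpiresAt: &future},
		"tok-expired": {Name: "old-ci", ExpiresAt: &past},
	}
	for _, tok := range []string{"tok-live", "tok-expired"} {
		s1, r1 := Run(BearerAuth, store, now, tok)
		s2, r2 := Run(BearerAuthNoReturn, store, now, tok)
		fmt.Printf("%-12s hardened: %d ran=%v | flawed: %d ran=%v\n", tok, s1, r1, s2, r2)
	}
	_, err := NewAPIToken("backdated", &past, now)
	fmt.Println("create with past expiry:", err)
}
```

With the flawed variant the client still receives 401 while the handler's side effect happens, so a test that asserts only on the status code does not catch the bug.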

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [semaphoreui/semaphore](https://github.com/semaphoreui/semaphore) | minor | `v2.16.51` → `v2.18.2` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/288) for more information. ### ⚡ Renovate Update Info - **Update Type:** minor - **Automerge:** 🛑 This update requires manual approval --- ### Release Notes <details> <summary>semaphoreui/semaphore (semaphoreui/semaphore)</summary> ### [`v2.18.2`](https://github.com/semaphoreui/semaphore/releases/tag/v2.18.2) [Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.18.1...v2.18.2) #### Bugfixes - Fix bug with reading environment variable `SEMAPHORE_DB_PASS`. ### [`v2.18.1`](https://github.com/semaphoreui/semaphore/releases/tag/v2.18.1) [Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.39...v2.18.1) This is a substantial beta release that pushes Semaphore meaningfully further into **enterprise-grade secrets management**, hardens the **API token lifecycle**, expands the **runner scheduling model**, and absorbs a flurry of security and dependency fixes — many of them caught and triaged by automated review bots (Cursor, ChatGPT Codex) before merge. It also bumps the bundled Ansible runtime by two major versions. Below is a qualitative, themed walkthrough rather than a flat PR list. *** #### Secret storage: two new external backends + a hard look at ownership The headline feature of this release is **first-class support for two more enterprise secret backends**, joining the existing Devolutions Server (DVLS) integration: - **AWS Secrets Manager** (\[[#&#8203;3750](https://github.com/semaphoreui/semaphore/pull/3750)]\([#&#8203;3750](https://github.com/semaphoreui/semaphore/pull/3750))) — adds a full Secret Storage type for AWS SM with a dedicated form, icon, and a **Sync button** to pull secrets on demand. 
The PR also introduced a generalized **rekey** flow and "source details" surfacing for individual secrets. - **Azure Key Vault** (\[[#&#8203;3752](https://github.com/semaphoreui/semaphore/pull/3752)]\([#&#8203;3752](https://github.com/semaphoreui/semaphore/pull/3752))) — symmetric implementation for Azure, using the official Microsoft SDKs (`azcore`, `azidentity`, `azsecrets`). Auth follows the same DB / env-var / file pattern as AWS SM and DVLS, and the backend was refactored to consolidate `SyncSecrets` across all storage types into a single function. Alongside the new backends, an unusually large cluster of **secret-related security fixes** landed — almost all of them automatically flagged by `cursor[bot]` during review: - \[[#&#8203;3753](https://github.com/semaphoreui/semaphore/pull/3753)]\([#&#8203;3753](https://github.com/semaphoreui/semaphore/pull/3753)) / \[[#&#8203;3762](https://github.com/semaphoreui/semaphore/pull/3762)]\([#&#8203;3762](https://github.com/semaphoreui/semaphore/pull/3762)) — broken ownership checks on environment secret delete/update (nil deref + auth bypass). These are real authorization bugs where an unauthenticated edge case could fall through. - \[[#&#8203;3768](https://github.com/semaphoreui/semaphore/pull/3768)]\([#&#8203;3768](https://github.com/semaphoreui/semaphore/pull/3768)) — broken `ErrReadOnlyStorage` sentinel + a *silent* delete error on environment secrets (the operation appeared to succeed while failing). - \[[#&#8203;3778](https://github.com/semaphoreui/semaphore/pull/3778)]\([#&#8203;3778](https://github.com/semaphoreui/semaphore/pull/3778)) — vault rekey now correctly **skips keys that live in external storage** (AWS/Azure/DVLS), since rekeying them locally would be incoherent. 
- \[[#&#8203;3784](https://github.com/semaphoreui/semaphore/pull/3784)]\([#&#8203;3784](https://github.com/semaphoreui/semaphore/pull/3784)) — `unsetenv` for sensitive config fields after they're consumed, so they don't linger in process memory available to child processes. - \[[#&#8203;3792](https://github.com/semaphoreui/semaphore/pull/3792)]\([#&#8203;3792](https://github.com/semaphoreui/semaphore/pull/3792)) — missing `return` statements after error responses in auth/env handlers (classic continue-after-error logic bug). The pattern here is notable: the new backends were merged together with a methodical sweep of the *existing* secret-handling code, suggesting the secrets subsystem received a deliberate audit pass. *** #### API tokens grow up Two complementary PRs turn API tokens from disposable opaque strings into something closer to a managed credential: - **Expiration support** (\[[#&#8203;3795](https://github.com/semaphoreui/semaphore/pull/3795)]\([#&#8203;3795](https://github.com/semaphoreui/semaphore/pull/3795))) — tokens can now carry an optional `expires_at`. Creation rejects non-future values; bearer-token authentication checks expiry on every request via a new `IsExpiredAt` method, so revocation-by-time is enforced before the request handler even runs. This also added rollback SQL for the migration. - **Named tokens** (\[[#&#8203;3788](https://github.com/semaphoreui/semaphore/pull/3788)]\([#&#8203;3788](https://github.com/semaphoreui/semaphore/pull/3788))) — first contribution from `@setswei`. Tokens get a `name` field, which is the small UX touch that finally makes a token list legible when you have more than two of them. Together with \[[#&#8203;3785](https://github.com/semaphoreui/semaphore/pull/3785)]\([#&#8203;3785](https://github.com/semaphoreui/semaphore/pull/3785)) (a nil pointer dereference fix in TOTP session verification), the auth surface in this release is meaningfully more robust. 
*** #### Runners: tags become a first-class scheduling primitive \[[#&#8203;3804](https://github.com/semaphoreui/semaphore/pull/3804)]\([#&#8203;3804](https://github.com/semaphoreui/semaphore/pull/3804)) is the largest single feature in the release (24 commits) and is worth understanding architecturally rather than as a list of bullets: - A new `runner__tag` join table replaces the previous single-string `tag` column, so a runner can carry **multiple tags**. - **Global runners can now be tagged**, not just project runners. This bridges the "platform team owns a fleet, project teams target subsets" model that previously required workarounds. - The runner list UI gains **Default** and **Global** labels, label wrapping, autocompletion in the tag input, and a **partial-tag filter** ("get runners with any tag matching X"). - A new `RunnerTagFilterMode` enum (`CompleteMatch`, `HasNoTags`, `IsDefault`, `IgnoreTags`, `HasAnyTag`) governs how tasks pick runners. - Non-admin users have actions disabled on globally-tagged runners — the UI honors the ownership boundary. The PR is also a fascinating case study in **automated code review actually working**: `cursor[bot]` repeatedly flagged an inverted condition in `services/tasks/RemoteJob.go` where `tagFilterMode` was set backward (tagged jobs would have routed to untagged runners and vice versa, breaking the isolation guarantee that's the whole point of the feature). Across roughly five review cycles the maintainer (`@fiftin`) iterated until the logic was right. A `bolt` driver caveat — `db:"-"` tags causing tag persistence to silently break on Bolt deployments — was raised by the Codex reviewer; worth verifying for anyone still on Bolt. A related smaller change, \[[#&#8203;3793](https://github.com/semaphoreui/semaphore/pull/3793)]\([#&#8203;3793](https://github.com/semaphoreui/semaphore/pull/3793)), refactored the `sync` flag handling, which was prerequisite plumbing. 
*** #### Admin observability \[[#&#8203;3782](https://github.com/semaphoreui/semaphore/pull/3782)]\([#&#8203;3782](https://github.com/semaphoreui/semaphore/pull/3782)) adds a **System Information dialog for admins** — a new admin-only `GET /admin/info` endpoint backing a UI dialog that surfaces: - `tmp_path`, `home_dir_mode` - Go version / arch / OS, Ansible version, git client - DB dialect, HA configuration - Auth method flags (LDAP, OIDC, etc.) - Task limits, runner settings, notification flags This is genuinely useful for support triage — the kind of "what version of everything is this server running?" question that previously required SSH access. The endpoint is correctly gated by `adminMiddleware` server-side, with the UI also guarding render with `v-if="user && user.admin"`. Notably, several of these values were already exposed to all authenticated users via `/api/info`; the new endpoint is *more* restrictive than what existed before. *** #### Ansible jumps two major versions \[[#&#8203;3736](https://github.com/semaphoreui/semaphore/pull/3736)]\([#&#8203;3736](https://github.com/semaphoreui/semaphore/pull/3736)) (first contribution from `@sevencastles`) bumps the bundled Ansible from **11.1.0 → 13.5.0** (`ansible-core 2.20.4`). This is a non-trivial jump for anyone running Ansible workloads against the Semaphore image — playbooks that relied on collections or behavior from Ansible 11 should be re-tested. There are no notes about pinned-version overrides, so the upgrade is mandatory for users on the official image. *** #### Terraform: stop logic finally works \[[#&#8203;3694](https://github.com/semaphoreui/semaphore/pull/3694)]\([#&#8203;3694](https://github.com/semaphoreui/semaphore/pull/3694)) — a long-standing bug from `@JulianKap`: stopping a Terraform task while it sat in `waiting_confirmation` (the human-approval gate between plan and apply) didn't actually stop it. Now it does. 
For anyone using Terraform integration, this closes one of the more annoying state machine quirks. *** #### Quality-of-life and infrastructure A few smaller items worth flagging: - **i18n correctness** (\[[#&#8203;3764](https://github.com/semaphoreui/semaphore/pull/3764)]\([#&#8203;3764](https://github.com/semaphoreui/semaphore/pull/3764)), first contribution from `@lawrence3699`) — CLI command strings are no longer translated. Translating `ansible-playbook` into other languages was, predictably, breaking command execution. - **Process file ownership** (\[[#&#8203;3777](https://github.com/semaphoreui/semaphore/pull/3777)]\([#&#8203;3777](https://github.com/semaphoreui/semaphore/pull/3777))) — `chown` is now scoped to directories the process actually has access to, instead of attempting it everywhere and erroring noisily. - **README** (\[[#&#8203;3742](https://github.com/semaphoreui/semaphore/pull/3742)]\([#&#8203;3742](https://github.com/semaphoreui/semaphore/pull/3742)), first contribution from `@gaetan-steininger`) — updated to recommend SQLite over Bolt, which is now deprecated. Worth noting alongside the Bolt-driver concern raised on [#&#8203;3804](https://github.com/semaphoreui/semaphore/issues/3804): **Bolt's days are numbered**, and new features may not get the same testing coverage on it. *** #### Dependency churn This release pulled in a high volume of dependency bumps. The notable security-relevant ones: - `go-git/go-git/v5` → **v5.17.2** (\[[#&#8203;3732](https://github.com/semaphoreui/semaphore/pull/3732)]\([#&#8203;3732](https://github.com/semaphoreui/semaphore/pull/3732)), \[[#&#8203;3751](https://github.com/semaphoreui/semaphore/pull/3751)]\([#&#8203;3751](https://github.com/semaphoreui/semaphore/pull/3751))) — security advisory fix. 
- `go-jose/go-jose/v4` → **v4.1.4** ([#3745](https://github.com/semaphoreui/semaphore/pull/3745)) — patches CVE-2026-34986 (DoS via JWE decryption panic), which is in Semaphore's path because it's transitively used by the OIDC login flow.
- `axios` → **v1.15.0/v1.15.2** ([#3756](https://github.com/semaphoreui/semaphore/pull/3756), [#3800](https://github.com/semaphoreui/semaphore/pull/3800)) — security advisory.
- `node-forge` → **1.4.0** ([#3728](https://github.com/semaphoreui/semaphore/pull/3728))
- `go-ldap/ldap/v3` → **v3.4.13** ([#3767](https://github.com/semaphoreui/semaphore/pull/3767))
- `Azure/go-ntlmssp` → **v0.1.1** ([#3794](https://github.com/semaphoreui/semaphore/pull/3794)) — also feeds into the Azure work.

Plus routine bumps of `lodash`, `picomatch`, `flatted`, `follow-redirects`, `prettier`, `core-js`, `dotenv`, `openai`, and `actions/checkout`. A small style/config cleanup ([`588b369d`](https://github.com/semaphoreui/semaphore/commit/588b369d)) removes some extra config validation.

***

#### New contributors

Four first-time contributors landed code this release: `@gaetan-steininger`, `@lawrence3699`, `@sevencastles`, and `@setswei`. The community continues to broaden.

***

#### Headline takeaways for upgraders

1. **If you use external secret managers**, this is a meaningful release — AWS SM and Azure KV are now first-class.
2. **If you provision API tokens programmatically**, plan for the new `expires_at` and `name` fields; they're optional but the inflection point to start using them is now.
3. **If you run Ansible playbooks via Semaphore**, validate against ansible-core 2.20.4 before upgrading production.
4. **If you're still on the Bolt driver**, evaluate migrating to SQLite — the README now recommends it and at least one PR in this release ([#3804](https://github.com/semaphoreui/semaphore/pull/3804)) had a noted Bolt-specific concern.
5. **If you operate a multi-team installation**, the new tagged-global-runner model is worth designing around — it removes one of the longest-standing rough edges in shared-fleet runner setups.

### [`v2.17.39`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.39)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.38...v2.17.39)

#### Bugfixes

- BoltDB migrator: skipping broken vaults during migration

### [`v2.17.38`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.38)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.37...v2.17.38)

#### Changes

- Added namespace support for HashiCorp Vault (Pro/Enterprise)
- Fixed critical bug with BoltDB migration.

### [`v2.17.37`](https://github.com/semaphoreui/semaphore/compare/v2.17.36...v2.17.37)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.36...v2.17.37)

### [`v2.17.36`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.36)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.35...v2.17.36)

#### Changelog

- [`07b5c05`](https://github.com/semaphoreui/semaphore/commit/07b5c059ead248bea4f5713d838b475d97195d86) fix(subscr): show correct message
- [`6b5a4ae`](https://github.com/semaphoreui/semaphore/commit/6b5a4aebda8ed2f46ece2262cae1ebc516559498) Merge pull request [#3754](https://github.com/semaphoreui/semaphore/issues/3754) from semaphoreui/fix/ldap\_filter\_injection

### [`v2.17.35`](https://github.com/semaphoreui/semaphore/compare/v2.17.34...v2.17.35)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.34...v2.17.35)

### [`v2.17.34`](https://github.com/semaphoreui/semaphore/compare/v2.17.33...v2.17.34)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.33...v2.17.34)

### [`v2.17.33`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.33)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.32...v2.17.33)

#### Changelog

- [`629fc09`](https://github.com/semaphoreui/semaphore/commit/629fc09c658c4861048cc5411a191476faf53c1b) fix(repo): use \*\_internal directory to store requirements hash file

### [`v2.17.32`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.32)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.31...v2.17.32)

#### Semaphore UI v2.17.32 – Release Summary

This release focuses on **runner reliability, security improvements, and overall stability**, along with several bug fixes and translation updates.

##### 🚀 Improvements

- **Smarter runner distribution**
  Runners are now selected randomly, improving load balancing and avoiding uneven task distribution across runners.

##### 🔐 Security & Safety

- **Config validation at startup**
  The `access_key_encryption` setting is now validated during startup to prevent misconfiguration issues early.
- **Stronger permission checks**
  Restoring projects from backup now requires admin permissions, improving security around sensitive operations.

##### 🐛 Bug Fixes

- Fixed nil pointer crash in runner updates when tasks are not part of a pool
- Fixed incorrect handling of Git branch names containing slashes
- Improved runner shutdown logic to ensure progress is uploaded before termination
- Fixed inconsistencies in task status updates
- Minor fix for a missed import

##### 🌍 Localization

- Improved Traditional Chinese (zh\_TW) translations and consistency

***

#### What's Changed

- fix(i18n): improve Traditional Chinese (zh\_TW) translations by [@tan9](https://github.com/tan9) in [#3701](https://github.com/semaphoreui/semaphore/pull/3701)
- fix(config): validate access\_key\_encryption at startup by [@abh](https://github.com/abh) in [#3710](https://github.com/semaphoreui/semaphore/pull/3710)
- fix(i18n): improve zh\_TW translation consistency by [@tan9](https://github.com/tan9) in [#3705](https://github.com/semaphoreui/semaphore/pull/3705)
- Fix branch names with slashes truncated in GetRemoteBranches by [@Copilot](https://github.com/Copilot) in [#3717](https://github.com/semaphoreui/semaphore/pull/3717)
- Add admin permission check for project restore from backup by [@JulianKap](https://github.com/JulianKap) in [#3695](https://github.com/semaphoreui/semaphore/pull/3695)
- chore(deps): update dependency axios to v1.13.6 by [@renovate](https://github.com/renovate)\[bot] in [#3692](https://github.com/semaphoreui/semaphore/pull/3692)
- fix: nil pointer dereference in UpdateRunner when task not in pool by [@cursor](https://github.com/cursor)\[bot] in [#3727](https://github.com/semaphoreui/semaphore/pull/3727)
- feat: randomize runner selection by [@agrrh](https://github.com/agrrh) in [#3722](https://github.com/semaphoreui/semaphore/pull/3722)
- fix(runners): gate one-off shutdown on acknowledged progress upload by [@fiftin](https://github.com/fiftin) in [#3738](https://github.com/semaphoreui/semaphore/pull/3738)
- fix/status updating by [@fiftin](https://github.com/fiftin) in [#3737](https://github.com/semaphoreui/semaphore/pull/3737)

#### New Contributors

- [@tan9](https://github.com/tan9) made their first contribution in [#3701](https://github.com/semaphoreui/semaphore/pull/3701)
- [@abh](https://github.com/abh) made their first contribution in [#3710](https://github.com/semaphoreui/semaphore/pull/3710)
- [@cursor](https://github.com/cursor)\[bot] made their first contribution in [#3727](https://github.com/semaphoreui/semaphore/pull/3727)
- [@agrrh](https://github.com/agrrh) made their first contribution in [#3722](https://github.com/semaphoreui/semaphore/pull/3722)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.31...v2.17.32>

### [`v2.17.31`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.31)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.30...v2.17.31)

#### Changelog

- Fix Devolutions icon

### [`v2.17.30`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.30)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.29...v2.17.30)

#### Changelog

- [`3f8c2b9`](https://github.com/semaphoreui/semaphore/commit/3f8c2b9fc9bf1484d8875be6eab797450c59fd84) fix(env): allow empty secret prefix

#### What's Changed

- fix: windows abs path support by [@fiftin](https://github.com/fiftin) in [#3720](https://github.com/semaphoreui/semaphore/pull/3720)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.28...v2.17.30>

### [`v2.17.29`](https://github.com/semaphoreui/semaphore/compare/v2.17.28...v2.17.29)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.28...v2.17.29)

### [`v2.17.28`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.28)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.27...v2.17.28)

#### Release v2.17.28

This release improves runner-to-task tracking and fixes task status handling in the runner update flow.

A new `runner_id` field was added to tasks in the database, which makes it possible to persist the association between a task and the runner executing it. This improves internal task tracking and lays the groundwork for more reliable runner state handling.

This release also fixes a bug in the runner update logic where the current task state was checked using the wrong field. In `api/runners/runners.go`, the status check was corrected from `job.Status.IsFinished()` to `tsk.Task.Status.IsFinished()`, ensuring the system evaluates the actual stored task state before applying runner updates. This makes task state transitions more accurate during runner execution.

##### What's changed

- Added `runner_id` to the task record in the database for better runner-to-task association. ([#3712](https://github.com/semaphoreui/semaphore/pull/3712))
- Fixed runner task status validation to use the actual task status field instead of the job status field.

##### Full Changelog

<https://github.com/semaphoreui/semaphore/compare/v2.17.27...v2.17.28>

### [`v2.17.27`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.27)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.26...v2.17.27)

#### Bugfixes

- Fixed bug with running Terragrunt

<img width="1141" height="804" alt="image" src="https://github.com/user-attachments/assets/6718e50f-4091-4128-84dc-2d153d0b64e1" />

### [`v2.17.26`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.26)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.25...v2.17.26)

#### Changelog

- [`3b278d1`](https://github.com/semaphoreui/semaphore/commit/3b278d1662440c8ba280f1549ffcd2d684ca4778) fix(secrets): null pointer

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.24...v2.17.26>

### [`v2.17.25`](https://github.com/semaphoreui/semaphore/compare/v2.17.24...v2.17.25)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.24...v2.17.25)

### [`v2.17.24`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.24)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.23...v2.17.24)

#### Changelog

- [`b9cb5be`](https://github.com/semaphoreui/semaphore/commit/b9cb5beb6156fd9dcc252e3c503c405f5d319580) fix(secrets): provide source storage type in var groups

#### What's Changed

- fix: fixed a race condition for terraform task statuses by [@JulianKap](https://github.com/JulianKap) in [#3686](https://github.com/semaphoreui/semaphore/pull/3686)

#### New Contributors

- [@JulianKap](https://github.com/JulianKap) made their first contribution in [#3686](https://github.com/semaphoreui/semaphore/pull/3686)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.22...v2.17.24>

### [`v2.17.23`](https://github.com/semaphoreui/semaphore/compare/v2.17.22...v2.17.23)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.22...v2.17.23)

### [`v2.17.22`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.22)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.21...v2.17.22)

This patch release includes a small fix related to integrations permissions.

#### Fixes

- Fixed permissions handling for integrations.

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.21...v2.17.22>

### [`v2.17.21`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.21)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.20...v2.17.21)

#### Changelog

- [`3a04fda`](https://github.com/semaphoreui/semaphore/commit/3a04fda0df128ca648855ccc4a369f38112d2f05) Merge branch '2-17-stable' into develop

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.17...v2.17.21>

### [`v2.17.20`](https://github.com/semaphoreui/semaphore/compare/v2.17.19...v2.17.20)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.19...v2.17.20)

### [`v2.17.19`](https://github.com/semaphoreui/semaphore/compare/v2.17.18...v2.17.19)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.18...v2.17.19)

### [`v2.17.18`](https://github.com/semaphoreui/semaphore/compare/v2.17.17...v2.17.18)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.17...v2.17.18)

### [`v2.17.17`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.17)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.16...v2.17.17)

#### Changelog

- [`9c82d18`](https://github.com/semaphoreui/semaphore/commit/9c82d18dcaeb0220e86801e452e8fc1a1c4b153d) Merge pull request [#3689](https://github.com/semaphoreui/semaphore/issues/3689) from semaphoreui/load\_secrets

#### What's Changed

- chore(deps-dev): bump svgo from 2.8.0 to 2.8.2 in /web by [@dependabot](https://github.com/dependabot)\[bot] in [#3682](https://github.com/semaphoreui/semaphore/pull/3682)
- Load secrets by [@fiftin](https://github.com/fiftin) in [#3689](https://github.com/semaphoreui/semaphore/pull/3689)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.16...v2.17.17>

### [`v2.17.16`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.16)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.15...v2.17.16)

#### Changelog

- [`140584f`](https://github.com/semaphoreui/semaphore/commit/140584f62d619bb89d2dfeea8cc7e1bb75d772bf) ci(docker): fix migration condition

#### What's Changed

- feat(migrator): respect flag --merge-existing-users which allows use of existing users by [@fiftin](https://github.com/fiftin) in [#3673](https://github.com/semaphoreui/semaphore/pull/3673)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.15...v2.17.16>

### [`v2.17.15`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.15)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.14...v2.17.15)

Here’s a clean release summary you can use:

***

### Semaphore UI v2.17.15

#### Overview

This release improves secret management flexibility and includes minor internal cleanup and dependency updates.

#### ✨ Highlights

##### 🔐 Read Secrets from Raw Files

You can now load secrets directly from a raw file. This makes it easier to integrate with:

- Docker/Kubernetes secret mounts
- Vault Agent file sinks
- External secret management systems

This enhancement simplifies secure automation workflows and improves compatibility with production setups.

#### What's Changed

- feat(secrets): allow read secret from raw file by [@fiftin](https://github.com/fiftin) in [#3654](https://github.com/semaphoreui/semaphore/pull/3654)
- chore(deps): update dependency openai to v6.25.0 by [@renovate](https://github.com/renovate)\[bot] in [#3533](https://github.com/semaphoreui/semaphore/pull/3533)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.14...v2.17.15>

### [`v2.17.14`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.14)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.12...v2.17.14)

#### Changelog

- Fixed null pointer in Backups

### [`v2.17.12`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.12)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.10...v2.17.12)

#### 🚀 Release Summary

This release introduces improved task control, an important database migration capability, and multiple dependency updates for stability and security.

##### ✨ Highlights

**BoltDB → SQL migration tool (major step forward)**

- A new backend migration utility allows moving from **BoltDB to SQL databases**. This is a key improvement for scalability and aligns with the future removal of BoltDB support.

##### 🔧 Maintenance & Security

- Updated multiple Go modules (crypto, OAuth2, PostgreSQL driver).
- Updated frontend tooling (Prettier).
- Edwards25519 dependency updated (core and Pro).
- General dependency fixes and stability improvements.

##### 🙌 Community

- Welcome **[@darcystan](https://github.com/darcystan)** for their first contribution!

#### Changelog

- [`3e5e0de`](https://github.com/semaphoreui/semaphore/commit/3e5e0dec9f58b03915a19ef19db0cbc93cca734d) ci(github): return GH\_TOKEN for docker

#### What's Changed

- Added host limit values in Task parameters instead of just Yes by [@darcystan](https://github.com/darcystan) in [#3637](https://github.com/semaphoreui/semaphore/pull/3637)
- chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#3642](https://github.com/semaphoreui/semaphore/pull/3642)
- chore(deps): update dependency prettier to v3.8.1 by [@renovate](https://github.com/renovate)\[bot] in [#3635](https://github.com/semaphoreui/semaphore/pull/3635)
- feat(be): boltdb to sql migration tool by [@mgukov](https://github.com/mgukov) in [#3620](https://github.com/semaphoreui/semaphore/pull/3620)
- chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 in /pro by [@dependabot](https://github.com/dependabot)\[bot] in [#3644](https://github.com/semaphoreui/semaphore/pull/3644)
- fix(deps): update module github.com/lib/pq to v1.11.2 by [@renovate](https://github.com/renovate)\[bot] in [#3645](https://github.com/semaphoreui/semaphore/pull/3645)
- fix(deps): update module golang.org/x/crypto to v0.48.0 by [@renovate](https://github.com/renovate)\[bot] in [#3646](https://github.com/semaphoreui/semaphore/pull/3646)
- fix(deps): update module golang.org/x/oauth2 to v0.35.0 by [@renovate](https://github.com/renovate)\[bot] in [#3648](https://github.com/semaphoreui/semaphore/pull/3648)

#### New Contributors

- [@darcystan](https://github.com/darcystan) made their first contribution in [#3637](https://github.com/semaphoreui/semaphore/pull/3637)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.8...v2.17.12>

### [`v2.17.10`](https://github.com/semaphoreui/semaphore/compare/v2.17.9...v2.17.10)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.9...v2.17.10)

### [`v2.17.9`](https://github.com/semaphoreui/semaphore/compare/v2.17.8...v2.17.9)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.8...v2.17.9)

### [`v2.17.8`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.8)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.7...v2.17.8)

#### Release Summary

This is a small maintenance release focused on improving task control and integration behavior, along with routine dependency updates.

##### ✨ New Features

- **Force stop all tasks**
  Added the ability to stop all running tasks with force option, giving administrators faster control in emergency or cleanup scenarios.

##### 🔧 Improvements & Fixes

- **Integration value priority fix**
  Extracted values in integrations now correctly take precedence, ensuring more predictable configuration behavior.

#### Changelog

- [`38d2d2a`](https://github.com/semaphoreui/semaphore/commit/38d2d2ae92d113ee54e0da00d2072f4eeae009fc) fix(integrations): extracted values has priority

#### What's Changed

- chore(deps): update dependency cron-parser to v5.5.0 by [@renovate](https://github.com/renovate)\[bot] in [#3632](https://github.com/semaphoreui/semaphore/pull/3632)
- feat: add stop all force by [@fiftin](https://github.com/fiftin) in [#3633](https://github.com/semaphoreui/semaphore/pull/3633)
- chore(deps): update dependency dotenv to v17.3.1 by [@renovate](https://github.com/renovate)\[bot] in [#3634](https://github.com/semaphoreui/semaphore/pull/3634)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.7...v2.17.8>

### [`v2.17.7`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.7)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.6...v2.17.7)

Release Summary

This release focuses on logging improvements, Docker usability, and dependency updates.

##### ✨ Improvements

- **RFC 5424 syslog support**
  Syslog output now follows the RFC 5424 standard, improving compatibility with enterprise logging systems and SIEM platforms.

##### 🐳 Docker

- **Config path for import fixed**
  Docker deployments now correctly provide the configuration path when importing settings.

#### Changelog

- [`7c3cc4f`](https://github.com/semaphoreui/semaphore/commit/7c3cc4fbdc1401f1030935ab51a1df95cc9bdc4f) fix(docker): provide config path for import

#### What's Changed

- fix(deps): update module github.com/sirupsen/logrus to v1.9.4 by [@renovate](https://github.com/renovate)\[bot] in [#3622](https://github.com/semaphoreui/semaphore/pull/3622)
- feat(syslog): use rfc 5424 output format by [@fiftin](https://github.com/fiftin) in [#3624](https://github.com/semaphoreui/semaphore/pull/3624)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.5...v2.17.7>

### [`v2.17.6`](https://github.com/semaphoreui/semaphore/compare/v2.17.5...v2.17.6)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.5...v2.17.6)

### [`v2.17.5`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.5)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.4...v2.17.5)

#### Release Summary

This release delivers a fix for scheduled task configuration stability.

##### 🛠 Fixes

- **Scheduled task properties saving issue resolved**
  Fixed a bug where task properties were not saved or updated correctly when working with schedules. This improves reliability and consistency of scheduled task configuration.

#### Changelog

- [`23d300c`](https://github.com/semaphoreui/semaphore/commit/23d300c097a4578e7544e30102dd155aa73e5f98) fix(schedule): saving/updating task props ([#3304](https://github.com/semaphoreui/semaphore/issues/3304))

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.4...v2.17.5>

### [`v2.17.4`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.4)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.3...v2.17.4)

#### Summary

This release focuses on **performance improvements, permission fixes, and small usability enhancements**, along with routine dependency updates and test coverage improvements.

##### 🚀 Performance

- **Reduced database queries for tasks**, improving overall performance and responsiveness.

##### 🔐 Permissions & UI fixes

- Template role permissions are now correctly enforced in the UI.
- Integration and role permission checks in the UI have been fixed.

##### ⚙️ Improvements

- Semaphore task details are now available to shell applications via environment variables.
- Adjustments to template directory handling.

##### 🧪 Testing & Maintenance

- Added unit tests for `getHomeDir`.
- Upgraded `core-js` dependency.
- Internal optimizations and minor fixes.

#### Changelog

- [`e49d030`](https://github.com/semaphoreui/semaphore/commit/e49d0305384212b84b5c4b2ec194d00ed88da40c) Merge pull request [#3619](https://github.com/semaphoreui/semaphore/issues/3619) from semaphoreui/perf/optimize\_db\_queries

#### What's Changed

- \[Snyk] Upgrade core-js from 3.47.0 to 3.48.0 by [@fiftin](https://github.com/fiftin) in [#3611](https://github.com/semaphoreui/semaphore/pull/3611)
- Add semaphore task details to shell apps as environment variables by [@riton](https://github.com/riton) in [#3597](https://github.com/semaphoreui/semaphore/pull/3597)
- test: add unit tests for getHomeDir function by [@Copilot](https://github.com/Copilot) in [#3615](https://github.com/semaphoreui/semaphore/pull/3615)
- home to template dir by [@fiftin](https://github.com/fiftin) in [#3612](https://github.com/semaphoreui/semaphore/pull/3612)
- fix(perms): respect role permissions for templates on ui by [@fiftin](https://github.com/fiftin) in [#3617](https://github.com/semaphoreui/semaphore/pull/3617)
- fix(ui): check permissions for integrations and roles by [@fiftin](https://github.com/fiftin) in [#3618](https://github.com/semaphoreui/semaphore/pull/3618)
- perf(tasks): decrease db queries by [@fiftin](https://github.com/fiftin) in [#3619](https://github.com/semaphoreui/semaphore/pull/3619)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.2...v2.17.4>

### [`v2.17.3`](https://github.com/semaphoreui/semaphore/compare/v2.17.2...v2.17.3)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.2...v2.17.3)

### [`v2.17.2`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.2)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.17.0...v2.17.2)

#### Release Summary

This release introduces high availability improvements, enhanced integrations, and important security and dependency updates.

##### ✨ New Features

- **Active-active high availability**
  Added support for active-active HA deployments, allowing multiple Semaphore UI nodes to operate simultaneously for improved scalability and resilience.
- **Integration task details via headers**
  Integrations can now return created task details through response headers, enabling better automation workflows and easier external system integration.

##### 🔒 Security & Maintenance

- Security updates for **axios** and **go-git**.
- Dependency updates including **express**, **qs**, **webpack**, and **lodash** for improved stability and performance.

##### 👋 Community

- Welcome **[@riton](https://github.com/riton)**, who made their first contribution to Semaphore UI.

#### What's Changed

- chore(deps): bump qs and express in /web by [@dependabot](https://github.com/dependabot)\[bot] in [#3607](https://github.com/semaphoreui/semaphore/pull/3607)
- chore(deps): update dependency axios to v1.13.5 \[security] by [@renovate](https://github.com/renovate)\[bot] in [#3603](https://github.com/semaphoreui/semaphore/pull/3603)
- chore(deps): bump axios from 1.13.2 to 1.13.5 in /web by [@dependabot](https://github.com/dependabot)\[bot] in [#3602](https://github.com/semaphoreui/semaphore/pull/3602)
- feat: Allow integration to return created task details through headers by [@riton](https://github.com/riton) in [#3598](https://github.com/semaphoreui/semaphore/pull/3598)
- feat: add active-active ha by [@fiftin](https://github.com/fiftin) in [#3608](https://github.com/semaphoreui/semaphore/pull/3608)
- chore(deps-dev): bump webpack from 5.95.0 to 5.105.0 in /web by [@dependabot](https://github.com/dependabot)\[bot] in [#3593](https://github.com/semaphoreui/semaphore/pull/3593)
- fix(deps): update module github.com/go-git/go-git/v5 to v5.16.5 \[security] by [@renovate](https://github.com/renovate)\[bot] in [#3596](https://github.com/semaphoreui/semaphore/pull/3596)
- chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 in /web by [@dependabot](https://github.com/dependabot)\[bot] in [#3576](https://github.com/semaphoreui/semaphore/pull/3576)

**Full Changelog**: <https://github.com/semaphoreui/semaphore/compare/v2.17.0...v2.17.2>

### [`v2.17.0`](https://github.com/semaphoreui/semaphore/releases/tag/v2.17.0)

[Compare Source](https://github.com/semaphoreui/semaphore/compare/v2.16.51...v2.17.0)

<a href="https://semaphoreui.com/releases/semaphore-v2_17">
<img width="1536" height="800" alt="image" src="https://github.com/user-attachments/assets/6f8be428-a050-425e-acd1-ce3f0ed85ab0" />
</a>

##### [Semaphore 2.17 Release Details](https://semaphoreui.com/releases/semaphore-v2_17)

1. Syslog support
2. CLI improvements:
   - Import project
   - `--register` flag for `runner` command
3. UI improvements:
   - Custom views
   - New expanded textarea behavior
4. **Stop all tasks** button for a template
5. **Custom roles** *(Enterprise)*
6. **Devolutions Server integration** *(Enterprise)*

#### Links

- Create best docker container
  [![](https://img.shields.io/badge/docker_configurator-0050ab?style=for-the-badge\&logo=docker)](https://semaphoreui.com/install/docker/2_17/) [![](https://img.shields.io/badge/helm_chart-0e1689?style=for-the-badge\&logo=helm)](https://artifacthub.io/packages/helm/semaphoreui/semaphore)
- Join our responsive community
  [![discord](https://img.shields.io/badge/discord_community-510b80?style=for-the-badge\&logo=discord)](https://discord.gg/5R6k7hNGcH)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate-bot added the dependencies, renovate labels 2026-05-10 10:39:24 -04:00
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from d45a5e4dab to e99744e7cd 2026-05-10 11:46:06 -04:00 Compare
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from e99744e7cd to 5215cb33f9 2026-05-10 13:20:38 -04:00 Compare
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from 5215cb33f9 to b43239bb8e 2026-05-10 15:04:56 -04:00 Compare
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from b43239bb8e to b64cd47786 2026-05-10 15:48:47 -04:00 Compare
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from b64cd47786 to a864cac0d7 2026-05-10 16:29:32 -04:00 Compare
Trez.One force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from a864cac0d7 to 7c50a0885e 2026-05-10 17:19:51 -04:00 Compare
Trez.One force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from 7c50a0885e to 201d639265 2026-05-10 17:56:43 -04:00 Compare
Trez.One force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from 201d639265 to 62e31960bb 2026-05-10 17:58:01 -04:00 Compare
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from 62e31960bb to d17115e761 2026-05-10 19:00:47 -04:00 Compare
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from d17115e761 to 9065a96c4e 2026-05-10 19:21:47 -04:00 Compare
renovate-bot added 1 commit 2026-05-10 19:33:17 -04:00
🔧 Renovate: Update (minor) semaphoreui/semaphore Docker tag to v2.18.2
Renovate Image Tag Deployment / Renovate PR Deployment (pull_request) Successful in 4m34s
9c3dbd815c
renovate-bot force-pushed renovate/docker-compose-semaphoreui-semaphore-v2-18-2 from 9065a96c4e to 9c3dbd815c 2026-05-10 19:33:17 -04:00 Compare
Trez.One merged commit 059cc83c81 into main 2026-05-10 19:35:32 -04:00
Trez.One deleted branch renovate/docker-compose-semaphoreui-semaphore-v2-18-2 2026-05-10 19:35:33 -04:00
Reference: Trez/rinoa-docker#2487