2026.1 Series Release Notes

22.0.0-10

Security Issues

  • Added a new cron_triggers:publicize policy (admin_only) and enforcement on create when scope is public. Previously, the cron trigger POST endpoint hardcoded the scope to private and ignored the scope field from the request body, so cron triggers could never be created as public. The scope field is now properly passed through to the database.

  • Added a new dynamic_actions:publicize policy (admin_only) and enforcement on both create and update operations when scope is public. Previously, the dynamic actions POST endpoint did not persist the scope field and neither POST nor PUT enforced a publicize policy, allowing any user with create or update access to make dynamic actions public.

  • Added a new environments:publicize policy (admin_only) and enforcement on both create and update operations when scope is public. Previously, the environment POST endpoint did not accept the scope field in the request body and neither POST nor PUT enforced a publicize policy, allowing any user with update access to make environments public.

  • Added a new workbooks:publicize policy (admin_only) and enforcement on both create and update operations when scope is public. Previously, any project owner could make workbooks public as there was no publicize policy check on the workbook endpoints.

  • All code_sources and dynamic_actions API policies are now restricted to admin users only (admin_only). Previously, these policies defaulted to admin_or_owner, allowing any project owner to create, read, update, and delete code sources and dynamic actions. Operators who need to restore the previous behavior can override the relevant policies in their policy.yaml.

  • The publicize policy for workflows, actions, and event triggers is now restricted to admin users only (admin_only). Previously, any project owner could make these resources public. A new code_sources:publicize policy has also been added with the same admin_only default, and publicize checks are now enforced on both create and update operations for code sources and event triggers where they were previously missing.

22.0.0

New Features

  • The std.ssh action has a new return_result_on_error parameter. When it is set, the std.ssh action also returns with SUCCESS state when the remote command returns non-zero. Users of the std.ssh action should then use the return value structure to decide if the workflow should fail.