Skip to main content

Release Notes

warning

MintPress should be upgraded sequentially, one version at a time, unless there are no breaking changes between them. Skipping versions may result in data loss and unexpected behaviour.

Follow the upgrade guide for more information on how to upgrade MintPress.

[2026-06-29]

Added

  • The Git fetch command is now logged at the start of the fetch output, making it easier to diagnose connectivity and authentication failures by showing the exact command OpsChain ran. See activity details for more information.
  • The FUSE device plugin daemonset now supports additional environment variables via fuseDevicePlugin.env in values.yaml. See fuseDevicePlugin.env for details.
  • Administrators now have a Clusters tab in the system information area that shows every high availability cluster's deployment configuration. You can compare two clusters against each other to spot configuration drift, and compare versions of a cluster's recorded configuration over time.
  • Authentication settings can now be configured via the GUI in the system configuration page.
  • The name of the cluster you are currently connected to is now shown in the version info dialog.
  • If an editable setting is misconfigured in a way that prevents you from signing in, an operator can now recover by overriding it from the deployment. Setting OPSCHAIN_OVERRIDE_<SETTING> in your values.yaml re-applies the supplied value to the matching setting on the next boot, and the override is recorded in the audit history. See overriding a database setting from a deploy for more information.
  • Concurrent image builds can now be throttled to improve performance on busy clusters. See image build settings for details.
  • Forked step processes now set a meaningful process title (e.g. opschain-action deploy, mintpress_ctl.rb run_action) so that active steps are identifiable by their script and action in process monitoring tools such as ps or top. See identifying running OpsChain processes for more information.
  • The expected actions tree for an asset now expands MintModel steps in an actions.rb change to include their full tree — matching what will execute at runtime. For more information about running MintModel steps from an actions.rb, see running MintModel actions as child steps.
  • It is now possible to skip specific steps when starting or retrying a change or workflow run. Set a skip_steps array of glob patterns on the change, workflow run, scheduled change, or scheduled workflow — any step whose identifier matches a pattern is automatically skipped at runtime (full_path is matched for change steps; MintModel steps are matched by their hierarchical step name as it appears in the step tree (e.g. **/Install jdk Binaries); name for workflow steps). See skipping steps for more information.
    • The mask is carried forward automatically on retry, so previously-skipped steps remain skipped without needing to be resubmitted. It can also be overridden at retry time.
    • Approval steps are always exempt — a step with requires_approval_from set will run regardless of any matching pattern.
    • Creating or retrying a change where skip_steps would skip the root step is rejected with a validation error.
  • A new runner.use_fork_for_mintpress_ctl_rb setting controls whether the MintModel executor forks or spawns a new process when running mintpress_ctl.rb. The default (true) preserves existing behaviour; set to false to run in a new process instead.
  • Assigning a template version to multiple assets at once now automatically refreshes each asset's actions, so the available actions reflect the newly assigned version without a manual refresh. If an asset's actions cannot be refreshed, the assignment still succeeds and the affected assets are reported in the response warnings.
  • The settings editors now provide JSON schema autocomplete and inline validation. As you edit the settings for a project, environment, asset, agent, or template version (or the system configuration), you now get key and value suggestions and invalid keys are flagged, matching the schema the server enforces on save.
  • The image build logs now show the commit author alongside the commit SHA and message, making it easier to identify who authored the code an image was built from.
  • It is now possible to update an existing Git remote's URL, allowing its credentials, scheme, or port to be changed without recreating the remote. The host and repository path are immutable — a URL that points the remote at a different repository is rejected, since the existing clone and recorded commit SHAs are tied to the original. As when creating a remote, superusers can opt to scan and trust the new host's SSH key when switching to an SSH URL.
  • Git remotes that use an SSH URL now accept a dedicated passphrase for the SSH key, kept separate from HTTP(S) passwords. SSH key data is required when using an SSH URL, and supplying a passphrase for a non-SSH remote (or a password for an SSH remote) is rejected with a clear error.
  • Two additional settings are now configurable from the admin settings page in the GUI: git_remote.fetch_stale_threshold, which controls how long OpsChain waits before retrying a stale in-progress Git fetch, and log.step_pod_events, which controls whether Kubernetes pod events are included in step logs.
  • When a MintModel generation fails, a "View generated MintModel" button is now shown alongside the error, allowing you to inspect whatever partial output was produced before the failure.
  • The workflow editor now offers autocomplete suggestions when configuring child steps, making it easier to select the correct step name without having to remember exact identifiers.

Fixed

  • Fixed an issue where cancelling the generation of an asset's actions could leave the asset displaying actions belonging to a different asset.
  • Fixed a rare issue where registering a value for sensitive-data masking could cause a step to hang indefinitely if the masker was unavailable. Masking now uses a bounded timeout with retries, so the step fails promptly instead of hanging.
  • You can now trust additional SSH hosts for Git authentication via the new known_hosts global setting, without replacing the bundled known_hosts file. Entries are merged with the bundled defaults, and because they are stored in the database they are preserved across Helm upgrades and redeploys and replicate across high availability clusters. Each entry is validated when saved, so malformed lines are rejected. See adding entries via the known_hosts setting for more information.
  • When creating a Git remote, superusers can now opt to automatically scan and trust the remote's SSH host key. OpsChain registers the scanned key in the known_hosts setting before testing connectivity (trust on first use), so a remote can be added even when its host was not previously trusted. The scanned entry is returned in the response, and the operation is restricted to superusers.
  • Fixed an issue where the step input arguments form was not rendering correctly after an API response format change, causing arguments to be displayed incorrectly or not at all.
  • Fixed an issue where MintModel generation errors were not correctly surfacing any partial results or the phase output and render log viewer buttons.
  • Fixed an issue in the workflow step tree where an incorrect change label was shown in the tooltip on workflow run steps.

Changed

  • The installation guide has been updated to limit access to the installation user and clarify the required sudo privileges.
  • Settings that can be configured via the GUI or API no longer require a restart of the OpsChain API to take effect.
  • A defined set of settings is now managed by the deployment. These are only configurable via your values.yaml file and apply at install and upgrade time. See settings managed by the deployment for the full list.
  • The skip_on_retry attribute on steps is now computed from the owning change's or workflow run's skip_steps array. Patching a step with skip_on_retry: true/false continues to work and translates into an update to that array. skip_on_retry is deprecated and will be removed in a future release. Migrate to skip_steps on the change or workflow run. See skipping steps for more information.
  • Image builds now pull docker.io base images through the bundled in-cluster registry mirror rather than reaching out to Docker Hub directly, reducing external egress and avoiding Docker Hub rate limits.
  • When debug mode is enabled for an asset, the MintModel render logs now also include the MintPress context, the asset's properties, the filtered properties, and the MintPress properties supplied to the MintModel Steps API, making MintModel generation failures easier to diagnose.
  • The Git remote add and edit form has been redesigned with a clearer HTTPS/SSH credential selector. When editing an existing remote, the URL can now also be updated directly in the form.
  • The MintModel "Latest" tab now independently fetches the freshest asset state each time it is opened, ensuring the view always reflects up-to-date data.
  • When an asset does not have a valid MintModel, the messaging on the "Latest" tab has been simplified — detailed error information is no longer shown inline, and instead a direct link to the Generate tab is provided.
  • The admin settings page has been reorganised: Authentication settings now have their own dedicated section, the API settings section has been removed, and Build service settings have been consolidated into a single section.

[2026-06-18]

Added

  • Container image builds now automatically retry up to 3 times when a transient BuildKit error is detected (e.g. a gRPC connection drop). The retry count is configurable via the build_service.max_image_build_retries setting.
  • A new OpsChain.step helper creates a composable wrapper step that combines wait, input, and ignore failure behaviours in a single call. See the step wrapper documentation for more information.
  • A new OpsChain.ignore_failure_step helper is available for wrapping actions as child steps. It creates a thin wrapper action with ignore_failure: true so the change continues even if the step fails. See the ignore failure steps documentation for more information. This is particularly useful for MintModel steps which can't be marked as ignore_failure in the actions.rb natively.
  • A new OpsChain.query helper allows action code to query the OpsChain API server directly, retrieving live node, MintModel, properties, or settings data during a change. The request authenticates with the short-lived API key injected into the step context, which is only generated when the token.change_api_key_expiry_days (or token.agent_api_key_expiry_days) setting is enabled. See the querying the API documentation for more information.
  • The Git logs can now be viewed whilst a template version is being refreshed.
  • API responses now support sparse fieldsets, allowing clients to restrict the fields returned for each resource type using fields[resource_type]=field1,field2 query parameters. See the sparse fieldsets guide for more information.
  • The steps API now returns an additional description field. This is populated for MintModel steps, to provide additional details.
  • A new git_remote.fetch_stale_threshold setting controls how long OpsChain will wait for an in-progress Git fetch before performing a fresh fetch of its own. See the Git remote settings documentation for more information.
  • An event is now created when the actions are regenerated for an asset.
  • A timestamp now shows how long it took to generate a MintModel when running a change.
  • New on_failure.dump_properties setting controls whether resolved resource properties are dumped to the change logs, when a resource controller fails during a change. See the on_failure.dump_properties documentation for more information.
  • New controller.mask_properties settings controls whether sensitive properties supplied to resource controllers are added to the data masker prior to being supplied to the controller. See the controller.mask_properties documentation for more information.
  • The list MintModels and list MintModel history API endpoints now support the limit query parameter to restrict results and filtering and sorting via filter query parameters. See the API filtering & sorting guide for more information.
  • The MintModels and MintModel history API endpoints now support the include query parameter, allowing related resources (e.g. mintmodel_history, mintmodel, opschain_changes) to be sideloaded in a single request. The MintModel history show endpoint includes mintmodel and opschain_changes by default; pass include= (empty) to suppress them.
  • Step tree search — a search bar is now available at the top of the step tree on changes, workflow runs, and workflow overviews. You can type to highlight matching step names and navigate through results with the arrow keys or Enter, making it much easier to locate a specific step in large or complex runs.
  • Step status filter badges — the step tree header now shows a summary of how many steps are in each status (running, waiting, failed, succeeded, etc.). Clicking a status badge highlights all matching steps on the canvas and jumps to the first one, allowing you to quickly focus on steps that need attention without scrolling through the entire tree.
  • Canvas minimap — a minimap overlay now appears in the bottom-right corner of the step tree canvas for changes, workflow runs, and workflow overviews. You can click or drag on the minimap to jump to any part of the tree, which is particularly useful for large runs with many steps.
  • Canvas zoom and fit controls — zoom in, zoom out, fit-to-view, and fit-to-width buttons are now available on the step tree canvas. These controls appear as a floating toolbar, replacing the need to use the scroll wheel alone.
  • Expand/collapse by depth level — the step tree toolbar now includes controls to expand or collapse the tree to a specific depth level. You can step through levels one at a time, making it easier to get an overview of a large change before drilling into details.
  • MintModel phased output viewer — when viewing the latest or generated MintModel for an asset, a "View phased outputs" button is now available when phase output data exists. This opens a panel showing the asset's data at each stage of the MintModel generation pipeline (initial, post-scaleout, post-business-rules, post-resolve, and final). You can also compare any two phases side by side using a diff view.
    • Note: this is only shown when enable_mintmodel_debug is present and set to true under the asset settings.
  • MintModel render logs viewer — a "View render logs" button now appears on the MintModel page when render logs are available, allowing you to inspect the raw output from the rendering process.
  • Git revision fetch progress — when a template version is fetching its git revision, a live progress indicator now appears showing the current fetch stage (e.g. counting objects, receiving objects) along with a percentage. A full scrollable log of the fetch output can be viewed by clicking the indicator.
  • Assets table additional columns — the assets listing table now shows the assigned template name, template version number and state, and the status of action generation (e.g. "Generated", "Generating", "Not available") for each asset. MintModel assets are also labelled directly in the Name column.
  • Data cleanup audit history filter — a new option to delete audit history (jobs) is now available in the data cleanup configuration, with an optional age filter so that only records older than a specified number of days are removed.
  • Audit history richer source links and detail — events in the audit history now include contextual links directly to the relevant resource (change, step, template version, workflow, scheduled activity, git remote, policy, etc.). Hovering a source link shows a tooltip with key details such as status, action, project, and who created it. The individual event detail page now presents the message, path, and progress log as distinct readable sections rather than a raw JSON dump.
  • Audit history project and workflow names in source — where previously only internal codes were shown, source links in the audit history now display human-readable names for projects and workflows.
  • Bulk delete for authorisation policies — You can now select multiple authorisation policies from the table and delete them all at once using the new "Bulk actions" menu. A confirmation dialog lists the policies to be deleted before anything is removed, and any failures are reported individually without blocking the rest of the deletions.

Fixed

  • When generating a MintModel, a new history record is now only skipped if the asset's most recent MintModel history entry already references the same MintModel. Previously, any existing history entry for the same MintModel would be reused, meaning a return to an older model state would not be recorded in the asset's history.
  • Fixed use of nested MintModel steps within an actions.rb (it would inconsistently fail before).
  • Orphaned template versions whose parent template had been deleted are removed on upgrade. An opschain:migration:update event is created for each removed record to allow for auditing.
  • Orphaned MintModel history records whose parent MintModel no longer exists are removed on upgrade. An opschain:migration:update event is created for each removed record to allow for auditing.
  • Fixed conversion of WebLogic property names by forcing the activesupport camelcase implementation in mintpress_ctl.rb.
  • Audit history invalid source links — source links were previously broken for several event types including deleted resources, scheduled activities, git remotes, and authorisation policies. These now resolve correctly.
  • MintModel compare wrong versions loaded — selecting a MintModel version to compare was previously using an incorrect identifier, causing the wrong data to be loaded. This has been corrected.
  • Logs from MintModel steps that were shown on error cleanup are now shown as expected.
  • Actions list sorted alphabetically (case-insensitive) — The list of actions available on an asset is now sorted in a consistent case-insensitive alphabetical order, so actions starting with uppercase or lowercase letters appear in the expected position rather than grouped by case.
  • Git remote link on change details was broken — The link to the git repository on the change detail page was navigating to the truncated display label instead of the full URL. This has been corrected so the link always opens the right destination.

Changed

  • MintModel generation is now skipped during change initialisation when a cached model already exists for the current properties. This avoids a redundant MintModel API call when the asset's MintModel and properties have not changed since the last generation.
  • MintModel "Latest" tab — the latest MintModel view now shows when the MintModel was generated, and surfaces phase output and render log buttons directly in the toolbar when available. If the asset does not have a valid MintModel, a clear message is shown with a Retry button and a shortcut to the Generate tab.
  • MintModel "Compare" tab — the compare view now fetches its own history independently rather than relying on shared data, and errors during loading are handled gracefully with a proper error state.
  • Audit history refresh rate — the audit history page now refreshes every 5 seconds (previously 15 seconds) so that new events appear more promptly.
  • The OpsChain pods now enforce runAsNonRoot: true and avoid entering the pod as root.
  • The LDAP refresh events now carry more detail. The start events record the search base, filter, and timeout, the success event records the per-type entry counts (distinguishing freshly searched counts from cached counts when a type is skipped) and the elapsed search time for each type searched, and all refresh events now include the LDAP host and port. A start event is now only emitted when a filter is actually searched, avoiding a misleading event when the group filter is absent or invalid.

[2026-06-04]

Added

  • The api.env, apiWorker.env, imageCopyJob.env, ldap.env, logAggregator.env, mintModelApi.env, mintModelStepsApi.env, and registryReconcile.env values.yaml settings have been added to allow additional environment variables to be injected into their respective containers. See the additional settings guide for more information.
  • The MintModel executor now logs the mintpress_ctl.rb command that will be run during MintModel steps.
  • An actions.rb file can now run steps defined by the asset's MintModel. Learn more.
  • You can now compare any two nodes (projects, environments, assets, or agents) side by side. The comparison shows differences in settings, properties, assigned templates, agents, and MintModel output between the two nodes. An indicator is shown on the node when it is part of an active comparison.
  • A new LDAP refresh button is available in the Manage Security section to manually trigger an LDAP directory sync without having to wait for the next scheduled refresh.
  • A new deletable permission can now be configured in authorisation policies, giving finer control over who can delete resources.

Changed

PostgreSQL downtime on upgrade

This upgrade modified the default PostgreSQL settings for the database cluster. When deploying, this will cause a short downtime of the database cluster. To avoid any downtime, you can increase the number of database replicas locally and set the db.cnpg.primaryUpdateMethod setting to switchover in your values.yaml file before deploying. See the database settings documentation for more information.

  • The PostgreSQL settings have been adjusted to improve performance in production workloads.
  • The registry reconciliation job is now enabled by default. To disable it, you must now set the registryReconcile.enabled setting to false in your values.yaml file before deploying. See the image cleanup settings and the container image cleanup guides for more information.
  • The worker.* and mintmodel_executor.* settings have been removed and consolidated into the runner.* settings.
    • The existing worker.* or mintmodel_executor.* settings (globally, for projects, for environments, and for assets) are automatically migrated to runner.* on upgrade (but not for changes). Note, if you used these settings you must audit the updates - see the opschain:migration:update event referenced below.
    • The worker.reuse_actions_rb setting is now runner.reuse_actions_rb.
    • An opschain:migration:update event is created for the settings that were changed during upgrade to allow for auditing.
    • Note: changes that had override settings for worker.* or mintmodel_executor.* won't be able to be retried after this update (they can still be repeated, but you will need to update the settings).
  • The agent base image is now based on the same image as the runner, executor and worker.
  • Locally authenticated user accounts can now log in to OpsChain whilst the LDAP server is inaccessible (without needing to change any config).
  • The asset's MintModel history is now updated when actions are refreshed (if the MintModel has changed). Previously, the MintModel used during action refresh was not saved to the asset's history.
  • LDAP integration has been modified to use a background job to synchronise a local store of the LDAP users and groups. See the LDAP synchronisation settings documentation for more information on the new LDAP settings.
  • The template type field is now read-only when editing an existing template, preventing accidental changes to a type that may already be in use.
  • The worker image configuration fields (repository, name, and tag) have been removed from the runner configuration page in Admin settings, as these are no longer managed from the GUI.
  • MintModel generation changes:
    • it now provides more explicit details of failures found when parsing lib classes and modules.
    • a new enable_mintmodel_debug settings has been added to enable extra debug logging for MintModel generation.
    • OpsChain.context and OpsChain.properties are now available within your ERB template to provide more context when concretising the MintModel.

Fixed

  • The edit option in the template actions menu was not opening the edit dialog correctly. This has been fixed.
  • The link to update a git remote from the template layout actions was pointing to the wrong location. This has been fixed.
  • When opening the edit dialog for an existing template, the form fields were not being filled in with the current values. This has been fixed.
  • Navigating to the latest MintModel tab could show stale data. It now re-fetches automatically when the tab is opened.
  • When validating multiple template versions with the same commit, the first validation result no longer causes the others to be removed.
  • The create_local_user task can now be used when the LDAP server is unreachable.
  • The performance of the back end queries that support the policy administrator screens have been improved.
  • The Activities queries have been optimised to improve performance when there are large numbers of activities and user authorisation rules.

[2026-05-26]

Added

  • The authorisation of scheduled activities has been improved.
  • A job to clean up images from the OpsChain image registry has been added and can be configured via the values.yaml file. See the image cleanup settings and the container image cleanup guide for more information.

Changed

  • The runner, executor and worker images are all based on the same base image.
    • This means the mintpress user has been removed from the image, hence the image always runs as opschain.
    • The /opt/mintpress path still exists and contains the MintPress SDK.
    • The home directory of the opschain user remains /opt/opschain.
    • The worker.name configuration default has been updated to opschain-runner-enterprise. This is an automated update.

[2026-05-21]

Added

  • The requires_approval_from usernames and ldap groups can now be sourced from the relevant node's properties. See the settings documentation for more information.

Important breaking changes

  • The OpsChain API will no longer start if the token.secret_key setting (which is originally set from the OPSCHAIN_TOKEN_SECRET_KEY value in your values.yaml) is not set or is empty. This setting was introduce in 2026-04-21 and must be set as part of the security configuration. OpsChain will no longer startup with it unset to prevent accidental misconfiguration.
    • This relates to CVE-2026-45363.
    • Note that changing the value of token.secret_key was broken previously, see the release notes below for more details.

Changed

  • Upgraded all images to AlmaLinux 9.7.
  • CVE-2026-45363 has been mitigated.

Fixed

  • Changing the token.secret_key setting now works as expected.
  • The 2026-05-18 release introduced a bug in the secret resolution API which caused manual lookup of secrets to fail. This has been fixed.

[2026-05-18]

Known issues

  • Changing the token.secret_key setting will make the server return 500 errors for any user who was logged in before the setting changed. Clearing your browser cookies for the OpsChain server will fix this for the affected user.

Fixed

  • When an action fails to execute, the error indicating where the action was defined has been improved to handle MintPress SDK actions.
  • Correct rebuilding of agent image when the template version changes.
  • When multiple parallel steps modify properties in ways that can't be handled, the step moves to failed (rather than system error). This improves/fixes retry of these changes.
  • Steps that report Unable to construct a step result processor for step "..." due to: No such file or directory @ rb_sysopen /steps/.../step_result.json are now marked as failed.
  • Fixed syntax error found (SyntaxError) and invalid multibyte character 0xE2 reported in actions.rb due to incorrect character encoding handling.
  • Fixed issue where the build service would get stuck in a Pending state during an upgrade due to an issue with the fuse-device-plugin. See the FUSE device plugin settings for more information.
  • Running nested steps from the actions GUI for MintModel actions now works.
  • Refresh tokens (and refresh cookies) are now properly revoked when a token destroy request is made to the API.
  • When a page fails to load, the error message is now shown in a consistent position rather than floating in the middle of the page.
  • When a user does not have permission to view properties or settings, a clear "not authorised" message is now shown instead of an unhandled error.
  • Fixed an issue where the admin settings editor did not correctly respect the user's update permissions.
  • Fixed repeating a change that involved nested actions — the correct action path is now used.
  • Fixed the activity volume chart on the dashboard, where the legend and chart area were displaying incorrect colours.
  • Fixed elapsed time in the activities list to count from when a change was created rather than when it started running, giving a more accurate total duration.

Added

  • OpsChain actions and wait steps can now be defined with a custom step_name. When the OpsChain GUI displays the step tree for a change, the step that executes the action will be labelled with the supplied step_name rather than the action method name.
  • You can now include input steps in your actions.rb. These act like regular wait steps however they require the user to provide specific input values in order to continue the step. See the input steps documentation for more information.
  • Each change step now includes a state_timing object in the step response that includes timestamps for when the step entered and exited each state.
  • On completion, the change response now includes a state_timing_summary object, providing a summary of the number of seconds spent building the image, running the step, waiting for user input, and system overhead.
  • The settings version and properties versions endpoints now accept the limit query parameter to limit the rows returned.
  • The default OpsChain Dockerfile can now be downloaded from the OpsChain server. Learn more.
  • New converged_settings endpoints have been added to the API to allow retrieval of the converged settings for a change, template version, asset, environment or project. These endpoints mimic the existing converged_properties endpoints, returning settings rather than properties.
  • The notify JSON supplied when creating a change is now stored with the change and is available in the change response under notify.
  • When a change re-uses the result of a step that already ran successfully in a previous attempt, this is now clearly indicated in the step tree. A history icon appears on the step node, and the step detail panel shows a notice with a link to the original run where the step completed.
  • Steps that require approval now show a full breakdown of all required approvers, their groups, and the current state of each approval in a popover. You can see who has approved or rejected, when they did so, and any message they left. The summary on the step node updates as approvals come in (e.g. "Requires approval (1 of 3)").
  • A new Inherited settings tab is available on the settings page for all node types (projects, environments, assets, and agents). This shows the fully resolved settings that a node will use at runtime, accounting for values inherited from parent nodes. Each setting can be annotated with its source via a "Show/Hide sources" toggle. The same view is also available on the Change settings tab.
  • Settings can now be viewed and compared directly from a template version's detail page.
  • All notification toasts (success, error, and info) now include a Copy button to copy the message text to the clipboard. Notifications also stay visible for longer before auto-dismissing.
  • When opening the "Compare versions" tab for settings or properties, the two most recent versions are now pre-selected automatically, so you can see what changed straight away without having to pick versions manually. Up to 500 versions are now loaded, and they are listed in chronological order.
  • When a step in a change requires user-provided values before it can proceed, a dedicated dialog is now shown to collect those inputs. Each field is presented with its name, type, and description. Once submitted, the change continues automatically. After a step has been continued, users can view the values that were supplied at the time — the same dialog opens in a read-only mode, showing what was entered and who submitted it (including any message they left).
  • The ignore_failure option has been added to actions with child steps. Child step failure will no longer cause the parent step to fail when this option is enabled. This can be used to allow a change to continue running even if a non-critical step fails.

Changed

  • The long-running database query timeout configuration has now been split.
  • The fuse-device-plugin will now only run if the buildService.rootless and fuseDevicePlugin.enabled settings are set to true. Consider enabling it if you are running a Kernel version older than 5.11. Refer to the FUSE device plugin settings for more information.
  • The change approval feature has been enhanced to support action specific approval. See the requires approval from setting in the settings documentation for more information.
  • The step and change approved_by, continued_by, rejected_by and cancelled_by attributes will now be returned in the same format [{ "username": "peter", "message": "user supplied message", "date": "2026-05-12T04:53:05Z"}]
  • The log_lines link in each step response now reflects the actual step where the logs where generated. For a regular change, this will be a link to the current step's logs. For a retried change, if the original step succeeded during one of the previous attempts, the link will point to the original step's logs.
  • Changes will now store the converged settings that were used to run the change. Settings queries during the change execution will use the persisted settings for the change rather than the current system values. This ensures changes will be unaffected by any settings changes that occur during their execution.
  • The updated_at date for a token is now updated to the current date and time each time the token is used.
  • the action_methods argument for the controller method in actions.rb has been removed and its functionality has been absorbed into the available_actions argument. See the actions documentation for more information.
  • The timing section on a change's detail page now shows a breakdown of how time was spent during the change run. At a glance you can see execution time and system time as separate figures. Clicking the timing area opens a detailed view that breaks down time spent in each phase — such as time spent running, waiting for approvals, and building images — alongside a full state-by-state timeline with start and end times.
  • When a waiting step requires input arguments before it can continue, the GUI now presents a dedicated "Provide input arguments" dialog instead of the plain continue action.
  • Repeating a change: When repeating a change, the original override settings and properties are now fetched accurately — including for changes that were themselves a repeat of an earlier run. A loading indicator is shown while this is happening, and a clear error message is displayed if the values cannot be retrieved.
  • Links to git commits and repositories now work correctly for a wider range of Git hosting providers, including Azure DevOps (both modern and legacy URLs), AWS CodeCommit, Oracle Cloud Infrastructure, and Sourcehut, in addition to GitHub, GitLab, and Bitbucket. SSH remote URLs are now also converted into browser-friendly links automatically.
  • Change Git details: The Git remote URL and revision are now truncated in the change detail card for readability, with the full values available on hover. A direct "Go to commit" link also appears in the hover card.
  • Top activities panel: The dashboard activity table column order and layout have been improved.

Removed

  • The bespoke singular MintPress SSH key support has been removed. This means the mintPressSSHKey configuration has been removed from the chart.
    • This means the mintpress-ssh-key secret can be removed after update (this secret is not removed automatically). The uninstall documentation shows how secrets can be removed. (Note, it references different secrets.)

    • We suggest putting SSH keys into OpsChain file properties (via the secret vault) instead as it is more flexible. The example below shows how this can be added to your properties (do not remove any existing properties):

      {
      "opschain": {
      "files": {
      "/opt/mintpress/.ssh/id_rsa": {
      "format": "base64",
      "mode": "0600",
      "content": "{{ SSH private key contents, base64 encoded - just like `mintPressSSHKey` }}"
      }
      },
      "env": {
      "SSH_KEY_PATH": "/opt/mintpress/.ssh/id_rsa"
      }
      }
      }

[2026-04-30]

Important breaking changes

  • lazy blocks no longer automatically derive a resource (or controller). This means the property definition such as lazy_property(lazy { :resource }) needs to be called with ref (or resource), e.g. lazy_property(lazy { ref(:resource).controller }).
  • Strings and symbols no longer provide access to a controller with an equivalent name automatically (i.e. 'resource'.controller is no longer supported). The resource must be reference via ref (or resource) explicitly, e.g. ref('resource').controller.
  • The literal keyword has been removed. Due to the changes to lazy blocks (above) it is no longer required.

Fixed

  • Handling of resource property resource resolution has now been improved to avoid infinite recursion.
  • It is no longer possible to refetch a template version Git revision while a change is running for this template version because this would lead to the change failing.
  • Fixed issue where the run change and run workflow dialog would hold on to previous values.
  • Improved search on available actions of an asset including a total and filtered count.

Changed

  • The full error message is now shown when MintModel generation fails.
  • Tabs on run change and workflow dialog now show a small checkmark if the values under the respective tabs have been altered or added from a previously run change. These include property and setting overrides, as well as metadata.
  • Minor adjustments to colours on the dashboard widgets.
  • Minor adjustments to colours on trees (change, workflow run, workflow overview and available actions).

Added

  • The change step response now includes details about how long the image took to build. Note: this may be null if the step didn't need to build an image.
  • The action server now sets a process title (OpsChain action server) so that it can be more easily identified when debugging. See identifying running OpsChain processes for more information.
  • The parallel_change_worker_steps setting can now be overridden with change settings overrides, or via the parent asset, environment, or project.
  • On change failure OpsChain will now output the details of the resource whose action failed.
  • The keyword ref now has an alias resource to make it clearer what it returns. Both names can be used interchangeably.
  • When an action fails to execute, the error now shows where the action was defined.
  • Change properties now show a loader when fetching change/step properties.

[2026-04-23]

Added

  • When an action raises an exception during processing, OpsChain will now output the names of all resource types and resources that have been defined by the actions.rb. Where possible, the property values of each resource's properties will also be included.

Changed

  • The OpsChain API now uses less memory (in particular PSS).

Fixed

  • Only MintModel actions that are specified with available_actions are displayed in the GUI. This only affects MintModel actions.
  • When a MintPress change API returns a unprocessable_content response, it no longer creates change that will be stuck in initializing.

[2026-04-21]

Important breaking changes

  • The mintpress.executor_image.name and mintpress.executor_image.pull_policy properties have been replaced by settings. To override the MintModel executor image, configure the MintModel executor settings. Due to the schema used in OpsChain properties, these properties need to be removed before changes can be run, etc.
  • The OpsChain API can now be accessed using bearer tokens. See the Tokens endpoints in the Security section of the OpsChain API docs for more information. To support the new token generation logic, you will need to add the OPSCHAIN_TOKEN_SECRET_KEY to your values.yaml before deployment. The Ruby SecureRandom.hex(64) method can be used to generate a 512bit (128 character) secure string to use as the token secret key.
  • An email address is now required when creating users with the OpsChain user utilities.

Added

  • The agent.image_override, mintmodel_executor.image_override, runner.image_override and worker.image_override settings have been added.
  • A new debug toolbox has been added to help debugging and troubleshooting OpsChain deployments and networking issues.
  • OpsChain now provides better error messages for typos in resources, for example suggesting a property name that may have been intended instead.
  • The OpsChain DSL now provides the OpsChain.run_action keyword for running another action programmatically.
  • A new OpsChain dashboard has been added to the GUI to provide a high-level overview of the system's status and health, as well as quick access to important resources and information.
  • A new OPSCHAIN_DATABASE_STATEMENT_TIMEOUT settings has been added to allow configuring a timeout for database statements to prevent long-running queries from impacting the performance of the system. The default value is 50s.
  • The update_local_user_email_address utility has been added.

Changed

  • The blocking queue and waiting queue information is now reported separately in the API and GUI for better visibility of the reason why a change or workflow run is waiting to start.
  • The performance of OpsChain action execution has been improved when a large number of resources are defined.
  • Template versions that contain no actions with descriptions are now considered valid. Template versions with no actions defined at all are still considered invalid.
  • If an actions.rb has a default action without a description, a default description is added to ensure it shows up in the GUI.
  • The OpsChain API and workers now terminate long-running database queries based on the OPSCHAIN_DATABASE_STATEMENT_TIMEOUT setting.
  • The create_user and create_local_user commands now require an email address.

Fixed

  • Action description are displayed correctly for actions defined within a controller.
  • MintModel assets now generate their actions correctly.
  • The performance of the internal change activities endpoint has been improved for non-superuser users.
  • Running scheduled changes has been fixed.
  • The /opt/opschain/.ssh and /opt/mintpress/.ssh folders are now created with non-root ownership.
  • The action server is no longer started if worker.reuse_actions_rb is false. Previously it was started but not used.
  • The action server now handles errors during the server startup more correctly. This means changes won't get stuck when there are file permission issues in file properties.
  • The API licence validation was intermittently failing and reporting the licence was expired/missing. This has been resolved and the API will now correctly report the licence status.
  • Modifying the DockerHub username and password via the advanced configuration settings now updates the Kubernetes image pull secret with the new credentials.
  • Accessing post change converged properties for an aborted change will no longer report an error and instead return the properties before the change as aborted.
  • The performance of LDAP queries has been improved, in turn improving the performance of the various security screens in the GUI.

Known issues

  • When a typo is present in actions.rb, the error message may report ArgumentError: wrong number of arguments (given 4, expected 0..3) (ArgumentError). If this happens, the actual cause will be shown further down.

[2026-03-27]

Important breaking changes

  • OpsChain's secret vault storage backend has changed to be database-based rather than file-based, allowing the secret vault to operate in high availability setups.
  • When running a change with pod_per_change_step set to false, OpsChain will now only parse the actions.rb once. This means the top level of this file can't contain any variables that are expected to change throughout the run.
    • To return to the former functionality, set worker.reuse_actions_rb to false.
  • A new OPSCHAIN_ENCRYPTION_SEED_KEY setting has been added to the values.yaml file to supersede the mintpressTransportableKey setting. This key is used to seed the encryption of sensitive data within OpsChain. If you're upgrading from a previous version, set this to the same value as the mintpressTransportableKey setting in your values.yaml file or the contents of the ~/.limepoint/localKey file - if present in your system. The mintpressTransportableKey setting will be ignored in a future release. Refer to the encryption keys guide for more information.
  • The original_change and original_workflow_run metadata attributes in changes and workflow runs have been nested under an opschain parent in the metadata object to avoid potential conflicts with user-defined metadata attributes. In addition, they have been renamed to original_change_id and original_workflow_run_id respectively to better reflect their content.

Added

  • The literal keyword has been added to OpsChain actions.
  • Code which calls .controller or .properties on a string or symbol will now resolve the controller or properties (respectively) for an equivalently named resource (if defined). Learn more.
  • You can now provide alternative DNS names for the CNPG-generated TLS certificates for your database clusters. Read more in the high availability setup guide.
  • OpsChain bulk property assignment can now use the lazy keyword, e.g. properties(lazy { { something: 'slow' } }).
  • If an OpsChain change or workflow run encounters a system failure, a new status "system error" will be applied to the activity.

Changed

  • When not using pod_per_change_step, the actions.rb file will only be loaded once (by default) to improve change performance.
    • To get the old experience (where actions.rb is loaded once per step) set worker.reuse_actions_rb to false.
  • Asset index responses no longer include the asset's actions. This information can be retrieved from the asset show endpoint.

Fixed

  • If the child step definitions returned from an action are invalid, the error will now be properly reported in the parent step's logs rather than causing the entire change to fail without explanation.

[2026-03-19]

Important breaking changes

  • OpsChain agents must be stopped before upgrading. Following the upgrade, each agent image must be rebuilt, and then the agent can be started.

Added

  • A new policy assignment show endpoint has been created to allow the API to return a single policy assignment for a given authorisation policy.
  • Encrypted settings are now able to be decrypted in the GUI when the user has the appropriate permissions.

Fixed

  • Attempting to save multiple default channels of the same type now results in a humanised error message.
  • The OpsChain audit history screen now recognises the superuser role and display all events. Where a user is not the superuser, the security mappings have been corrected to ensure the user can view all events they have access to.
  • MintModel changes will no longer remain stuck in pending and instead will run as expected.
  • The OpsChain DSL duplicate action definition error is now aware of resources and provides better errors.
  • The Audit screen now displays all events the user has access to and respects the superuser role.

[2026-03-16]

Important breaking changes

  • OpsChain agents must be stopped before upgrading. Following the upgrade, each agent image must be rebuilt, and then the agent can be started.

Added

  • Changes and workflow runs can now be created via the event subscriber system. These activities will be tagged with the source event that triggered them, allowing you to click through to the source event in the GUI and view the event details.

Fixed

  • OpsChain no longer reports an error for actions with the same name defined in different resources or namespaces.
  • Resolved issue with step context validation for null requires_approval_from values.
  • API documentation for the workflow create endpoint has been updated to include references to the create_new_version meta attribute.
  • It is no longer possible to provide an empty array as the value for the user_names array in the requires_approval_from setting.

Changed

  • The workflow and change wait step notifications have been enhanced to provide additional information to the notified user.
  • Stack traces in the event data are now displayed in a more readable format by the audit history screens.

[2026-03-13]

Important breaking changes

  • MintPress now requires the OPSCHAIN_GUI_BASE_URL variable to be included in your values.yaml file. This variable should specify the base URL for the MintPress GUI (e.g. https://mintpress.example.com). It is required to ensure links within external notifications are valid and the OpsChain API pod will fail to startup if it is not configured.
  • OpsChain agents must be stopped before upgrading. Following the upgrade, each agent image must be rebuilt, and then the agent can be started.

Added

  • Agents running in OpsChain are now configured with access to the API. Learn more.
  • When using automated certificate management, the generated CA is now automatically loaded into the trusted CA store in OpsChain.
  • When starting an agent, the desired image SHA can now be specified. This must be an image SHA that corresponds with an image build for the same template version. This means the agent can't be started until an image build has succeeded for the current template version.
  • Events for action generation and agent tasks are now included in the event list API.
  • Users can now configure their Slack member id in their notification preferences to receive notifications via Slack (requires a global Slack bot channel to be configured in the administration screens).
  • If users have an email address configured in their LDAP record, or they supply a value in their notification preferences, this will be used to send email notifications to the user. (requires a global SMTP channel to be configured in the administration screens).
  • Workflow wait steps and approval steps now notify the relevant user(s) that the workflow is waiting for approval/to be continued
  • Change approval steps now notify the relevant user(s) that the change is waiting for approval.
  • Users can now elect to be notified when:
    • properties or settings are changed for a project, environment or asset they have access to.
    • various workflow events (started, cancelled, completed, failed) occur for workflows they have access to.
    • various change events (started, cancelled, completed, failed) occur for changes they have access to.
  • A new event subscription system has been implemented allowing filters to be created to identify specific OpsChain events and then perform tasks in response. These tasks can be calling external webhooks, sending notifications to users or channels, or running changes or workflows.

Changed

  • Agents, builds, changes and workflow runs will now be blocked if the log aggregator is stuck or unresponsive to minimize the risk of log loss. If this happens for a prolonged time, an event will be logged every 5 minutes warning about the issue. Once the log aggregator is back online, the blocked resources will resume their operations normally.
  • The agent.sh script is now run with all OpsChain properties environment variables exported.
  • Agents can't be started until their image is built.
  • The asset list API no longer includes the following fields: mintmodel_valid, actions, and erb_file_content. These can be retrieved from the asset show API.
  • The worker image settings (worker.image_tag, worker.name, and worker.repository) can now be overridden in change settings.
  • OpsChain action definitions now use less memory (RAM).
  • The requires_approval_from setting for change approvals now accepts an object consisting of an array of usernames and an array of LDAP groups.
  • The notify tab of the create change and create workflow run dialogs has been redesigned to reflect the new notification preferences and channels.

Fixed

  • The performance for some critical API endpoints has been improved.
  • Fixed a bug where changes wouldn't respect the allow_parallel.changes setting.
  • The opschain-show-properties and opschain-show-context commands no longer log info messages to standard out, which fixes their use in a Linux pipeline when using repository properties.

[2026-02-23]

Added

  • The MintPress Helm chart now supports configuring environment variables in the opschain-image-registry pod. See the example in the chart values.yaml for reference.

Fixed

  • MintPress no longer attempts to connect to the LDAP server when LDAP authentication is not enabled.

[2026-02-20]

Added

  • MintPress now supports agents, a mechanism for executing long-running agents.
  • New Agents UI pages now allow you to view agent info, status, logs and events, as well as add, update and manage agents.
  • New Agent settings section added under Administration -> Configuration.
  • MintModel compare screen now automatically loads the last two MintModels for comparison.
  • Text on the titlebar of all dialogs is now selectable and doesn't drag the dialog when trying to select text.

Changed

  • Template versions Git SHA's are now only refreshed if the Git revision is changed, or the fetch is specifically requested.
  • All settings are now encrypted at rest.
  • The log aggregator now buffers logs in disk rather than memory, reducing the risk of losing logs if Fluentd can't flush them. The PVC size can be configured via the logAggregator.volume.size setting in your values.yaml file. The default value is 1GB.
  • Logs from step runners, template version action generation and agent tasks will now be buffered and their respective pods will try forwarding them to the log aggregator for up to 5 minutes before these logs are lost. Workers will now try forwarding change, step, build and workflow run transitions logs to the log aggregator until their memory buffers are full. If that happens, the logs will be written directly to the database, meaning they won't be sent to your additional log output plugins in case of a persistent log aggregator failure.
  • The members column from the LDAP groups table has been temporarily removed for an upcoming API change.
  • Visual overhaul to headers across all pages for a consistent look and feel focusing on UX improvements.
    • All pages share the same header with distinct actionable sections for info, navigation, and context aware actions.
    • Header badges to clearly differentiate between pages.
    • Breadcrumbs are visually more subtle and now show dropdowns for listing workflows as well.
    • Various fixes to workflow editor for increased reliability when editing details.

Fixed

  • MintModel ERB rendering has been fixed.
  • Fetch failures that are caused by remote files not existing now reflect this rather than reporting that the Git remote does not exist.
  • Viewing converged properties for templated assets now include template-specific properties
  • UI/UX fixes:
    • Pressing escape after search on canvas view (tree renderers) closes the search box instead of not doing anything.
    • The date and time selector component now has more compact time fields, ensuring they don't overflow the calendar's width area.
    • The bookmarks component now shows the node type instead of the word "node".
    • Various fixes to the workflow editor for increased reliability when editing details.
    • The node navigation is now split in two sections (navigation and settings/properties) and has a refreshed design.

Known limitations

  • MintPress agents debug logs are only available for the event-ttl as configured in k3s. This is one hour by default.

[2026-01-27]

Important breaking changes

  • MintPress database is now managed by the CNPG operator. Configuring the operator is required to successfully upgrade to this version. Before upgrading, follow the steps described in the install the CNPG operator section of the high availability setup guide to install the operator in your cluster. We recommend you read the entire guide to understand the upgrade implications and the new features provided by the operator. After installing the CNPG operator and upgrading MintPress, a new database cluster will be available in your Kubernetes cluster.

Added

  • Changes (and scheduled changes) now support settings overrides. The Dockerfile path, the base runner image settings, the worker image settings, the mintmodel_executor image settings, the pod_per_change_step setting, the remove_change_worker_pod setting, and the repo_folder can now be overridden for a change.
  • Workflow runs now provide logging, highlighting the start and end of each step within the workflow run.
  • Workflow wait steps now support a reset_on_retry boolean attribute, allowing you to configure whether the wait step should be reset when the workflow run is retried. By default, this is set to true to ensure approval/wait steps require a response during the retry. Note: if all steps that depend on the wait step were successful, the wait step will not be retried.
  • The current build context is now logged at the start of change logs, providing details of the Git revision and commit message the change is running from.
  • The change retry API endpoint now accepts the refresh_sha attribute. This allows you to retry incomplete change steps, using the latest commit for the branch/tag the change was created for. If the change is for a templated asset, this flag will cause the change to be retried using the template version currently assigned to the asset.
  • Workflow steps and change steps now include a step_sequence attribute, reflecting their position within the parent's step tree.
  • The change and workflow run GUI pages now support retry and repeat when displaying existing activities.
  • The GUI breadcrumb connectors now provide a list of child items allowing you to quickly navigate to other items within the same parent.

Fixed

  • Change worker pod startup failure is now reported in the relevant change's logs.
  • Usernames are no longer case-sensitive.
  • Active workflow runs can longer report a blocking queue.
  • Workflow run retries no longer duplicate successful child changes and workflow runs.
  • Workflow and change retries now respect the existing queue, ensuring they only start when the queue allows them to.
  • Error reporting from the MintModel generation process has been standardised to ensure the JSON error response is structured consistently.
  • The default memory limit for the OpsChain image registry has been increased to 1GiB to prevent out-of-memory issues.
  • The user who approved/continued a workflow wait step is now copied to the retried workflow run's wait step.
  • Various GUI formatting and overflow issues have been resolved.

[2025-12-11]

Added

  • Added the following optional settings to the values.yaml environment variables to provide additional LDAP configuration options: OPSCHAIN_LDAP_GROUPS_FILTER, OPSCHAIN_LDAP_USERS_FILTER, OPSCHAIN_LDAP_LOGGING_ENABLED and OPSCHAIN_LDAP_USE_ADMIN_TO_BIND.

Fixed

  • Fixed support for group filters in the Administration LDAP settings page.

[2025-12-10]

Added

  • Template versions now have their own properties that will be applied to all assets using that template version.
  • Introduced LDAP caching to reduce OpsChain's load on external LDAP servers.
  • Template versions can now be locked to prevent updates to their attributes and related Git commit SHA.
  • Improved logging of pod startup and shutdown events to assist with debugging.
  • Change property overrides can now be modified within actions by using the OpsChain.properties_for(:change) method.
  • Converged step properties can now be accessed for all change steps. Including the action_stage query parameter as pre or post allows the caller to access the properties before or after each step has run.
  • Additional LDAP settings have been incorporated into the OpsChain settings to provide support for user and group filters.
  • Workflow run override properties are now stored with each workflow run and are visible in the GUI.

Changed

  • OpsChain's Helm charts are now available via OCI registry. Visit the installation documentation for more information on how to install and upgrade OpsChain using the new Helm charts.
  • To improve caching, the default Dockerfile no longer copies the .git directory into the image by default. See the custom step runner Dockerfile documentation to see how to use a custom Dockerfile which will allow the contents of the .git directory to be added to the image.
  • Build Dockerfiles and base images are now configurable via node-specific settings.
  • Trow has been upgraded 0.9.2 and now has its own garbage collection process - removing the need for the OpsChain image registry garbage collector deployment.
  • Fluentd has been updated to 1.19.1-2.1 deployment.
  • Templates are now accessed via their UUID rather than template code to enable support for archiving templates.
  • Introduced session specific caching of Rails cache values to reduce database load.
  • The Database information panels have been enhanced in the Administration pages to provide more in-depth information.
  • Authorisation meta has been added to template and template version API responses to indicate whether the user is authorised to update the resource.
  • Workflow metadata is now copied into child changes and workflow runs when they are created.
  • By default, duplicate definitions of an action no longer extend the action and instead raise an exception. This can be overridden by supplying the ignore_defined: true keyword argument.

Fixed

  • Workflow status and change status background jobs have been optimized to ensure change and workflow statuses are updated in a timely manner.
  • Worker pods are now correctly removed when a single pod change root step is cancelled.
  • Uncategorised log lines are now assigned the action category by default.
  • OpsChain worker images no longer report warnings relating to calling fields, count and records methods on nil.
  • OpsChain worker heartbeat logic has been improved to resolve workers being restarted by Kubernetes.
  • The API response performance has been improved across the majority of endpoints.
  • The file name of invalid properties files, whether OpsChain file properties or Git repository properties files are reported in the action logs.

[2025-11-12]

Added

  • Logs now include a category field. All the logs coming from OpsChain will be either output, system or status. Logs generated from user defined actions will have the action category.
  • A helper UI has been added to allow uploading files to properties and optionally save the file content to the secret vault.

Changed

  • The base runner Dockerfile has been optimized for performance. By default, it will no longer include the Git repository's .git folder in the image.
  • Some workflow schemas have been updated. Refer to the API documentation for the latest version.
  • The workflow editor has been improved for better usability.
  • The log lines are now colored based on their category.

Important breaking changes

  • OpsChain image registry has been updated and now includes an internal garbage collector. The upgrade process requires stopping OpsChain and running a few steps to ensure the garbage collector is working correctly:
  • Stop OpsChain
  • Delete the old statefulset: kubectl delete statefulset.apps/opschain-image-registry
  • Delete the old garbage collector deployment: kubectl delete deployment.apps/opschain-image-registry-gc
  • Deploy OpsChain with the new version and wait for it to be ready.
  • Get the image registry persistent volume: PV_NAME=$(kubectl get pvc/data-vol-opschain-image-registry-0 -o jsonpath='{.spec.volumeName}')
  • Ensure your KUBERNETES_NAMESPACE environment variable is set to the namespace of the OpsChain deployment. (e.g. export KUBERNETES_NAMESPACE=opschain)
  • Go into the persistent volume's folder in the host filesystem (the path may vary if you are not using k3s): cd /var/lib/rancher/k3s/storage/${PV_NAME}_${KUBERNETES_NAMESPACE}_data-vol-opschain-image-registry-0
  • Update the file ownership: chown -R 1000:3000 *
  • Enter the OpsChain API container: kubectl exec -it deploy/opschain-api -- "/usr/bin/container_start.sh" "/bin/bash"
  • Once inside the container, do a manual copy of the runner images into the image registry: bundle exec rake opschain:copy_runner_image

Fixed

  • The policy rule editor now supports uppercase characters, dashes and colons in the rule name to allow matching namespaced actions.