We understand that migrations to new resource classes take time, so we’ve added a way to temporarily disable resource class brownouts while you transition. Simply navigate to Organization Settings > Advanced > Enable resource class brownouts to control this setting.

This gives you more flexibility during your migration, though please note that deprecated resource classes will still reach their end-of-life date as scheduled, at which point they’ll no longer be available, regardless of your brownout settings.

We’ll announce the end-of-life schedule for each resource class well in advance, giving you plenty of time to plan your transition. Currently, only Mac M1 and M2 resource classes are being deprecated, with a scheduled EOL date of February 16th, 2026. We’ll keep you informed about any future changes through our changelog and email announcements.

Note

This is the last update for Server 4.7 as it has reached end of life. Please upgrade to Server 4.8.x.

Fixes

• Updated the IMDS client in machine-agent to fallback to IMDSv1 if it can’t communicate with IMDSv2
• Fixed incorrect kong HTTP header
• Fixed a bug where failed pipelines would produce an url that points to circleci.com rather than the CircleCI Server’s domain
• Fix for intermittent “S3 ExpiredToken” errors which occurred during workspace uploads for jobs running longer than 15 minutes

Image Updates

• approval-job-provider-migrator
• audit-log-service
• authentication-svc
• branch-service
• branch-service-migrator
• builds-service
• builds-service-migrator
• circle-www-api
• cron-service
• cron-service-migrator
• domain-service
• domain-service-migrator
• init-known-hosts
• machine-provisioner
• machine-provisioner-migrator
• orb-service
• orb-service-analytics-migrator
• orb-service-migrator
• policy-service
• runner-admin
• runner-admin-migrator
• server-postgres
• server-rabbitmq
• server-redis
• web-ui
• web-ui-authentication
• web-ui-insights
• web-ui-onboarding
• workflows-conductor
• workflows-conductor-migrator

You can now promote artifacts across environments to ensure the code you tested in staging is exactly what goes to production.

Why we built this: Rebuilding your code for each environment creates uncertainty. Is the code in production exactly what you tested in staging? When something breaks, was it a code change or an environment difference? Teams need confidence that what passed validation is exactly what’s being deployed.

How it works:

• Your CI pipeline publishes a versioned artifact (Docker image, JAR, binary) once. After that artifact passes validation in staging, you can promote that exact same artifact to production, other regions, or any environment without rebuilding.

When you’re ready to promote:

• Navigate to the Deploys page and select the artifact version you want to promote
• Choose your target environment from the dropdown
• The same verified artifact moves across your deployment pipeline

This means no more rebuilding for each environment, no more wondering if staging and prod are running identical code, and faster deployments when rolling out to multiple regions.

A new “Test Overview” widget is now visible in the Tests tab on your job page. When test results are uploaded, you’ll now see:

• Total number of tests run
• Test results breakdown (passed, failed, skipped by the test runner or Smarter Testing)
• Time saved from skipping tests with Smarter Testing

Want to reduce your test execution time? Sign up for early access to try Smarter Testing during our preview period.

The Xcode 26.2.0 image is now available to be used in CircleCI pipelines on the M4 Pro resource classes.

Please see the full manifest for information about the software included with this image release.

Known issues:

• iOS 26 simulators sporadically freeze during boot and may fail to start. We recommend pre-booting simulators and, if they don’t start within 60 seconds, terminate them and restart them.
• Device IDs are inconsistently changing across VMs in Xcode 26. This is an OS-level issue that can affect builds relying on consistent device identifiers. We’ve opened a support ticket with Apple and encourage affected users to do the same to help prioritize a fix.

You can now view detailed information about your GitHub App installation directly in CircleCI under Organization Settings > VCS Connections. This includes when the app was installed or last updated, which permissions have been granted, and what repository access level has been configured.

This information is visible to all users in your organization and can help you troubleshoot common issues:

• Installation timestamps help identify when your GitHub App was installed and updated
• Permission details let you verify whether newly requested permissions have been accepted in GitHub
• Repository access level shows whether the app has access to all repos or only selected ones, which can help diagnose issues with repository visibility in CircleCI

Previously, this information was only available on the GitHub installation page and required GitHub admin access. Having it in CircleCI makes it easier to diagnose configuration issues without leaving the platform.

We’ve added a new organization setting called “Enable minor AI-powered features” (under Organization Settings > Advanced) that gives you granular control over smaller AI-powered features across the platform.

This setting currently controls access to our natural language to cron translation feature for GitHub App schedule triggers, and will be used for similar AI-powered convenience features as we add them.

This allows you to manage your AI feature preferences at the organization level, separate from our larger AI capabilities like intelligent build failure summaries and Chunk.

Server 4.9.0 Changelog

Before Upgrading

See the CircleCI server 4.9 release notes and upgrade guide for this release.

NOTE: Vault is being deprecated and will no longer be supported in server 5.0. Refer to our script for steps to migrate to Tink.

What’s New in Release 4.9.0

The v4.9 release introduces serial groups for job serialization, automatic retries for workflows and steps, and improved caching with Zstd compression. In addition, MongoDB 4.4 or higher is required before upgrading to v4.9.

NEW FEATURES

• Serial Groups: A native mechanism for serializing job execution across workflows. Jobs can now be configured to run sequentially using the serial-group key, preventing race conditions in deployments and other concurrent operations. For more information, see the docs.

• Automatic Workflow Reruns: Workflows can now be configured to automatically rerun on failure using the max_auto_reruns configuration key. For more information, see the changelog.

• Automatic Step Retries: Individual steps within jobs can now be configured to automatically retry on failure. For more information, see the changelog.

• Faster Checkout with Blobless Method: The checkout step now supports a method option that enables blobless checkout for faster repository cloning. For more information, see the changelog.

• Zstd Cache Compression: Cache compression now uses Zstd by default, providing faster compression and decompression with better compression ratios. For more information, see the changelog.

• Job-level Cache Retention Controls: Cache retention can now be configured at the job level, allowing more granular control over cache lifecycle. For more information, see the changelog.

• OIDC Token Reliability Improvements: Enhanced retry handling for OIDC token generation, improving reliability in environments with transient network issues. For more information, see the changelog.

• Configurable Max Run Time: Build jobs now support a configurable maximum run time through the builds_service.custom_max_run_time Helm value, allowing operators to override the default 5-hour limit.

• Dark Mode: Users can now enable “Dark mode” through the CircleCI web app, see the changelog.

CHANGES

• Some CircleCI job statuses that were previously marked as skipped were changed to failed, see the changelog.
• Reduced time to start jobs for very large and complex workflows, see the changelog.
• Personal Access Token (PAT) management has been migrated to the authentication-service. PATs are automatically migrated during the upgrade process. This changes requires that the mongoDB instance used by your CircleCI server is at least MongoDB 4.4. You will need to upgrade your mongoDB instance before upgrading to server 4.9.0. Please reference our MongoDB Upgrade instructions if your mongoDB instance is not externalized.
• Context APIs are now served by the CIAM gateway for improved performance and scalability.
• Redis has been updated to the version 6.2.20 to address CVE-2025-49844.
• The feature-flags service has been removed as it is not required for Server installations.
• Deleting contexts double confirmation now asks for the name of the context, see the changelog.
• Branches now displayed in branch picker regardless of trigger settings, see the the changelog.
• Workflow start time & duration are now copyable from CircleCI web app, see the changelog.
• URL Addressable Orbs - Removes the barriers to reusable config by allowing any file in your VCS to become a CircleCI orb. Allowlist rules maintain security and compliance, see the documentation.

BUG FIXES

• Fixed incorrect trigger event display for scheduled workflows. For more information, see the changelog.
• Fixed an issue where pipelines showed errors when all workflows are filtered out. For more information, see the changelog.
• Fixed branch filter dropdown functionality. For more information, see the changelog.
• Fixed project count on “User homepage”, see the changelog.

NEW SERVICES

New services introduced with this release:

• lock-job-provider - Provides job serialization capabilities for serial groups feature (includes internalapi and consumer components)
• no-op-job-provider - Handles no-operation job types used by serial groups

SERVICE CHANGES

• feature-flags - The feature flags service has been removed as it is not utilized by execution services in Server.

DATABASE MIGRATIONS

The following databases will run migrations when upgrading to this version:

• authentication-service
• insights-service
• lock-job-provider
• no-op-job-provider
• oidc-tasks-service
• permissions-service
• runner-admin

KNOWN ISSUES

Using a custom signed certificate will result in an x509 error for Docker, Machinem, and Runner jobs. A fix will be provided shortly in the future.

To learn more about Server 4.9 installation, migration, or operations please review our documentation.

CircleCI OIDC tokens now include two additional claims:

• oidc.circleci.com/workflow-id
• oidc.circleci.com/job-id

These claims provide unique identifiers (UUIDs) for the specific workflow and job, enabling more precise access control policies when authenticating with cloud providers.

You can read more at Using OpenID Connect tokens in jobs

The Insights Snapshot Badge functionality will reach end-of-life on January 12, 2026. After this date, the feature will no longer be available.

As previously announced, this feature is being deprecated. We have updated our community forum with this confirmed date. Impacted users have been notified directly.

As of today, December 3, 2025, the default resource class for macOS jobs for all paid plan organizations has changed from macos.m1.medium.gen1 to m4pro.medium.

Quick reminder:

• If you don’t specify a resource class in your configuration, your jobs are already using the faster m4pro.medium - no action needed.
• Per our previous announcement, m4pro.medium is priced at 200 credits/min compared to 150 credits/min for the previous default, though faster execution times may offset the higher per-minute rate - see our price list for details.
• Your jobs may fail if your configuration specifies an Xcode version that is not available on m4pro.medium. For these cases, you can update your configuration to specify a resource class that does support the required Xcode version. For more information on which Xcode versions are available on which resources classes, see our documentation.
• If your configuration explicitly specifies a different resource class, we recommend updating it to m4pro.medium or removing the resource class specification to avoid configuration parsing issues when these resource classes reach their end of life on February 16, 2026.

For full details, see our original announcement.

We’ve launched a new email notifications experience that gives you more control over your inbox. You can now opt into a “My Work” filter to receive email alerts only for builds you personally triggered.

Getting Started: Enable the “My Work” filter in your notification settings to reduce notification noise and stay focused on your own work.

Learn More:

• Read the documentation
• Share your feedback to help us improve this feature

You can now convert plain English descriptions into cron syntax when setting up GitHub App schedule triggers. Type a description like “every weekday at 9am” or “twice daily” and get the corresponding cron expression automatically generated. You can review and edit the generated syntax before saving.

Some examples:

MFA Now Required

MFA is now required for all CircleCI accounts that use email and password Authentication. Customers with active sessions will be prompted to setup MFA when their session expires.

For more information see the docs.

Web Interface Session Length Has Changed

• Active user session timeout reduced from 1 year to 30 days
• Inactive user session timeout reduced from 2 weeks to 3 days

What This Means

• Active user sessions will be required to re-authenticate after 30 days (previously 1 year).
• Inactive accounts will be required to re-authenticate after 3 days (previous 2 weeks).
• • Email and password authentication users will be required to setup MFA on re-authentication.
• SSO customers can still set custom session timeouts via their IdP provider.
• This change applies to all CircleCI web interface sessions.

Why We’re Making This Change

The session length update brings CircleCI in line with NIST (National Institute of Standards and Technology) recommended security practices and reduces the risk of unauthorized access from dormant sessions.

MFA required for all email and password authentication accounts improves overall account security and aligns with industry best practices.

Unregistered users that trigger builds are now listed individually in Plans > Usage > Users, rather than appearing under a single unregistered user entry.

An unregistered user is how CircleCI tracks users (including automated systems or bots) that trigger builds, but have not signed up for CircleCI. This includes tools or services that perform actions on your behalf, such as CI bots, automation scripts, or dependency update bots, like Renovate.

Each unique active unregistered user counts toward your monthly active user total. Pricing structure remains unchanged (5 free users on Free/Performance plans, then per-user pricing for additional users).

Read this support article to learn more about active users.

Following our Xcode image retention policy we will be deprecating Xcode 16.2 on January 14th 2026.

We will be performing 24 hour brownouts from 00:00:01 to 23:59:59 UTC during which these images will be unavailable. The brownout and deprecation schedule can be found below.

The Xcode 26.2 Beta 2 image is now available to be used in CircleCI pipelines on the M4 Pro resource classes.

Please see the full manifest for information about the software included with this image release.

Known issues:

• iOS 26 simulators sporadically freeze during boot and may fail to start. We recommend pre-booting simulators and, if they don’t start within 60 seconds, terminate them and restart them.
• Metal Toolchain is currently non-functional. A workaround is available by running the following commands before use:

    xcodebuild -downloadComponent metalToolchain -exportPath /tmp/MetalExport/
    sed -i '' -e 's/17C5038g/17A5241e/g' /tmp/MetalExport/MetalToolchain-17C5038g.exportedBundle/ExportMetadata.plist
    xcodebuild -importComponent metalToolchain -importPath /tmp/MetalExport/MetalToolchain-17C5038g.exportedBundle

• Device IDs are inconsistently changing across VMs in Xcode 26. This is an OS-level issue that can affect builds relying on consistent device identifiers. We’ve opened a support ticket with Apple and encourage affected users to do the same to help prioritize a fix.

We’ve added clear visibility when OpenAI’s Zero Data Retention policy prevents Chunk from generating fixes for flaky tests.

Zero Data Retention is an OpenAI security setting that blocks any data from being stored or logged by OpenAI’s API, which prevents Chunk from performing the analysis needed to diagnose test failures. If you’re using OpenAI as your model provider with Zero Data Retention enabled, you’ll now see a “Model restricted” indicator in the Chunk Tasks UI with guidance on how to resolve the issue.

The Xcode 26.1.1 image is now available to be used in CircleCI pipelines on the M4 Pro resource classes.

Please see the full manifest for information about the software included with this image release.

Known issues:

• OS 26 simulators sporadically freeze during boot and may fail to start. We recommend pre-booting simulators and, if they don’t start within 60 seconds, terminate them and restart them.
• Metal Toolchain is currently non-functional. A workaround is available by running the following commands before use:

    xcodebuild -downloadComponent metalToolchain -exportPath /tmp/MetalExport/
    sed -i '' -e 's/17A5295f/17A5241e/g' /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle/ExportMetadata.plist
    xcodebuild -importComponent metalToolchain -importPath /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle

• Device IDs are inconsistently changing across VMs in Xcode 26. This is an OS-level issue that can affect builds relying on consistent device identifiers. We’ve opened a support ticket with Apple and encourage affected users to do the same to help prioritize a fix.

It is now possible to configure pipelines to be triggered by commenting run-ci on a GitHub pull request.

This gives teams more control over when pipelines run - for example allow re-running pipelines without pushing new commits, or triggering builds for draft PRs and work-in-progress branches.

This trigger option is available to all organizations using GitHub, as long as they have installed the CircleCI GitHub App integration. Access it by adding a new GitHub trigger to a GitHub App pipeline.

Support for custom comment keywords is on the roadmap.

For more information and a full list of GitHub trigger event options, visit the Docs page.

CircleCI OIDC tokens now include 3 new claims for enhanced authentication workflows:

• oidc.circleci.com/org-id
• oidc.circleci.com/pipeline-id
• oidc.circleci.com/pipeline-definition-id

These claims are available in both V1 and V2 token formats and provide more granular control when configuring trust policies with cloud providers.

For full details on all available OIDC claims and how to use them, see Using OpenID Connect tokens in jobs.

As of today, November 10, 2025, the default resource class for macOS jobs for Free plan organizations changes from macos.m1.medium.gen1 to m4pro.medium.

All macOS jobs for Free plan organizations are now running on m4pro.medium, regardless of the resource class specified in your configuration.

Quick reminder:

• If you don’t specify a resource class in your configuration, your jobs are already using the faster m4pro.medium - no action needed.
• If your configuration explicitly specifies a different resource class, we recommend updating it to m4pro.medium or removing the resource class specification to avoid configuration parsing issues when these resource classes reach end of life on February 16, 2026.

For full details, see our original announcement.

Runner Release 3.1.7

Both Machine and Container Runner:

Addressed CVEs in dependencies of the runner agent binary.

Container Runner:

The orchestrator init container’s resource requirements are now configurable via orchestrator.resources in the Helm values (chart version v101.1.6+).

For Ad-Hoc Tasks, Chunk now pushes changes to a branch and triggers your CI pipeline to validate them. If the pipeline fails, Chunk will attempt to fix the issues and push updated changes.

This helps ensure your code passes basic checks like linting and formatting, reducing frustration from broken code.

Note: Ad-Hoc Tasks currently update existing branches or apply changes to new ones, pull request creation functionality is coming soon.

Starting November 10, 2025, the default resource class for macOS jobs for Free plan organizations will change from macos.m1.medium.gen1 to m4pro.medium. This means that all macOS jobs for Free plan organizations will run on m4pro.medium, regardless of the resource class specified in your configuration. The m4pro.medium resource class offers significantly better performance and faster build times compared to previously available resources.

Note: This change only affects customers on a Free plan. For customers on Performance or Scale plans, the default resource class change will happen on December 3, 2025, as announced here.

What you should do:

• If you are on a free plan and don’t specify a resource class in your configuration, no action is needed - your jobs will automatically use m4pro.medium.
• If your macOS job configuration explicitly specifies a resource class, we recommend either updating it to m4pro.medium or removing the resource class specification from your configuration. This is important because when M1 and M2 resource classes reach end of life on February 16, 2026 (see deprecation notice), configurations that explicitly reference these deprecated resource classes will fail to parse.
• Note that m4pro.medium is priced at 200 credits/min compared to 150 credits/min for the previous default, though faster execution times may offset the higher per-minute rate

The Xcode 26.1 image is now available to be used in CircleCI pipelines on the M4 Pro resource classes.

Please see the full manifest for information about the software included with this image release.

Known issues:

• OS 26 simulators sporadically freeze during boot and may fail to start. We recommend pre-booting simulators and, if they don’t start within 60 seconds, terminate them and restart them.
• Metal Toolchain is currently non-functional. A workaround is available by running the following commands before use:

    xcodebuild -downloadComponent metalToolchain -exportPath /tmp/MetalExport/
    sed -i '' -e 's/17A5295f/17A5241e/g' /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle/ExportMetadata.plist
    xcodebuild -importComponent metalToolchain -importPath /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle

• Device IDs are inconsistently changing across VMs in Xcode 26. This is an OS-level issue that can affect builds relying on consistent device identifiers. We’ve opened a support ticket with Apple and encourage affected users to do the same to help prioritize a fix.

We’ve updated schedule triggers for the GitHub App integration to use standard CRON format instead of our CircleCI-specific scheduling format.

With CRON syntax, you can now schedule pipelines down to specific minutes, giving you more precise control over when your workflows run. The interface displays your CRON string translated into plain English, and includes template buttons for common scheduling patterns.

The minimum scheduling interval remains 5 minutes, and a random delay of up to 10 minutes continues to be applied to all scheduled pipelines for load spreading.

All existing GitHub App schedule triggers have been automatically converted to CRON format. No action is required.

This change applies only to GitHub App schedule triggers. GitHub OAuth and Bitbucket schedule triggers are not affected.

Coming soon:

Natural language translation to CRON syntax will be available in an upcoming release.

The Xcode 26.1 RC (Release Candidate) image is now available to be used in CircleCI pipelines on the M4 Pro resource classes.

Please see the full manifest for information about the software included with this image release.

Known issues:

• OS 26 simulators sporadically freeze during boot and may fail to start. We recommend pre-booting simulators and, if they don’t start within 60 seconds, terminate them and restart them.
• Metal Toolchain is currently non-functional. A workaround is available by running the following commands before use:

    xcodebuild -downloadComponent metalToolchain -exportPath /tmp/MetalExport/
    sed -i '' -e 's/17A5295f/17A5241e/g' /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle/ExportMetadata.plist
    xcodebuild -importComponent metalToolchain -importPath /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle

• Device IDs are inconsistently changing across VMs in Xcode 26. This is an OS-level issue that can affect builds relying on consistent device identifiers. We’ve opened a support ticket with Apple and encourage affected users to do the same to help prioritize a fix.

Chunk will now attempt to automatically create a cci-agent-setup.yml file if one doesn’t exist in your repository.

You can also manually generate one by navigating to Organization Settings → Chunk Tasks, selecting the […] menu for your desired task, then going to Chunk Environment and clicking “Create File in GitHub”.

We’ve resolved a bug where the “More Details” section was missing from Chunk pull request descriptions. PR bodies now include a link to view the full task execution in the CircleCI web app, providing quick access to logs and execution details.

On December 3, 2025, the default resource class for macOS jobs will change from macos.m1.medium.gen1 to m4pro.medium for customers on a paid plan (Performance and Scale). Free plan customers transitioned to this default on November 10th.

What this means:

If you haven’t explicitly specified a resource class in your macOS job configuration:

• your jobs will automatically run on the faster m4pro.medium resource starting December 3rd
• note that m4pro.medium is priced at 200 credits/min compared to 150 credits/min for the previous default, though faster execution times may offset the higher per-minute rate - see our price list for details
• no action is required unless you want to opt in early or select a different resource class

If your jobs are explicitly configured with a specific resource class, they will continue to use those specifications.

Why we’re making this change:

The m4pro resource class offers significantly better performance, resulting in faster build times for most workloads.

What you can do:

• To start using m4pro.medium before December 3rd, update your configuration to explicitly specify the resource class
• To continue using macos.m1.medium.gen1 after December 3rd, you can explicitly specify it in your configuration - however, please note this resource class will reach end of life on February 16, 2026 (see deprecation notice)
• Review our macOS resource class documentation for all available options

We just shipped an update to Active Versions.

What’s new: Active Versions is now prominently displayed at the top of the timeline view, making it effortless to see what’s deployed where.

Why it matters: Previously this was buried in nested menus. Now it’s front and center where teams need it most.

How it works: 3 active version cards appear by default at the top of the timeline. Click “See More” to expand and view up to 9 versions/environments at once.

The Xcode 26.1 Beta 3 image is now available to be used in CircleCI pipelines on the M4 Pro resource classes.

Please see the full manifest for information about the software included with this image release.

Known issues:

• OS 26 simulators sporadically freeze during boot and may fail to start. We recommend pre-booting simulators and, if they don’t start within 60 seconds, terminate them and restart them.
• Metal Toolchain is currently non-functional. A workaround is available by running the following commands before use:

    xcodebuild -downloadComponent metalToolchain -exportPath /tmp/MetalExport/
    sed -i '' -e 's/17A5295f/17A5241e/g' /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle/ExportMetadata.plist
    xcodebuild -importComponent metalToolchain -importPath /tmp/MetalExport/MetalToolchain-17A5295f.exportedBundle

• Device IDs are inconsistently changing across VMs in Xcode 26. This is an OS-level issue that can affect builds relying on consistent device identifiers. We’ve opened a support ticket with Apple and encourage affected users to do the same to help prioritize a fix.

What’s changing: The CircleCI GitHub App now subscribes to pull_request_review_comment events from GitHub.

What to expect: If you have the CircleCI GitHub App installed, you received an email from GitHub notifying you of this change. When you click “Review permission request” in the email, you’ll see the notice below.

Action required – You’ll need to accept this permission request before CircleCI can start processing these events for your organization. Click “Accept new permissions” in the email or visit your GitHub App settings to approve the change.

The notice shows “unchanged permissions” because the GitHub permissions needed for this event were already granted to the CircleCI App—we’re simply subscribing to an additional event type using those existing permissions.

Why we’re making this change: This event subscription enables two new capabilities:

• Chunk interactions: Trigger pipelines and invoke AI agents directly from PR comments (e.g., @chunk-ai fix flaky tests)
• Future trigger options: Configure pipelines to run based on specific PR comments