Server 4.9.0 Changelog

Before Upgrading

See the CircleCI server 4.9 release notes and upgrade guide for this release.

NOTE: Vault is being deprecated and will no longer be supported in server 5.0. Refer to our script for steps to migrate to Tink.

What’s New in Release 4.9.0

The v4.9 release introduces serial groups for job serialization, automatic retries for workflows and steps, and improved caching with Zstd compression.

NEW FEATURES

• Serial Groups: A native mechanism for serializing job execution across workflows. Jobs can now be configured to run sequentially using the serial-group key, preventing race conditions in deployments and other concurrent operations. For more information, see the docs.

• Automatic Workflow Reruns: Workflows can now be configured to automatically rerun on failure using the max_auto_reruns configuration key. For more information, see the changelog.

• Automatic Step Retries: Individual steps within jobs can now be configured to automatically retry on failure. For more information, see the changelog.

• Faster Checkout with Blobless Method: The checkout step now supports a method option that enables blobless checkout for faster repository cloning. For more information, see the changelog.

• Zstd Cache Compression: Cache compression now uses Zstd by default, providing faster compression and decompression with better compression ratios. For more information, see the changelog.

• Job-level Cache Retention Controls: Cache retention can now be configured at the job level, allowing more granular control over cache lifecycle. For more information, see the changelog.

• OIDC Token Reliability Improvements: Enhanced retry handling for OIDC token generation, improving reliability in environments with transient network issues. For more information, see the changelog.

• Configurable Max Run Time: Build jobs now support a configurable maximum run time through the builds_service.custom_max_run_time Helm value, allowing operators to override the default 5-hour limit.

• Dark Mode: Users can now enable “Dark mode” through the CircleCI web app, see the changelog.

CHANGES

• Some CircleCI job statuses that were previously marked as skipped were changed to failed, see the changelog.
• Reduced time to start jobs for very large and complex workflows, see the changelog.
• Personal Access Token (PAT) management has been migrated to the authentication-service. PATs are automatically migrated during the upgrade process.
• Context APIs are now served by the CIAM gateway for improved performance and scalability.
• Redis has been updated to the version 6.2.20 to address CVE-2025-49844.
• The feature-flags service has been removed as it is not required for Server installations.
• Deleting contexts double confirmation now asks for the name of the context, see the changelog.
• Branches now displayed in branch picker regardless of trigger settings, see the the changelog.
• Workflow start time & duration are now copyable from CircleCI web app, see the changelog.
• URL Addressable Orbs - Removes the barriers to reusable config by allowing any file in your VCS to become a CircleCI orb. Allowlist rules maintain security and compliance, see the documentation.

BUG FIXES

• Fixed incorrect trigger event display for scheduled workflows. For more information, see the changelog.
• Fixed an issue where pipelines showed errors when all workflows are filtered out. For more information, see the changelog.
• Fixed branch filter dropdown functionality. For more information, see the changelog.
• Fixed project count on “User homepage”, see the changelog.

NEW SERVICES

New services introduced with this release:

• lock-job-provider - Provides job serialization capabilities for serial groups feature (includes internalapi and consumer components)
• no-op-job-provider - Handles no-operation job types used by serial groups

SERVICE CHANGES

• feature-flags - The feature flags service has been removed as it is not utilized by execution services in Server.

DATABASE MIGRATIONS

The following databases will run migrations when upgrading to this version:

• authentication-service
• insights-service
• lock-job-provider
• no-op-job-provider
• oidc-tasks-service
• permissions-service
• runner-admin

KNOWN ISSUES

Using a custom signed certificate will result in an x509 error for Docker, Machinem, and Runner jobs. A fix will be provided shortly in the future.

To learn more about Server 4.9 installation, migration, or operations please review our documentation.

Server 4.8.0 Changelog

Before Upgrading

See the CircleCI server 4.8 release notes and upgrade guide for this release.

NOTE: Vault is being deprecated and will no longer be supported in server 5.0. Refer to our script for steps to migrate to Tink.

What’s New in Release 4.8.0

The v4.8 release introduces further security improvements and support for flexible job dependencies.

NEW FEATURES

• Nomad UI is now accessible.
• Amazon Message Queue (AMQ) is now supported.
• Added support for configuring IOPS and throughput parameters for EC2 instances in the machine provisioner. New parameters can be found in the values.yaml reference.
• CircleCI Server now supports nomad servers externalized from your Kubernetes cluster. You may now deploy nomad servers on your own VM instances. This should improve the performance and stability of your nomad clusters.
• Support for Expression-based job filters
• Support for flexible job dependency.
• Support for Dynamic When Statements for Workflows (Breaking Change)
• Support for Windows container runner preview

NEW SERVICE:

• public-api-service

REMOVALS:

• web-ui-user-settings
• web-ui-org-settings
• web-ui-insights
• web-ui-project-settings
• web-ui-runners
• Support for launch-agent.
• Already-disabled v2 runner API endpoints.

CHANGES

• Moved from CircleCI fork back to upstream Hashicorp Nomad for improved stability and security updates.
• Nomad clients require IPv6 support within the kernel.
• JSON logging is enabled for Clojure services. This change allows customers to ingest logs from these services to their log aggregators in a familiar and consistent format.
• All containers now run with runAsNonRoot: true
• Telegraf will now include circleci_server_version in all the metrics it collects.
• The frontend container now uses the circleci-www-api image instead of the previously named frontend image.
• Clojure containers have moved to Java 21.
• Kong has been updated to 3.4.2
• Rerun workflow endpoint now has a rate limit of 20 requests per 5 seconds (max burst: 10)
• In server-terraform, the included Nomad images are now based on Ubuntu 22.04 with CgroupsV1 enabled. CgroupsV2 is currently unsupported. These nomad AMIs are built automatic security updates enabled.

PERFORMANCE IMPROVEMENTS:

• Database Operations: Optimized workflow storage to avoid N+1 database queries, reducing latency and improving concurrency.
• Workflow Status API: Now uses stored workflow status instead of generating it from job data, improving response times.
• Compiled Config Size: Removed unused job definitions from compiled configs, reducing size for customers with large configurations.

BUG FIXES

• Expression based restrictions via API have been fixed.
• Job handlers no longer silently drop on partial failure.
• Fixed broken branch picker functionality.
• SSH reruns in air-gapped installs have been restored.
• Broken pipelines now show triggering information in the UI.

DATABASE MIGRATIONS

The following services will run migrations when upgrading to this version:

• workflows-conductor
• authentication-svc
• builds-service
• branch-service
• contexts-service
• cron-service
• distributor
• domain-service
• insights-service
• machine-provisioner
• orb-service
• permissions-service
• runner-admin

NOTES

Customers that are using “S3-compatible” object storage should ensure that their object storage supports S3’s default data integrity protections. This includes (but is not limited to) Minio RELEASE.2025-01-20T14-49-07Z and Nutanix Objects v5.1.1.

KNOWN ISSUES

• Docker jobs may take an extra 60 seconds to conclude under certain circumstances.
• RDS is not compatible due to certain permissions checks; this will be fixed in 4.8.1.
• Vault may not refresh its client token after a month of uptime. Migrate to Tink to resolve this issue.
• Retry with SSH for jobs using the machine executor advertises a private IP address. For this reason, retry with SSH for jobs using the machine executor works as standard for public installations, but for private installs you would need to ensure that you can access the private IP advertised. For example, by using a VPN into your VPC.
• Machine builds using instances with IMDSv1 enabled is not supported

To learn more about Server 4.8 installation, migration, or operations please review our documentation.

Before Upgrading

See the CircleCI server 4.7 release notes and upgrade guide for this release.

NOTE: Vault is being deprecated and will no longer be supported in server 5.0. Refer to our script for steps to migrate to Tink.

What’s New in Release 4.7.0

The v4.7 release introduces security improvements with the implementation of rootless containers.

NEW FEATURES

• Approval jobs can now be canceled through the CircleCI UI or via the API.
• Windows container runner preview

CHANGES

• Server components now run as rootless containers, enhancing security.
• The Nomad server ReplicaSet is now scaled to 5 pods by default, which improves execution stability at scale.
• Nomad clients require IPv6 support within the kernel.
• Configuration for the RabbitMQ PersistantVolumeClaim (PVC) is now exposed through server Helm values. For more details, see the docs.

BUG FIXES

• Resolved an issue where frontend pods would not automatically detect and apply a new server license.
• Fixed a bug where a workflow could be prematurely marked as failed before all non-blocking jobs were run.
• Fixed a configuration issue that could cause connection refusals between Kong and Soketi following an upgrade to version 1 of Soketi.
• Addressed a typo in the Helm values for machine_provisioner.machine_agent_base_url. The correct template value should be machine_provisioner.agent_base_url.

SERVICE CHANGES

Deprecated components removed with this release:

• web-ui-404: Previously served the 404 error page. Its functionality has now been merged into the main web-ui component.
• Support for GitHub Enterprise versions <= 2.2: Code supporting these versions has been removed, as they are no longer supported by GitHub.

DATABASE MIGRATIONS

The following databases will run migrations when upgrading to this version:

• authenticationservice
• conductor_production

KNOWN ISSUES

• SSH reruns in air-gap will time out, leaving the job in an error state
• Vault may not refresh its client token after a month of uptime. Migrate to Tink to resolve this issue.
• Retry with SSH for jobs using the machine executor advertises a private IP address. For this reason, retry with SSH for jobs using the machine executor works as standard for public installations, but for private installs you would need to ensure that you can access the private IP advertised. For example, by using a VPN into your VPC.
• CircleCI 1.0 builds are not supported. If an attempt is made to run a 1.0 build, no feedback will be available in the application to indicate the cause of the issue. If a build is run on your installation and does not show up in the CircleCI application, use the CircleCI CLI to validate the project configuration and get details of the possible cause of the issue.
• Machine builds using instances with IMDSv1 enabled is not supported

To learn more about Server 4.7 installation, migration, or operations please review our documentation.

This version will reach EOL in August 2025 and can be skipped when upgrading from 4.3 or 4.4. We recommend upgrading directly to 4.7 for the latest security patches.

Before Upgrading

See the CircleCI server 4.6 release notes and upgrade guide for this release.

NOTE: Vault is being deprecated and will no longer be supported in server 5.0. Refer to our script for steps to migrate to Tink.

What’s New in Release 4.6.0

The v4.6 release introduces various UI refreshments and improvements.

NEW FEATURES

• Several enhancements to the CircleCI web app, including:
  • A new “User Homepage”.
  • Updated styling for the left-hand navigation bar.
  • Top navigation bar that allows easy access to user-level actions.
• Pipelines are now labeled whenever they are rerun from start or fail, or with SSH.
• Project-based context restrictions. For more information see the docs.

CHANGES

• Old, expired workflows are now automatically canceled after 90 days.
• The pipeline.in_setup pipeline parameter has been removed.
• Kong, which is used for server API management, has been upgraded from 2.x to 3.x.

BUG FIXES

• Fixed a bug that prevented jobs from being rerun with SSH.
• Resolved an issue that prevented project loading on the Insights dashboard.
• Addressed regressions from server 4.2:
  • Introduced a configuration option at the organization level to set the default resource class for a Docker job. In server 4.3, this was previously hardcoded to large.
  • Added support for absolute paths in defining a GCP network under the machine provisioner configuration. This feature is particularly useful for VM jobs using shared networks, enabling explicit network selection. This corrects a regression from the previous VM service architecture.

NEW SERVICES

New services introduced with this release:

• authentication-service - provides an interface for user and identity management in the CircleCI system

DATABASE MIGRATIONS

The following databases will run migrations when upgrading to this version:

• builds_service
• conductor_production
• permissions

KNOWN ISSUES

• SSH reruns in air-gap will time out, leaving the job in an error state
• Vault may not refresh its client token after a month of uptime. Migrate to Tink to resolve this issue.
• Retry with SSH for jobs using the machine executor advertises a private IP address. For this reason, retry with SSH for jobs using the machine executor works as standard for public installations, but for private installs you would need to ensure that you can access the private IP advertised. For example, by using a VPN into your VPC.
• CircleCI 1.0 builds are not supported. If an attempt is made to run a 1.0 build, no feedback will be available in the application to indicate the cause of the issue. If a build is run on your installation and does not show up in the CircleCI application, use the CircleCI CLI to validate the project configuration and get details of the possible cause of the issue.
• Open ID Connect Tokens are not generated and not available.

To learn more about Server 4.6 installation, migration, or operations please review our documentation.

CircleCI server v4.0.0 is now generally available. The feature set for this release are equal to server v3.x. The installation and upgrade processes for v4.x have changed significantly.

Server v4.x offers greatly improved security handling, installation, and update processes. Server v4.x is installed using helm charts and images that can be pulled ahead of time to comply with your security processes. Installation processes can also use artifacts pulled from customer-managed registries. Server v4.x makes improved use of Kubernetes secrets and removes the requirement to grant permissions and network access to third-party tools.

Before upgrading

See the CircleCI server 4.x release notes for upgrade notes for this release.

What’s new in release 4.0.0

New features

• Two new Arm resource classes are now available xlarge and 2xlarge. For more information on using Arm, see the Arm docs.
• CircleCI server v4.x images and helm charts are available for licenced users.

Fixes

• Fixed a bug that was causing a huge quantity of error logs in the distributer-internal pod.
• Prometheus is no longer included by default in CircleCI server v4.x.
• The default concurrency limit has been increased to avoid it being reached.
• Docker layer caching volumes are now deleted after 3 days if unused. Previously they were deleted after 7 days.
• kong is now placed behind NGINX to simplify loadbalancer setup.
• The loadbalancer has been renamed from circleci-traefik to circleci-proxy.
• Workflow configurations that are stored in PostgreSQL will migrated to the Object Storage.

Known issues

• Telegraf needs to have its configuration overwritten and base64 encoded.
• When migrating from 3.x to 4.x, workflow configuration migrations will run as an init job and the workflows-conductor-event-consumer and the workflows-conductor-grpc-handler pods will not start until the migration completes. Customers with large PostgreSQL databases should plan accordingly. Migration time can be reduced by scaling the workflow-conductor pods.
• Webhook-service may not work with an externalized Vault.
• Vault may not refresh its client token after a month of uptime.
• Retry with SSH for jobs using the machine executor advertises a private IP address. For this reason, retry with SSH for jobs using the machine executor works as standard for public installations, but for private installs you would need to ensure that you can access the private IP advertised. For example, by using a VPN into your VPC.
• CircleCI 1.0 builds are not supported. If an attempt is made to run a 1.0 build, no feedback will be available in the application to indicate the cause of the issue. If a build is run on your installation and does not show up in the CircleCI application, users should be directed to use the CircleCI CLI to validate the project configuration and get details of the possible cause of the issue.

To learn more about Server 4.x installation, migration, or operations please see our documentation.

What’s New in Release 3.0.0

Server 3.0 is now generally available. The newest version of server offers the ability to scale under heavy workloads, all within your own Kubernetes cluster and private network, while still enjoying the full CircleCI cloud experience. Server 3.0 includes the latest CircleCI features, such as orbs, scheduled workflows, matrix jobs, and more. For existing customers interested in migrating from 2.19 to 3.x, contact your customer success manager. Server 3.0 will receive monthly patch releases and quarterly feature releases.

New Features

• New UI
• Orbs for Server
• Pipelines
• Config 2.1
• API 2.0
• Scheduled Workflows
• Matrix Jobs
• And much more…

Known Issues

• No support for external data stores (Postgres, Mongo, Vault). This feature will be implemented in a future release.
• It is currently possible for multiple organizations under the same CircleCI server account to have contexts with identical names. This should be avoided as doing so could lead to errors and unexpected behavior. This will be fixed in a future patch release.
• CircleCI 1.0 builds are not supported. If an attempt is made to run a 1.0 build, no feedback will be available in the application to indicate the cause of the issue. If a build is run on your installation and does not show up in the CircleCI application, users should be directed to use the CircleCI CLI to validate the project configuration and get details of the possible cause of the issue.
• CircleCI currently assigns a public load balancer for the frontend services. For some customers, their infrastructure or security groups won’t allow this. We will provide an optional internal local balancer for the frontend services in a future release.
• Telegraf metrics collection customization is not yet available.
• Support for GPU builders is not yet available.

To learn more about Server 3.0 installation, migration, or operations please see our documentation.

CircleCI 2.0 is a completely updated CI/CD platform that starts every run with a clean image which is automatically provisioned just-in-time for Linux jobs on the CircleCI application installed in your private cloud. The CircleCI 2.0 platform includes significant performance, stability, and reliability improvements along with first-class Docker support, Workflows (pipelines), Resource Allocation, and Contexts. The Management Console (Replicated) also includes new options for enabling 2.0 Builders and appropriate default settings.

If you have CircleCI installed you may access CircleCI 2.0 features on your current installation with no restrictions under your current agreement and support level. However, you must contact your CircleCI account representative for assistance with upgrading, to obtain migration scripts, and to receive a new license channel.

• CircleCI 2.0.0 is only available on AWS and may be installed with Terraform or manually.
• Teams may create a CircleCI 2.0 .circleci/config.yml file in their repositories to add new 2.0 projects incrementally while continuing to build 1.0 projects which use a circle.yml configuration file.

Documentation for the installable 2.0 application is available at CircleCI 2.0 Documentation for the following topics:

• Administrator’s Overview
• Administration FAQ
• Security Features
• Installing CircleCI 2.0 on Amazon Web Services with Terraform
• Configuring High Availability
• Administrative Variables, Monitoring, and Logging
• Introduction to Nomad Cluster Operation
• Backing up CircleCI Data