bytebase

☁️ Bytebase Cloud Upgrade

Bytebase Cloud is now a true multi-tenant SaaS.

• One account, many workspaces — with a workspace switcher and self-serve leave/delete.
• Passwordless sign-in by email code (no more passwords in Cloud).
• Global SSO — sign in with Google, GitHub, or your org's IdP without picking a workspace first.
• Self-serve subscription plan upgrade and cancel from inside the app.
• Pro plan: unlimited users.

🔔 Other Notable Changes

• Plan edits surfaced in issue activity — Plan edits now appear as audit comments in the issue activity feed for approver visibility.

• API breaking changes — require_2fa → require_mfa, plan_spec_update → plan_update (restructured payload), and Issue.ApprovalStatus moved to top-level. See Change Details.

• Terraform provider 3.18.0 required — Adds write-only sensitive fields and a provider-level custom_header block. Requires Terraform CLI 1.11+. See Migration Guide.

🚀 Features

• AWS RDS IAM auth for the Bytebase metadata database — Authenticate the metadata PostgreSQL via AWS RDS IAM tokens.

• Google Chat webhook integration — Add Google Chat as a project webhook destination.

• Bytebase Action custom headers — Add --custom-header flag for header-based access proxies in CI/CD pipelines.

• Retry issue approval — Issues stuck in CHECKING can be retried via a new RetryIssueApproval API.

• CosmosDB — Support cross-partition queries.

• MariaDB — Support DML rollback / prior-backup, matching MySQL behavior.

• TiDB — Support extra DataSource connection parameters, including connection packet compression.

🎄 Enhancements

• Improve SQL analysis reliability across PostgreSQL, MySQL, and MSSQL for advisor rules, query span, completion, and schema diff.

• Improve PostgreSQL and CockroachDB metadata-backed schema diff reliability.

• Show gh-ost start/end events in task run logs.

• Show DDL/DML environment warnings across role grant, role request, and issue creation flows.

• Show expired roles inline in the members table and member detail panel.

• Show database group titles in plan selectors and human-readable instance/database names in member-role scopes.

• Whitelist redirect URIs in OAuth dynamic client registration.

• Restore audit logs for Login / Signup / ExchangeToken; add audit events for retry approval and email-code / password-reset paths.

• Default the SQL Editor query role to the least-privileged SQL select role.

• Improve the SQL statement matching for JIT access grants.

• MongoDB — Replace mongosh with the native Go driver.

• TiDB — SQL Editor Ctrl+Enter now runs the cursor statement, matching MySQL / PostgreSQL behavior.

• ClickHouse — AggregateFunction(...) errors from SELECT * now suggest using -Merge + GROUP BY or finalizeAggregation().

🐞 Bug Fixes

• Fix multi-change plans targeting the same database group being rejected.

• Fix PIPELINE_COMPLETED webhook event missing when failed tasks are skipped.

• Fix per-sheet plan check summary preservation during approval checks.

• PostgreSQL — Fix query span bugs affecting masking and query analysis.

• Databricks — Apply user-selected row limit to SQL Editor queries.

📃 Change Details

API Breaking Changes

1. require_2fa renamed to require_mfa

The field on WorkspaceProfileSetting reflects the broader MFA scope (no longer 2FA-only).

| Field | Before | After |
| --- | --- | --- |
| WorkspaceProfileSetting.require_2fa | require_2fa (bool) | require_mfa (bool) |

Affected routes: any caller updating workspace profile settings via SettingService.UpdateSetting writing WorkspaceProfileSetting. Update references in your config or IaC.

2. IssueComment.plan_spec_update renamed to plan_update

The per-spec event (single sheet replacement) is replaced by a before/after snapshot of Plan.Spec[], so the comment carries the full diff of every plan spec change in one event.

| Field | Before | After |
| --- | --- | --- |
| IssueComment.plan_spec_update — PlanSpecUpdate { spec, from_sheet, to_sheet } (single spec/sheet change) | IssueComment.plan_update — PlanUpdate { from_specs, to_specs } (repeated Plan.Spec) |

Affected routes: any consumer of IssueService.ListIssueComments or issue activity events that previously read plan_spec_update. Update to read plan_update.from_specs / to_specs.

3. Issue.ApprovalStatus moved to top-level ApprovalStatus

Nested enum Issue.ApprovalStatus is removed; the same enum now lives at the top level in common.proto and is referenced by both Issue.approval_status and Plan.approval_status. Enum values and ordinals are unchanged (CHECKING=1, PENDING=2, APPROVED=3, REJECTED=4, SKIPPED=5).

| Type | Before | After |
| --- | --- | --- |
| Enum location | bytebase.v1.Issue.ApprovalStatus | bytebase.v1.ApprovalStatus |

Affected routes: clients that referenced the nested enum type by name (for example, generated Go or TS types). Update imports or type references; wire format is unchanged.

https://github.com/bytebase/bytebase/compare/3.17.1...3.18.0

Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.