woodpecker

v3.15.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 6d Pipelines

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

automation ci-cd devops docker kubernetes woodpeckerci

Affected surfaces

auth deps

Summary

AI summary

Broad release touches 📦️ Dependency, 📚 Documentation, 📈 Enhancement, and 🐛 Bug Fixes.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Uses GitLab username for authentication Uses GitLab username for authentication Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature
Feature	Medium	Adds optional flag in depends_on for workflows and steps Adds optional flag in depends_on for workflows and steps Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Adds timezone support for cron schedules Adds timezone support for cron schedules Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Adds CI_PIPELINE_RERUNS environment variable to pipelines Adds CI_PIPELINE_RERUNS environment variable to pipelines Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Adds placeholders to input definitions Adds placeholders to input definitions Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Allows disabling service workspace volumes in Kubernetes Allows disabling service workspace volumes in Kubernetes Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Shows warning when admin is configured at environment level Shows warning when admin is configured at environment level Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Dependency	Low	Updates uuid dependency to version 14 Updates uuid dependency to version 14 Source: llm_adapter@2026-05-28 Confidence: low	—
Dependency	Low	Updates GitLab API client‑go to version v2.34.0 Updates GitLab API client‑go to version v2.34.0 Source: llm_adapter@2026-05-28 Confidence: low	—
Performance	Low	Updates Go runtime to version 1.26.3 Updates Go runtime to version 1.26.3 Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fixes missing log close button in UI Fixes missing log close button in UI Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes agent ID persistence after auth to prevent crashloop duplicates Fixes agent ID persistence after auth to prevent crashloop duplicates Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Preserves private flag when GitLab webhook payload omits project visibility Preserves private flag when GitLab webhook payload omits project visibility Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes org lookup panic Fixes org lookup panic Source: llm_adapter@2026-05-28 Confidence: low	—
Bugfix	Low	Prevents duplicate schema linter composition errors Prevents duplicate schema linter composition errors Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Ensures local backend commands run in their own process group and are killed on cancellation (Linux/macOS) Ensures local backend commands run in their own process group and are killed on cancellation (Linux/macOS) Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Low	Adds guards to stop Kubernetes pipeline services upon completion Adds guards to stop Kubernetes pipeline services upon completion Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Refactor	Low	Refactors agent RPC retry logic Refactors agent RPC retry logic Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Refactor	Low	Moves setting of step environment variables into its own function and restores CI_PIPELINE_STATUS variable Moves setting of step environment variables into its own function and restores CI_PIPELINE_STATUS variable Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Other	Low	Groups logs by command in the step logs UI and makes them collapsible Groups logs by command in the step logs UI and makes them collapsible Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Other	Low	Exposes step type to step environment variables Exposes step type to step environment variables Source: granite4.1:30b@2026-05-28-audit Confidence: low	—

Full changelog

3.15.0 - 2026-05-28

❤️ Thanks to all contributors! ❤️

@6543, @AkashKumar7902, @EdwardSalter, @M31ancholy, @anbraten, @hhamalai, @johanvdw, @jolheiser, @julienvincent, @lephuongbg, @mateuszkamola, @qwerty287, @rfinnie, @simonmeyerrr, @wucm667

Special thanks to @geo-chen for finding and reporting vulnerabilities!

🔒 Security

Use Gitlab username [#6653]
Update uuid [#6647]
server: for grpc store extracted agentID in context [#6569]

✨ Features

Support optional flag in depends_on for workflows and steps [#6461]

📈 Enhancement

Use refactored pipeline builder in cli exec [#6453]
Add config to change default pipeline config paths and extensions [#6580]
Allow disabling service workspace volumes in k8s [#6644]
View warning if admin is configured at env level [#6600]
Add timezone support for crons [#6597]
Add CI_PIPELINE_RERUNS environment variable [#6588]
Add placeholders to inputs [#6599]
Refactor server/.../step_builder into pipeline/.../builder [#3967]
Group logs by command in step logs UI and make them collapsible [#6398]
Expose step type to step env [#4290]
pipeline runtime: move setting step environment variables into own func and add CI_PIPELINE_STATUS back [#6516]
Refactor agent rpc retry [#6515]

🐛 Bug Fixes

Fix org lookup panic [#6652]
Deduplicate schema linter composition errors [#6633]
local backend: on linux / mac start commands in own process group and kill the group on cancel [#6609]
k8s: add guards to stop pipeline services upon completion [#6623]
Fix missing log close button [#6584]
fix(agent): persist agent ID after auth to prevent crashloop duplicates [#6543]
fix(gitlab): preserve private flag when webhook payload omits project visibility [#6544]

🧪 Tests

Fix race in local backend tests [#6574]

📚 Documentation

Add note about extension permission [#6646]
Add GitHub OAuth App setup hint to docker-compose page [#6643]
Update pnpm to v11.3.0 [#6639]
Update docs npm deps non-major [#6625]
Docs: Mention that you can use failure: fail [#6611]
Change homepage of woodpecker-shellcheck [#6594]
Update docs npm deps non-major [#6586]
Update pnpm to v11 [#6561]
Update docs npm deps non-major [#6555]
Add 3rd party secret extensions list [#6546]
Update dependency axios to v1.16.0 [#6538]
Update dependency yaml to v2.8.4 [#6536]
Update dependency isomorphic-dompurify to v3.12.0 [#6532]
Update docs npm deps non-major [#6530]

📦️ Dependency

Update module gitlab.com/gitlab-org/api/client-go/v2 to v2.34.0 [#6662]
Update dependency uuid to v14 [#6658]
Lock file maintenance [#6659]
Update golang-packages [#6637]
Update web npm deps non-major [#6638]
Lock file maintenance [#6640]
Update module github.com/google/go-github/v86 to v88 [#6626]
Update web npm deps non-major [#6624]
Update golang-packages [#6622]
Update golang-packages [#6620]
Update module gitlab.com/gitlab-org/api/client-go/v2 to v2.29.0 [#6618]
Update golang-packages [#6614]
Lock file maintenance [#6606]
Update web npm deps non-major [#6604]
Update web npm deps non-major [#6603]
Update web npm deps non-major [#6602]
Update web npm deps non-major [#6601]
Update dependency simple-icons to v16.20.0 [#6596]
Update dependency eslint to v10.4.0 [#6593]
Update dependency @antfu/eslint-config to v9 [#6592]
Update web npm deps non-major [#6591]
Update woodpeckerci/plugin-git Docker tag to v2.9.1 [#6589]
Update postgres Docker tag to v18.4 [#6590]
Update module gitlab.com/gitlab-org/api/client-go/v2 to v2.26.1 [#6587]
Update golang-packages [#6582]
Update module gitlab.com/gitlab-org/api/client-go/v2 to v2.26.0 [#6578]
Update golang-packages [#6571]
Update web npm deps non-major [#6446]
Update module gitlab.com/gitlab-org/api/client-go/v2 to v2.25.0 [#6566]
Update module github.com/google/go-github/v85 to v86 [#6560]
Lock file maintenance [#6563]
Update golang-packages [#6562]
Update dependency mvdan/gofumpt to v0.10.0 [#6558]
Update dependency golangci/golangci-lint to v2.12.2 [#6556]
Update pre-commit hook golangci/golangci-lint to v2.12.2 [#6557]
Update dependency golang to v1.26.3 [#6554]
Update golang-packages [#6548]
Update module gitlab.com/gitlab-org/api/client-go/v2 to v2.24.1 [#6545]
Update golang-packages [#6542]
Lock file maintenance [#6540]
Update module github.com/docker/cli to v29.4.2+incompatible [#6539]
Update golangci/golangci-lint Docker tag to v2.12.1 [#6537]
Update pre-commit hook golangci/golangci-lint to v2.12.1 [#6535]
Update docker.io/woodpeckerci/plugin-docker-buildx Docker tag to v6.1.0 [#6534]
Update dependency golangci/golangci-lint to v2.12.0 [#6533]
Update woodpeckerci/plugin-release Docker tag to v0.3.1 [#6531]
Update docker.io/lycheeverse/lychee Docker tag to v0.24.2 [#6529]

Misc

build: release freebsd/openbsd as binary not container [#6610]
flake.lock: Update [#6656]
Use "sign in/out" [#6579]

Security Fixes

Persist agent ID after auth to prevent crashloop duplicates (fix(agent))
Preserve private flag when GitLab webhook payload omits project visibility (fix(gitlab))

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track woodpecker

Get notified when new releases ship.

About woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.

All releases →