Skip to content

woodpecker

Pipelines

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.

Track releases GitHub Website
Go Latest v3.15.0 · 6d ago Security brief →

Features

  • Runs as a lightweight CI/CD server (≈100 MB RAM) and agents (≈30 MB RAM)
  • Uses SQLite by default for its database, minimizing external dependencies
  • Highly extensible through plugins

Recent releases

View all 4 releases →
Review required
v3.15.0 Mixed
Auth Dependencies

Security, Cron Timezone, Log UI, Dependency Updates

Open
Upgrade now
v3.14.1 Security relevant
Auth

agent_id spoof prevention

Open
v3.14.0 Breaking risk
Security fixes
  • fix(web): escape HTML in commit messages to prevent XSS
Notable features
  • Support one-shot agent execution mode
  • Add external secret extension implementation
  • Allow disabling isolated home directory for local agents
Full changelog

3.14.0 - 2026-05-01

❤️ Thanks to all contributors! ❤️

@6543, @Aex12, @AhmadNajiKam, @CrimsonFez, @LUKIEYF, @LoricAndre, @M31ancholy, @MartinSchmidt, @Pnkcaht, @Sim-hu, @TumbleOwlee, @api2062, @bclermont, @brainbaking, @cliffmccarthy, @confusedsushi, @dccdis, @hhamalai, @hnb2, @lephuongbg, @mehrdadbn9, @mofr93, @myers, @myselfghost, @njaaazi, @packrat386, @paulovitorbal, @qwerty287, @rfinnie, @rhafer, @samoli, @savv, @stardothosting, @utafrali, @wucm667

🔒 Security

  • docs: bump follow-redirects [#6441]
  • chore(deps): update dependency axios to v1.15.0 [security] [#6417]
  • fix(deps): update go.opentelemetry.io/otel to v1.43.0 [#6416]
  • WebUI: remove "lodash" dep [#6369]
  • Sanitize agent introduced pipeline/workflow/step state changes and log streaming [#6308]
  • Send 404 if logs are not allowed to access [#6349]
  • Prevent registering as arbitrary agents with system token [#6283]
  • Update fast-xml-parser [#6258]
  • Update dompurify and svgo [#6198]
  • Update edwards25519 [#6143]

✨ Features

  • Support one-shot agent execution mode [#6150]
  • Add external secret extension implementation [#6252]
  • Allow disabling isolated home directory for local agents [#6251]
  • Add Container Registry credential extension [#5993]
  • Support exclusive config extensions [#5978]

📈 Enhancement

  • Kubernetes: precreate workingDir as nonroot when required [#6322]
  • Kubernetes: Support allowPrivilegeEscalation and capabilities backend_options [#6307]
  • Refactor: remove Auth() from Forge interface [#6505]
  • Move wait for log uploads logic out of logger and tracer into pipeline runtime [#6471]
  • Make agent reconnect retry timeout configurable [#6470]
  • Handle re-created forge repos gracefully [#6370]
  • Cleanup server store step interface [#6476]
  • Docker/K8s: add config for stop timeout [#6445]
  • Docker backend should retry to delete volume on "in use" error [#6381]
  • Move skip pipeline by commit message into pipeline/frontend package [#6437]
  • Init server/scheduler package and use it as proxy for queue & pubsub [#6418]
  • Unify server API parameters to snake_case [#6404]
  • Add netrc option for config/registry extension [#6333]
  • Docker backend: replace docker SDK with moby SDK [#6357]
  • Deprecate commit avatar envs [#6356]
  • Refactor server/pubsub into interface [#6318]
  • Separate cron field [#6346]
  • Refactor pipeline runtime code [#6166]
  • Show Woodpecker version on pipeline details [#6316]
  • Unify import aliases [#6328]
  • Improve linter warning when step has no when block [#6314]
  • Improve error message when no workflows for manual were found [#6313]
  • Server return conflict status when stale repo causes duplicate insert [#6276]
  • Show global/org registries in org/repo registries tab [#6291]
  • Report skipped step state as soon as it's determined [#6295]
  • Only add compatibility environment variables for drone-ci to plugins [#6271]
  • Refactor: pass backend explicitly when creating pipeline engine runtime [#6268]
  • Compare admins case-insensitively [#6261]
  • Allow to cancel on failure [#6158]
  • Refactor so storage detects if Insert fails because of unique constraint [#6259]
  • Add server config for maximum log lines shown in web UI [#6250]
  • Add "Load more" pagination to pipeline list [#6200]
  • Use upstream slices.Concat and remove utils.MergeSlices [#6185]
  • Add enhanced function for error message handling in http request for configuration fetching [#5712]
  • Remove fixed badge width in UI [#6157]
  • Improve Debian packages [#6085]
  • Refactor pipeline engine [#6073]
  • Show cancellation reason in pipeline details [#6072]
  • Document required forge methods [#6049]
  • Dynamic log following [#6036]
  • Per-Workflow and Per-Workflow-Step badge generation [#5977]
  • Render MD in pipeline titles [#5999]
  • Simplify and Fix server task queue [#6017]
  • Update Architecture: move pipeline/rpc => rpc & server/{grpc => rpc} [#6012]
  • Implement retry logic in HTTP Send method [#5857]
  • CLI: Allow single output template [#5882]
  • Improve service syntax related docs and tests nits [#5991]
  • Remove deactivated secrets type from container definition [#5983]

🐛 Bug Fixes

  • fix(web): escape HTML in commit messages to prevent XSS [#6523]
  • fix(cli,server): fix trusted flags copy-paste bug and server nil pointer panic [#6501]
  • Add refname to bitbucket commit status [#6482]
  • Fix send on closed channel panic in SSE stream handlers [#6456]
  • Add WOODPECKER_FORCE_IGNORE_SERVICE_FAILURE config to preserve non-breaking behavior by default [#6448]
  • Fix race in pipeline runtime [#6451]
  • Fix race in server LogEntry logger [#6449]
  • Kubernetes: detached steps are no services [#6435]
  • Support dots in image names [#6431]
  • Fix erroneous linter error for plugin privileges [#6424]
  • Add connection timeout and graceful shutdown to agent RPC client [#6414]
  • Fix Windows container exit code handling and error checks [#6411]
  • Bitbucket: Remove usage of deprecated /user/permissions/repositories [#6401]
  • Bitbucket: Fix parsing /user/workspaces response [#6396]
  • Fix CLI exec with workflow matrix feature, where variables are not substituted. [#6162]
  • Fix enable repo with same name and owner on second forge [#6375]
  • Fix workflow being skipped and marked as failed when agent starts before server [#6361]
  • Only redirect after login [#6348]
  • Set workflow services stuck in running state to finished [#6337]
  • Fix bitbucket api deprecations [#6324]
  • Fix workflow serialize to omit skip_clone if false [#6319]
  • Fix build deb rpm packages [#6309]
  • Enable crons if created via CLI [#6228]
  • Fix message on gitlab tag event [#6196]
  • Bitbucket DC: resolve annotated tag SHA to commit SHA before posting build status [#6203]
  • Prevent leaking goroutines on canceled steps [#6186]
  • Fix when.status filter evaluation and add workflow-level support [#6183]
  • Fix status merging with skipped pipelines [#6176]
  • Update pipeline config schema [#6156]
  • Fix OAuth token refresh race condition with singleflight [#6153]
  • Use priority-based merging to determine pipeline and workflow status [#6119]
  • Only set tag env on tags [#6142]
  • Fix bitbucket email [#6102]
  • Report status for detached steps and services [#6039]
  • Don't propagate workflow error from agent back to agent [#6056]
  • Fix pipeline cancellation status handling and step state synchronization [#6011]
  • Add retry logic for CreatePipeline with backoff [#6067]
  • Fix OAuth token refresh in webhook handling for Bitbucket and GitHub [#6059]
  • Refresh token before forge calls [#6035]
  • Local backend: cleanup generated script for cmd.exe shell [#6029]
  • Local backend: setup clone step respects context [#6030]
  • Fix: Agent now gracefully handles running containers when killed [#6018]
  • Local backend: handle canceled steps case [#6008]

🧪 Tests

  • e2e test wait for grpc server teardown and stop agents [#6479]
  • Add more test cases for rpc label filter [#6483]
  • Fix flaky TestJWTManager [#6478]
  • Add e2e pipeline restart test [#6469]
  • Init minimal e2e tests [#6391]
  • Enhance datastore DB test setup [#6450]
  • Dummy backend support cancel [#6390]
  • Extend workflow integration tests [#6272]
  • Add registry service tests [#6330]
  • Add workflow integration test [#6270]
  • Increase timeout for migration tests [#6206]
  • Ignore fixtures for coverage [#6197]
  • Use tabs for indentation in embedded JSON [#6103]
  • Add tests for CLI output formatting and pipeline metadata environment variables [#6076]
  • Ignore mocks for coverage [#6074]

📚 Documentation

  • docs: better description for when.status filter [#6517]
  • docs: Add woodpecker-shellcheck lint to awesome list [#6521]
  • Lock file maintenance [#6508]
  • Update docs npm deps non-major [#6496]
  • Add Laravel Forge plugin [#6491]
  • Add 'entrypoint' property to service in schema [#6487]
  • Lock file maintenance [#6472]
  • Update dependency axios to v1.15.1 [#6468]
  • Update dependency marked to v18.0.2 [#6465]
  • Update docs npm deps non-major [#6463]
  • Update dependency marked to v18 [#6425]
  • Update docs npm deps non-major [#6422]
  • chore(deps): update dependency fuse.js to v7.3.0 [#6382]
  • chore(deps): update docs npm deps non-major [#6376]
  • chore(deps): update dependency typescript to v6 [#6336]
  • chore(deps): update docs npm deps non-major [#6335]
  • Add CI check for docs on feature PRs [#6315]
  • chore(deps): update dependency isomorphic-dompurify to v3.6.0 [#6288]
  • chore(deps): update dependency yaml to v2.8.3 [#6287]
  • Add agentscan to plugin docs [#6285]
  • Add opengrep plugin [#6282]
  • chore(deps): update docs npm deps non-major [#6281]
  • Sort glossary items alphabetically [#6255]
  • chore(deps): update docs npm deps non-major [#6240]
  • plugin: ascii junit report: renamed gh username [#6232]
  • chore(deps): update dependency svgo to v4 [#6214]
  • chore(deps): update docs npm deps non-major [#6210]
  • Update serialize-javascript [#6182]
  • chore(deps): update docs npm deps non-major [#6173]
  • chore(deps): update dependency isomorphic-dompurify to v3 [#6147]
  • chore(deps): update docs npm deps non-major [#6137]
  • Add deprecation policy [#6068]
  • fix(deps): update dependency @easyops-cn/docusaurus-search-local to ^0.55.0 [#6125]
  • Improve selinux docs [#6066]
  • Document how to ignore failure on services [#6106]
  • chore(deps): update docs npm deps non-major [#6109]
  • fix(deps): update dependency @easyops-cn/docusaurus-search-local to ^0.54.0 [#6091]
  • chore(deps): update dependency axios to v1.13.5 [#6090]
  • chore(deps): update docs npm deps non-major [#6088]
  • chore(deps): update dependency isomorphic-dompurify to v2.36.0 [#6086]
  • fix(deps): update docs npm deps non-major [#6052]
  • Update Module Interaction Diagram [#6019]
  • Add Buildah plugin link [#6050]
  • chore(deps): update docs npm deps non-major [#6045]
  • Add Homebrew package [#6037]
  • chore(deps): update dependency axios to v1.13.3 [#6010]
  • chore(deps): update docs npm deps non-major [#6000]
  • Fix docusaurus md link deprecation [#5979]
  • chore(deps): update docs npm deps non-major [#5982]

📦️ Dependency

  • Update golang-packages [#6524]
  • Update module github.com/google/go-github/v84 to v85 [#6500]
  • Update module github.com/getkin/kin-openapi to v0.136.0 [#6503]
  • Update woodpeckerci/plugin-git Docker tag to v2.9.0 [#6499]
  • Update docker.io/mysql Docker tag to v9.7.0 [#6498]
  • Update docker.io/lycheeverse/lychee Docker tag to v0.24.1 [#6497]
  • Update golang-packages to v0.36.0 [#6485]
  • Update golang-packages [#6477]
  • Update pre-commit hook rbubley/mirrors-prettier to v3.8.3 [#6462]
  • Update module k8s.io/client-go to v0.35.4 [#6460]
  • Update golang-packages [#6459]
  • Update docker.io/woodpeckerci/plugin-trivy Docker tag to v1.4.5 [#6447]
  • Update docker.io/woodpeckerci/plugin-ready-release-go Docker tag to v4.1.1 [#6440]
  • Update module gitlab.com/gitlab-org/api/client-go/v2 to v2.18.0 [#6439]
  • Update docker.io/woodpeckerci/plugin-codecov Docker tag to v2.3.1 [#6438]
  • Lock file maintenance [#6430]
  • Update dependency dotenv to v17.4.2 [#6428]
  • Update dependency simple-icons to v16.16.0 [#6427]
  • Update web npm deps non-major [#6423]
  • Update pre-commit hook rbubley/mirrors-prettier to v3.8.2 [#6421]
  • Update dependency golang to v1.26.2 [#6420]
  • fix(deps): update module github.com/docker/cli to v29.4.0+incompatible [#6403]
  • fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.41 [#6397]
  • chore(deps): lock file maintenance [#6392]
  • chore(deps): update dependency dotenv to v17.4.1 [#6389]
  • chore(deps): update dependency marked to v17.0.6 [#6387]
  • chore(deps): update dependency simple-icons to v16.15.0 [#6385]
  • fix(deps): update golang-packages [#6384]
  • chore(deps): update dependency fuse.js to v7.3.0 [#6383]
  • chore(deps): update dependency @antfu/eslint-config to v8 [#6378]
  • chore(deps): update web npm deps non-major [#6377]
  • fix(deps): update module github.com/lib/pq to v1.12.2 [#6371]
  • fix(deps): update module google.golang.org/grpc to v1.80.0 [#6363]
  • fix(deps): update golang-packages [#6343]
  • chore(deps): lock file maintenance [#6344]
  • chore(deps): update dependency simple-icons to v16.14.0 [#6341]
  • chore(deps): update web npm deps non-major [#6334]
  • chore(deps): update docker.io/woodpeckerci/plugin-ready-release-go docker tag to v4.1.0 [#6331]
  • fix(deps): update module code.gitea.io/sdk/gitea to v0.24.1 [#6321]
  • chore(deps): lock file maintenance [#6306]
  • fix(deps): update module github.com/charmbracelet/huh to v2 [#6243]
  • chore(deps): update dependency golangci/golangci-lint to v2.11.4 [#6301]
  • chore(deps): update pre-commit hook golangci/golangci-lint to v2.11.4 [#6302]
  • chore(deps): update web npm deps non-major [#6279]
  • fix(deps): update module github.com/zalando/go-keyring to v0.2.7 [#6280]
  • fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.37 [#6253]
  • chore(deps): update dependency jsdom to v29 [#6246]
  • chore(deps): update woodpeckerci/plugin-release docker tag to v0.3.0 [#6241]
  • chore(deps): update dependency vite to v8 [#6242]
  • chore(deps): update pre-commit non-major [#6212]
  • chore(deps): update dependency vue-i18n to v11.3.0 [#6217]
  • chore(deps): update dependency golang to v1.26.1 [#6207]
  • fix(deps): update module github.com/docker/cli to v29.3.0+incompatible [#6201]
  • fix(deps): update module github.com/yaronf/httpsign to v0.4.2 [#6188]
  • chore(deps): update dependency eslint-plugin-vue-scoped-css to v3 [#6178]
  • chore(deps): update dependency @intlify/eslint-plugin-vue-i18n to v4.3.0 [#6177]
  • fix(deps): update module github.com/google/go-github/v83 to v84 [#6172]
  • chore(deps): update postgres docker tag to v18.3 [#6169]
  • fix(deps): update golang-packages [#6160]
  • chore(deps): update dependency vue-tsc to v3.2.5 [#6141]
  • chore(deps): update docker.io/golang docker tag to v1.26 [#6121]
  • chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.23.0 [#6122]
  • chore(deps): update dependency @types/node to v24.10.12 [#6087]
  • chore(deps): update eslint monorepo to v10 (major) [#6083]
  • chore(deps): update dependency @antfu/eslint-config to v7.3.0 [#6084]
  • chore(deps): update dependency @vueuse/core to v14.2.0 [#6048]
  • fix(deps): update dependency vue-router to v5 [#6046]
  • chore(deps): update woodpeckerci/plugin-git docker tag to v2.8.1 [#6006]
  • chore(deps): update docker.io/mysql docker tag to v9.6.0 [#6002]
  • fix(deps): update module github.com/urfave/cli/v3 to v3.6.2 [#5989]

Misc

  • Add s3 cache plugin to docs [#6467]
  • Fix license headers [#6205]
  • Add agentscan plugin [#6284]
View release on GitHub
v3.13.0 New feature
Security fixes
  • Updated quic-go packages
  • Fixed repo permissions cleanup
Notable features
  • CLI contexts
  • Secret notes feature
  • Pod affinity/anti-affinity support
View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
7,195
Forks
579
Languages
Go Vue TypeScript
View on GitHub Homepage Documentation

Community & Support

Community Sponsor / Fund Sponsor / Fund

Similar tools

Lidarr
automaker

Alternative to

GitHub Actions GitLab CI Jenkins Travis CI CircleCI

Beta — feedback welcome: [email protected]