v1.2.0

What's Changed

• Fix #37: require admin role for org member and management ops by @DerDennisOP in #124
• backend: ci — name checks with org/project context (#122) by @DerDennisOP in #131
• backend: web: add per-IP rate limiting to HTTP layer (#53) by @DerDennisOP in #138
• fix(oidc): verify state, nonce, and ID-token signature; bind by (iss, sub) (#38) by @DerDennisOP in #126
• fix: reject path-traversal filenames in direct-build multipart upload (#39) by @DerDennisOP in #127
• fix: block SSRF in outgoing webhooks — validate URLs and resolved IPs (#40) by @DerDennisOP in #128
• backend: ssh key — remove plaintext fallback on decrypt failure (#42) by @DerDennisOP in #129
• backend: web: require Admin/Write role for project active toggle and repo check (#49) by @DerDennisOP in #134
• backend: web: cap request bodies to prevent OOM via unbounded payloads (#51) by @DerDennisOP in #137
• Remove unused write_key/clear_key footgun in sources::ssh_key (#48) by @DerDennisOP in #133
• backend: web: fix lost-update race on cache NAR traffic metrics (#50) by @DerDennisOP in #135
• backend: worker token — argon2 storage and constant-time verify (#46) by @DerDennisOP in #130
• backend: entity: EvaluationStatus::is_active + ACTIVE const (#56) by @DerDennisOP in #140
• backend: core: secret_file param &str instead of owned String (#60) by @DerDennisOP in #141
• backend: core: cache_key_host helper for URL scheme stripping (#61) by @DerDennisOP in #143
• backend: migration: rename build_depencdency typo, preserve canonical ID (#70) by @DerDennisOP in #145
• backend: scheduler: replace hard-coded status integers in dispatch SQL (#69) by @DerDennisOP in #144
• backend: web: batch evaluations_to_summaries to fix N+1 (#74) by @DerDennisOP in #146
• backend: web: rename load_editable_org → load_unmanaged_org (#54) by @DerDennisOP in #147
• backend: web/proto: collapse CacheOpsHandler / CacheQueryHandler structs (#58) by @DerDennisOP in #148
• backend: web: explicit re-exports in endpoint mod.rs (#63) by @DerDennisOP in #149
• backend: core: drop unused R-prefix aliases, document the rest (#67) by @DerDennisOP in #150
• backend: web: patch_field! / patch_field_with! macros (#76) by @DerDennisOP in #151
• backend: worker: include full error chain in JobFailed payload (#142) by @DerDennisOP in #152
• backend: core: validate CI reporter base_url + disable redirects (#113) by @DerDennisOP in #153
• backend: cache: batch sign sweep + reuse decrypted cache keys (#105) by @DerDennisOP in #154
• backend: cache: protect FOD NARs from TTL eviction (#107) by @DerDennisOP in #155
• backend: proto: cap /proto WS message size + add handshake timeout (#110) by @DerDennisOP in #156
• backend: worker: retry reconnect indefinitely with backoff (#99) by @DerDennisOP in #157
• backend: core: introduce WebDb / WorkerDb newtypes for the two pools (#68) by @DerDennisOP in #158
• backend: collapse Created build status to Queued for API responses by @DerDennisOP in #159
• backend: shared helpers for the duplications measured in #78 by @DerDennisOP in #161
• backend: core: extract provisioning helpers (#57) by @DerDennisOP in #162
• backend: web: route auth middleware errors through WebError (#55) by @DerDennisOP in #163
• backend: web: typed-multipart for direct-build endpoint (#59) by @DerDennisOP in #164
• backend: decompose Cli god object into typed Args + RuntimeConfig (#65) by @DerDennisOP in #165
• backend: shared reqwest client across server / worker / CLI (#79) by @DerDennisOP in #166
• backend: web: unified permission-based access layer (#75) by @DerDennisOP in #167
• backend: graceful shutdown for background tasks (#72) by @DerDennisOP in #168
• backend: core: dedupe transitive-dependents graph walks (#108) by @DerDennisOP in #169
• backend: core: implement GitLab outbound CI reporter (#90) by @DerDennisOP in #170
• backend: switch harmonia deps back to nix-community upstream by @DerDennisOP in #171
• nix: add caddy as a second reverse proxy by @krauterbaquette in #174
• backend: migrate UUID generation from v4 to v7 by @DerDennisOP in #176
• backend: dedupe concurrent same-derivation builds via via link by @DerDennisOP in #177
• backend: collapse WebError to status-mapped variants with stable error_code by @DerDennisOP in #178
• Feat/typed entity ids by @DerDennisOP in #179
• gradient: remove swap_user_for_org_id_is_a_compile_error test by @DerDennisOP in #181
• Auth hardening: sessions, API key lifecycle, JWT cache, audit log by @DerDennisOP in #182
• issue #98: surface evaluation waiting_reason in API + UI by @DerDennisOP in #184
• Project Triggers: configurable evaluation triggers (#116) by @DerDennisOP in #187
• Project concurrency: per-project setting (was per-trigger) by @DerDennisOP in #189
• feat(project): add sign_cache option (closes #125) by @DerDennisOP in #190
• Fire CI pending status when evaluation is queued (#117) by @DerDennisOP in #191
• refactor: derive num_enum primitives on db-backed enums (#80) by @DerDennisOP in #192
• fix(web): enforce authorization on GET /commits/{commit} (#88) by @DerDennisOP in #193
• core: route bootstrap diagnostics through tracing (#82) by @DerDennisOP in #194
• web: extend audit log + migrate tracing to structured fields (#83, #84) by @DerDennisOP in #195
• worker: route eval-worker diagnostics through tracing (#87) by @DerDennisOP in #196
• proto: enforce max_proto_connections on /proto upgrades (#89) by @DerDennisOP in #197
• backend: convert remaining printf-style tracing calls to structured fields by @DerDennisOP in #198
• rename project.evaluation_wildcard to project.wildcard (#73) by @DerDennisOP in #199
• fix(web): wrap multi-step DB writes in transactions (#64) by @DerDennisOP in #200
• Quality: request-id correlation (#86) and FK-chasing log noise (#85) by @DerDennisOP in #201
• RBAC: custom roles per org with bitmask permission system (fixes #103, #81) by @DerDennisOP in #202
• fix: emit trigger on /evals/{eval} so auto-fired runs aren't labelled 'Manual' by @DerDennisOP in #204
• fix: 'Restart failed builds' on all-cached eval no longer hangs in Building by @DerDennisOP in #203
• fix(scheduler): waiting state for stuck pre-build evals (#97) by @DerDennisOP in #206
• fix(http): branded "Gradient" user-agent on outbound requests (#205) by @DerDennisOP in #207
• fix(scheduler): raise wait-time cap so anti-starvation can outscore cached-fresh (#112) by @DerDennisOP in #208
• fix(frontend): truncate long build names in evaluation sidebar (#121) by @DerDennisOP in #209
• fix(worker): graceful eval-pool shutdown on SIGTERM/SIGINT (fix #95) by @DerDennisOP in #210
• feat: prometheus /metrics endpoint with bearer-token auth (#35) by @DerDennisOP in #211
• fix(worker): raise nix-daemon pool acquire timeout and default size by @DerDennisOP in #213
• fix: entry-point metrics for substituted builds + external_cached build fallback by @derd...

v1.1.1

What's Changed

• Unauthenticated worker on /proto → arbitrary NAR write / cache poisoning by @DerDennisOP in #36

Full Changelog: v1.1.0...v1.1.1

v1.1.0

What's Changed

• Migration from SSH Builders to Workers
• Gitea, Forgejo, Gitlab, GitHub Integration
• S3 Cache support
• Integration of Gradient Proto
• Entry Points shown on project page
• Metrics for Entry Points, Evaluations and Caches
• Instance Management / Superuser Role
• Artefacts Download
• Graph Menu
• Documentation improvements

New Contributors

• @go3ranh made their first contribution in #30

Full Changelog: v1.0.0...v1.1.0

v1.0.0

New Features

• Fully new Gradient Frontend
• Substituters can now be configured
• Public Organizations and Caches
• Cache metrics are collected and displayed in frontend
• Refactored Scheduler and Evaluator
• Removed Git binary dependency
• Documentation

Bug Fixes

• Garbage Collection now cleans up nars from deleted caches
• Quoting in project wildcard is now supported

v0.4.0-alpha

This release did not gain new Features. We've made many bug fixes and frontend has been refined to a usable state.

v0.3.0-alpha

New Features

• Remote Builds: support for building nix derivations without having nix installed locally.
• Frontend: improved frontend by a ton.
• Testing: added integration tests, which are fully working now and unit tests.

v0.2.0-alpha

New Features

• Cache: integrated nix store cache.
• User Permissions: There are now more permission groups.
• CLI: The CLI now has way better interfaces

Bug Fixes

• fix: many minor frontend bugs (unfortunately still not usable)
• fix: builds now wont be scheduled when no server is configured
• fix: aborted jobs got skipped on new evaluations

Gradient v0.1.0-alpha

Features

• Organizations: multiple organizations, which work independently from each other (e.g. different servers, user access).
• API: provides a RESTful API with API-Key management for authentication.
• Streaming Logs: real-time log streaming for builds.
• OAuth2: support for OAuth2 for user authentication.