Spinnaker Release 2026.0.0

Breaking Changes

Images

The Spinnaker project is moving its Docker images from Google’s Artifact Registry to GHCR going forward. This should save the project significantly on network and storage costs, while also allowing unlimited downloads. As such, we’ve started publishing all images to the GitHub packages pages. 2026.0.0 should be the last release consuming images from Google Artifact Registry. Going forward, Halyard and other images will start pulling from GHCR instead (PRs for this change are incoming shortly). Please update any allowlists, rules, and mirrors to start using GHCR as a package repository. For more information, please join Slack and we’ll answer any questions!

Security fixes

We have HIGH level vulnerabilities in Spinnaker tied to the handling of user input validation on URL calls. Specifically, see the advisories page (https://github.com/spinnaker/spinnaker/security/advisories/) for more information. Please upgrade to a supported release as soon as possible.

Features

GHA support for fiat group integration

Thanks to https://github.com/spinnaker/spinnaker/pull/7337, you can now use GitHub Apps to authenticate and sync group information for fiat. This is expected to unblock later use of the same logic in other areas, but at this point in time it ONLY works for FIAT group information. For more information on configuration, please see the documentation.

Clouddriver

https://github.com/spinnaker/spinnaker/pull/7356 adds a way to configure artifact support in clouddriver at build time to reduce image size and dependencies. Previously, support for all artifact types was included in clouddriver, with config flags to enable individual types (e.g. artifacts.bitbucket.enabled, artifacts.gcs.enabled, artifacts.github.enabled, etc.). This PR introduces a new gradle property, artifactTypes, that defaults to including all artifact types at build time. There’s no change for the clouddriver artifacts that the Spinnaker project publishes, but the flexibility is there for those who build clouddriver on their own.

artifactTypes=bitbucket,custom,docker,embedded,front50,gcs,github,gitlab,gitrepo,helm,http,ivy,jenkins,kubernetes,maven,oracle,s3

Change the value of artifactTypes to include only a subset. Note that the kubernetes cloud provider uses kubernetes artifacts, so if the kubernetes cloud provider is enabled, kubernetes artifacts are included even if kubernetes isn’t present in artifactTypes. The same applies to the cloudfoundry cloud provider and maven artifacts.

  • clouddriver-artifacts: configurable artifact support (#7356) ( 1a024e44 )

Ability to cancel a zombie via an API call

You can now kill a zombie execution without needing to port forward orca. There’s a new admin controller that supports this for “Admins”.

  • admin: Admin controller for killing pipelines & is admin API check (#7313) ( f616e69e )

Externalized storage

There’s a new feature to externalize more of the pipeline context to an external storage system. Please see the PR for documentation and more information. Note this requires S3.

  • kork-artifacts: Adds entity storage feature (#7072) ( 7aa599e0 )

Status codes on preconfigured webhooks

A small new feature that allows adding wait-before-monitor and retry-status-code fields on preconfigured webhooks.

  • webhooks: allow waitBeforeMonitor and retryStatusCodes fields in preconfigured webhooks (#7387) ( 8243f239 )

Fixes

  • fiat-github: Add integration tests and fix token refresh for GitHub App auth (#7353) ( f9794beb )
  • OAuth2: Remove quotes as it is causing URI issues while redirecting. (#7380) (#7383) ( 826e6adf )
  • OAuth2: Remove quotes as it is causing URI issues while redirecting. (#7380) ( 232089d8 )
  • build: actually publish compiled deck-kayenta code (#7389) (#7417) ( 43c99069 )
  • build: actually publish compiled deck-kayenta code (#7389) ( 3f325c90 )
  • build: produce production build of Deck (#7384) ( 62db9e22 )
  • builds: Fix spinnaker.io publishing when using a GitHub App for token (#7498) (#7499) ( 0b696139 )
  • builds: Fix testcontainer due to docker client upgrade issue (#7471) (#7476) ( f9be1e8a )
  • cats-sql: make SqlUnknownAgentCleanupAgent sharding-aware (#7431) ( cdad1f67 )
  • clouddriver-artifacts: fix multiple okhttpclients issue (#7363) ( d70a1803 )
  • clouddriver: update kubectl download URL (#7470) (#7472) ( b39db13d )
  • deck: Attempt two of fixing deck publishing (#7406) ( 4a1dafc4 )
  • deck: Attempt two of fixing deck publishing (backport #7406) (#7410) ( 27f0bf35 )
  • deck: Fix build all for deck/deck-kayenta (#7467) (#7468) ( cb5fe264 )
  • deck: Preserve execution selection when editing form fields (#7439) ( 17dde4b0 )
  • deck: fix artifact not bound error on deck (#7371) ( 6b3ab9d9 )
  • echo: actually increment trigger.errors.accessdenied counter (#7388) ( 6c91f2fb )
  • fiat: make prefix permissions case-insensitive (#7361) ( cccc1fcd )
  • gcp: Fiat batch queries on rate limit would randomly fail (#7385) ( 2c60d34f )
  • gcp: Fix missing pagination token on accelerator lookups (#7420) (#7434) ( fc30c3dc )
  • gcp: Fix missing pagination token on accelerator lookups (#7420) ( 343c3905 )
  • kayentadeck: Fix publishing to NOT tag by latest. This prevents us from hitting an issue where backports fail to publish due to being older versions (#7456) ( 5b3d513e )
  • ldap: publish firstName and lastName for users authenticated via LDAP (#7438) ( 6a6c4066 )
  • npm: Fix npm publishing (#7398) (#7408) ( efa2f298 )
  • npm: Fix npm publishing (#7398) ( 212cedb7 )
  • oauth2: re-implement ExternalAuthTokenFilter to fix spin-cli login (#7392) ( 64ae6f74 )
  • orca-core: fix evaluateVariables stage when evaluation has already failed prior (#7372) ( d897320a )
  • orca/web: properly deserialize webhook status code (#7367) (#7368) ( 6bb03290 )
  • orca/web: properly deserialize webhook status code (#7367) ( f85f74de )
  • orca: Include pipeline config context in template variable validation errors (#7354) ( fe8f20d7 )
  • publishing: Fix deck kayenta had duplicate package block (#7444) (#7445) ( aa57ea00 )
  • publishing: Fix deck kayenta had duplicate package block (#7444) ( 7c7ba0a5 )
  • publishing: Fix image publishing for deck due to NPM trusted publishing change (#7422) (#7423) ( f3b93fbc )
  • publishing: Fix image publishing for deck due to NPM trusted publishing change (#7422) ( f8505b75 )
  • publishing: Tags cant be semver so prefix with release (#7460) ( b134dd11 )
  • queue: pass true for restoreOriginalContext in StageExecution.withAuth (#7357) ( 01d4e9ce )
  • release: Fix release publishing notes to spinnaker.io (#7486) (#7491) ( aa0ea524 )
  • release: Fix string handling on release notes for summary step (#7466) ( 946f0a3f )
  • rosco/helmfile: fix command line arguments list when multiple values files are provided (#7351) ( 5eb1aa0a )
  • saml: Restore allowedAccounts (#7453) ( d430487c )
  • spin-cli: update spin-cli to handle new oauth2 endpoint (#7391) ( 4790896f )
  • spotless: Update to 1.17 of spotless (#7479) (#7482) ( 6e1a6497 )
  • validation: Fixes some url validation handling on underscores (#7428) ( 7c473790 )
  • validation: Fixes some url validation handling on underscores (backport #7428) (#7440) ( 31d40976 )

Other

  • build: Add id permissions to release for deck NPM publishing (#7448) ( ad49e819 )
  • build: migrate to trusted npm publishing (#7379) (#7414) ( 6ea43243 )
  • build: migrate to trusted npm publishing (#7379) ( c0a18c31 )
  • build: remove unused properties (#7375) ( cebafa66 )
  • build: update Deck to Node 24 (#7443) ( ad5cf396 )
  • change: Add GitHub App Authentication Support for Team Membership (#7337) ( 9dd90943 )
  • change: Call Deck/Deck Kayenta workflows via API to work around NPM Trusted Publishing validation (#7455) ( a4550cd1 )
  • change: refactor: Upgrade HttpClient from Apache HttpClient 4.x to 5.x across modules (#7345) ( 091e9248 )
  • clouddriver: log unhandled exceptions with a stack trace during HTTP URL Restrictions check (#7360) ( 3ac0e6c9 )
  • deps: bump actions/cache from 4 to 5 (#7378) ( bbbfd9fa )
  • deps: bump diff from 4.0.2 to 4.0.4 in /deck (#7396) ( be17384c )
  • deps: bump jws from 3.2.2 to 3.2.3 in /deck (#7364) ( ca63e293 )
  • deps: bump jws in /.github/actions/spinnaker-release (#7355) ( b46c1bdd )
  • deps: bump lodash from 4.17.21 to 4.17.23 in /deck-kayenta (#7407) ( 769b6e22 )
  • deps: bump lodash from 4.17.21 to 4.17.23 in /deck/packages/azure (#7426) ( bfc1e330 )
  • deps: bump lodash from 4.17.21 to 4.17.23 in /deck/packages/core (#7427) ( 2f8196f1 )
  • deps: bump lodash from 4.17.21 to 4.17.23 in /deck/packages/dcos (#7403) ( 317c7bcc )
  • deps: bump lodash from 4.17.21 to 4.17.23 in /deck/packages/mocks (#7429) ( 040f8341 )
  • deps: bump lodash from 4.17.21 to 4.17.23 in /deck/packages/titus (#7430) ( 0295d1ce )
  • deps: bump lodash in /deck/packages/appengine (#7401) ( 45708712 )
  • deps: bump lodash in /deck/test/functional (#7402) ( 1ba6dd3b )
  • gradle: allocate 10g of heap space (#7376) ( 2b181b19 )
  • orca/web: reproduce anonymous pipeline trigger user (#7369) (#7374) ( 57f98fe3 )
  • orca/web: reproduce anonymous pipeline trigger user (#7369) ( 52d0968b )
  • release: move from personal app to GHA to do updates on release notes or other purposes (#7465) ( 153155be )
  • upgrades: Upgrade the CLI utilities used by rosco for baking (#7299) ( eb3edf6c )