Skip to content
Plugwerk

Plugwerk 1.0.0

Released: 2026-05-13 · GitHub release · Docker image

1.0.0 is the first stable release — every feature shipped through the alpha and beta line is now under a stable API contract. Beyond promotion, the release adds a real S3 storage backend, a scheduler admin dashboard, operator-uploadable branding, and a couple of small but real breaking changes downstream consumers should plan for.

Highlights

Section titled “Highlights”
  • S3-compatible object storage backend — artifacts can now live in S3 (or any S3-compatible target: MinIO, Wasabi, Cloudflare R2, …) instead of the local filesystem. Existing filesystem deployments are unaffected; S3 is opt-in via configuration.
  • Admin scheduler dashboard — every internal scheduled job (orphan reaper, consistency check, …) is now visible in the admin UI with enable/disable toggles, dry-run, and run-now buttons. Operations no longer requires shell access for routine scheduler work.
  • Scheduled orphan-artifact reaper — periodic cleanup of artifact files in storage that no longer have a matching plugin_release row. Coordinated via ShedLock so it runs exactly once across multi-instance deployments.
  • Storage / DB consistency check — admin-triggered scan that reports artifact files missing a DB row and DB rows missing an artifact file. Read-only — surfaces the diff, does not act on it.
  • Operator-uploadable branding — top-bar logo, login-page logo, and favicon can be replaced from the admin UI without rebuilding the image.
  • Effective-config admin view — read-only display of the running plugwerk.* configuration (with secrets redacted). Useful for verifying what an environment actually loaded vs. what an operator thinks they set.
  • general.site_name wired through the UI — the configurable site name now drives the browser tab title, the login-page heading, and the email-template branding instead of being a settings-only value.
  • Security: undecryptable client-secret detection at startup — if PLUGWERK_AUTH_ENCRYPTION_KEY cannot decrypt the stored OIDC client secrets (typically because the key was rotated without a re-encrypt step), the server now fails fast at startup with a clear error instead of failing silently on the next OIDC login.

Breaking changes

Section titled “Breaking changes”
  • Client SDK — PlugwerkUpdateChecker.checkForUpdates(...) now takes a typed InstalledPluginRef parameter instead of Map<String, String>. Hosts that wrote checkForUpdates(Map.of("plugin-id", "1.0.0")) will not compile against the 1.0.0 SDK. Migration is mechanical — wrap each entry in an InstalledPluginRef. The dedicated SDK reference doc update is tracked separately.

Upgrade notes

Section titled “Upgrade notes”

  1. Pull the new image:

    Terminal window
    docker pull plugwerk/plugwerk-server:1.0.0

    :latest now points at this stable release as well.

  2. Verify your PLUGWERK_AUTH_ENCRYPTION_KEY is correct before restarting. The server now refuses to start if it cannot decrypt at least one stored OIDC client secret with the configured key — this is intentional fast-fail. If you rotated the key without re-encrypting, restore the previous key value, restart, and rotate properly via the admin UI before retrying the upgrade.

  3. No action required for filesystem storage installations. S3 is purely additive and opt-in; the existing plugwerk.storage.* filesystem configuration continues to work unchanged.

  4. SDK consumers (PlugwerkUpdateChecker): scan host code for checkForUpdates(...) call sites and migrate Map<String, String> arguments to the new typed InstalledPluginRef form before bumping the SDK dependency to 1.0.0.

  5. Verify the upgrade:

    • curl http://<your-host>/actuator/health returns {"status":"UP"}.
    • Admin → Scheduler lists the internal jobs with their last-run / next-run timestamps.
    • Admin → Effective Configuration shows the loaded plugwerk.* values (with secrets redacted).
    • Existing logins continue to work; existing OIDC providers continue to authenticate.

Other notable changes

Section titled “Other notable changes”
  • CI: .env.example is dispatched to this site on every release — operators always see env-var defaults that match the latest server version.
  • Renovate dependency updates consolidated and pinned through the cycle.
  • Various dependency bumps (Gradle 9.5.1, AWS SDK v2.44.4, slf4j 2.0.18, Swagger annotations 2.2.50).

Full changelog

Section titled “Full changelog”

See the GitHub release notes for the complete commit-level changelog and individual PR links.