Releases: charmbracelet/soft-serve
v0.8.2
Prevent path traversal attacks
This is a security release to patch an issue where a malicious user could take over other users' repositories. Please upgrade your Soft Serve instances to prevent these attacks from happening.
Changelog
Bug fixes
- 22d00e9: fix(ssh): cmd: remove unnecessary call to utils.SanitizeRepo (@aymanbagabas)
- a8d1bf3: fix: prevent path traversal attacks (#631) (@aymanbagabas)
- 9cd64aa: fix: using lipgloss tables instead of tablewriter (#618) (@caarlos0)
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
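As an added example (not part of the release notes or of the Soft Serve project), the shell function below covers a gap in the last step: sha256sum --ignore-missing skips listed files that are absent from disk, but it never reports a downloaded file that has no entry in checksums.txt. The helper name verify_artifact is hypothetical; it assumes checksums.txt has already passed the cosign check and that artifact names contain no spaces.

```shell
#!/bin/sh
# Added example, not project code. verify_artifact is a hypothetical helper.
#
# Usage: verify_artifact <checksums.txt> <artifact>
# Return codes:
#   0  artifact has exactly one entry in checksums.txt and the SHA-256 matches
#   1  artifact is listed but its hash does not match
#   2  artifact is not listed, or is listed more than once (ambiguous)
#   3  checksums file or artifact cannot be read
verify_artifact() {
    sums=$1
    artifact=$2
    [ -r "$sums" ] && [ -f "$artifact" ] || return 3

    # checksums.txt is keyed by bare file name, not by download path.
    name=$(basename -- "$artifact")

    # Entries look like "<hex>  <name>" (text mode) or "<hex> *<name>"
    # (binary mode). Require exactly one entry for this name so that a
    # missing or duplicated entry fails closed instead of being skipped.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); c++ }
        END { exit (c == 1 ? 0 : 1) }' "$sums") || return 2

    # Hash the file we actually hold and compare against the signed value.
    actual=$(sha256sum -- "$artifact" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 1
    return 0
}
```

Call it once per downloaded file, for example verify_artifact ./checksums.txt ./<artifact>, and treat any non-zero status as a failed verification.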
Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.
v0.8.1
Patch x/crypto/ssh
This is a small patch release to fix an x/crypto/ssh vulnerability: https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ
Changelog
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.1/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.1/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.1/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.8.0
Soft Serve 0.8.0 puts you in control
This release contains new features and important bug fixes to different Soft Serve components. You can now disable services that you don't need, as well as use a custom config path different from the data directory.
Toggle Server Components
Soft Serve runs 4 different services that listen to various ports to serve Git repositories and metadata over the network. It has an SSH server, HTTP server, Git TCP server, and a Prometheus stats server. They all start when you run soft serve! Now, you can disable unwanted components in your config file or via environment variables.
git:
  # Disable Git daemon TCP server
  enabled: false
stats:
  # Disable Prometheus stats server
  enabled: false
Custom Config Path
Soft Serve defaults to reading your config.yaml from $SOFT_SERVE_DATA/config.yaml. Now, you can have a custom path for the config file using $SOFT_SERVE_CONFIG_LOCATION.
export SOFT_SERVE_CONFIG_LOCATION=$HOME/.soft-serve.yaml
soft serve
Changelog
New Features
- c354d5f: feat: optionally pull config from a custom file (envvar), default to data path. (#557) (@fire833)
- 069db27: feat: support toggling servers on/off in configuration (#594) (#612) (@jaw)
- 0540b4d: feat: test framework supports turning off -race flag (#605) (@jaw)
- 446ec63: feat: update go.mod to use go 1.22 and toolchain go1.23.2 (@aymanbagabas)
Bug fixes
- c78da07: fix(config): add SOFT_SERVE_CONFIG_LOCATION to Environ (@aymanbagabas)
- 00be796: fix(config): add default values for the enabled fields (@aymanbagabas)
- 7c45a99: fix(daemon): close listener only once (#615) (@aymanbagabas)
- 85b4625: fix: add missing arg length check to fix runtime panic (#568) (@christophershirk)
- 3aa71e0: fix: git daemon listens only when starting it (#607) (@jaw)
- 1de446f: fix: prevent enumeration of private repo (#614) (@kyokugirl)
- a2cf786: fix: respect anon-access on ssh (@aymanbagabas)
- 5d5c55e: fix: test framework supports ensuring specific port is open (#606) (@jaw)
- 6658cf1: fix: update position constant in JoinHorizontal (#552) (@aditipatelpro)
Other work
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.0/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.0/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.0/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.7.6
Changelog
Bug fixes
- f23ea48: fix(ssh): pass GIT_PROTOCOL from ssh session down to binary (@aymanbagabas)
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.6/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.6/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.6/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.7.5
Changelog
New Features
- e02c00f: feat(tests): add a testcase for soft man (@aymanbagabas)
- fc81914: feat: add ssh lfs-transfer tests (@aymanbagabas)
- c3915b2: feat: run test coverage against postgres (@aymanbagabas)
- a985ccd: feat: test ssh ui output (@aymanbagabas)
- 40d76a1: feat: update integration tests (#434) (@aymanbagabas)
Bug fixes
- 81ee0ec: fix(git): hang on git i/o error (@aymanbagabas)
- f801b96: fix(meta): use "chore" prefix for dependabot (@aymanbagabas)
- 43f087f: fix(mirror): add user missing from context (@nilium)
- b15f874: fix(mirror): don't need git gc (@aymanbagabas)
- 07076f8: fix(mirror): skip LFS instead of failing to mirror a repo (@nilium)
- 0e77ee9: fix(ssh): allocate pty and use the latest tea middleware (@aymanbagabas)
- 621d920: fix(ssh): check of empty pk and tidy context mw (@aymanbagabas)
- d54c6de: fix(ssh): emulate pty on windows (@aymanbagabas)
- 6c917ac: fix(test): path separator on windows (@aymanbagabas)
- 8c9777d: fix(test): tidy testscript and skip ssh-lfs test (@aymanbagabas)
- 6e9db8e: fix(web): superfluous write (@aymanbagabas)
- 8c181bc: fix(web): write http prefix before references (@aymanbagabas)
- abd5580: fix(webhook): we don't care about the default branch if it's missing (@aymanbagabas)
- b06b555: fix: disable soft-browse test (@aymanbagabas)
- 143918b: fix: executable path in hooks (#459) (@wahjava)
- 047b6a7: fix: invalid error on empty repo collabs (#466) (@aymanbagabas)
- 0191234: fix: lint (@aymanbagabas)
- 194455d: fix: lint issues (@aymanbagabas)
- d119d53: fix: only use glamour for mk files (#467) (@aymanbagabas)
- aa15af5: fix: tidy notify os interrupt signals (@aymanbagabas)
- 7b97817: fix: unquote git quoted filenames (@aymanbagabas)
- 920e4a7: fix: use lipgloss renderers (@aymanbagabas)
- bb59bee: fix: use the latest git-lfs-transfer and update implementation (@aymanbagabas)
Dependency updates
- cd964a6: feat(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (@dependabot[bot])
- 45ce909: feat(deps): bump github.com/golang-jwt/jwt/v5 from 5.1.0 to 5.2.0 (#437) (@dependabot[bot])
- e064c39: feat(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (@dependabot[bot])
- dbe42e3: feat(deps): bump github.com/prometheus/client_golang (@dependabot[bot])
- 3e75d86: feat(deps): bump github.com/rogpeppe/go-internal (@dependabot[bot])
- 538de6a: feat(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (@dependabot[bot])
- 3d02df4: feat(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0 (@dependabot[bot])
- d1d7d7f: feat(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 (@dependabot[bot])
- afeae6c: feat(deps): bump modernc.org/sqlite from 1.27.0 to 1.28.0 (@dependabot[bot])
Documentation updates
- 87d61a3: docs(README): add Windows install instruction for Winget (#304) (@kbdharun)
- 83495e2: docs: add CLI instructions for mirrors to README (#543) (@rubenhoenle)
- 876db8d: docs: correct spelling of read-only (@mkirl)
- 11c0bc5: docs: update readme root.go to main.go (#478) (@pratikkuikel)
Other work
- bba9b26: Correct make repo private command in README.md (#515) (@troylusty)
- 15d661f: Create CODEOWNERS (@maaslalani)
- 6ddae64: Simplify installation with brew (#534) (@skatkov)
- b5f5721: build: fix golanci-lint configs (@caarlos0)
- b4da757: ci: sign & notarize macos binaries (#537) (@caarlos0)
- ca7c2bb: docs(docker README): Update docker file with SOFT_SERVE_INITIAL_ADMIN_KEYS env variable for both docker and compose examples (@CRBroughton)
- 4daebdd: sec: do not append session envs to git run (#544) (@caarlos0)
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.5/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.5/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.5/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.7.4
Changelog
Bug fixes
- 178b9d5: fix(daemon): tests after upgrading go-git (@aymanbagabas)
- fc2c62f: fix(daemon): timeout test (@aymanbagabas)
- fa23c9c: fix(ui): dry glamour chroma renderer (@aymanbagabas)
- e419a93: fix(ui): go back on esc (@aymanbagabas)
- 0a38578: fix(ui): hide clone command while browse only (@aymanbagabas)
- 812d840: fix(ui): render about page using glamour (@aymanbagabas)
Dependency updates
- 4ccd373: feat(deps): bump github.com/charmbracelet/log from 0.3.0 to 0.3.1 (#431) (@dependabot[bot])
- 0ec24e3: feat(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to 5.10.1 (#429) (@dependabot[bot])
- 8e5966a: feat(deps): bump golang.org/x/crypto from 0.15.0 to 0.16.0 (#430) (@dependabot[bot])
Other work
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.4/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.4/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.4/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.7.3
Changelog
Bug fixes
- 63786d0: fix(web): superfluous write (@aymanbagabas)
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.3/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.3/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.3/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.7.2
Changelog
Bug fixes
- e0148ca: fix(http): times out on large repositories (#428) (@aymanbagabas)
- 6dc3c59: fix: lint issues (@aymanbagabas)
Dependency updates
- 49f34dd: feat(deps): bump github.com/charmbracelet/log from 0.2.5 to 0.3.0 (#424) (@dependabot[bot])
- e6713ba: feat(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 (#423) (@dependabot[bot])
- ccb46a4: feat(deps): bump github.com/golang-jwt/jwt/v5 from 5.0.0 to 5.1.0 (#422) (@dependabot[bot])
- 40423e8: feat(deps): bump github.com/gorilla/handlers from 1.5.1 to 1.5.2 (#419) (@dependabot[bot])
- fabeb84: feat(deps): bump github.com/gorilla/mux from 1.8.0 to 1.8.1 (#417) (@dependabot[bot])
- b5fa038: feat(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#418) (@dependabot[bot])
- 71d2cd0: feat(deps): bump golang.org/x/crypto from 0.14.0 to 0.15.0 (#425) (@dependabot[bot])
- d5e81ad: feat(deps): bump golang.org/x/sync from 0.4.0 to 0.5.0 (#420) (@dependabot[bot])
- 1383d18: feat(deps): bump modernc.org/sqlite from 1.26.0 to 1.27.0 (#416) (@dependabot[bot])
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.2/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.2/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.2/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.7.1
Local browsing, webhooks, stash, and blame views! You can now browse local repositories by running soft in any repo to see commits, files, diffs, stash, and blame.
Soft Serve now supports repository webhooks so you can get notifications about repository changes. See repository webhooks for more information.
Changelog
New Features
- 8f182ec: feat(ci): add codecov config (@aymanbagabas)
- 56a17a3: feat(ui): show committer in blame (@aymanbagabas)
- 02e1617: feat: browse local repositories (#369) (@aymanbagabas)
- e2e79fe: feat: job config (#402) (@jolheiser)
- 29de922: feat: update to latest env (#412) (@caarlos0)
Bug fixes
- f76ae7a: fix(config): add jobs default config (@aymanbagabas)
- 03ba1ab: fix(gomod): use git-module fork (@aymanbagabas)
- 35582d2: fix: remove unwanted gitattributes (@aymanbagabas)
- f915f4d: refactor,fix: add rename lfs objects migration (#409) (@aymanbagabas)
Dependency updates
- da50842: feat(deps): bump github.com/charmbracelet/keygen from 0.4.3 to 0.5.0 (#398) (@dependabot[bot])
- 9503c88: feat(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.1 (#401) (@dependabot[bot])
- d1ab2b5: feat(deps): bump github.com/charmbracelet/log from 0.2.4 to 0.2.5 (#394) (@dependabot[bot])
- a735362: feat(deps): bump github.com/charmbracelet/wish from 1.1.1 to 1.2.0 (#407) (@dependabot[bot])
- e319131: feat(deps): bump github.com/go-git/go-git/v5 from 5.9.0 to 5.10.0 (#404) (@dependabot[bot])
- 5852219: feat(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#405) (@dependabot[bot])
- 7ec3a38: feat(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0 (#406) (@dependabot[bot])
- 6662e1a: feat(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#400) (@dependabot[bot])
- 5df79ee: feat(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0 (#395) (@dependabot[bot])
Other work
- 0846323: Repository webhooks (#375) (@aymanbagabas)
- 139be67: doc: update readme (#413) (@aymanbagabas)
- 0f41cab: refactor: rename pkgs (#408) (@aymanbagabas)
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.1/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.1/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.7.1/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!
v0.6.2
Changelog
Bug fixes
- 407c4ec: fix(ssh): add authentication middleware (@aymanbagabas)
Dependency updates
- d6b6f7c: feat(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#392) (@dependabot[bot])
- 53832a9: feat(deps): bump github.com/prometheus/client_golang (@dependabot[bot])
- 6f0a418: feat(deps): bump modernc.org/sqlite from 1.25.0 to 1.26.0 (#391) (@dependabot[bot])
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.6.2/checksums.txt'
Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.6.2/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.6.2/checksums.txt.sig' \
./checksums.txt
If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txt
Done! Your artifacts are now verified!