Release 2026-01-13 - (expected chart version 5.25.0) #4949
Merged
Master->Develop after release
Clarify test helpers' meanings: Explain a bit better what the test helpers in MultiIngressSSO are about.
* Always provide RabbitMQ settings in Brig's Helm chart Since 5866bab RabbitMQ settings are mandatory for Brig. Before this commit they were only required if federation was enabled. * Provide RabbitMQ credentials in tests as well As RabbitMQ should be around anyways, it cannot hurt to be prepared to use it in integration tests. * Add changelog
* Add utility to get group info * Check existing group before throwing mismatch error * Fix equality in group info check * Test previously broken group * Refactor existing mismatch logic * Add CHANGELOG entry * Lint
- Renamed FederatorAccess to FederationAPIAccess and moved it to wire-subsystems - Moved ProposalStore from Galley.Effects.ProposalStore to Wire.ProposalStore - Introduced ConversationSubsystemConfig to consolidate configuration dependencies previously accessed via Input Opts and Input Env
Domains are only added to `WireIdP` when the Z-Host is configured as multi-ingress domain. There can only be one IdP per domain - Adding more is forbidden and results in error responses. (Other processes need an unambiguous mapping from Domain to IdP.)
: Add "get app" endpoint (#4879) * Add app fields: category, description, creator * Add get app endpoint (stub; useful for integration tests) * Extend app API test * Add changelog Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Wire.Postgres: Introduce runSesssion This will allow running multiple statements in the same session * ConversationStore.Postgres: Remove use of `OR` and expensive sorting when getting members Using `OR` makes the index usage less efficient. The ordering is also very expensive for postgresql.
* Add: failing integration test. * Fix: don't drop saml changes in scim user update/patch on the floor. * Fix: integration tests * Drive-by fixes & tweaks. * Haddocks. * Make postgres schema dumping deterministic. * Simplify email selection semantics in newVeidFromBrigUser. It's slightly less insane now, but it does change behavior in some (untested) corner cases.
…n to PostgreSQL (#4904)
* Add missing path to helm * Improve captured HTTP path name
…s, not wire-managed groups (#4906)
* Add mls-users skeleton * Find active users * Remove unneeded galley cassandra use * Fix user query * Add CHANGELOG entry * Regenerate haskell packages * Fix warnings * Ormolu * Fix year * Fix logic in getUserResult * Rename included to matches
This is more semantically correct and allows us to guarantee that there will always be a URI returned with the code.
Co-authored-by: Akshay Mankar <itsakshaymankar@gmail.com> Co-authored-by: Sven Tennie <sven.tennie@wire.com> Co-authored-by: Gautier DI FOLCO <gautier.difolco@wire.com>
Allowing any newer version of protoc led to issues running the Haskell Language Server (HLS). This override in `cabal.project` has now been removed. A newer version than the one available via Nix shouldn't be required.
Co-authored-by: Akshay Mankar <akshay@wire.com>
…build-tool-depends when using cabal.project to compile (#4932) * nix/overlay.nix: Delete dead code * HLS: Disable hlint haskell/haskell-language-server#4674 * cabal: Allow hiding build-tool-depends when compiling in nix dev env NixOS/nixpkgs#130556 (comment) * nix: Use cabal-install 3.12 HLS doesn't like it when cabal-install is 3.16 but all the custom setups use lib:Cabal <= 3.14. Since GHC 9.10 comes with lib:Cabal 3.12, things don't work so well.
The IdP entity is (de-) serialized in requests and thus should have golden tests to ensure the format doesn't change.
… namespaces older than 2 hours (#4937)
…4933) * Initialize flake * Remove niv stuff * flake: Add nixpkgs 24.11 for cabal 3.12 * flake: Keep the same rev for nixpkgs, so other problems can be tackled later * Use the flake in all scripts * ciImage: Enable flakes * nix: Expose explicit derivation that allows building all images at once * nix: Use flake inputs to pin haskell dependencies * flake.nix: Use branch names instead of revs for haskell pins Also use published versions of warp and http2, they already contain the changes that were pinned * hack: Remove the need to build wireServer.imageList the images.all derivation builds a nice link farm which can be used instead.
…nning (#4945) * nginx-ingress-services: enable RotationPolicy setting for cert key pinning * better var handling
battermann approved these changes Jan 14, 2026
[2026-01-13] (Chart Release 5.25.0)
Release notes
- `galley.settings.featureFlags.cells` in your Helm values, update your override to include the newly required cells config fields (channels/groups/one2one/users/collabora/publicLinks/storage/metadata); if you use the chart defaults, no action is needed. (WPB-22170 backend additional config values in cells feature flag #4903)
API changes
- Create new API version V15 and finalize API version V14 (WPB-22702 Finalize API version v14 #4942)
- The `PUT /teams/:tid/features/cells` endpoint has changed in API version V14 and requires additional config values. (WPB-22170 backend additional config values in cells feature flag #4903)
- Add new fields to apps: category, description, creator (WPB-21294: Add fields to apps: category, description, creator; WPB-21295: Add "get app" endpoint #4879)
- Add "get app" endpoint to Brig (`GET /teams/:tid/apps/:id`) (WPB-21294: Add fields to apps: category, description, creator; WPB-21295: Add "get app" endpoint #4879)
- Add pagination to SCIM groups in Spar /scim/v2/Groups
Features
- Add `meetingsPremium` feature flag to distinguish premium teams from trial teams. Meetings created by premium team members are marked as non-trial. Public endpoints: GET/PUT /teams/:tid/features/meetingsPremium. Internal endpoints: GET/PUT/PATCH /i/teams/:tid/features/meetingsPremium and lock status management.
- Add `meetings` feature flag to control access to the meetings API. When disabled, all meetings endpoints return 403 Forbidden. The feature is enabled and unlocked by default. Public endpoints: GET/PUT /teams/:tid/features/meetings. Internal endpoints: GET/PUT/PATCH /i/teams/:tid/features/meetings and lock status management. (WPB-21964: introduce Wire Meetings feature flags #4915)
- New team feature config `cellsInternal` (WPB-22168 backend new feature flag cells internal #4889, WPB-22168 [fix-up] set the defaults of the cells feature correctly #4907, WPB-22654 Update CellsInternal Feature Flag #4940)
- The `cells` feature flag now contains a set of additional configuration values (WPB-22170 backend additional config values in cells feature flag #4903)
- nginx-ingress-services chart: Add support for cert-manager Certificate privateKey rotation policy configuration. This allows preserving private keys across certificate renewals for client key pinning scenarios.
  Configuration options:
  - `tls.privateKey.rotationPolicy` - for ingress certificates
  - `federator.tls.privateKey.rotationPolicy` - for federator certificate
  Setting rotationPolicy to "Never" preserves the private key, enabling scenarios where clients pin the server's public key rather than the certificate itself. (nginx-ingress-services: enable RotationPolicy setting for cert key pinning #4945)
- Allow configuring page size and parallelism for conversation migration to PostgreSQL. This can be configured like this:
  (Allow configuring page size and parallelism for conversation migration to PostgreSQL #4904)
- Introduce new metrics for better tracking of conversation migration to postgresql:
  - `wire_local_convs_migration_failed`
  - `wire_user_remote_convs_migration_failed`
  If any of these become `1`, it means the migration has failed. The logs would contain the error. In order to restart the migration, the background-worker must be restarted. (ConversationStore.Migration: log and emit metric if a migration fails #4891)
- Commits with a broken group info are now let through if the group was already broken (Skip group info mismatch error for broken groups #4883)
- When a SAML IdP is created on a multi-ingress domain (implying that multi-ingress domains are configured in Spar), the domain is added as the `domain` field to that IdP's `extraInfo` (`WireIdP` type in Haskell). To avoid confusion in later lookups, at most one IdP can be configured per multi-ingress domain. If multi-ingress is not configured or it's not configured for the specific domain, no `domain` field gets added to the IdP. This guards against creating multiple IdPs and then assigning them to multi-ingress domains. Thus, users who don't use multi-ingress don't observe any change. This feature only opens the door to later provide an IdP for a multi-ingress domain. (Add multi-ingress domains to SCIM IdPs #4778)
Bug fixes and other updates
- Fixed notification endpoint returning an empty page with `hasMore=true` ([WPB-21706] empty notification page with has_more = True #4871)
- Fix SCIM groups endpoint to only return SCIM-managed groups, not wire-managed groups (WPB-22101: fix SCIM groups endpoint to only return SCIM-managed groups, not wire-managed groups #4906)
- Fixed: change user idp, external_id or emails via scim (scim user update / patch failed to update parts of `ValidScimId`). ([WPB-22154] fix: move user between SCIM tokens #4887)
- Add `<?xml version="1.0" encoding="UTF-8"?>` to SAML/XML output. ([WPB-22287] fix saml xml headers #4898)
- Make Swagger schema instances for `GET /search/results` and `GET /teams/{tid}/search` distinct (WPB-22297: Fix ToSchema instance for SearchResult #4921)
- Fix swagger docs for `GET` and `POST` on `/conversations/{cnv}/code` to show that the response will always include the `uri` field. (Move code URI from ConversationCode to ConversationCodeInfo #4911)
- Reduce gc_grace_period for all conversation related tables to 1 day. This will help restart the postgresql migration after a day, if it fails mid way. Lowering it too much runs the risk of offline nodes resurrecting deleted data. (Reduce gc_grace_period for all conversation related tables to 1 day #4899)
- Make underlying users for apps findable from `GET /search/contacts` (Find apps from `GET /search/contacts` #4920)
- Reject messages in MLS groups while in epoch 0. (reject MLS messages while in epoch 0 #4811)
- Optimize Postgresql queries for getting conversation members (Optimize Postgresql queries for getting converstaion members #4896)
- Since 5.23.23 (5866bab) RabbitMQ settings are mandatory for Brig in both federated and non-federated setups. Unfortunately, this wasn't reflected in Brig's Helm chart, so non-federated deployments were failing. (Fix: brig always requires rabbitmq #4886)
Internal changes
- Upgrade nixpkgs and dependencies (including GHC from 9.8 to 9.10) (WPB-16262 update nix packages #4909)
- Upgrade ormolu to match GHC 9.10. (WPB-22515: upgrade ormolu #4923)
- Fix postgres migrations on CI test runs (WPB-22577 Postgres migration for backendA fails on CI #4931)
- Add `mls-users` tool to list all active users that don't support MLS. (List active users that don't support MLS #4888)
- Add a golden test for `IdP` (de-) serialization to ensure the format doesn't change due to future developments. (Add IdP golden test #4927)
- Explain MultiIngressSSO test helper functions a bit better. (Explain MultiIngressSSO test helpers #4882)
- Use nix flakes instead of niv and manually pinned git dependencies (Use nix flakes instead of niv and manually pinned git dependencies #4933)
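
The key-pinning note for the nginx-ingress-services chart above (rotationPolicy set to "Never") can be checked with the following added example, which is not part of the release notes or of wire-server: it shows that a public-key pin survives a renewal that keeps the private key and breaks when the key is rotated, while the certificate fingerprint changes either way. The pin format (base64 of the SHA-256 of the DER SubjectPublicKeyInfo), the function and file names, and the self-signed certificates standing in for cert-manager issuances are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: keys and certificates below are constructed test data.

# SPKI pin = base64(SHA-256(DER SubjectPublicKeyInfo)) of a PEM certificate.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary |
    openssl base64
}

# Fingerprint of the whole certificate; it differs for every issuance.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

new_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Self-signed stand-in for one issuance by cert-manager, using the key in $1.
issue_cert() {
  openssl req -x509 -new -key "$1" -out "$2" -days 30 \
    -subj "/CN=pin-demo.example" 2>/dev/null
}

# Succeeds when a client pinned to the key of cert $1 still accepts cert $2.
renewal_keeps_pin() {
  old=$(spki_pin "$1") && new=$(spki_pin "$2") &&
    [ -n "$old" ] && [ "$old" = "$new" ]
}

demo() {
  dir=$(mktemp -d) || return 1
  new_key "$dir/key-a.pem"
  issue_cert "$dir/key-a.pem" "$dir/cert-1.pem"
  issue_cert "$dir/key-a.pem" "$dir/cert-2.pem"  # renewal, key kept ("Never")
  new_key "$dir/key-b.pem"
  issue_cert "$dir/key-b.pem" "$dir/cert-3.pem"  # renewal with a rotated key
  for renewed in cert-2.pem cert-3.pem; do
    if renewal_keeps_pin "$dir/cert-1.pem" "$dir/$renewed"; then
      echo "$renewed: pin still valid ($(spki_pin "$dir/$renewed"))"
    else
      echo "$renewed: pin broken, pinned clients will reject this certificate"
    fi
  done
  rm -rf "$dir"
}

demo
```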