Release 2026-01-13 - (expected chart version 5.25.0)

.envrc

@@ -15,7 +15,7 @@ store_paths=$(echo "$nix_files" ./services/nginz/third_party/nginx-zauth-module/
 layout_dir=$(direnv_layout_dir)
 env_dir=./.env
 
-export NIX_CONFIG='extra-experimental-features = nix-command'
+export NIX_CONFIG='extra-experimental-features = nix-command flakes'
 
 [[ -d "$layout_dir" ]] || mkdir -p "$layout_dir"
 
@@ -27,7 +27,7 @@ if [[ ! -d "$env_dir" || ! -f "$layout_dir/nix-rebuild" || "$store_paths" != $(<
     fi
   fi
   echo "🔧 Building environment"
-  $bcmd build -f nix wireServer.devEnv -Lv --out-link ./.env --fallback
+  $bcmd build '.#wireServer.devEnv' -Lv --out-link ./.env --fallback
   echo "$store_paths" >"$layout_dir/nix-rebuild"
 fi
 

CHANGELOG.md

@@ -1,3 +1,131 @@
+# [2026-01-13] (Chart Release 5.25.0)
+
+## Release notes
+
+
+* Operators: if you override `galley.settings.featureFlags.cells` in your Helm values, update your override to include the newly required cells config fields (channels/groups/one2one/users/collabora/publicLinks/storage/metadata); if you use the chart defaults, no action is needed. (#4903)
+
+
+## API changes
+
+
+* Create new API version V15 and finalize API version V14 (#4942)
+
+* The `PUT /teams/:tid/features/cells` endpoint has changed in API version V14 and requires additional config values. (#4903)
+
+* Add new fields to apps: category, description, creator (#4879)
+
+* Add "get app" endpoint to Brig (`GET /teams/:tid/apps/:id`) (#4879)
+
+* Add [pagination to SCIM groups](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.4) in Spar /scim/v2/Groups
+
+
+## Features
+
+
+* Add `meetingsPremium` feature flag to distinguish premium teams from trial teams. Meetings created by premium team members are marked as non-trial. Public endpoints: GET/PUT /teams/:tid/features/meetingsPremium. Internal endpoints: GET/PUT/PATCH /i/teams/:tid/features/meetingsPremium and lock status management.
+
+  Add `meetings` feature flag to control access to the meetings API. When disabled, all meetings endpoints return 403 Forbidden. The feature is enabled and unlocked by default. Public endpoints: GET/PUT /teams/:tid/features/meetings. Internal endpoints: GET/PUT/PATCH /i/teams/:tid/features/meetings and lock status management. (#4915)
+
+* New team feature config `cellsInternal` (#4889, #4907, #4940)
+
+* The `cells` feature flag now contains a set of additional configuration values (#4903)
+
+* nginx-ingress-services chart: Add support for cert-manager Certificate
+  privateKey rotation policy configuration. This allows preserving private
+  keys across certificate renewals for client key pinning scenarios.
+
+  Configuration options:
+  - `tls.privateKey.rotationPolicy` - for ingress certificates
+  - `federator.tls.privateKey.rotationPolicy` - for federator certificate
+
+  Setting rotationPolicy to "Never" preserves the private key, enabling
+  scenarios where clients pin the server's public key rather than the
+  certificate itself. (#4945)
+
+* Allow configuring page size and parallelism for conversation migration to
+  PostgreSQL. This can be configured like this:
+
+  ```yaml
+  background-worker:
+    config:
+      migrateConversationsOptions:
+        pageSize: 10000
+        parallelism: 2
+  ```
+  (#4904)
+
+* Introduce new metrics for better tracking of conversation migration to postgresql:
+  1. `wire_local_convs_migration_failed`
+  2. `wire_user_remote_convs_migration_failed`
+
+  If any of these become `1`, it means the migration has failed. The logs would
+  contain the error. In order to restart the migration, the background-worker must
+  be restarted. (#4891)
+
+* Commits with a broken group info are now let through if the group was already broken (#4883)
+
+* When a SAML IdP is created on a multi-ingress domain (implying that
+  multi-ingress domains are configured in Spar) the domain is added as `domain`
+  field to that IdP's `extraInfo` (`WireIdP` type in Haskell.) To avoid confusion
+  in later lookups, at most one IdP can be configured per multi-ingress domain.
+  If multi-ingress is not configured or it's not configured for the specific
+  domain, no `domain` field gets added to the IdP. This guards against creating
+  multiple IdPs and then assigning them to multi-ingress domains. Thus, users who
+  don't use multi-ingress don't observe any change. This feature only opens the
+  door to later provide an IdP for a multi-ingress domain. (#4778)
+
+
+## Bug fixes and other updates
+
+
+* Fixed notification endpoint returning an empty page with `hasMore=true` (#4871)
+
+* Fix SCIM groups endpoint to only return SCIM-managed groups, not wire-managed groups (#4906)
+
+* Fixed: change user idp, external_id  or emails via scim (scim user update / patch failed to update parts of `ValidScimId`). (#4887)
+
+* Add `<?xml version="1.0" encoding="UTF-8"?>` to SAML/XML output. (#4898)
+
+* Make Swagger schema instances for `GET /search/results` and `GET /teams/{tid}/search` distinct (#4921)
+
+* Fix swagger docs for `GET` and `POST` on `/conversations/{cnv}/code` to show
+  that the response will always include the `uri` field. (#4911)
+
+* Reduce gc_grace_period for all conversation related tables to 1 day. This will
+  help restart the postgresql migration after a day, if it fails mid way. Lowering
+  it too much runs the risk of offline nodes resurrecting deleted data. (#4899)
+
+* Make underlying users for apps findable from `GET /search/contacts` (#4920)
+
+* Reject messages in MLS groups while in epoch 0. (#4811)
+
+* Optimize Postgresql queries for getting conversation members (#4896, #4896)
+
+* Since 5.23.23 (5866babe26f6b49511320dedb5b58a289ddcdbd4) RabbitMQ settings are
+  mandatory for Brig in both, federated and non-federated setups. Unfortunately,
+  this wasn't reflected in Brig's Helm chart. So, non-federated deployments were
+  failing. (#4886)
+
+
+## Internal changes
+
+
+* Upgrade nixpkgs and dependencies (icluding GHC from 9.8 to 9.10) (#4909)
+
+* Upgrade ormolu to match GHC 9.10. (#4923)
+
+* Fix postgres migrations on CI test runs (#4931)
+
+* Add `mls-users` tool to list all active users that don't support MLS. (#4888)
+
+* Add a golden test for `IdP` (de-) serialization to ensure the format doesn't change due to future developments. (#4927)
+
+* Explain MultiIngressSSO test helper functions a bit better. (#4882)
+
+* Use nix flakes instead of niv and manually pinned git dependencies (#4933)
+
+
 # [2025-11-26] (Chart Release 5.24.0)
 
 ## Release notes

Makefile

@@ -69,8 +69,13 @@ full-clean: clean
 
 .PHONY: clean
 clean:
+ifeq ("$(package)", "all")
 	cabal clean
-	-rm -rf dist
+else
+	-if ( test -e dist || test -e dist-newstyle ); then  find dist* -type d -name '$(package)-*' -exec rm -rf {}; fi
+endif
+  # `/dist` and `.ghc.environment` shouldn't be created or used by anybody any more, we're just making sure here.
+	-rm -rf dist .ghc.environment
 	-rm -f "bill-of-materials.$(HELM_SEMVER).json"
 
 .PHONY: clean-hint
@@ -81,16 +86,15 @@ clean-hint:
 	@echo -e ">>> to never have to remember submodules again, try 'git config --global submodule.recurse true'"
 	@echo -e "\n\n\n"
 
-.PHONY: cabal.project.local
 cabal.project.local:
-	cp ./hack/bin/cabal.project.local.template ./cabal.project.local
+	cp ./hack/cabal.project.local.template ./cabal.project.local
 
 # Usage: make c package=brig test=1
 .PHONY: c
 c: treefmt c-fast
 
 .PHONY: c
-c-fast:
+c-fast: cabal.project.local
 	cabal build $(WIRE_CABAL_BUILD_OPTIONS) $(package) || ( make clean-hint; false )
 ifeq ($(test), 1)
 	./hack/bin/cabal-run-tests.sh $(package) $(testargs)
@@ -298,7 +302,7 @@ treefmt-check:
 
 .PHONY: build-image-%
 build-image-%:
-	nix-build ./nix -A wireServer.imagesNoDocs.$(*) && \
+	nix build '.#wireServer.imagesNoDocs.$(*)' && \
 	./result | docker load | tee /tmp/imageName-$(*) && \
 	imageName=$$(grep quay.io /tmp/imageName-$(*) | awk '{print $$3}') && \
 	echo 'You can run your image locally using' && \
@@ -314,8 +318,11 @@ upload-images:
 upload-images-dev:
 	./hack/bin/upload-images.sh imagesUnoptimizedNoDocs
 
+HOOGLE_IMAGE_DIR := $(shell mktemp -d -t wire-server-hoogle-image.XXXXXX)
+
 upload-hoogle-image:
-	./hack/bin/upload-image.sh wireServer.hoogleImage
+	nix -v --show-trace -L build ".#wireServer.hoogleImage" --out-link $(HOOGLE_IMAGE_DIR)/image --fallback
+	./hack/bin/upload-image.sh $(HOOGLE_IMAGE_DIR)/image
 
 #################################
 ## cassandra / postgres management
@@ -660,7 +667,7 @@ helm-template-%: clean-charts charts-integration
 	./hack/bin/helm-template.sh $(*)
 
 sbom.json:
-	nix -Lv build -f nix wireServer.bomDependencies && \
+	nix -Lv build '.#wireServer.bomDependencies' && \
 	nix run 'github:wireapp/tom-bombadil#create-sbom' -- --root-package-name "wire-server"
 
 # Ask the security team for the `DEPENDENCY_TRACK_API_KEY` (if you need it)

cabal.project

@@ -49,6 +49,7 @@ packages:
   , tools/db/inconsistencies/
   , tools/db/migrate-sso-feature-flag/
   , tools/db/migrate-features/
+  , tools/db/mls-users/
   , tools/db/move-team/
   , tools/db/phone-users/
   , tools/db/repair-handles/
@@ -68,14 +69,32 @@ benchmarks: True
 program-options
     ghc-options: -Werror
 
--- NOTE:
--- - these packages are not provided by nix, reason being, that
---   there is a bug in the nixpkgs haskell compatibility which
---   makes it such that they cannot be installed by the nixpkgs code
--- - these packages have bounds that are justified with their current
---   dependency set, however, we have updated their dependencies, such
---   that they work with newer base and ghc (api) versions
-allow-newer:
-  , proto-lens-protoc:base
-  , proto-lens-protoc:ghc
-  , proto-lens-setup:Cabal
+-- This flags removes build-tool-depends when compiling things in the dev
+-- environment.
+-- https://github.com/NixOS/nixpkgs/issues/130556#issuecomment-2762237786
+package polysemy-wire-zoo
+  flags: +nix-dev-env
+package dns-util
+  flags: +nix-dev-env
+package wire-subsystems
+  flags: +nix-dev-env
+package wai-utilities
+  flags: +nix-dev-env
+package wire-api-federation
+  flags: +nix-dev-env
+package http2-manager
+  flags: +nix-dev-env
+package hscim
+  flags: +nix-dev-env
+package extended
+  flags: +nix-dev-env
+package metrics-wai
+  flags: +nix-dev-env
+package wire-server-enterprise
+  flags: +nix-dev-env
+package spar
+  flags: +nix-dev-env
+package wire-message-proto-lens
+  flags: +nix-dev-env
+package types-common-journal
+  flags: +nix-dev-env

cassandra-schema.cql

@@ -1114,7 +1114,7 @@ CREATE TABLE galley_test.team_conv (
     AND crc_check_chance = 1.0
     AND dclocal_read_repair_chance = 0.1
     AND default_time_to_live = 0
-    AND gc_grace_seconds = 864000
+    AND gc_grace_seconds = 86400
     AND max_index_interval = 2048
     AND memtable_flush_period_in_ms = 0
     AND min_index_interval = 128
@@ -1295,7 +1295,7 @@ CREATE TABLE galley_test.member (
     AND crc_check_chance = 1.0
     AND dclocal_read_repair_chance = 0.1
     AND default_time_to_live = 0
-    AND gc_grace_seconds = 864000
+    AND gc_grace_seconds = 86400
     AND max_index_interval = 2048
     AND memtable_flush_period_in_ms = 0
     AND min_index_interval = 128
@@ -1381,7 +1381,7 @@ CREATE TABLE galley_test.member_remote_user (
     AND crc_check_chance = 1.0
     AND dclocal_read_repair_chance = 0.1
     AND default_time_to_live = 0
-    AND gc_grace_seconds = 864000
+    AND gc_grace_seconds = 86400
     AND max_index_interval = 2048
     AND memtable_flush_period_in_ms = 0
     AND min_index_interval = 128
@@ -1508,7 +1508,7 @@ CREATE TABLE galley_test.user (
     AND crc_check_chance = 1.0
     AND dclocal_read_repair_chance = 0.1
     AND default_time_to_live = 0
-    AND gc_grace_seconds = 864000
+    AND gc_grace_seconds = 86400
     AND max_index_interval = 2048
     AND memtable_flush_period_in_ms = 0
     AND min_index_interval = 128
@@ -1600,7 +1600,7 @@ CREATE TABLE galley_test.mls_group_member_client (
     AND crc_check_chance = 1.0
     AND dclocal_read_repair_chance = 0.1
     AND default_time_to_live = 0
-    AND gc_grace_seconds = 864000
+    AND gc_grace_seconds = 86400
     AND max_index_interval = 2048
     AND memtable_flush_period_in_ms = 0
     AND min_index_interval = 128
@@ -1654,7 +1654,7 @@ CREATE TABLE galley_test.conversation (
     AND crc_check_chance = 1.0
     AND dclocal_read_repair_chance = 0.1
     AND default_time_to_live = 0
-    AND gc_grace_seconds = 864000
+    AND gc_grace_seconds = 86400
     AND max_index_interval = 2048
     AND memtable_flush_period_in_ms = 0
     AND min_index_interval = 128
@@ -1698,7 +1698,7 @@ CREATE TABLE galley_test.subconversation (
     AND crc_check_chance = 1.0
     AND dclocal_read_repair_chance = 0.1
     AND default_time_to_live = 0
-    AND gc_grace_seconds = 864000
+    AND gc_grace_seconds = 86400
     AND max_index_interval = 2048
     AND memtable_flush_period_in_ms = 0
     AND min_index_interval = 128
@@ -2050,6 +2050,7 @@ CREATE TABLE spar_test.issuer_idp (
 CREATE TABLE spar_test.idp (
     idp uuid PRIMARY KEY,
     api_version int,
+    domain text,
     extra_public_keys list<blob>,
     handle text,
     issuer text,

charts/background-worker/templates/configmap.yaml

@@ -90,6 +90,8 @@ data:
     {{- end }}
 
     migrateConversations: {{ .migrateConversations }}
+    migrateConversationsOptions:
+{{toYaml .migrateConversationsOptions | indent 6 }}
 
     backendNotificationPusher:
 {{toYaml .backendNotificationPusher | indent 6 }}

charts/background-worker/values.yaml

@@ -66,6 +66,9 @@ config:
   # `settings.postgresMigration.conversation` with `migration-to-postgresql`
   # before setting this to `true`.
   migrateConversations: false
+  migrateConversationsOptions:
+    pageSize: 10000
+    parallelism: 2
 
   backendNotificationPusher:
     pushBackoffMinWait: 10000 # in microseconds, so 10ms

charts/brig/templates/configmap.yaml

@@ -96,6 +96,7 @@ data:
       host: wire-server-enterprise
       port: 8080
     {{- end }}
+    {{- end }}
 
     {{- with .rabbitmq }}
     rabbitmq:
@@ -108,7 +109,6 @@ data:
       caCert: /etc/wire/brig/rabbitmq-ca/{{ .tlsCaSecretRef.key }}
       {{- end }}
     {{- end }}
-    {{- end }}
 
     {{- with .aws }}
     aws:

charts/brig/templates/deployment.yaml

@@ -146,7 +146,6 @@ spec:
             value: {{ join "," .noProxyList | quote }}
           {{- end }}
           {{- end }}
-          {{- if .Values.config.enableFederation }}
           - name: RABBITMQ_USERNAME
             valueFrom:
               secretKeyRef:
@@ -157,7 +156,6 @@ spec:
               secretKeyRef:
                 name: brig
                 key: rabbitmqPassword
-          {{- end }}
           ports:
             - containerPort: {{ .Values.service.internalPort }}
           startupProbe:

charts/brig/templates/secret.yaml

@@ -32,10 +32,8 @@ data:
   {{- if .oauthJwkKeyPair }}
   oauth_ed25519.jwk: {{ .oauthJwkKeyPair | b64enc | quote }}
   {{- end }}
-  {{- if $.Values.config.enableFederation }}
   rabbitmqUsername: {{ .rabbitmq.username | b64enc | quote }}
   rabbitmqPassword: {{ .rabbitmq.password | b64enc | quote }}
-  {{- end }}
   {{- if .elasticsearch }}
   elasticsearch-credentials.yaml: {{ .elasticsearch | toYaml | b64enc }}
   {{- end }}