DEV Community

Cover image for PikoCI v0.7.0: Approval gates, audit log, OIDC, secrets masking, and build reports
Francesc Gil
Francesc Gil

Posted on

PikoCI v0.7.0: Approval gates, audit log, OIDC, secrets masking, and build reports

PikoCI is an open-source CI/CD server written in Go. A single binary, no dependencies, pipeline-as-code in HCL. v0.7.0 is the security and compliance release. A lot shipped in this one.

Approval gates

Jobs can now require human approval before continuing. Add an approve block to any job and the pipeline pauses with a purple "Waiting for Approval" status until someone with Maintain access approves or rejects it.

job "deploy" {
  get "git" "main" { passed = ["test"] }

  approve "deploy to production" {
    approvals = 2
    notify "discord" "deploy-alerts" {}
  }

  task "deploy" {
    run "exec" { path = "./deploy.sh" }
  }
}
Enter fullscreen mode Exit fullscreen mode

Approve or reject via the UI, CLI (pikoci builds approve), or API. Each approval is recorded with who approved and when. If you need two people to sign off before a production deploy, set approvals = 2.

Audit log

Every significant action on a team now has a permanent append-only record: pipeline changes, manual triggers, approvals, secret modifications, membership changes. 16 event types in total, filterable by user, event type, and date range. Available via the UI, CLI, and API. Read access and above can view it.

OIDC and OAuth2

Single sign-on with GitHub, Google, GitLab, Keycloak, Microsoft, or any OIDC provider. Configure providers from the admin UI with built-in templates, link existing accounts, and optionally disable local username/password auth entirely.

Secrets masking in build logs

Secret values are now automatically replaced with *** in build log output, both in real-time streaming and stored logs. If a task accidentally echoes a secret, it never appears in the UI. Values shorter than 3 characters are skipped to avoid masking noise.

Build report export

Export a complete JSON report for any build containing the full status, each step's result, logs, approval records, and resource version data. Available from the UI (Export button on the build detail page), CLI (pikoci builds report my-pipeline deploy 42), and API.

Useful for compliance, incident review, or just keeping a record of what deployed and when.

Secret chaining

Secret path and key fields can now reference other variables, resolved in dependency order with cycle detection. This means you can build secrets that depend on other secrets. Useful for patterns like using a vault token to fetch another secret's path.

Worker team isolation

Team-scoped worker tokens restrict workers to only run builds for their team. Global workers automatically defer to team workers when available, so teams with dedicated infrastructure get their own capacity without affecting others.

Role rename

The role names have been updated to match GitHub's model: Viewer→Read, Operator→Write, Maintainer→Maintain. The database migrates automatically on upgrade.

Session security

Two new session security improvements: configurable session expiration via --session-lifetime (e.g. 24h, 7d, 30d), and automatic session invalidation when a password is changed. All existing sessions for that user are revoked immediately. Passwords now also enforce a minimum 8-character length.

Performance

N+1 query elimination across pipeline, job list, and resource list endpoints. Build polling now fetches all active builds in a single request instead of one HTTP call per build every 2 seconds. Modulepreload hints collapse 4 browser discovery rounds to 1 parallel fetch.


Release notes · pikoci.com · github.com/pikoci/pikoci · Apache 2.0

Top comments (0)