PikoCI is an open-source CI/CD server written in Go. A single binary, no dependencies, pipeline-as-code in HCL. v0.7.0 is the security and compliance release. A lot shipped in this one.
Approval gates
Jobs can now require human approval before continuing. Add an approve block to any job and the pipeline pauses with a purple "Waiting for Approval" status until someone with Maintain access approves or rejects it.
job "deploy" {
get "git" "main" { passed = ["test"] }
approve "deploy to production" {
approvals = 2
notify "discord" "deploy-alerts" {}
}
task "deploy" {
run "exec" { path = "./deploy.sh" }
}
}
Approve or reject via the UI, CLI (pikoci builds approve), or API. Each approval is recorded with who approved and when. If you need two people to sign off before a production deploy, set approvals = 2.
Audit log
Every significant action on a team now has a permanent append-only record: pipeline changes, manual triggers, approvals, secret modifications, membership changes. 16 event types in total, filterable by user, event type, and date range. Available via the UI, CLI, and API. Read access and above can view it.
OIDC and OAuth2
Single sign-on with GitHub, Google, GitLab, Keycloak, Microsoft, or any OIDC provider. Configure providers from the admin UI with built-in templates, link existing accounts, and optionally disable local username/password auth entirely.
Secrets masking in build logs
Secret values are now automatically replaced with *** in build log output, both in real-time streaming and stored logs. If a task accidentally echoes a secret, it never appears in the UI. Values shorter than 3 characters are skipped to avoid masking noise.
Build report export
Export a complete JSON report for any build containing the full status, each step's result, logs, approval records, and resource version data. Available from the UI (Export button on the build detail page), CLI (pikoci builds report my-pipeline deploy 42), and API.
Useful for compliance, incident review, or just keeping a record of what deployed and when.
Secret chaining
Secret path and key fields can now reference other variables, resolved in dependency order with cycle detection. This means you can build secrets that depend on other secrets. Useful for patterns like using a vault token to fetch another secret's path.
Worker team isolation
Team-scoped worker tokens restrict workers to only run builds for their team. Global workers automatically defer to team workers when available, so teams with dedicated infrastructure get their own capacity without affecting others.
Role rename
The role names have been updated to match GitHub's model: Viewer→Read, Operator→Write, Maintainer→Maintain. The database migrates automatically on upgrade.
Session security
Two new session security improvements: configurable session expiration via --session-lifetime (e.g. 24h, 7d, 30d), and automatic session invalidation when a password is changed. All existing sessions for that user are revoked immediately. Passwords now also enforce a minimum 8-character length.
Performance
N+1 query elimination across pipeline, job list, and resource list endpoints. Build polling now fetches all active builds in a single request instead of one HTTP call per build every 2 seconds. Modulepreload hints collapse 4 browser discovery rounds to 1 parallel fetch.
Release notes · pikoci.com · github.com/pikoci/pikoci · Apache 2.0




Top comments (0)