Releases: bytebase/bytebase
Release list
Release 3.20.0
🔔 Notable Changes
-
Export Center and data-export approval flow deprecated — The standalone Export Center and the separate data-export approval flow are deprecated; data export is handled through the just-in-time data-export approval flow in the SQL Editor.
-
7 low-signal SELECT-only SQL review rules removed — These rules only ever fired on
SELECT, and served no purpose in the DDL/DML change-review workflow. Stored review policies are cleaned automatically on upgrade, so existing configurations keep working. See Change Details. -
Terraform provider 3.20.0 required — Upgrade the Bytebase server first, then move to provider 3.20.0. It covers this release's breaking changes:
EXPORT_DATAdeprecated in the approval flow; announcementleveldeprecated in favor oftheme; the workspace maximum request-expiration field renamed; and environment and issue-label colors moved to the color protocol message. It also adds Vaulttoken_typesupport and fixes review-config state-diff and webhook-URL-in-state handling. Remove the seven deleted SQL review rule types from your review configs. See Change Details.
🚀 Features
-
Access requests always use the maximum expiration cap — Requesting access no longer lets a user pick a longer window than the workspace allows; the request duration is bounded by the configured maximum. The workspace setting is renamed accordingly. See Change Details
-
Custom theme for SQL Editor and announcements — Choose the SQL Editor color theme or define your own from Settings. Workspace announcements get the same treatment, with configurable background and text colors, replacing the deprecated announcement
level. -
Workspace announcement theme — The announcement
levelfield is deprecated; announcements now take an explicitthemewith configurable background and text colors. -
Self-hosted — GCP Cloud SQL IAM authentication for the external PostgreSQL metadata database. On GKE with Workload Identity, the metadata database connects to Cloud SQL via IAM authentication with no static password, with Helm chart and high-availability documentation.
🎄 Enhancements
-
Plan detail — Consolidated plan-lifecycle actions in the header, which now shows the plan's primary "what's next" action (or current status) at every stage; relative times reveal their absolute timestamp on hover across the app; plus editing targets beside the title, adding a change from the changes tab strip, a consolidated review-activity timeline, the matched approval-flow title on the AIO page, and skipped-task reasons.
-
SQL parsing — Improved Omni parser compatibility across multiple SQL engines, covering SQL Review, schema workflows, statement splitting, completion, and execution. For MariaDB specifically, the SQL Editor no longer flags valid MariaDB-only syntax as errors: sequences and
NEXT VALUE FOR,RETURNINGon INSERT/REPLACE/DELETE, system-versioned and application-time-period tables, parenthesized row constructors, and UUID/INET types. -
Vault — The HashiCorp Vault external-secret integration adds a
token_typefield: the token can be provided asPLAIN,ENVIRONMENT(environment variable), orFILE.
🐞 Bug Fixes
-
GitOps — Fix release checks not populating risk levels, which made high-risk statements such as
DROP TABLEshowNonein the GitHub Action check output. -
Custom OAuth2 SSO — Fix userinfo lookup failing against Oracle Cloud Infrastructure (OCI) IAM Identity Domains, which surfaced as a misleading JSON parse error.
-
Fix the "Manually select" database picker freezing the browser on large deployments, by loading one page on open with a "Load more" affordance instead of draining every page at once.
-
Fix the workspace title being uneditable on the setup page, and a missing project-scope feature check when listing database groups.
-
MySQL/MariaDB — Fix schema sync over-fetching foreign-key and trigger metadata across databases, and use the MariaDB-native
CHECK_CONSTRAINTSquery. -
gh-ost — Trim a trailing semicolon so the attempt-instant-DDL path stays valid.
📃 Change Details
Access Request Expiration
Access requests are now bounded by the workspace maximum expiration, and the workspace setting field is renamed.
| Change | Before | After |
|---|---|---|
| Workspace setting field | maximum_role_expiration_in_seconds |
maximum_request_expiration_in_seconds |
| Behavior | Requesters could set an expiration independent of the cap | Request duration is capped at the workspace maximum |
The existing value is carried to the new field automatically on upgrade.
Removed SQL Review Rules
These 7 SELECT-only review rules are removed:
| Removed rule |
|---|
STATEMENT_SELECT_FULL_TABLE_SCAN |
STATEMENT_QUERY_MINIMUM_PLAN_LEVEL |
STATEMENT_DISALLOW_USING_FILESORT |
STATEMENT_DISALLOW_USING_TEMPORARY |
STATEMENT_MAXIMUM_JOIN_TABLE_COUNT |
STATEMENT_JOIN_STRICT_COLUMN_ATTRS |
STATEMENT_MAXIMUM_LIMIT_VALUE |
Stored review policies are cleaned automatically on upgrade, so existing configurations continue to load. Rules that also cover DML or VIEW statements are intentionally kept.
Terraform Impact
Move to terraform-provider-bytebase 3.20.0 after upgrading the server.
| Change | Type | Action |
|---|---|---|
EXPORT_DATA approval source deprecated |
Breaking | Remove EXPORT_DATA from approval-flow config; use the JIT data-export flow |
Announcement level → theme |
Breaking | Replace level with theme (background / text) under workspace_profile.announcement |
| Maximum request-expiration field renamed | Breaking | Rename maximum_role_expiration_in_seconds to maximum_request_expiration_in_seconds in workspace_profile |
| Environment and issue-label colors moved to color protocol message | Breaking | Update color values to the new color message representation |
Vault token_type |
Feature | Optionally set PLAIN, ENVIRONMENT, or FILE in data_sources.external_secret |
| Review-config state diff / webhook URL in state | Fix | No action required |
| Seven SQL review rules removed | Breaking | Remove the removed rule types (e.g. STATEMENT_MAXIMUM_LIMIT_VALUE) from your review config |
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.19.1
🎄 Enhancements
- Plan review on the plan detail page — A unified Review section now lives directly on the plan detail page: approval flow, activity timeline, and rejection banner.
- SQL Editor query history — Query history is reworked, and any history item now has a direct, shareable URL that reopens its exact statement and database connection.
- Faster large SQL scripts and reviews — Splitting, DML transform, statement-range mapping, and SQL review now scale linearly on large multi-statement scripts, reducing the processing time of a 100k-line-SQL-statement by 98% (from 22s to 0.45s).
- StarRocks — Dedicated StarRocks parser support: stops false syntax errors on StarRocks-specific DDL/DML (generated columns, async materialized views,
INSERT OVERWRITE, CTE-prefixedDELETE/UPDATE), adds query lineage, and syncs StarRocks materialized views. - Consistent date & time picker — All date/time controls (run-task scheduler, role/permission expiration, time-range filters) now use one styled, app-themed picker; the whole field opens the picker, and custom expiration times are available again.
🐞 Bug Fixes
- Fix table- and schema-scoped
bb.sql.ddl/bb.sql.dmlgrants being silently denied for writes in the SQL Editor — such grants are now honored per write-target table. - PostgreSQL — Fix SQL Editor crash when a query returns a timestamp outside the supported range, and make metadata sync read columns and foreign tables from
pg_catalogso privilege filtering can no longer hide them, producing valid, replayable schema dumps. - MySQL — Fix Sync Schema reporting false-positive diffs between identical databases (a regression from 3.17.0), and produce valid SQL for CHECK constraints and stored-routine headers in schema dumps.
- MSSQL — Fix SQL Editor failing to resolve columns of an encrypted or otherwise unparseable view by falling back to synced column metadata.
- Fix the instance Databases tab resetting to the first page after clicking Load more, and missing-license feedback when adding a read-only connection to an unlicensed instance.
- Fix SQL review rules with required list values failing to save with an
InvalidArgumenterror when no values were added. - Fix GitOps release checks reporting a
Nonerisk level — per-result and aggregate risk levels are now reported correctly in bytebase-action output. - DingTalk — Fix direct-message webhook notifications failing to resolve recipients when their phone numbers were not populated.
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.19.0
🔔 Notable Changes
-
Just-in-time data export - Users can now request just-in-time data export access in the SQL editor and go through the approval workflow to export. Your existing data-export approval rules are migrated to the just-in-time approval flow. Please review and update the ordering of migrated rules according to the instruction on top of the Custom Approval page. See Details.
-
Terraform - Just-in-time data export flows through
REQUEST_ACCESSapproval, please add data-export rules (request.data_export == true) under theREQUEST_ACCESSsource in your Terraform configuration - otherwise the nextterraform applywill drop the auto-backfilled rules and JIT exports skip approval. -
Active VCS user tracking for GitOps — Non-bot PR/MR authors seen by
bytebase-releaseworkflows on GitHub, GitLab, and Bitbucket now count as active VCS users over a 90-day window and are enforced against the license user limit. Track usage and download the user list as CSV from the Subscription page. -
bytebase-action enforces the version compatibility window —
bytebase-action checkandbytebase-action rolloutnow fail with an error (previously a warning) when the action version is too far from the server version. Pin your CI to a compatible action version, or use thecloudtag on Bytebase Cloud. See Change Details.
🎄 Enhancements
-
MySQL — Improve gh-ost prerequisite validation messages by distinguishing inaccessible binlog status, disabled binary logging, missing replication privileges, unsupported binlog format, and validation query failures.
-
SQL Editor — Saving an untitled worksheet now prompts for a title, and searching the result panel indicates when nothing matches.
🐞 Bug Fixes
-
SQL Editor — Fixed query execution and admin mode being blocked when opening the editor from a database page, along with several smaller UI fixes. Local editor state is now scoped per workspace on Bytebase Cloud.
-
Restore the custom expiration time option when granting project roles, honoring the workspace maximum role expiration cap.
-
Fix AI assistant compatibility with GPT-5-style models by omitting unsupported request parameters.
-
Fix hosted MCP clients (claude.ai web, ChatGPT, VS Code for the Web) being rejected during OAuth dynamic client registration on self-hosted instances. Callbacks are pinned to exact vendor hosts, so arbitrary
https://redirects remain blocked. -
Self-hosted (Helm) — Chart 1.1.3 restores
bytebase.versionas the single image knob; non-Azure deployments no longer silently resolve to thelatestimage. -
Spanner — Fix SQL Editor queries failing with "disallowed query type" in normal mode.
-
Doris/StarRocks — Fix window functions inside a CTE body failing to parse in the SQL Editor.
-
TiDB — Fix prior-backup rollback for alias-target multi-table DELETE, cyclic view references crashing query analysis, and advisor line numbers for statements separated by blank lines.
📃 Change Details
bytebase-action Compatibility Window
bytebase-action check and bytebase-action rollout now fail with an error when the action/CLI version falls outside the supported compatibility window of the target Bytebase server (previously a warning).
| Deployment | Compatibility requirement |
|---|---|
| Bytebase Cloud | Dated action versions (cloud-YYYYMMDD) within the last 7 days; use the cloud action tag to stay current |
| Self-hosted | Same major version, within a 2-minor-version window of the server |
| Version relationship | Behavior |
|---|---|
| Exact match | Success log |
| Within window, mismatched | Warn and continue (unchanged) |
| Outside window | Error — command exits non-zero (new) |
Action required: pin your CI to an action version within the window of your server version (self-hosted), or use the cloud tag (Cloud).
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.18.1
🎄 Enhancements
-
Plan detail page improvements.
- Refreshed layout. Cleaner layout with at-a-glance plan-check status across all specs and consistent database-target display through every phase.
- Release-backed plan flow simplified. Release-backed (GitOps) plans now show only two phases — CHANGES and DEPLOY — with minor UI refinements throughout.
-
SaaS: MCP discovery works against Bytebase Cloud. MCP clients (Claude Code, Cursor, etc.) can now complete the OAuth flow against
cloud.bytebase.comwithout manual configuration. -
PostgreSQL — Compatible with pgbouncer transaction pooling (statement cache disabled) and PostgreSQL 18 (built-ins like
uuidv7()and 80+ others are recognized by SQL analysis and schema diff). -
TiDB — DML rollback / prior-backup preview now works. Queries against columns added out-of-band trigger the standard metadata-resync-and-retry path (matching MySQL / PostgreSQL).
-
gh-ost migrations honor the configured data-source SSH tunnel for both the MySQL connection and the binlog reader.
-
Query data source — Non-read-only automatic SQL Editor queries now use the admin data source when the query data policy allows it. Read-only queries are unaffected.
-
Demo mode removed. The
--demoserver flag has been removed. This mode was for internal demos (it loads a baked-in SQL dump and a sample admin) and was never intended for production use — if you have--demoin your startup script, drop it and configure instances and users normally.
🐞 Bug Fixes
-
Workload identities are distinguished from service accounts in the members table, and the graphical CEL expression editor is restored for project member role grants.
-
Large target sets in the issue / plan target overflow view no longer freeze or mis-render.
-
The plan list creator filter actually returns users now, and the review badge ("Bypassed" / "Under Review") reads consistently with plan detail.
-
PostgreSQL — Multi-host failover honors Bytebase's configured TLS material on every host, not just the primary.
-
The Sync Database success toast renders the actual database name instead of the literal
{{name}}placeholder.
🏗️ Terraform Update
- Terraform provider 3.18.1 required — Marks the webhook URL as write-only and adds
APP_IMsupport tobytebase_setting. See Migration Guide.
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.18.0
☁️ Bytebase Cloud Upgrade
Bytebase Cloud is now a true multi-tenant SaaS.
- One account, many workspaces — with a workspace switcher and self-serve leave/delete.
- Passwordless sign-in by email code (no more passwords in Cloud).
- Global SSO — sign in with Google, GitHub, or your org's IdP without picking a workspace first.
- Self-serve subscription plan upgrade and cancel from inside the app.
- Pro plan: unlimited user seats available, billed per user.
🔔 Other Notable Changes
-
Plan edits surfaced in issue activity — Plan edits now appear in the issue activity feed for approver visibility.
-
API breaking changes —
require_2fa→require_mfa,plan_spec_update→plan_update(restructured payload), andIssue.ApprovalStatusmoved to top-level. See Change Details. -
Terraform provider 3.18.0 required — Adds write-only sensitive fields and a provider-level
custom_headerblock. Requires Terraform CLI 1.11+. See Migration Guide.
🚀 Features
-
AWS RDS IAM auth for the Bytebase metadata database — Authenticate the metadata PostgreSQL via AWS RDS IAM tokens.
-
Google Chat webhook integration — Add Google Chat as a project webhook destination.
-
MariaDB — Support DML rollback / prior-backup, matching MySQL behavior.
-
CosmosDB — Support cross-partition queries.
🎄 Enhancements
-
Bytebase Action - Add
--custom-headerflag for header-based access proxies in CI/CD pipelines. -
Issues stuck in
CHECKINGcan be retried via a newRetryIssueApprovalAPI. -
Improve SQL analysis reliability across PostgreSQL, MySQL, and MSSQL for advisor rules, query span, completion, and schema diff.
-
Improve PostgreSQL and CockroachDB metadata-backed schema diff reliability.
-
Show gh-ost start/end events in task run logs.
-
Show DDL/DML environment warnings across role grant, role request, and issue creation flows.
-
Show expired roles inline in the members table and member detail panel.
-
Show database group titles in plan selectors and human-readable instance/database names in member-role scopes.
-
Whitelist redirect URIs in OAuth dynamic client registration.
-
Restore audit logs for Login / Signup / ExchangeToken; add audit events for retry approval and email-code / password-reset paths.
-
Default the SQL Editor query role to the least-privileged SQL select role.
-
Improve the SQL statement matching for JIT access grants.
-
TiDB — Support extra DataSource connection parameters, including connection packet compression.
-
TiDB — SQL Editor
Ctrl+Enternow runs the cursor statement, matching MySQL / PostgreSQL behavior. -
ClickHouse —
AggregateFunction(...)errors fromSELECT *now suggest using-Merge+GROUP BYorfinalizeAggregation().
🐞 Bug Fixes
-
Fix multi-change plans targeting the same database group being rejected.
-
Fix
PIPELINE_COMPLETEDwebhook event missing when failed tasks are skipped. -
Fix per-sheet plan check summary preservation during approval checks.
-
PostgreSQL — Fix query span bugs affecting masking and query analysis.
-
Databricks — Apply user-selected row limit to SQL Editor queries.
📃 Change Details
API Breaking Changes
1. require_2fa renamed to require_mfa
The field on WorkspaceProfileSetting reflects the broader MFA scope (no longer 2FA-only).
| Field | Before | After |
|---|---|---|
WorkspaceProfileSetting.require_2fa |
require_2fa (bool) |
require_mfa (bool) |
Affected routes: any caller updating workspace profile settings via SettingService.UpdateSetting writing WorkspaceProfileSetting. Update references in your config or IaC.
2. IssueComment.plan_spec_update renamed to plan_update
The per-spec event (single sheet replacement) is replaced by a before/after snapshot of Plan.Spec[], so the comment carries the full diff of every plan spec change in one event.
| Field | Before | After |
|---|---|---|
IssueComment.plan_spec_update — PlanSpecUpdate { spec, from_sheet, to_sheet } (single spec/sheet change) |
IssueComment.plan_update — PlanUpdate { from_specs, to_specs } (repeated Plan.Spec) |
Affected routes: any consumer of IssueService.ListIssueComments or issue activity events that previously read plan_spec_update. Update to read plan_update.from_specs / to_specs.
3. Issue.ApprovalStatus moved to top-level ApprovalStatus
Nested enum Issue.ApprovalStatus is removed; the same enum now lives at the top level in common.proto and is referenced by both Issue.approval_status and Plan.approval_status. Enum values and ordinals are unchanged (CHECKING=1, PENDING=2, APPROVED=3, REJECTED=4, SKIPPED=5).
| Type | Before | After |
|---|---|---|
| Enum location | bytebase.v1.Issue.ApprovalStatus |
bytebase.v1.ApprovalStatus |
Affected routes: clients that referenced the nested enum type by name (for example, generated Go or TS types). Update imports or type references; wire format is unchanged.
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.17.1
🎄 Enhancements
-
Instance TLS — Support reading TLS certificates from a configured file path, and redesign TLS configuration with Disabled / TLS / Mutual TLS options.
-
SQL Review — Add
STATEMENT_DISALLOW_TRUNCATErule for Oracle, PostgreSQL, MySQL, and MSSQL. ImproveSTATEMENT_WHERE_DISALLOW_FUNCTIONS_AND_CALCULATIONSto only flag functions and calculations on indexed columns, and extend it to Oracle and PostgreSQL.
🐞 Bug Fixes
-
Fix access/role grant issue approval showing a spurious "project not found" error toast.
-
Fix Test Connection on instance create dropping passwords resolved from AWS Secrets Manager and other external secret backends.
-
Oracle — Fix PL/SQL parser to accept expressions (e.g. DATE literals) in
CREATE TABLEpartition range bounds. -
MSSQL — Fix query span extraction for views whose WHERE clause contains a correlated
EXISTS/NOT EXISTSsubquery. -
Cassandra — Fix request context propagation in query span extraction.
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.17.0
🔔 Notable Changes
-
Unified Plan lifecycle view — the Plan detail page shows the full lifecycle of a database change, giving developers one place to follow a change from draft to deployment.
- The three phases of a database change — change, review, deploy — are shown in sections, allowing developers to edit change, view approval result, and execute deployment in this single page.
- Issue page is now dedicated primarily for review and approval. Developers will need to go to the plan page to edit changes and create a rollout when needed.
-
API breaking changes — Worksheet API moves to project scope (
/v1/projects/{id}/worksheets),ListDatabasesnow requires workspace ID (/v1/workspaces/{id}/databases),branding_logomoves from workspace profile setting to workspace message,GRANT_REQUESTissue type renamed toROLE_GRANT,UpdateSubscriptionAPI deprecated in favor ofUploadLicense, and classification description and level description fields removed with level type changed from string to number. See Change Details. -
CEL filter syntax change — Substring-search filters now use
contains()instead ofmatches()across plan, database, instance, project, group, user, service account, workload identity, query history, access grant, and database metadata table filters. See Change Details. -
Read-only data source consolidation — Each instance now allows at most one read-only data source. If more than one is configured, only the first is kept after migration; extra read-only data sources are removed.
-
Remove Pro plan 20-user seat cap — Pro plan no longer has a user limit.
-
Terraform provider — Updated for 3.17.0 API breaking changes. Supports get, create, update, and list identity providers. See Migration Guide.
🚀 Features
-
High Availability (HA) — Support licensed multi-replica deployments backed by a shared external PostgreSQL metadata database. Active replicas are tracked via heartbeats, and background runners coordinate safely across replicas.
-
Page Agent — Add an in-app AI assistant with tool-calling, threaded resumable conversations, DOM-aware autocomplete, and token usage tracking.
-
Issue Approved webhook event — Support a new webhook event type for issue approval, with redesigned Slack message format.
-
MCP
query_databasetool — Add a new MCP tool for executing SQL queries against managed databases with automatic database resolution. -
CosmosDB — Support local emulator connection and dynamic data masking for all 13 query feature areas.
🎄 Enhancements
-
Support executing stored procedures (
CALL/EXEC) in SQL Editor by classifying stored procedure execution as DML. -
Support issue type filter in advanced search (Database Change, Role Grant, Database Export, Access Grant).
-
Replace data classification file upload with an inline JSON editor and enhance the data classification editor.
-
Support masking exemption by classification level, and redesign masking exemption list page.
-
Redesign data export creation UI.
-
Migrate the frontend from Vue to React across all major pages including settings, projects, databases, instances, plans, issues, and audit logs.
-
Upgrade SQL parsing engine for PostgreSQL, MySQL, MongoDB, and CosmosDB from ANTLR to omni parser, improving SQL syntax coverage, consistency across SQL review / schema diff / auto-completion, and error message quality.
-
Add configurable
--timeoutflag forbytebase-actionfor large SQL checks. -
Expose
--enable-json-loggingflag in the Helm chart for structured log output.
🐞 Bug Fixes
-
Fix false schema diff noise caused by PostgreSQL trigger ordering and CRLF / whitespace normalization.
-
Fix SQL editor metadata sync retry flood.
-
Fix OAuth discovery to return usable URLs in self-hosted mode.
-
Fix stale debounced query reverts in advanced search.
-
Fix gh-ost directives in migration-based GitOps workflow.
-
PostgreSQL — Fix CRLF line endings causing query truncation in SQL splitter, schema load failure by excluding aggregates from function sync, array subscript handling in column reference normalization, whitespace between LIMIT and FOR UPDATE clause, and nested SELECTs in wrapper statements and CTEs for SQL review.
-
MySQL — Fix unqualified SET columns in prior backup for UPDATE JOIN, missing
multiStatementsparam in IAM auth DSN, and role sync for anonymous users. -
TiDB — Remove non-transaction statement handling.
-
Oracle — Strip trailing null bytes from schema definitions.
📃 Change Details
API Breaking Changes
1. Worksheet API moves to project scope:
| Method | Before | After |
|---|---|---|
| List | /v1/worksheets |
/v1/{parent=projects/*}/worksheets |
| Get | /v1/{name=worksheets/*} |
/v1/{name=projects/*/worksheets/*} |
| Create | /v1/worksheets |
/v1/{parent=projects/*}/worksheets |
| Update | /v1/{worksheet.name=worksheets/*} |
/v1/{worksheet.name=projects/*/worksheets/*} |
| Delete | /v1/{name=worksheets/*} |
/v1/{name=projects/*/worksheets/*} |
2. APIs that no longer accept workspaces/- (must use workspaces/{id}):
| Service | Affected Operations |
|---|---|
| DatabaseService | ListDatabases |
3. Other breaking changes:
| Change | Affected Routes | Details |
|---|---|---|
| Branding logo | GET/PATCH /v1/workspaces/{id} |
branding_logo removed from workspace profile setting; use logo field on workspace message |
| Issue type enum | POST /v1/{parent=projects/*}/issues, GET /v1/{parent=projects/*}/issues, POST /v1/{parent=projects/*}/issues:search |
GRANT_REQUEST renamed to ROLE_GRANT |
| Subscription API | PATCH /v1/subscription |
Deprecated; use PATCH /v1/subscription/license (UploadLicense) |
| Data source ID | POST /v1/{name=instances/*/databases/*}:query, POST /v1/{name=instances/*/databases/*}:export |
data_source_id auto-resolved server-side; at most one read-only data source per instance (extra removed during migration) |
| Classification level | GET/PATCH /v1/settings/{name}, POST /v1/queryHistories:search |
Level type changed from string to int; description field removed |
CEL Filter Syntax Change
Substring-search CEL filters now use contains() instead of matches(). Existing clients that send filters such as title.matches("..."), name.matches("..."), resource_id.matches("..."), email.matches("..."), host.matches("..."), port.matches("..."), statement.matches("..."), query.matches("..."), or table.matches("...") must switch to the corresponding contains() form.
This applies to plan, database, instance, project, group, user, service account, workload identity, query history, access grant, and database metadata table filters.
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.16.1
🎄 Enhancements
-
Change issue approval status label from "Done" to "Approved" for clarity.
-
Add fast-follow refresh mode so rollout status updates more quickly after user actions.
-
CosmosDB — Support more query syntax in SQL editor.
🐞 Bug Fixes
-
Fix internal error after login caused by InputOtp null check regression.
-
Fix popover dismissing when interacting with label selector during plan/issue creation.
-
Fix invalid issue type filter in Export Center.
-
Fix webhook detail page broken by UUID resource_id migration.
-
Harden 3.16 upgrade migration scripts to be idempotent and handle edge cases.
-
PostgreSQL — Fix schema dump incorrectly including pg_bitmapindex system schema.
Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.
Release 3.16.0
🔔 Notable Changes
-
Workspace API breaking changes - Policy API:
/v1/policies→/v1/workspaces/{id}/policies. All workspace-scoped APIs now require explicit workspace ID instead of/v1/workspaces/-. See change details at the bottom. -
User API breaking changes - Decouple identity types and migrate Service Accounts and Workload Identities into separate data models. The unified User API no longer handles these identity types;
User.user_typeandUserTypeenum are removed. See change details at the bottom. -
Legacy service account email migration - Legacy emails with
{name}@service.bytebase.comand{name}@{project}.service.bytebase.comare auto-migrated. Use the dedicated Service Account and Workload Identity services introduced in 3.15.0. -
Resource ID migration - Several API resource IDs migrate from sequential integers to opaque UUID strings (revision, changelog, issue comment, project webhook). Previously bookmarked integer IDs will no longer work. See change details at the bottom.
-
Non-release database migrations now run in parallel; only release-based migrations remain sequential per database.
-
Terraform provider 3.16.1 required - Covers workspace policy API changes, UserType removal, resource ID migration, and JIT approval flow. See Migration Guide
🚀 Features
-
Just-In-Time (JIT) Data Access - Users without database access can request approval to execute a specific read-only query. Enable JIT in project settings and configure approval rules with the new
REQUEST_ACCESSsource type. Once approved, the grant is scoped to that query and auto-expires after the configured duration. -
Add GitOps landing page with guided setup for workload identity selection and CI/CD YAML generation.
-
Elasticsearch & MongoDB - Support dynamic data masking. Masking is configured per-collection through the Catalog using
objectSchema(not the column-based configuration used by relational databases). Global masking rules and masking exemption are not supported for document databases at this time.
🎄 Enhancements
-
Redesign issue list with streamlined layout and improved information density. Support sorting by created/updated time, all approval status options (Checking, Pending, Approved, Rejected, Skipped) in advanced search filter, and more prominent approval status in issue detail.
-
Standardize timestamp display to relative time with absolute time tooltip.
-
Redesign Create Instance page as a full-page layout.
-
Support access-token authentication for Bytebase Action, enabling CI/CD pipelines to authenticate to Bytebase via workload identity federation.
-
Add pre-execution drift validation that detects schema changes before executing stale tasks.
-
Support copying the entire query result in SQL Editor.
-
Update default AI model placeholders to current-generation models (GPT-4o, Gemini 2.5 Flash, Claude Sonnet 4).
-
MongoDB & Elasticsearch - Preview query results in document view or table view. Live syntax checking and auto-complete in SQL Editor.
-
BigQuery & Spanner - Support Workload Identity Federation credentials for non-GCP hosted Bytebase.
-
Oracle - Add ROW STORE COMPRESS syntax support.
-
PostgreSQL - Support
search_pathresolution via current user in schema -
PostgreSQL & Oracle - Improve schema sync accuracy.
🐞 Bug Fixes
-
Fix issues incorrectly moved to DONE by migration 3.14/0034.
-
Skip databases without environments during task creation.
-
Classify CALL/EXEC stored procedure statements as DML to allow execution in SQL Editor.
-
MariaDB - Fix SQL review plan check not blocking rollout on ERROR-level violations.
-
MSSQL - Fix error messages missing line number when rolling out multiple statements.
-
Oracle - Fix UTF-8 encoding issues in comment fields during schema sync.
-
TiDB - Fix DROP INDEX IF EXISTS walk-through, CHECK_CONSTRAINTS query compatibility for TiDB < 7.4.0, and SQL export resource extraction.
3.15.1...3.16.0
Warning 1): Bytebase does not support in-place downgrade. Make sure to back up your metadata before upgrading. 2) Never run multiple containers on the same data directory. Stop and remove the old one first to avoid corruption.
📃 Change Details
Workspace API Breaking Changes
1. Policy API path changes (workspace-level policies only):
| Method | Before | After |
|---|---|---|
| Get | /v1/{name=policies/*} |
/v1/{name=workspaces/*/policies/*} |
| List | /v1/policies |
/v1/{parent=workspaces/*}/policies |
| Create | /v1/policies |
/v1/{parent=workspaces/*}/policies |
| Update | /v1/{policy.name=policies/*} |
/v1/{policy.name=workspaces/*/policies/*} |
| Delete | /v1/{name=policies/*} |
/v1/{name=workspaces/*/policies/*} |
Environment, instance, and database-level policy bindings are unchanged.
2. APIs that no longer accept workspaces/- (must use workspaces/{id}):
| Service | Affected Operations |
|---|---|
| ServiceAccountService | CreateServiceAccount, ListServiceAccounts |
| WorkloadIdentityService | CreateWorkloadIdentity, ListWorkloadIdentities |
| DatabaseService | ListDatabases |
| WorkspaceService | GetIamPolicy, SetIamPolicy |
User API Breaking Changes
| Change | Details |
|---|---|
User.user_type field removed |
Reserved field 5. Use dedicated Service Account / Workload Identity services. |
UserType enum removed |
Deleted from user_service.proto. |
WorkloadIdentityConfig moved |
From User message to workload_identity_service.proto. |
ActuatorInfo.user_stats removed |
Replaced with int32 activated_user_count. |
CreateUser behavior |
Only creates end users. Service accounts / workload identities must use their dedicated services. |
ListUsers behavior |
Only returns end users. |
Resource ID Migration
Resource IDs in the following API resource names change from sequential integers to UUID strings:
| Resource | Resource Name Pattern | ID Format Change |
|---|---|---|
| Revision | instances/{id}/databases/{db}/revisions/{id} |
integer → UUID |
| Changelog | instances/{id}/databases/{db}/changelogs/{id} |
integer → UUID |
| Issue Comment | projects/{id}/issues/{uid}/issueComments/{id} |
integer → UUID |
| Project Webhook | projects/{id}/webhooks/{id} |
integer → UUID |
Existing records receive randomly generated UUIDs during migration. Any previously bookmarked or cached integer IDs will stop working.
Release 3.15.1
🎄 Enhancements
-
Add SQL Editor Read User role for read-only SQL Editor access (SELECT, EXPLAIN, INFO — no DDL/DML).
-
Enforce
bb.issues.updatepermission requirement to edit issues, even for issue creators.
🐞 Bug Fixes
-
Fix DDL/DML error modal not showing.
-
Fix REST API
GetSchemaStringendpoint returning parse error. -
Fix SQL Editor double-click-drag word selection in reverse direction.
-
PostgreSQL — Fix schema dump losing overloaded functions and missing quotes for CamelCase columns in index/constraint DDL.
Warning 1): Bytebase does not support in-place downgrade. Make sure to back up your metadata before upgrading. 2) Never run multiple containers on the same data directory. Stop and remove the old one first to avoid corruption.