Upgrade Guide
3.32.0 - 2026-06-XX¶
- Orphaned Resources - License Server
Orphaned resources cleanup feature implemented. We need to add these env variables to license-server.
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_ENABLED=true
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_MODE=Log
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_ORG_LIMIT=
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_WAIT_SECONDS=5
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_PAGE_SIZE=100
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_LOCK_HOURS=69
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_ENTERPRISE_BUFFER_DAYS=180
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_STARTER_BUFFER_DAYS=180
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_ENABLED: Turns the cleanup hosted service on/off. The cleanup runs only when this istrue; otherwise the service does nothing.ASPNETCORE_CLEAN_ORPHANED_RESOURCES_MODE:LogorDelete.Logis a dry run that only detects and logs orphaned resources;Deleteactually removes them. Defaults toLog.ASPNETCORE_CLEAN_ORPHANED_RESOURCES_ORG_LIMIT: Optional comma-separated list of organization IDs (GUIDs) to restrict the cleanup to. Empty means all organizations are processed.ASPNETCORE_CLEAN_ORPHANED_RESOURCES_WAIT_SECONDS: Seconds to wait between firing cleanup events for each organization (throttling). Defaults to300.ASPNETCORE_CLEAN_ORPHANED_RESOURCES_PAGE_SIZE: Page size used when paginating organizations during a run. Defaults to100.ASPNETCORE_CLEAN_ORPHANED_RESOURCES_LOCK_HOURS: Duration (hours) of the distributed lock that prevents more than one instance from running the cleanup at the same time. Defaults to69.ASPNETCORE_CLEAN_ORPHANED_RESOURCES_ENTERPRISE_BUFFER_DAYS: Grace period (days) after which an Enterprise organization's resources become eligible to be treated as orphaned. Defaults to3.-
ASPNETCORE_CLEAN_ORPHANED_RESOURCES_STARTER_BUFFER_DAYS: Grace period (days) after which a Starter organization's resources become eligible to be treated as orphaned. Defaults to30. -
Schedule Service Environment Variables
New Service deployed on this version and this service is using these env variables.
ASPNETCORE_ENVIRONMENT=Development
ASPNETCORE_PORT=8036
ASPNETCORE_KEYCLOAK_SERVER_URL=http://localhost:9302
ASPNETCORE_OIDC_EXTERNAL_URL=http://auth.appcircle.io.127.0.0.1.nip.io
ASPNETCORE_KEYCLOAK_CLIENT_ID=
ASPNETCORE_KEYCLOAK_SECRET_ID=
ASPNETCORE_REDIS_ENDPOINT=localhost:36400
ASPNETCORE_REDIS_PREFIX=ScheduleService
ASPNETCORE_KAFKA_SERVER_URLS=localhost:9092
SCHEDULE_SERVICE_DB_CONNECTION_STRING=mongodb://mongo_1:36300,mongo_2:36301,mongo_3:36302?replicaSet=rs
ASPNETCORE_LOG_MIN_LEVEL=Info
ASPNETCORE_HEALTH_PATH=/health
ASPNETCORE_DEEP_HEALTH_PATH=/health/deep
ASPNETCORE_IGNORE_HEALTH_LOGS=true
ASPNETCORE_IGNORE_DEEP_HEALTH_LOGS=true
- Schedule Service Keycloak Client
We need to create a new keycloak client for this service.
- Build Server
Build server integrated with schedule service for this reason we must add a new env variable to buildserver.
SCHEDULE_SERVICE_URL=http://localhost:8036
- Credential Validation - Store Submit Server
A single store credential validation toggle added to storesubmitserver. ASPNETCORE_VALIDATE_STORE_CREDENTIALS enables/disables credential validation for all stores at once.
"ASPNETCORE_VALIDATE_STORE_CREDENTIALS": "true",
- Tester Email Fair-Usage Limit - Distribution Server
Caps the number of tester emails an organization can send (per app-version distribution) within a fixed, calendar-aligned period. Usage is aggregated per root organization (root + all sub-orgs combined). Configured on distributionserver.
ASPNETCORE_TESTER_EMAIL_FAIR_USAGE_LIMIT=50000_1d
ASPNETCORE_TESTER_EMAIL_FAIR_USAGE_LIMITapplies to all organizations.- Value format is
<count>_<period>, where<period>is<number><unit>and the unit is case-sensitive:ssecond,mminute,hhour,dday,wweek,Mmonth,yyear (lowercasem= minute, uppercaseM= month). Examples:100_1m(100 per minute),50000_1d(50000 per day). - The period is a calendar-aligned window, not a rolling one; the count resets at each boundary.
- Reading current usage requires
ASPNETCORE_LICENSE_SERVER_URL(License server). If it is not set or empty, the limit feature is disabled and all emails are sent.
Any missing/invalid configuration or a License-server failure fails open (sending allowed); limits apply only when everything is configured correctly and reachable. When a limit is exceeded the distribution is cancelled and a notification is surfaced in the Notification Center.
3.31.0 – 2026-05-18¶
- Keycloak Upgrade
Keycloak has been upgraded from version 26.5.6 to 26.5.7. With this updated version, an additional environment variable must be configured for the Keycloak service.
KC_SPI_LOGIN_PROTOCOL__OPENID_CONNECT__REQ_PARAMS_DEFAULT_MAX_SIZE=20000
- Tester Encryption Key Added new encryption key to distributionserver and disttesterweb. Value must be 16 characters and encoded to Base64.
ASPNETCORE_TESTER_ENCRYPTION_KEY=MEQzM0RTNGRLNGdWcW5Tcw==
- Store Submit Server URL A new environment variable must be configured for the Store Submit service.
STORE_SUBMIT_SERVER_URL={{.storeSubmit.url}}
3.30.0 – 2026-05-11¶
- Keycloak integration settings added for Webhook service.
The following environment variables must be configured in the Webhook service to enable Keycloak authentication.
{
"ASPNETCORE_KEYCLOAK_SERVER_URL": "http://localhost:9302",
"ASPNETCORE_KEYCLOAK_CLIENT_ID": "****",
"ASPNETCORE_KEYCLOAK_SECRET_ID": "*****",
"ASPNETCORE_KEYCLOAK_REALM": "appcircle",
"ASPNETCORE_OIDC_EXTERNAL_URL": "http://auth.appcircle.io.127.0.0.1.nip.io"
}
- Azure DevOps Services EntraID OAuth connection type added for Build Server.
A new OAuth connection typeAzureDevopsServicesEntraIdis now supported for Azure DevOps-like services using Microsoft Entra ID (formerly Azure AD). Configure the following environment variables in the Build Server settings.
{
"ASPNETCORE_GITSETTINGS__OAUTHS__15__NAME": "AzureDevopsServicesEntraId",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__GITCONNECTOR": "AzureDevopsServicesEntraId",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__GITCONNECTIONTYPE": "OAuth",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__CLIENTID": "*****",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__CLIENTSECRET": "********",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__SCOPE": "*****/vso.code offline_access",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__AUTHORIZEURL": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__TOKENURL": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__APIURL": "https://dev.azure.com/",
"ASPNETCORE_GITSETTINGS__OAUTHS__15__REDIRECTURL": "https://api.*****.com/build/v1/callback"
}
- MCP Server deployed
MCP Server service has been added and deployed as part of the 3.30.0 release. This release introduces a new microservice responsible for MCP-related capabilities.
3.29.9 – 2026-04-14¶
- Bitbucket
accountscope added to OAuth settings on Build Server.
Theaccountscope is now required by Bitbucket to retrieve repositories. This has been added to the Bitbucket ENV settings and only affects users running the Bitbucket app on self-hosted environments.
{
"ASPNETCORE_GITSETTINGS__OAUTHS__1__SCOPE": "repository pullrequest email webhook account"
}
3.29.8 – 2026-01-21¶
-
CodePush: CDN support added.
For the full setup, follow theguide. UpdateASPNETCORE_S3_CDN_MAPPINGin the resource service configuration. -
NLog configuration is now environment-driven (self-hosted focused).
Logging and health endpoint settings can be configured via environment variables. If these variables are not set, the previous/default behavior remains unchanged.
{
"ASPNETCORE_LOG_MIN_LEVEL": "Info",
"ASPNETCORE_HEALTH_PATH": "/health",
"ASPNETCORE_DEEP_HEALTH_PATH": "/health/deep",
"ASPNETCORE_IGNORE_HEALTH_LOGS": "true",
"ASPNETCORE_IGNORE_DEEP_HEALTH_LOGS": "true"
}
- Client token URL support added for StoreWeb & TesterWeb.
Environments requiringStoreWebandTesterWebclients to resolve client tokens directly fromStoreApi/TesterApiinstead of Keycloak are now supported. SetASPNETCORE_CLIENT_TOKEN_URLon the respective service to enable this. If not set or left empty, the previous convention built fromAuthUrl+ASPNETCORE_TOKEN_PATHcontinues to work unchanged.
StoreWeb:
{
"ASPNETCORE_CLIENT_TOKEN_URL": "http://api.appcircle.io.127.0.0.1.nip.io/storeapi/v1/auth/client-token"
}
TesterWeb:
{
"ASPNETCORE_CLIENT_TOKEN_URL": "http://api.appcircle.io.127.0.0.1.nip.io/testerapi/v1/auth/client-token"
}
To preserve Keycloak dependency explicitly, set
ASPNETCORE_CLIENT_TOKEN_URLto the full Keycloak token endpoint, e.g.http://auth.appcircle.io.127.0.0.1.nip.io/auth/realms/appcircle/protocol/openid-connect/token.
- Fastlane version can now be pinned for Resign & Publish services.
TheASPNETCORE_FASTLANE_VERSIONenvironment variable is now supported inac-service-resignandac-service-publish. If not set, defaults tolatest.{ "ASPNETCORE_FASTLANE_VERSION": "2.231.1" }