Major Enhancements
Make sure that the token in .kube/config is in sync with the one in the user's session
A new "Advanced" tab has been added to the "Workspace Details" view, which allows re-injecting your current Kubernetes credentials and Podman registry login into the CDE containers. Use this if your kubeconfig has expired or was not injected correctly when the workspace started.
Configure DevWorkspace Operator with imported certificates.
When custom TLS certificates are imported into the che-operator, the operator now automatically configures the DevWorkspace Operator (DWO) using the tlsCertificateConfigmapRef reference. This ensures that secure, trusted certificate configurations are seamlessly propagated across all workspace components without requiring manual post-deployment intervention from administrators.
Bug Fixes
Restore user identity in workspace terminals
A regression caused oc whoami and other CLI tools in workspace terminals to report the Pod's service account identity instead of the logged-in user's identity. This prevented users from performing cluster operations that required their personal RBAC permissions.
The fix restores OAuth token injection by routing the Kubernetes Watch through the user's identity rather than the backend service account. A polling fallback was also added so that workspaces with longer startup times (exceeding 300 seconds) still receive the correct kubeconfig and credentials.
Prevent devfile commands from being removed on workspace start
User-defined devfile commands were silently stripped from the workspace spec during startup. The AI tool cleanup routine (sanitizeStaleAiTools()) was inadvertently matching user-defined command IDs against its removal patterns, deleting commands that did not belong to any AI tool injector.
The fix adds a check ensuring that only commands whose slug matches a registered AI tool are considered for cleanup, leaving all other commands untouched.
Open an existing workspace when the factory URL contains a branch path
When the "Create New" option was disabled on the Dashboard, navigating to a GitHub URL that included an explicit branch path (e.g., /tree/my-branch) still created a duplicate workspace instead of opening the existing one. This happened because the factory parameter parser only read the ?revision= query parameter and ignored branch information embedded in the URL path.
The fix extends the revision extraction logic to also recognize branch names from the /tree/<branch> path segment, with the explicit query parameter still taking precedence.
Git askpass scripts may fail when a user runs git clone in a Che Code terminal
Fix library paths ensuring that git askpass scripts succeed when run within a Che Code integrated terminal.