gitlab-org/gitlab-foss v18.9.0

on GitLab

Zero Downtime Upgrades are now officially supported for Cloud Native Hybrid deployments.

Enterprise customers require their DevSecOps platform to be available at all times, making upgrade-related downtime a significant operational concern.
Until now, Zero Downtime Upgrades were only supported for Linux package-based high availability deployments, which drove many customers toward VM-based architectures even when cloud-native Kubernetes deployments would have better suited their infrastructure strategy.

We've been upgrading our own Cloud Native Hybrid SaaS instances with zero downtime for years.
With this release, we're bringing that same operational experience to self-managed customers running GitLab on Kubernetes.

The upgrade procedure has been comprehensively tested and is now fully documented, giving you the confidence to maintain availability during version upgrades.

Managing completed initiatives and abandoned projects is now easier.
You can now archive entire groups, including all subgroups and projects, in one action, eliminating the need to manually archive each project individually.

When you archive a group:

• All nested subgroups and projects are automatically archived.
  
• Archived content moves to the Inactive tab with clear status badges.
  
• Group data remains fully accessible in read-only mode for reference or restoration.
  
• Write permissions are disabled across the archived group and its content.
  

Beyond the Settings page, you can archive groups and projects directly from the actions menu in list views. No more navigating through multiple screens for simple administrative tasks.
This highly requested feature dramatically reduces administrative overhead while keeping your workspace organized with clear separation between active and inactive work.
Share your feedback in epic 18616.

Starting with GitLab 18.9, Valkey is bundled as an opt-in replacement for Redis in the Linux package.
Redis changed their license to AGPLv3, which is not suitable for open source customers. To guarantee security and maintainability for our
GitLab Self-Managed customers, we are transitioning from Redis to Valkey, a community-driven fork that maintains the permissive BSD license.

Transition timeline:

• GitLab 18.9 (this release): Valkey is bundled as an opt-in replacement (beta). You can switch from Redis to Valkey at your convenience. Valkey Sentinel support
  is included.
  
• GitLab 19.0 (May 2026): Valkey becomes the default and Redis binaries are removed from the Linux package. Existing Redis configuration settings remain
  functional and are honored for backwards compatibility.
  

This transition only affects the bundled Redis in Linux packages. Customers on scaled architectures using external Redis deployments can continue to use Redis.
We are monitoring the potential feature divergence between Redis and Valkey and will provide guidance as the ecosystem evolves.

You can now browse repository files with a collapsible file tree. The tree provides
a comprehensive view of your project structure, so you can expand and collapse directories
inline, jump between files in different parts of your repository, and maintain context
while you work.

The file tree appears as a resizable sidebar when you view repository files or directories.
You can toggle visibility with keyboard shortcuts, filter files by name or extension,
and navigate through complex project hierarchies. The tree synchronizes with your current
location, so when you select a file in the main content area, the tree updates to show
that file.

Your existing repository structure and file organization remain unchanged. With fewer page
loads required to move between files, this feature scales from small projects to large
codebases with thousands of files.

Ensuring commits are cryptographically signed is essential for code integrity and meeting
compliance requirements. Previously, web-based commit signing was only available for GitLab Self-Managed.

GitLab.com now supports web-based commit signing. When enabled for a group or project, commits
created through the GitLab web interface are automatically signed with the GitLab signing key and are
displayed with a Verified badge, providing cryptographic proof of authenticity for your repositories.

Key details:

• Enable in group or project settings based on your requirements.
  
• All web-based commits (Web IDE edits, merges, API operations) are automatically signed when enabled.
  

This brings the GitLab.com security capabilities in line with GitLab Self-Managed and provides
the foundation for comprehensive commit signing policies across your organization.

Reviewing commits with many changed files or substantial modifications can be slow.
Rapid Diffs technology now powers the commits page (/-/commits/<SHA>), delivering faster
loading times, smoother scrolling, and more responsive interactions.

With Rapid Diffs, you'll notice:

• A pagination-free experience.
  
• Faster initial load, so you can start working with code sooner.
  
• A refreshed interface with a new file browser for quicker navigation between files.
  
• Responsive interactions, even with large numbers of changed files.
  

All existing functionality is preserved. As Rapid Diffs expands to other areas of GitLab, the same performance benefits will follow.

The GitLab import API now supports Bitbucket Cloud API tokens, providing a more secure way to
import repositories from Bitbucket Cloud.

Atlassian has deprecated app passwords
in favor of API tokens, and we're planning to remove support for app passwords in 19.0.

Importing from Bitbucket Cloud through the GitLab UI is not affected by this change.

Previously, pipeline inputs could only be defined directly within a pipeline's spec section. This limitation made it challenging to reuse input configuration across multiple projects.

In this release you can now include input definitions from external files using the familiar include keyword. Being able to maintain a list of inputs in a separate place helps you have a manageable solution across many projects or pipelines. You can maintain centralized input configurations and even dynamically manage input values from external sources.

You can now view timestamps on each CI job log line to identify performance bottlenecks and debug long-running jobs. Timestamps are displayed in UTC format. Use timestamps to troubleshoot performance issues, identify bottlenecks, and measure the duration of specific build steps. Requires GitLab Runner 18.7 or later for GitLab Self-Managed.

Previously, teams lacked visibility into how CI/CD Catalog component projects were being used across their organization. Now you can view usage counts and adoption patterns at a high level, helping you understand which component projects are most valuable and optimize your catalog investments.

You can now view security and compliance reports from child pipelines directly in merge request widgets. Previously, you had to manually navigate through multiple pipelines to identify security issues, creating inefficient workflows especially with monorepos and complex testing setups.

With this enhancement, the merge request widget displays reports from child pipelines directly alongside parent pipeline results, with each child pipeline's reports presented individually and artifacts available for download. This provides a unified view of all security checks, significantly reducing time spent investigating failures and enables faster merge request reviews when using parent-child pipelines.