meshcloud · github-actions · Dec 10, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/blog/2025-12-10-Release-0.md b/blog/2025-12-10-Release-0.md
@@ -0,0 +1,166 @@
+---
+author: meshcloud
+title: Release 2025.53.0
+---
+
+Release period: 2025-12-03 to 2025-12-10
+
+This release includes the following issues:
+* Automatic User Access Control Assignment
+* Edit User Access During Workspace and Project Creation
+* Open GitHub Workflow Files Directly from Building Block Definition
+* Improved Structure for Platform Authentication Configuration in meshPlatform API
+* Runner Selection for Building Block Integrations
+* Communication Email Header Logo in Preview and Sent Emails
+* Communication Center Email Preview Matches Actual Emails
+* Azure Subscription Name Enforcement
+* Built-In Integrations Exposed via meshIntegration API
+* Streamlined Adding User Access with Modal Dialog
+* Drift Detection of Secrets for meshPlatform API v2-preview
+<!--truncate-->
+
+## Ticket Details
+### Automatic User Access Control Assignment
+**Audience:** User<br>
+
+#### Description
+When you create a new project, you are now automatically added with the highest-ranking role available to you, 
+matching the existing behavior during workspace creation. Asides the Admin Area Workspace Management, where you 
+can still add yourself directly as a workspace manager, the "Add Myself" button has been removed from workspace 
+and project access control overview screens, streamlining the interface and reducing clutter.
+
+Note: This change only affects customers who have access to the new access control v2 feature. If you are using the 
+standard access control interface, this change does not apply to you.
+
+### Edit User Access During Workspace and Project Creation
+**Audience:** User<br>
+
+#### Description
+You can now edit user access assignments directly during workspace and project creation. Previously, you could only add
+or remove users during the creation process, but not modify their roles or expiration dates. This improvement allows
+you to adjust access settings in the creation flow.
+
+Note: This change only affects customers who have access to the new access control v2 feature. If you are using the
+standard access control interface, this change does not apply to you.
+
+### Open GitHub Workflow Files Directly from Building Block Definition
+**Audience:** User<br>
+
+#### Description
+When configuring a GitHub Actions Building Block Definition, you can now open the workflow files directly in GitHub
+from the meshPanel. This makes it easier to verify your configuration and review the workflow implementation without
+manually navigating to the GitHub repository.
+
+#### How to use
+In the Building Block Definition configuration, after entering your GitHub workflow file names (deploy and destroy
+workflows), click the "Open workflow" button next to each field to open the corresponding workflow file in a new tab.
+The button becomes available once you have provided the integration, repository, and branch details.
+
+### Improved Structure for Platform Authentication Configuration in meshPlatform API
+**Audience:** User<br>
+
+#### Description
+The meshPlatform API v2-preview now uses an improved and more consistent structure for configuring platform authentication
+credentials. The authentication configuration has been reorganized to use a unified `auth` pattern across
+all cloud platforms (AWS, Azure, GCP, and AKS). This change makes it easier to understand and configure different
+authentication methods (credentials vs. workload identity) by using a consistent structure with a `type` field
+that clearly identifies the authentication method being used.
+
+#### How to use
+If you are using the meshPlatform API preview-v2 to manage platform configurations, you need to update your API requests to
+use the new structure. Please refer to the updated API documentation for detailed examples of the new configuration structure for each
+platform type.
+
+### Runner Selection for Building Block Integrations
+**Audience:** User<br>
+
+#### Description
+You can now select a specific building block runner when creating or editing integrations for GitHub, GitLab,
+and Azure DevOps. This allows you to choose which runner will execute the building block definitions that use
+this integration.
+
+#### How to use
+When creating or editing an integration, a new "Building Block Runner" section appears below the integration
+configuration. You can select from available runners that match the integration type (e.g., GitHub Workflow
+runners for GitHub integrations). If you change the runner for an existing integration that stores secrets
+(GitHub or Azure DevOps), you'll need to re-enter those secrets as they are encrypted per runner.
+
+### Communication Email Header Logo in Preview and Sent Emails
+**Audience:** User<br>
+
+#### Description
+The email preview in the communication center now displays your organization's logo at the top of the message, matching
+what recipients will see. Additionally, the logo display in actual sent emails has been improved to ensure consistent
+and professional formatting regardless of the original logo size.
+
+#### How to use
+When creating a communication, the email preview will show your configured logo at the top of the message. This preview
+accurately reflects how the logo will appear in emails sent to workspace members, helping you ensure your communications
+maintain a professional appearance.
+
+### Communication Center Email Preview Matches Actual Emails
+**Audience:** User<br>
+
+#### Description
+When you create communications in the communication center, the email preview now shows exactly what recipients will
+receive. The greeting and message content are now displayed in the same format in both the preview and the actual sent
+emails.
+
+#### How to use
+When creating a communication, use the email preview feature to see exactly how your message will appear to recipients.
+The preview accurately reflects the final email layout, including the personalized greeting (when applicable) and the
+message content. This helps you ensure your communication looks professional before sending it to workspace members.
+
+### Azure Subscription Name Enforcement
+**Audience:** User<br>
+
+#### Description
+During Azure replication, meshStack now ensures that the Azure subscription name is correctly applied
+according to the configured subscription name pattern. This step was added to the replication process to guarantee
+that subscription names remain consistent with your naming conventions, even if they were changed manually or
+through other means.
+
+### Built-In Integrations Exposed via meshIntegration API
+**Audience:** User<br>
+
+#### Description
+The meshIntegration API now exposes built-in integrations (Replicator and Metering) as read-only resources. You can 
+retrieve Workload Identity Federation (WIF) configuration details including OIDC issuer, subject identifiers, and token 
+paths for GCP, AWS, and Azure. This enables you to fully automate platform setup by retrieving WIF information via the 
+API before creating the platform in meshStack.
+
+#### How to use
+Filter by integration type (replicator or metering) or retrieve individual integrations by their static UUID. Use the 
+WIF configuration from the status field to configure your cloud platform's identity provider before creating the 
+platform in meshStack. Built-in integrations are read-only and cannot be created, updated, or deleted via the API.
+
+### Streamlined Adding User Access with Modal Dialog
+**Audience:** User<br>
+
+#### Description
+We improved the user experience when adding users to workspaces and projects in the new access control interface 
+(access control v2). Instead of using a dropdown popover, the "Add Users" functionality now opens in a clear modal 
+dialog, providing a more focused and intuitive interface. You can now add multiple users at once and invite new users 
+by email in the same flow, streamlining the process of managing workspace and project access.
+
+Note: This change only affects customers who have access to the new access control v2 feature. If you are using the 
+standard access control interface, this change does not apply to you.
+
+### Drift Detection of Secrets for meshPlatform API v2-preview
+**Audience:** User<br>
+
+#### Description
+The meshPlatform API v2-preview now supports drift detection for platform configuration secrets. Previously, 
+GET responses returned a placeholder value for secrets, making it impossible to detect when secrets were changed 
+outside of Terraform or other API clients. Now, secrets are returned with a hash value that enables drift detection 
+while maintaining security by never exposing the actual secret values. This is a breaking change for the v2-preview 
+API, so existing API clients need to adapt to the new secret representation structure.
+
+#### How to use
+When creating or updating platforms via the API, you can provide secret values using a "plaintext" property. 
+GET responses return a "hash" property instead of the actual secret or a placeholder. Terraform providers and 
+other API clients can store this hash and compare it on subsequent reads to detect when secrets have been changed 
+outside of their control. When updating a platform, you can either provide a new secret value to update it, or 
+provide the hash from a previous response to keep the existing secret unchanged. For details on the new secret 
+structure, see the API documentation at https://docs.meshcloud.io/api/mesh-platform-post-v/.
+
@@ -15,9 +15,18 @@ Platform engineers can offer "GitHub Actions Building Blocks" that trigger a Git
 
 **Note:** Follow Steps 1 and 2 only the first time you set up a GitHub Action Workflow integration. After the initial setup, you can go directly to Step 3 for additional triggers.
 
-## Step 1: Set Up the GitHub Platform in meshStack
+## Step 1: Set Up the GitHub Integration in meshStack
 
-To set up GitHub as a platform, go to the Admin area in meshStack, select **Platforms**, and click on **Create New Platform** at the top right. Complete the required fields and select **GitHub** as the platform type.
+To set up GitHub as an integration, go to the Admin area in meshStack, 
+select **Integrations**, and click on **Create Integration** at the top right. 
+Select **GitHub Integration** as the integration type and complete the required fields.
+
+The Platform Builder area also allows managing integrations for that workspace.
+Integrations are always bound to a meshStack workspace and
+cannot be transferred or shared.
+
+You can also set up the integration while configuring the building block definition,
+[see below](#step-3-create-a-workflow-trigger).
 
 ## Step 2: Configure Pipeline Automation
 
@@ -30,8 +39,8 @@ First of all you will need a so-called GitHub App. This is what meshStack uses t
 Once you have your GitHub App, meshStack needs to know the following to be integrated with GitHub:
 
 - the owner of the GitHub organization
-- the ID of the GitHub App
-- the app’s private key (this is a .pem file)
+- the Application ID of the GitHub App (*not* Client ID)
+- the app’s private key (this is a `*.pem` file)
 
 Those values are available to you once you [installed the GitHub App to a repository](https://docs.github.com/en/apps/using-github-apps/installing-your-own-github-app) and [generated a private key](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys).
 
@@ -136,7 +145,40 @@ on:
         required: true
 ```
 
-This setup allows application teams to quickly and efficiently access automation workflows from the marketplace, enhancing their productivity and reducing the need for Git expertise.
+Within a job, you need to decode the `buildingBlockRun` input.
+Define a job step to decode all Building Block inputs as follows and provide them to following steps:
+```yaml
+jobs:
+  some-job:
+    runs-on: ubuntu-latest # ships with jq already!
+    steps:
+      # ... some other steps
+      - name: Decode buildingBlockRun inputs
+        id: decodeBuildingBlockInputs
+        shell: bash
+        env:
+          # pass in indirectly as env variable to avoid cluttering the job log with a large base64 string
+          BUILDING_BLOCK_RUN_INPUT: ${{ inputs.buildingBlockRun }}
+        run: |
+          set -euo pipefail
+          base64 -d <<<"$BUILDING_BLOCK_RUN_INPUT" \
+          | jq -er '
+            .spec.buildingBlock.spec.inputs
+            | unique_by(.key)
+            | .[]
+            | "\(.key)=\(.value)"
+            ' \
+          | tee -a "$GITHUB_OUTPUT" # assumes no secrets are passed in as inputs, as they're printed by tee!
+      # ... do something with the output (example):
+      - name: Some step using an input
+        run: |
+          # Assumes the building block definition has an input called 'github_handle'
+          echo '${{ steps.decodeBuildingBlockInputs.outputs.github_handle }}'
+```
+<!-- Above step "Decode buildingBlockRun inputs" is actually used here:
+https://github.com/meshcloud/github-copilot-licenses/blob/79450d14d70d149d8a207edbc9df51078cb113e2/.github/actions/setup/action.yml#L40-L49
+-->
+<!-- TODO: Once https://github.com/meshcloud/meshfed-release/pull/9016 is merged/release, the unique_by(.key) workaround can be removed -->
 
 ### Status Updates
 

@@ -7,8 +7,7 @@ meshcloud will operate your meshStack installation as a managed service for you.
 
 ## Standard Backup Configuration
 
-Backup are facilitated once a day. Backup files will be stored for 30 days. Depending on the cloud platform hosting the meshStack environment
-the backup files will be stored in the available object storage of the cloud provider (e.g. AWS S3, GCP Cloud Storage) using an appropriate data encryption method supported by the provider (e.g. key based encryption).
+Backup frequency is set to once per day, with a retention period of 30 days. Storage location is dependent on the cloud platform hosting meshStack;
+files are placed in the cloud provider's object storage (e.g., AWS S3 or GCP Cloud Storage) and protected via the provider's standard data encryption methods (e.g., key-based encryption).
 
-> If you have deviating requirements regarding backup frequency and/or retention please contact [email protected].
-> It is also possible to provide you access to the object storage in order to transfer the files in a central backup solution within your organization.
+> If custom backup frequency and retention or the export of backups to a specific destination is required, please reach out to [email protected].
@@ -38,8 +38,12 @@ traceability. Events capture what happened, when it happened and who triggered
 the event.
 
 Workspace Owners and Managers can view events related to their specific
-Workspaces in the "Compliance" tab in their workspace. Administrators have
-access to all events in the "Admin Area" under "Compliance".
+Workspaces in the "Compliance" tab in their workspace. Administrators and
+users with the "Auditor" role have access to all events in the "Admin Area"
+under "Compliance".
+
+Events can also be exported via API. See the "Event Logs" section in our API
+documentation for more details.
 
 At the moment, the following objects are logged:
 
@@ -58,7 +62,10 @@ At the moment, the following objects are logged:
 | OSB Service Instance            | Created, updated, deleted                                                                                                |
 | OSB Service Binding             | Created, updated, deleted                                                                                                |
 | meshStack Copilot System Prompt | Created, updated, deleted                                                                                                |
-| Payment Method                  | [Feature Request](https://feedback.meshcloud.io/feature-requests/p/event-logs-for-payment-methods)                       |
+| Payment Method                  | Created, updated, deleted                                                                                                |
+| Policies                        | Created, updated, deleted                                                                                                |
+| API Keys                        | Created, updated, deleted                                                                                                |
+| API Users                       | Created, updated, deleted                                                                                                |
 | Admin Settings                  | [Feature Request](https://feedback.meshcloud.io/feature-requests/p/event-logs-for-welcome-and-landing-page-and-settings) |
 
 ## API Access Logs