Whiskers v0.12.1 is out — a patch release focused on security hardening, bundling the features that landed right after the 0.12.0 tag was cut.
Security
- SSH host keys are now verified (trust-on-first-use, pinned in
<data>/ssh-keys/known_hosts). Behavior change: an intentionally rebuilt server needs its line refreshed in that file before reconnecting. - Fail-closed authorization: every endpoint and page requires authentication unless it explicitly opts out (login, setup wizard, health probes, HMAC webhooks). The SignalR hub is no longer reachable anonymously.
- The MCP bearer scheme is parsed case-insensitively (RFC 7235).
Transparency note: these three items were already listed in the 0.12.0 changelog, but the published 0.12.0 artifacts were built before they landed — they ship starting with this release. The changelog has been corrected accordingly.
New
- Git-based deployments: clone/pull a repository on a target server and bring it up with Docker Compose — deploy tokens live vault-only, and the new
git-deploywebhook action enables push-to-deploy straight from CI. - Private container registries (v1): manage registries in Settings with vault-stored credentials; image pulls authenticate automatically by registry-host match.
- Localized navigation (English/German) across the entire app navigation and chrome.
- The audit log now also covers scheduler and webhook management; every push runs the full test suite in CI.
Upgrading
Image: ghcr.io/lupusmalusdeviant/whiskers:0.12.1 · Helm chart: oci://ghcr.io/lupusmalusdeviant/charts/whiskers. Full details in the changelog; all assets on the GitHub release.
