25.11.0

Release Notes - v25.11.0

🎉 Major Features

GitHub Team Management & Security Enhancement

A comprehensive overhaul of GitHub team permissions to improve organization security while maintaining developer access.

New Leads Team Management

• Automatic leads sub-teams: Each project now gets a dedicated -leads sub-team with maintain permissions
• Dynamic membership: Leads are automatically added/removed from leads teams when their status changes
• Retroactive setup: Command to set up leads teams for all existing projects

Team Structure Optimization

• Flattened team hierarchy: Project teams are now siblings (not children) of the Members team to prevent unintended permission inheritance
• Explicit permissions: All 71 active project repositories explicitly assigned to Members team with write access
• Read-only capability: Organization default can now be safely changed from write to read, with write access controlled via team membership

New CLI Commands

flask sync project_leads_team # Setup leads team for a project
flask sync setup_all_projects_leads_teams # Bulk setup for all projects
flask sync add_repo_to_members_team # Add repo to members team
flask sync update_all_projects_members_team # Bulk update all repos
flask sync flatten_project_teams # Flatten active project teams
flask sync flatten_stale_teams # Flatten stale child teamsAll commands support --dry-run for safe testing.

Team Permission Audit Tool

• New check_teams.py script for auditing GitHub team structure
• Identifies permission mismatches, stale teams, and inheritance issues
• Reports on all 136 teams across the organization

API Optimization

• Smart caching: Checks existing permissions before updating to minimize GitHub API calls
• Example: 50 projects with 40 already configured = 11 API calls instead of 50

Database Changes

• Added leads_team_slug field to projects table for tracking leads teams
• Migration: d69ef951e45_add_leads_team_slug.py

Automated Workflows

• New repositories automatically added to members team via webhooks
• Leads team membership syncs automatically with database changes

🐛 Bug Fixes

Docker & CI/CD

• Critical: Updated base image from Debian Buster (EOL) to Debian Bookworm
  • Fixes: apt-get update failures in CI/CD
  • Debian Bookworm supported until ~2028

GitHub API

• Fixed get_team_repos() return type handling (returns list, not response object)
• Resolved migration conflict in leads_team_slug migration

Testing

• Removed unnecessary with context manager usage in pytest-mock
• Fixed mock object returns to be synchronous instead of coroutines
• Added side_effect to properly simulate leads_team_slug updates in tests

✨ Improvements

Testing

• 19 new tests for leads team management features
• Test coverage increased:
  • Overall: 46% → 64%
  • projects/tasks.py: 54% → 65%
  • account/blueprint.py: 43% → 72%
• All 214 tests passing
• Reduced warnings from 336 → 334

Code Quality

• Applied pre-commit formatting fixes
• Removed deprecated pytest-mock patterns
• Refactored mock setups for consistency

📦 Dependency Updates

Python Dependencies

• pytest: 8.3.5 → 8.4.2
• pytest-datadir: 1.7.0 → 1.8.0
• cryptography: 45.0.3 → 46.0.3
• requests[security]: 2.32.3 → 2.32.5
• setuptools: 80.8.0 → 80.9.0
• urllib3: 2.4.0 → 2.5.0
• brotli: 1.1.0 → 1.2.0 (includes security fix)
• pip: 25.1.1 → 25.3

JavaScript Dependencies

• parcel: 2.12.0 → 2.16.1
• @parcel/transformer-sass: 2.12.0 → 2.16.1
• sass: 1.89.0 → 1.94.0
• Fixed micromatch ReDoS vulnerability (moderate severity)

GitHub Actions

• actions/checkout: v4 → v5
• actions/setup-node: v4 → v6
• docker/build-push-action: v5 → v6
• getsentry/action-release: v1 → v3

🔒 Security

• 0 vulnerabilities in npm dependencies (was 1)
• Updated Debian base image to supported version
• Fixed ReDoS vulnerability in micromatch
• Security updates for brotli, requests, and cryptography

📝 Documentation

• Added comprehensive testing patterns guide (AGENTS.md)
• Documented GitHub team permission structure
• Added usage examples for all new CLI commands

🎯 Migration Path

If upgrading from 25.6.2:

1. Deploy the update: git pull && dokku ps:restart jazzband

2. Run migrations: Automatic on deployment

3. Set up teams (one-time):

   1. Flatten any remaining child teams

   dokku run jazzband flask sync flatten_stale_teams --dry-run
   dokku run jazzband flask sync flatten_stale_teams

   2. Ensure all repos in members team

   dokku run jazzband flask sync update_all_projects_members_team --dry-run
   dokku run jazzband flask sync update_all_projects_members_team

   3. Set up leads teams for all projects

   dokku run jazzband flask sync setup_all_projects_leads_teams --dry-run
   dokku run jazzband flask sync setup_all_projects_leads_teams

   4. Verify with audit script

   dokku run jazzband python check_teams.py
   4. Update GitHub org settings (optional):

   • Change organization default permission from write to read
   • Members will retain write access via explicit team membership

⚠️ Breaking Changes

None - all changes are backward compatible.

🙏 Contributors

• @jezdez - Lead maintainer
• @dependabot - Dependency updates

---

Full Changelog: 25.6.2...25.11.0

25.6.2

What's Changed

• Implement bulk upload releases by @jezdez in #1187

Full Changelog: 25.6.1...25.6.2

25.6.1

What's Changed

• Bump redis from 6.1.0 to 6.2.0 by @dependabot in #1185
• Bump pytest-datadir from 1.6.1 to 1.7.0 by @dependabot in #1186

Full Changelog: 25.6.0...25.6.1

25.6.0

What's Changed

• chore: Update Python pip packages by @aleksihakli in #1177
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1159
• Remove pullapprove config. by @jezdez in #1180
• Bump dokku/github-action from 1.3.0 to 1.6.1 by @dependabot in #1172
• Bump base-x from 3.0.10 to 3.0.11 by @dependabot in #1178
• Bump flask from 3.1.0 to 3.1.1 by @dependabot in #1179
• Bump exceptiongroup from 1.2.1 to 1.2.2 by @dependabot in #1151
• Bump sass from 1.77.8 to 1.79.4 by @dependabot in #1173
• Bump pip from 24.1.2 to 24.2 by @dependabot in #1156
• Bump sentry-sdk[flask] from 2.9.0 to 2.16.0 by @dependabot in #1175
• Bump sqlalchemy from 1.4.52 to 2.0.35 by @dependabot in #1168
• Bump getsentry/action-release from 1 to 3 by @dependabot in #1181
• Add comprehensive test suite covering core functionality and edge cases by @jezdez in #1182

Full Changelog: 24.7.0...25.6.0

24.7.0

What's Changed

• Bump flask-login from 0.6.2 to 0.6.3 by @dependabot in #1109
• Bump sqlalchemy-utils from 0.40.0 to 0.41.1 by @dependabot in #1110
• Fix import in db.py by @jezdez in #1112
• Bump pip from 23.3 to 23.3.2 by @dependabot in #1116
• Bump greenlet from 2.0.2 to 3.0.3 by @dependabot in #1115
• Bump styfle/cancel-workflow-action from 0.12.0 to 0.12.1 by @dependabot in #1123
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1117
• Fix a typo in installation section of readme by @arthru in #1126

New Contributors

• @arthru made their first contribution in #1126

Full Changelog: 24.1.0...24.7.0

New year's release

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1073
• Bump markdown-it-py from 2.1.0 to 2.2.0 by @dependabot in #1064
• Bump wrapt from 1.14.1 to 1.16.0 by @dependabot in #1083
• Bump certifi from 2022.12.7 to 2023.7.22 by @dependabot in #1084
• 📝 Document existence of the Matrix Space by @webknjaz in #1075
• Bump babel from 2.11.0 to 2.14.0 by @dependabot in #1081
• Bump pygments from 2.14.0 to 2.15.0 by @dependabot in #1085
• Bump pip from 23.0.1 to 23.3 by @dependabot in #1088
• Bump urllib3 from 1.26.14 to 1.26.18 by @dependabot in #1089
• Bump werkzeug from 2.2.3 to 2.3.8 by @dependabot in #1086
• Bump flask-admin from 1.6.0 to 1.6.1 by @dependabot in #1063
• Bump cryptography from 39.0.1 to 41.0.6 by @dependabot in #1087
• Bump flask from 2.2.3 to 2.2.5 by @dependabot in #1090
• Bump flask-dance[sqla] from 6.2.0 to 7.0.0 by @dependabot in #1099
• Bump click from 8.1.3 to 8.1.7 by @dependabot in #1100
• Bump sass from 1.58.3 to 1.69.7 by @dependabot in #1096
• Bump pytz from 2022.7.1 to 2023.3.post1 by @dependabot in #1097
• Bump loading-attribute-polyfill from 1.5.4 to 2.1.1 by @dependabot in #1098
• Bump styfle/cancel-workflow-action from 0.11.0 to 0.12.0 by @dependabot in #1091
• Bump actions/checkout from 3 to 4 by @dependabot in #1092
• Bump actions/setup-node from 3 to 4 by @dependabot in #1093
• Bump certifi from 2023.7.22 to 2023.11.17 by @dependabot in #1101
• Bump feedgen from 0.9.0 to 1.0.0 by @dependabot in #1102
• Bump alembic from 1.9.4 to 1.13.1 by @dependabot in #1104
• Bump psycopg2-binary from 2.9.5 to 2.9.9 by @dependabot in #1105
• Bump requests-toolbelt from 0.10.1 to 1.0.0 by @dependabot in #1103
• Bump exceptiongroup from 1.1.0 to 1.2.0 by @dependabot in #1106
• Bump chardet from 5.1.0 to 5.2.0 by @dependabot in #1107
• Bump cryptography from 41.0.6 to 41.0.7 by @dependabot in #1108

New Contributors

• @webknjaz made their first contribution in #1075

Full Changelog: 23.2.0...24.1.0

23.2.0

What's Changed

• Bump pytest from 7.1.2 to 7.1.3 by @dependabot in #1036
• Bump sentry-sdk[flask] from 1.9.7 to 1.9.8 by @dependabot in #1035
• Bump cryptography from 37.0.4 to 38.0.1 by @dependabot in #1038
• Bump certifi from 2022.6.15 to 2022.6.15.1 by @dependabot in #1040
• Bump sqlalchemy from 1.4.40 to 1.4.41 by @dependabot in #1039
• Bump dokku/github-action from 1.1.3 to 1.3.0 by @dependabot in #1041
• Bump styfle/cancel-workflow-action from 0.10.0 to 0.10.1 by @dependabot in #1049
• Bump certifi from 2022.6.15.1 to 2022.9.24 by @dependabot in #1048
• Bump styfle/cancel-workflow-action from 0.10.1 to 0.11.0 by @dependabot in #1053
• Bump flask-compress from 1.12 to 1.13 by @dependabot in #1046
• Bump sentry-sdk[flask] from 1.9.8 to 1.9.9 by @dependabot in #1047
• Bump pytest-mock from 3.8.2 to 3.10.0 by @dependabot in #1051
• Bump certifi from 2022.9.24 to 2022.12.7 by @dependabot in #1055
• Bump json5 from 2.2.1 to 2.2.3 by @dependabot in #1058
• Bump oauthlib from 3.2.0 to 3.2.1 by @dependabot in #1045
• Bump mako from 1.2.1 to 1.2.2 by @dependabot in #1044
• Bump wheel from 0.37.1 to 0.38.1 by @dependabot in #1056
• Bump setuptools from 63.4.2 to 65.5.1 by @dependabot in #1057
• Bump cryptography from 38.0.1 to 39.0.1 by @dependabot in #1059
• Bump werkzeug from 2.2.2 to 2.2.3 by @dependabot in #1060
• Bump oauthlib from 3.2.0 to 3.2.2 by @dependabot in #1061
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1052

Full Changelog: 22.9.1...23.2.0

22.9.1

What's Changed

• Bump dokku/github-action from 1.1.2 to 1.1.3 by @dependabot in #1033
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1034
• Bump sentry-sdk[flask] from 1.9.3 to 1.9.7 by @dependabot in #1032
• Bump flask-dance[sqla] from 6.1.0 to 6.1.1 by @dependabot in #1029
• Bump pygments from 2.12.0 to 2.13.0 by @dependabot in #1026
• Bump pytz from 2022.1 to 2022.2.1 by @dependabot in #1025
• Bump secretstorage from 3.3.2 to 3.3.3 by @dependabot in #1027
• refactor: enhance ux by using a sticky table head by @phloose in #1024

New Contributors

• @phloose made their first contribution in #1024

Full Changelog: 22.9.0...22.9.1

22.9.0

What's Changed

• Ensure one e-mail is notified only once by @mpasternak in #1030

New Contributors

• @mpasternak made their first contribution in #1030

Full Changelog: 22.8.6...22.9.0

22.8.6

Full Changelog: 22.8.5...22.8.6