What's new in Semaphore UI 2.17

Semaphore v2.17 introduces new features and improvements for infrastructure automation and DevOps teams. This release focuses on enhancing developer experience and streamlining infrastructure-as-code workflows.

Key Features Overview #

• Custom issuer name in TOTP app
  You can now specify a custom issuer name when registering Semaphore with a TOTP (Time-based One-Time Password) authenticator app. This enables clearer identification of Semaphore accounts within authenticator apps, improving usability—especially for users managing multiple 2FA tokens.
  Learn more »

• Read secrets from environment variables
  You can now link a secret to an environment variable.
  Learn more »

• One-time scheduled tasks
  You can now schedule a task for a specific date and time (not just via a cron schedule). It will run only once.
  Learn more »

• Customizable views
  You can now customize template views with much more flexibility.
  Learn more »

• Stop all tasks
  The Stop all button lets you stop all running tasks for a template at once. This is useful when you need to quickly halt a rollout or cancel jobs started by mistake.
  Learn more »

• Syslog server support
  Semaphore can now send its logs to an external syslog server, making it easier to centralize log collection and integrate with existing monitoring and alerting pipelines.
  Learn more »

• Rollback database migrations
  You can now roll back database migrations, making it easier to safely downgrade Semaphore if needed.
  Learn more »

• Drag and drop for survey variables, CLI args, etc
  You can now reorder survey variables, CLI arguments, and other list items via drag and drop.
  Learn more »

• Project export and import via CLI
  Export and import projects from the command line to simplify backups, migrations, and repeating setups across environments.
  Learn more »

• CLI tool to migrate from BoltDB to SQLite/MySQL/Postgres
  A new CLI migrator helps move Semaphore data from BoltDB to SQLite, MySQL, or Postgres. BoltDB is being deprecated and will be removed in v3.0.
  Learn more »

• Devolutions Server support (Enterprise)
  Enterprise installations can now integrate with Devolutions Server as a secrets backend, similar to HashiCorp Vault.
  Learn more »

• Custom roles and Extended RBAC (Enterprise)
  Define custom roles with tailored permissions to match your organization’s access model.
  Learn more »

• Active-active high availability (Enterprise)
  Define custom roles with tailored permissions to match your organization’s access model.
  Learn more »

• Improved logging
  Logs now include more detailed context.
  Learn more »

• Subscription key via environment variable (PRO)
  PRO subscription keys can now be provided via an environment variable, which is convenient for containerized and automated deployments.
  Learn more »

Features #

Custom issuer name in TOTP app #

Semaphore v2.17 introduces a new option to customize the issuer name displayed in TOTP (Time-based One-Time Password) authenticator apps.

Purpose:
The issuer name helps users identify which account in their authenticator app belongs to Semaphore, especially useful when managing accounts from multiple organizations or environments.

How to Configure:

You can set the issuer name in two ways:

1. Environment Variable

   Set the environment variable SEMAPHORE_TOTP_ISSUER to your desired issuer name when starting Semaphore.

   Example (Docker Compose):

   environment:
     - SEMAPHORE_TOTP_ISSUER=MyCompany Semaphore
   

   Example (Standalone):

   SEMAPHORE_TOTP_ISSUER="MyCompany Semaphore" ./semaphore server
   

2. Configuration File

   In your config.json file, set the following option inside the auth section:

   {
     "auth": {
       "totp": {
         "issuer": "MyCompany Semaphore"
       }
     }
   }
   

Precedence:
If both the environment variable and the config file option are set, the environment variable (SEMAPHORE_TOTP_ISSUER) takes precedence.

Default Value:
If not set, the default issuer name will be Semaphore.

Result:
When users add their Semaphore TOTP account to an authenticator app, the selected issuer name will appear, making it easier to distinguish between multiple accounts.

For full details on all available environment variables, see the installation environment variable documentation.

One-time scheduled tasks #

Semaphore now supports one-time schedules in addition to cron schedules. Use this when you need a task to run at a specific date and time and execute only once.

Use cases:

• Run a maintenance task during an approved change window
• Kick off a one-off rollout or backfill job

Customizable views #

Template views are now more customizable, allowing you to tailor what’s shown and how it’s organized to better match your workflow.

1. Now you can move the All tab to any place in the bar.

2. You can hide the All tab from regular project users entirely.

3. You can change the default template sorting for a specific view.

Typical improvements include:

• Better organization of template-related information
• More flexibility in how view content is arranged

Stop all tasks #

You can now stop all running tasks for a template with a single action. This helps you quickly halt a rollout or cancel jobs that were started accidentally.

Syslog server support #

Semaphore can now forward logs to an external syslog server, making it easier to centralize log collection and integrate with existing monitoring and alerting pipelines.

config.json:

{
  "syslog": {
    "enabled": true,
    "network": "udp",
    "address": "localhost:514",
    "tag": "semaphore"
  }
}

Environment variables:

export SEMAPHORE_SYSLOG_ENABLED=True
export SEMAPHORE_SYSLOG_NETWORK=udp
export SEMAPHORE_SYSLOG_ADDRESS=localhost:514
export SEMAPHORE_SYSLOG_TAG=semaphore

Rollback database migrations #

Database migrations can now be rolled back. This makes it safer to recover from an upgrade issue and can simplify downgrades when necessary.

semaphore migrate --undo-to 2.16

Drag and drop for survey variables, CLI args, etc #

You can now reorder survey variables, CLI arguments, and other list items via drag and drop, making templates easier to maintain and review.

Project export and import via CLI #

Semaphore now supports automatic project importing.

Docker container accepts environment variables SEMAPHORE_IMPORT_PROJECT_FILE and SEMAPHORE_IMPORT_PROJECT_NAME for this.

If you need to import a project from the CLI, you can use the following command:

semaphore project import --file /path/to/the/backup.json --project-name "Demo project"

If the project name isn’t provided, the project name from the backup metadata will be used.

To import all projects from a directory, use the following command:

semaphore project import --dir /path/to/the/dir

To export a project, you can use the following command:

semaphore project export --project-name "Demo project" --file /path/to/the/backup.json

If you want to export all projects to a directory:

semaphore project export --dir /path/to/the/dir

By combining this command with cron, you can implement automatic project backups.

CLI tool to migrate from BoltDB to SQLite/MySQL/Postgres #

A new CLI migrator helps you move Semaphore data from BoltDB to SQLite, MySQL, or Postgres. BoltDB is being deprecated and will be removed in v3.0.

semaphore migrate --from-boltdb /path/to/boltdb/file

Devolutions Server support (Enterprise) #

Enterprise installations can now integrate with Devolutions Server as a secrets backend, similar to HashiCorp Vault.

Custom roles and Extended RBAC (Enterprise) #

Semaphore UI now supports custom project-level and global roles, enabling fine-grained access control for tasks and templates. RBAC has been extended with more granular controls across Semaphore resources, helping teams apply least-privilege access more precisely.

Enterprise users can define custom roles with tailored permissions to match organizational access requirements.

Project owners and managers can assign these roles to specific templates and grant them targeted permissions for running, viewing, or managing tasks.

Active-active high availability (Enterprise) #

In a standard single-node setup, one Semaphore process does everything: serves the web UI, runs scheduled jobs, executes tasks, and pushes live updates to browsers. If that process goes down, everything stops. ​

With active-active HA, you run multiple identical Semaphore instances behind a load balancer. All of them are fully active at the same time - there is no “primary” or “standby.” Any node can serve any request, run any task, or fire any schedule. They coordinate through a shared Redis instance to avoid stepping on each other. ​ All instances connect to the same two backends:

• Database (Postgres or MySQL) — the single source of truth for all persistent data: projects, templates, schedules, task history, users, etc.
• Redis — the coordination layer. Redis serves three purposes:
  • Distributed locks — to prevent two nodes from running the same thing
  • Pub/Sub messaging — to relay real-time events between nodes
  • Shared task queue state — so all nodes see the same queue

{
  "ha": {
    "enabled": true,
    "node_id": "node1",
    "redis": {
      "addr": "localhost:6379"
    }
  }
}

Improved logging #

Logging has been improved to provide more context and clarity, helping you troubleshoot failures and understand what happened during a run.

Subscription key via environment variable (PRO) #

PRO subscription keys can now be provided via an environment variable, which is helpful for containerized deployments and CI/CD-driven rollouts.