Semaphore v2.18 introduces new features and improvements for infrastructure automation and DevOps teams. This release focuses on enhancing developer experience and streamlining infrastructure-as-code workflows.
Cloud Secret Manager Integration
Organizations using cloud platforms need a way to pull secrets directly from their cloud provider’s secret management service at runtime, avoiding credential duplication and leveraging existing rotation policies. This feature adds native integrations with AWS Secrets Manager and Azure Key Vault as Enterprise-only capabilities.
Pro
- AWS Secrets Manager integration — pull secrets at runtime from AWS Secrets Manager using IAM roles, access keys, or assumed roles. Supports JSON-structured secrets with field extraction and automatic rotation. (#2248)
- Azure Key Vault integration — pull secrets at runtime from Azure Key Vault using managed identity or service principal authentication. Supports secrets, keys, and certificates with automatic rotation. (#2248, #3170)
Multiple Variable Groups per Template
Semaphore currently allows attaching a single Variable Group (Environment) to each task template. This forces users to duplicate variables across groups when multiple templates share common settings, or to create monolithic Variable Groups that contain everything. This feature enables composing multiple Variable Groups per template and fixes the numerous bugs in variable handling — serialization, precedence, propagation, and survey variable lifecycle.
Community
- Multi-environment composition — allow attaching multiple Variable Groups to a single task template so that shared variable sets (e.g., common defaults, per-region overrides) can be composed and reused across templates. (#2612)
- Clone Variable Groups — add a clone action so environments that differ by only a few values can be set up without recreating all fields from scratch. (#3295)
- Reusable survey variable sets — decouple survey variables from task templates into standalone assignable objects, avoiding per-template duplication. (#2212)
- Fix extra-vars JSON serialization — serialize complex extra-vars as proper JSON instead of Go map strings, fixing jsondecode failures in Terraform/OpenTofu. (#3748, #1644, #2619)
- Fix survey variable precedence — resolve silent override when the same variable name exists in both Environment extra-vars and survey; define clear precedence or raise an error. (#3108)
- Fix empty/optional survey variable handling — ensure optional survey variables are consistently omitted or passed as empty strings, not randomly mixed. (#2182)
- Survey defaults for scheduled tasks — allow specifying default values for survey variables when scheduling tasks, so automated runs do not fail on required prompts. (#2244)
- Pass survey variables as environment variables for bash tasks — expose survey variables as OS environment variables instead of CLI arguments for shell-type tasks. (#2433)
- Pass survey variables during Tofu/Terraform init — forward survey variables to the init phase, not just plan/apply, to support variable-driven backend configs. (#2554)
- Jinja2 references in Extra CLI Arguments — allow referencing survey and environment variables in the Extra CLI Arguments field using template syntax (e.g., -l {{ hosts }}). (#1053)
- Environment variables in run preparation — make environment variables available during the preparation phase (e.g., galaxy install, Git role auth) not just during task execution. (#3178)
- Load extra-vars from repository file — support loading extra-vars from a JSON/YAML file in the repository instead of inline in the UI, enabling GitOps workflows. (#2343)
- Override environment at runtime via API — allow passing a different Variable Group when launching a task via API. (#1367, #3291)
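The serialization fix and the survey precedence fix from the list above, illustrated in Go as an added example (not Semaphore's own code). The names Vars, Compose, GoMapString and JSONString are hypothetical, the later-group-wins merge order is an assumption, and failing on a collision is one of the two options the precedence item names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Vars is a hypothetical stand-in for one Variable Group's extra-vars.
type Vars = map[string]interface{}

// Compose merges groups in order (later wins: an assumed rule, not Semaphore's)
// and errors out, rather than silently overriding, when a survey key collides.
func Compose(groups []Vars, survey Vars) (Vars, error) {
	merged := Vars{}
	for _, g := range groups {
		for k, v := range g {
			merged[k] = v
		}
	}
	var clashes []string
	for k, v := range survey {
		if _, dup := merged[k]; dup {
			clashes = append(clashes, k)
		}
		merged[k] = v
	}
	if len(clashes) > 0 {
		sort.Strings(clashes)
		return nil, fmt.Errorf("survey collides with variable group keys: %v", clashes)
	}
	return merged, nil
}

// GoMapString is the defective form: Go's default formatting of a map.
func GoMapString(v Vars) string { return fmt.Sprint(v) }

// JSONString is the form a JSON consumer such as jsondecode can parse.
func JSONString(v Vars) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

func main() {
	groups := []Vars{{"region": "eu-west-1", "tags": Vars{"team": "net"}}, {"region": "us-east-1"}}
	vars, _ := Compose(groups, Vars{"vlans": []interface{}{10, 20}}) // constructed sample values
	fmt.Println(GoMapString(vars))                                   // map[...] text, not JSON
	fmt.Println(JSONString(vars))                                    // valid JSON, then a nil error
	fmt.Println(Compose(groups, Vars{"region": "ap-south-1"}))       // collision is reported
}
```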
Pro
- Complex survey variable types — support dynamic list-of-objects survey variables (e.g., VLAN configurations) passed as structured JSON arrays. (#3557)
- Per-schedule variable overrides — attach custom variable values to scheduled jobs so the same template can run on different schedules with different parameters. (#2378)
- Dynamic variable values from user context — auto-populate variables with the logged-in user’s identity (e.g., {{ current_user }}). (#2524, #909)
Enterprise
- Mark variables as private — add a “private” flag on variables that prevents values from appearing in run logs, task history, and API responses. (#2887)
- Restrict environment variable visibility — limit Variable Group contents to admin roles only, preventing credential exposure in shared project templates. (#1126)
- Build-level variable snapshots — snapshot variable values at task execution time so re-runs use the original values, not current ones. (#1097)