enterprise-release: 26.1 Documentation

.claude/settings.json

@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git check-ignore *)"
+    ]
+  }
+}

changelog/seqera-enterprise/v26.1.md

@@ -0,0 +1,208 @@
+---
+title: Seqera Platform Enterprise v26.1
+date: 2026-04-07
+tags: [enterprise]
+---
+
+Significant integration, troubleshooting, and management improvements.
+
+:::info
+The legacy distribution endpoint at `cr.seqera.io/private` is deprecated. Only bug fixes for existing major releases will continue to be published there. New major releases of Seqera Platform are available from `cr.seqera.io/enterprise`. Seqera will provide updated credentials for the new endpoint — [contact your Seqera representative](https://support.seqera.io) if you need access.
+:::
+
+## Feature updates and improvements
+
+### Studios
+
+- Improved Studios session management and stability.
+- Updated Studios micromamba builds to use `conda/micromamba:v2` and Wave 1.33.0.
+- Added `nameStrategy` configuration option to Studios workspace settings.
+- Renamed Studios settings route from `data-studios` to `studios`.
+- Added ability to edit stopped Studios without restarting them.
+- Container registry improvements:
+  - Configurable container repository path for custom image builds.
+  - Configurable container image naming strategy (default, tag prefix, image suffix, none).
+- Studios work with Wine/XFCE/VNC (Windows compatible OS).
+
+### Compute environments
+
+- Added separate head and worker pool support for Azure Batch compute environments in both Forge and manual modes.
+- Added ability to disable a compute environment.
+- Improved Seqera Compute integration.
+- Improved compute environment form warning display with individual stacked alerts.
+
+### Azure
+
+- Changed default Azure Batch job timeout to 7 days and exposed it as a new configuration item.
+- Updated default Azure termination policy in compute environment creation form.
+- Added VNet and subnet support for Azure Batch compute environments.
+- Added support for separate managed identity client IDs for head and compute jobs in Azure Batch.
+- Enabled Entra (service principal) credentials for Azure Batch Forge pool creation and Fusion v2.
+
+### AWS
+
+- Added AWS credential modes with support for key-based and role-based access.
+- Added AWS External ID support for role-based credentials.
+
+### GCP
+
+- Added Workload Identity Federation (WIF) credential support for Google Batch and Google Cloud compute environments.
+- Added support for network tagging in Google Batch.
+- Added boot disk image selection for Google Batch compute environments.
+- Added support for multiple machine types in Google Batch compute environments.
+- Configurable retry behavior for tasks with null exit codes in Google Batch compute environments.
+
+### Pipelines
+
+- Redesigned workflow notification email templates with updated styling.
+- Added GitHub App manifest flow for credential creation.
+- Improved clipboard UX in workflow details header.
+- Updated schema radio control copy.
+- Redesigned report preview modal header layout and modal.
+- Registered Nextflow CLI as a static OIDC client for authorization code with PKCE flow.
+- Enriched the `POST /trace/create` response with platform metadata to reduce downstream API calls from Nextflow. (link needed)
+
+### Datasets
+
+- Added preview support for linked (URL-referenced) dataset versions.
+
+### Data Explorer
+
+- Added data lake support in Data Explorer.
+- Added Molstar 3D viewer for PDB and CIF file preview.
+- Added extensible view mode selection for JSON files in Data Explorer (JSON, IGV, and plain text).
+- Updated Data Explorer to display non-native browser files as text when opened in a new tab.
+- Added Fusion symlink resolution to the Data Explorer API.
+- Increased the maximum data link name length to 512 characters.
+
+### Access control
+
+- Added required description field to custom role creation.
+- Exposed roles API endpoints in the OpenAPI specification.
+- Added SSO domain-based redirect for the login guard.
+
+### Monitoring and observability
+
+- Added real-time active user count display in the admin panel.
+- Added workspace usage metrics.
+- Added CSV export for audit logs v2 with configurable maximum record limit.
+- Added audit event metadata (owner ID, workspace ID) to Studios audit events.
+- Switched audit logs v2 to token-based pagination for improved performance.
+- Added comprehensive audit logging for SSO lifecycle events.
+- Migrated telemetry usage queries to use the audit logs v2 table.
+- Updated the audit log cleaner to handle both v1 and v2 audit log tables.
+- Added CSV export button to the admin audit logs v2 table.
+- Added descriptions and documentation metadata to audit event types.
+- Added audit event metadata to the remaining Studios session audit events.
+- Added audit event metadata (owner ID, workspace ID) to all data link audit events.
+- Added `target_name` field to the audit log v2 data model.
+- Renamed outdated audit event types to use consistent naming conventions.
+- Deprecated the legacy `/admin/audit-logs` (v1) endpoint.
+- Added target resource names to all audit event emission points.
+- Refined audit log v2 target resource context labels in API, UI, and CSV export.
+- Added a `TOWER_AUDIT_LOG_V2_WRITE_MODE` setting supporting `v1`, `v2`, and `dual` modes.
+- Removed unused `instanceId` and `instanceName` columns from the audit log v2 table.
+- Updated the audit log v2 admin table to display resource names alongside target IDs.
+- Added target organization, workspace, and user context to audit log v2 interfaces.
+
+### General
+
+- Bumped Micronaut from 4.7.6 to 4.8.3.
+- Improved admin workspace list toolbar responsiveness.
+- Applied updated status icons across platform components.
+- Redesigned page header layout with improved toolbar and breadcrumb integration.
+- Added automatic breadcrumb navigation to page headers.
+- Updated delete workspace confirmation modal text to clarify the impact of deletion.
+- Removed the unused Containers page.
+- Removed the dynamic resource labels feature toggle (feature is now always active).
+
+#### New environment variables in 26.1
+
+The following environment variables are new or changed in 26.1. See the [Configuration overview](./configuration/overview) for the full descriptions and defaults:
+
+- [`TOWER_DATA_STUDIO_ALLOWED_WORKSPACES`](./configuration/overview#data-features) — control which workspaces have Studios enabled.
+- [`TOWER_AUDIT_LOG_V2_WRITE_MODE`](./configuration/overview#audit-log-v2) — switch between v1, v2, and dual-write audit log tables.
+- [`TOWER_AUDIT_LOG_V2_CSV_EXPORT_MAX_LOGS`](./configuration/overview#audit-log-v2) — cap the number of records in a CSV export.
+- [`TOWER_AUDIT_LOG_V2_PRE_POST_CHANGE_ENABLED`](./configuration/overview#audit-log-v2) — capture pre/post change state images.
+- [`TOWER_CRON_AUDIT_LOG_CLEAN_UP_*`](./configuration/overview#audit-log-v2) — tune the audit log cleanup cron job.
+- [`TOWER_COMPUTE_ENV_CLEANUP_*`](./configuration/overview#compute-environment-cleanup) — tune the cron job that transitions compute environments stuck in `CREATING` or `DELETING` states.
+- New Studios family variables for default lifespan, privacy default, list page size, feature manifest URL, Connect iframe scoping, Wave build status checks, disallowed registries, and startup metrics. See [Data features](./configuration/overview#data-features).
+
+## Bug fixes
+
+### Studios
+
+- Added workspace existence check before creating Studios workspace settings.
+- Fixed R-IDE icon styling.
+- Added validation of git repository configuration files when creating a Studio.
+- Fixed broken navigation from Studio details page for private Studios.
+
+### Compute environments
+
+- Fixed Google Batch machine type migration to be portable across MySQL and MariaDB.
+- Removed hardcoded prediction model configuration from AWS Cloud platform provider.
+- Fixed metering event handling to batch events when more than 100 events are received, preventing silent data loss.
+- Removed default `terminateAsync` implementation to enforce explicit provider implementations.
+- Fixed Workload Identity Federation (WIF) log retrieval by setting the project ID on the Cloud Logging client.
+- Fixed WIF log retrieval by resolving GCP project numbers to project names for Cloud Logging filters.
+- Fixed WIF credential context propagation for log retrieval and data link operations.
+- Propagated AWS Forge disposal failures instead of silently swallowing exceptions.
+- Pinned `google-cloud-storage` to a compatible version to fix `NoClassDefFoundError` on GCS data link access.
+- Returned an actionable error message when an Azure Batch pool is missing during job submission.
+- Propagated GCP Forge disposal failures instead of silently ignoring resource deletion errors.
+- Enabled cloud cache for Kubernetes compute environments with local PVC paths.
+- Reverted unintended cloud cache change for Kubernetes compute environments.
+
+### Pipelines
+
+- Fixed pipeline implicit default version resolution.
+- Removed logs from AI debug button URL to prevent URI too large errors.
+- Replaced `document.write` with client-side form submission in GitHub App manifest flow to fix Firefox blank page issue.
+- Made workflow job cancellation idempotent to prevent 500 errors on concurrent cancel requests.
+- Fixed parallel requests to pipeline info in the launch form.
+
+### Datasets
+
+- Fixed `LazyInitializationException` in avatar resolution during dataset creation.
+- Fixed dataset name field to apply input normalization (spaces converted to underscores).
+- Fixed column order preservation in dataset preview for TSV files.
+
+### Data Explorer
+
+- Fixed IGV MIME type detection in Data Explorer.
+
+### Access control
+
+- Fixed refresh token JWT secret configuration for enterprise deployments.
+- Hardened the Auth0 OAuth2 flow with retries against `ResponseClosedException` errors.
+- Fixed `auth0org_id` column naming to align with Hibernate naming strategy.
+- Fixed erroneous `@QueryValue` annotations on SSO controller path variables causing 404 errors.
+- Fixed `@PermissionRequired` interceptor binding with `@Type` annotation.
+- Fixed `@JWTAuthRequired` interceptor binding with `@Type` annotation to prevent silent bypass.
+
+### Monitoring and observability
+
+- Fixed dashboard drop-down scrolling and character overflow.
+- Fixed task logging to use populated `taskId` instead of empty `id`.
+- Fixed `user_sign_in` audit events to correctly populate the actor field with the signing user's ID.
+
+### General
+
+- Fixed side navigation width not updating in Safari when toggling the collapsed state.
+- Fixed credits banner appearing during page load.
+- Fixed oversized icon on the forbidden access page.
+
+## Upgrade notes
+
+No breaking changes. Standard upgrade procedure applies.
+
+### Configuration changes
+
+- `TOWER_AUDIT_LOG_V2_ENABLED` and `TOWER_AUDIT_LOG_V2_WRITE_MODE` added as configuration options.
+
+  - `TOWER_AUDIT_LOG_V2_WRITE_MODE`: Turns on the v2 Audit Log for parallel writes with v1 Audit Log.
+  - `TOWER_AUDIT_LOG_V2_ENABLED`: Turns on or off the v2 Audit Log view from the Admin Panel.
+
+### Database migrations
+
+Database migrations run automatically during upgrade. No manual steps required.

docusaurus.config.js

@@ -417,6 +417,15 @@ export default async function createConfigAsync() {
     ].filter(Boolean),
 
     themeConfig: getSeqeraThemeConfig({
+      seqera: {
+        docs: {
+          versionDropdown: {
+            'platform-enterprise': {
+              showCurrent: process.env.INCLUDE_NEXT ? true : false,
+            },
+          },
+        },
+      },
       typesense: {
         typesenseCollectionName: 'seqera_docs',
         searchPagePath: '/search',

netlify.toml

@@ -17,7 +17,7 @@
   DOCUSAURUS_SSG_WORKER_THREAD_COUNT = "1"
 
 [context.deploy-preview.build.environment]
-  INCLUDE_NEXT=""
+  INCLUDE_NEXT="true"
   EXCLUDE_CHANGELOG=""
   EXCLUDE_PLATFORM_CLI="true"
   EXCLUDE_PLATFORM_ENTERPRISE=""

platform-enterprise_docs/enterprise-sidebar.json

@@ -230,7 +230,8 @@
         "seqera-ai/installation",
         "seqera-ai/authentication",
         "seqera-ai/command-approval",
-        "seqera-ai/use-cases"
+        "seqera-ai/use-cases",
+        "seqera-ai/projects"
       ]
     },
        {

platform-enterprise_docs/enterprise/_templates/docker/docker-compose.yml

@@ -47,7 +47,7 @@ services:
       - $HOME/.tower/db/redis:/data
 
   migrate:
-    image: cr.seqera.io/enterprise/platform/migrate-db:v25.3.6
+    image: cr.seqera.io/enterprise/platform/migrate-db:v26.1
     platform: linux/amd64
     command: -c "/migrate-db.sh"
     networks:
@@ -64,7 +64,7 @@ services:
         condition: service_healthy
 
   cron:
-    image: cr.seqera.io/enterprise/platform/backend:v25.3.6
+    image: cr.seqera.io/enterprise/platform/backend:v26.1
     platform: linux/amd64
     command: -c '/tower.sh'
     networks:
@@ -85,7 +85,7 @@ services:
 
 
   backend:
-    image: cr.seqera.io/enterprise/platform/backend:v25.3.6
+    image: cr.seqera.io/enterprise/platform/backend:v26.1
     platform: linux/amd64
     command: -c '/wait-for-it.sh db:3306 -t 60; /tower.sh'
     networks:
@@ -110,7 +110,7 @@ services:
       - cron
 
   frontend:
-    image: cr.seqera.io/enterprise/platform/frontend:v25.3.6
+    image: cr.seqera.io/enterprise/platform/frontend:v26.1
     platform: linux/amd64
     networks:
       - frontend

platform-enterprise_docs/enterprise/configuration/configtables/audit_log_v2_env.yml

@@ -0,0 +1,36 @@
+---
+-
+  Environment variable:            '`TOWER_AUDIT_LOG_V2_WRITE_MODE`'
+  Description: >
+    Determine which audit log tables receive write operations. Accepted values are `v1` (legacy table only), `v2` (v2 table only), or `dual` (both tables simultaneously).
+  Value:                'Default: `v1`'
+-
+  Environment variable:            '`TOWER_AUDIT_LOG_V2_CSV_EXPORT_MAX_LOGS`'
+  Description: >
+    Maximum number of records allowed in a single audit log CSV export.
+  Value:                'Default: `500000`'
+-
+  Environment variable:            '`TOWER_AUDIT_LOG_V2_PRE_POST_CHANGE_ENABLED`'
+  Description: >
+    Enable capturing pre/post change state images for audit log target resources.
+  Value:                'Default: `false`'
+-
+  Environment variable:            '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_ENABLED`'
+  Description: >
+    Enable the audit log cleanup cron job.
+  Value:                'Default: `true`'
+-
+  Environment variable:            '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_INTERVAL`'
+  Description: >
+    Interval at which the audit log cleanup cron job runs.
+  Value:                'Default: `5m`'
+-
+  Environment variable:            '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_DELAY`'
+  Description: >
+    Initial delay before the audit log cleanup cron job starts after application startup.
+  Value:                'Default: `10s`'
+-
+  Environment variable:            '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_CHUNK_SIZE`'
+  Description: >
+    Maximum number of audit log records deleted per cleanup run.
+  Value:                'Default: `1000`'

platform-enterprise_docs/enterprise/configuration/configtables/compute_env_cleanup_env.yml

@@ -0,0 +1,36 @@
+---
+-
+  Environment variable:            '`TOWER_COMPUTE_ENV_CLEANUP_ENABLED`'
+  Description: >
+    Enable the compute environment cleanup cron job, which transitions compute environments stuck in `CREATING` or `DELETING` states.
+  Value:                'Default: `false`'
+-
+  Environment variable:            '`TOWER_COMPUTE_ENV_CLEANUP_DELAY`'
+  Description: >
+    Initial delay before the compute environment cleanup cron job runs for the first time after application startup.
+  Value:                'Default: `1m`'
+-
+  Environment variable:            '`TOWER_COMPUTE_ENV_CLEANUP_INTERVAL`'
+  Description: >
+    Interval at which the compute environment cleanup cron job runs.
+  Value:                'Default: `1h`'
+-
+  Environment variable:            '`TOWER_COMPUTE_ENV_CLEANUP_BATCH_SIZE`'
+  Description: >
+    Number of organizations processed per batch in the compute environment cleanup job.
+  Value:                'Default: `10`'
+-
+  Environment variable:            '`TOWER_COMPUTE_ENV_CLEANUP_TIME_OFFSET`'
+  Description: >
+    Delay between consecutive batch tasks in the compute environment cleanup job.
+  Value:                'Default: `60s`'
+-
+  Environment variable:            '`TOWER_COMPUTE_ENV_CLEANUP_STUCK_CREATING_TIMEOUT`'
+  Description: >
+    Time after which a compute environment stuck in the `CREATING` state is transitioned to `ERRORED`.
+  Value:                'Default: `1h`'
+-
+  Environment variable:            '`TOWER_COMPUTE_ENV_CLEANUP_STUCK_DELETING_TIMEOUT`'
+  Description: >
+    Time after which a compute environment stuck in the `DELETING` state is transitioned to `INVALID`.
+  Value:                'Default: `1h`'