A guide to the high-impact breaking changes in GitLab 17.0

GitLab 17.0 is coming on May 16. This version, a major release, will include many exciting improvements to GitLab, but also removes some deprecated features. Visit the Deprecations page to see what is scheduled for removal in 17.0 and keep reading for an overview of the highest impact removals.

Additionally, this year we are introducing three windows during which we expect breaking changes to be enabled on GitLab.com:

• 2024-04-22 09:00 UTC to 2024-04-24 22:00 UTC

• 2024-04-29 09:00 UTC to 2024-05-01 22:00 UTC

• 2024-05-06 09:00 UTC to 2024-05-08 22:00 UTC

Note: Some breaking changes may fall slightly outside of these windows in exceptional circumstances.

Update: We have created a public issue with more details about which changes should land in which windows.

High-impact breaking changes in GitLab 17.0

We have identified the following high-impact removals in 17.0. We define “high impact” as potentially disrupting critical workflows, such as continuous integration (CI), continuous deployment (CD), compliance, or the availability of the instance. That’s why we suggest you should prioritize these breaking changes first when preparing for the major release. While you can find detailed information on each breaking change in the linked documentation, we’ve provided some notes about the affected features and potential impact in this overview.

Self-managed deployment

• Postgres 13 deprecated
  • Impacts all self-managed customers. Failing to upgrade to Postgres 14 will break the deployment.
  • Postgres 14 is already supported starting from GitLab 16.2.0.
• omniauth-azure-oauth2 gem is deprecated
  • Impacts self-managed customers who use the omniauth-azure-oauth2 provider for authentication.
  • Without migration to omniauth_openid_connect, users will no longer be able to sign in using the Azure login button.
• Min concurrency and max concurrency in Sidekiq options
  • Impacts GitLab deployments that have sidekiq['min_concurrency'] and sidekiq['max_concurrency'] configured in their gitlab.rb.
  • Failure to migrate will break the deployment.

CI

• Registration tokens and server-side runner arguments in POST /api/v4/runners endpoint

  • Impacts custom automations that provision runners.
  • Potentially breaks CI pipelines by disabling runner provisioning.

• File type variable expansion fixed in downstream pipelines

  • Impacts pipelines using downstream pipelines passing File-type variables to the downstream pipeline.
  • Changed behavior may break the downstream pipeline due to a change in variable content.

• after_script keyword will run for canceled jobs

  • Impacts pipelines using the after_script keyword.
  • Changed behavior may break pipelines or cause unexpected pipeline results.

• Old versions of JSON web tokens are deprecated, HashiCorp Vault integration will no longer use CI_JOB_JWT by default, and JWT /-/jwks instance endpoint is deprecated

  • Impacts pipelines relying on the CI_JOB_JWT or CI_JOB_JWT_V2 CI variables.
  • The removal of the variable may break Vault integrations or otherwise cause pipelines to fail.

CD

• The pull-based deployment features of the GitLab agent for Kubernetes is deprecated

  • Impacts projects using the GitLab agent for Kubernetes for deployments.
  • The change may break CD workflows relying on the GitLab agent for Kubernetes.
  • The agent itself is not deprecated and still used for a number of features, like communicating with the cluster, its API endpoints and pushing information about events in the cluster to GitLab.

• Agent for Kubernetes option ca-cert-file renamed

  • Impacts customers installing Kubernetes agents behind a self-signed certificate.
  • The change may impact CD workflows relying on connecting Kubernetes clusters to GitLab via the agent.

Package

• npm package uploads now occur asynchronously

  • Impacts projects publishing npm or Yarn packages to the GitLab registry.
  • Due to the asynchronous upload, pipelines may break that expect packages to be available as soon as they are published.

• Dependency Proxy: Access tokens to have additional scope checks

  • Impacts projects using the Dependency Proxy with a group access token or personal access token that have insufficient scopes.
  • Because tokens without the required scopes will fail, this may break pipelines by rejecting docker login and docker pull requests.

• Maven repository group permissions

  • Impacts projects using the Maven repository at the group level where user permissions are not set up correctly.
  • Because users without correct permissions will fail to access the requested packages, this change may break pipelines for those users.

GitLab.com

• Upgrading the operating system version of GitLab SaaS runners on Linux

  • Impacts pipelines using saas-linux-*-amd64 tagged shared runners on GitLab.com that use outdated Docker-in-Docker or Kaniko versions.
  • The outdated versions will be unable to detect the container runtime and fail, breaking the pipeline.

• Deprecating Windows Server 2019 in favor of 2022

  • Impacts pipelines using shared-windows and windows-1809 tagged shared runners on GitLab.com.
  • Affected jobs will not be picked up by runners, thus blocking the pipeline.
  • You can identify affected jobs by searching for the deprecated tags in your .yml files.

• Removal of tags from small SaaS runners on Linux

  • Impacts pipelines using shared runners tagged docker, east-c, gce, git-annex, linux, mongo, mysql, ruby, or shared on GitLab.com.
  • Affected jobs will not be picked up by runners, thus blocking the pipeline.
  • You can identify affected jobs by searching for the deprecated tags in your .yml files.

Ultimate only

• Security policy fields newly_detected and match_on_inclusion are deprecated

  • Impacts groups and projects that have merge request approval policies (previously: scan result policies) enabled and use the deprecated keywords.
  • Without migration, the rules enforced by the policies will stop working, causing potential compliance violations.

• Required Pipeline Configuration is deprecated

  • Impacts Ultimate self-managed customers using required pipeline configuration.
  • Without migration, the required configuration will no longer be used by projects, impacting all pipelines that are run on the instance.

• Proxy-based DAST is deprecated

  • Impacts projects that are using DAST with the variable DAST_BROWSER_SCAN set to false.
  • Without migration, DAST scans in existing pipelines will fail.

See all removals in GitLab 17.0

For more detailed information and to see all the removals coming up in this year's major release, please visit the Deprecations page.