From d3daf6d4f3ca78fd47c4d7177ff24302538fe0f9 Mon Sep 17 00:00:00 2001 From: Pratyush Sharma <56130065+pratyush618@users.noreply.github.com> Date: Sun, 17 May 2026 13:43:49 +0530 Subject: [PATCH] chore(release): 0.12.3 --- crates/taskito-async/Cargo.toml | 2 +- crates/taskito-core/Cargo.toml | 2 +- crates/taskito-python/Cargo.toml | 2 +- crates/taskito-workflows/Cargo.toml | 2 +- docs/content/docs/more/changelog.mdx | 30 ++++++++++++++++++++++++++++ py_src/taskito/__init__.py | 2 +- pyproject.toml | 2 +- 7 files changed, 36 insertions(+), 6 deletions(-) diff --git a/crates/taskito-async/Cargo.toml b/crates/taskito-async/Cargo.toml index cc76b24..4f35f9c 100644 --- a/crates/taskito-async/Cargo.toml +++ b/crates/taskito-async/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "taskito-async" -version = "0.12.2" +version = "0.12.3" edition = "2021" [dependencies] diff --git a/crates/taskito-core/Cargo.toml b/crates/taskito-core/Cargo.toml index c317be9..6d46529 100644 --- a/crates/taskito-core/Cargo.toml +++ b/crates/taskito-core/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "taskito-core" -version = "0.12.2" +version = "0.12.3" edition = "2021" [features] diff --git a/crates/taskito-python/Cargo.toml b/crates/taskito-python/Cargo.toml index 1101e5e..ae24dd9 100644 --- a/crates/taskito-python/Cargo.toml +++ b/crates/taskito-python/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "taskito-python" -version = "0.12.2" +version = "0.12.3" edition = "2021" [features] diff --git a/crates/taskito-workflows/Cargo.toml b/crates/taskito-workflows/Cargo.toml index 21ed107..84a94c1 100644 --- a/crates/taskito-workflows/Cargo.toml +++ b/crates/taskito-workflows/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "taskito-workflows" -version = "0.12.2" +version = "0.12.3" edition = "2021" [dependencies] diff --git a/docs/content/docs/more/changelog.mdx b/docs/content/docs/more/changelog.mdx index efd8396..cc555d9 100644 --- a/docs/content/docs/more/changelog.mdx +++ b/docs/content/docs/more/changelog.mdx @@ -5,6 +5,36 @@ description: "Release history for taskito — every notable change, fix, and fea All notable changes to taskito are documented here. +## 0.12.3 + +### Added + +- **Dashboard SSO (OAuth & OIDC).** Native sign-in for Google, GitHub, and any OIDC-compliant provider (Okta, Auth0, Keycloak, Microsoft Entra) sits alongside the existing password login. Multiple named OIDC providers run side-by-side, each rendered as its own button on the login screen. Configuration is env-var driven (`TASKITO_DASHBOARD_OAUTH_*`); the `oauth` extra (`pip install 'taskito[oauth]'`) pulls in `authlib`, `joserfc`, and `requests`. Security: PKCE S256, single-use server-side `state` (5-min TTL), nonce verification, JWKS-validated ID tokens, issuer/audience/expiry checks, open-redirect protection on the post-login `next` URL, HTTPS-only redirect URIs outside `localhost`. Allowlists by Google Workspace domain, GitHub org, or OIDC email domain. Promote OAuth users to `admin` via an explicit `TASKITO_DASHBOARD_OAUTH_ADMIN_EMAILS` list, with a first-user-wins fallback for empty deployments. Password login can be disabled entirely with `TASKITO_DASHBOARD_PASSWORD_AUTH_ENABLED=false`. +- **Dashboard SSO operator guide.** New `Dashboard › SSO (OAuth & OIDC)` doc walks through registering OAuth clients with Google, GitHub, and generic OIDC providers, plus the full env-var reference, allowlist semantics, security model, and troubleshooting cookbook. Includes a Mermaid sequence diagram of the end-to-end flow. + +### Changed + +- **Docs nav: dedicated `Dashboard` section.** The dashboard documentation outgrew `Observability` — five pages (overview, authentication, SSO, task overrides, REST API) versus three actual observability topics. Moved them into their own top-level Guides section and stripped redundant prefixes from page titles (`Dashboard Authentication` → `Authentication`, etc.). All cross-section links updated. + +### Fixed + +- **`WebhookManager` delivery thread leak.** `reload()` unconditionally spawned a daemon thread on every `Queue` construction. With ~800 tests each creating a fresh `Queue`, macOS CI runners blew through the per-process thread limit and panicked in `r2d2`'s reaper / tokio's worker-thread spawn (`Resource temporarily unavailable`). The thread now starts only when at least one subscription exists, matching the pre-0.12.2 behaviour. +- **`EncryptedSerializer.loads` exception handling.** A blanket `except Exception` re-wrapped *every* failure as `ValueError`, including programmer errors like `MemoryError` that should propagate untouched. The catch is now narrowed to `cryptography.exceptions.InvalidTag` (the one expected failure mode); the original exception is preserved on `__cause__` for debugging. The `InvalidTag` class is also pre-cached on `__init__` so `loads` avoids a per-call import. This also fixed two latent test failures (`test_wrong_key_fails`, `test_tampered_ciphertext_fails`) that only surfaced once a release pulled in `cryptography` via the OAuth extra. + +### Internal + +- **`HttpClient` Protocol for OAuth providers.** `GoogleProvider` / `GitHubProvider` / `GenericOIDCProvider` previously typed their `http` parameter as `requests.Session`, forcing every test to use `# type: ignore[arg-type]` to inject a stub. The Protocol captures the small subset of `Session` actually used (one `get` method) so production code passes a `requests.Session` and tests pass an in-memory stub — no nominal-type fight, no runtime casts. +- **CI installs the `oauth` extra.** `uv sync --extra dev` was leaving `authlib` / `joserfc` / `requests` uninstalled, so the OAuth test modules failed collection with `ModuleNotFoundError` once they shipped. Both lint and test jobs now sync `--extra dev --extra oauth`. `requests` is also pinned explicitly in the `oauth` extra (Authlib does not declare it as a hard dep). +- **Cross-version mypy compatibility on JWKS decoding.** `joserfc.jwk.KeySet.import_key_set` was widened to accept dict-shaped JWKS in mypy 2.x; mypy 1.x still requires the `KeySetSerialization` TypedDict. Suppressed with the standard `# type: ignore[arg-type, unused-ignore]` dual pattern so the file lints under both versions. + +### Test counts at release + +- Rust: 95 tests (default), 107 with `--features workflows` +- Python: 896 collected across 74 files (up from 592 / 58 at 0.12.2) +- Dashboard (vitest): 106 tests across 10 files + +--- + ## 0.12.2 ### Fixed diff --git a/py_src/taskito/__init__.py b/py_src/taskito/__init__.py index 3779223..ef95f14 100644 --- a/py_src/taskito/__init__.py +++ b/py_src/taskito/__init__.py @@ -108,4 +108,4 @@ __version__ = _get_version("taskito") except PackageNotFoundError: - __version__ = "0.12.2" + __version__ = "0.12.3" diff --git a/pyproject.toml b/pyproject.toml index 91e36c3..d4735b0 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "maturin" [project] name = "taskito" -version = "0.12.2" +version = "0.12.3" description = "Rust-powered task queue for Python. No broker required." requires-python = ">=3.10" license = { file = "LICENSE" }