Bytebase 3.18.0 - May 14, 2026

​

☁️ Bytebase Cloud Upgrade

Bytebase Cloud is now a true multi-tenant SaaS.

• One account, many workspaces — with a workspace switcher and self-serve leave/delete.
• Passwordless sign-in by email code (no more passwords in Cloud).
• Global SSO — sign in with Google, GitHub, or your org’s IdP without picking a workspace first.
• Self-serve subscription plan upgrade and cancel from inside the app.
• Pro plan: unlimited user seats available, billed per user.

​

🔔 Other Notable Changes

• Plan edits surfaced in issue activity — Plan edits now appear in the issue activity feed for approver visibility.
• API breaking changes — require_2fa → require_mfa, plan_spec_update → plan_update (restructured payload), and Issue.ApprovalStatus moved to top-level. See Change Details.
• Terraform provider 3.18.0 required — Adds write-only sensitive fields and a provider-level custom_header block. Requires Terraform CLI 1.11+. See Migration Guide.

​

🚀 Features

• AWS RDS IAM auth for the Bytebase metadata database — Authenticate the metadata PostgreSQL via AWS RDS IAM tokens.
• Google Chat webhook integration — Add Google Chat as a project webhook destination.
• MariaDB — Support DML rollback / prior-backup, matching MySQL behavior.
• CosmosDB — Support cross-partition queries.

​

🎄 Enhancements

• Bytebase Action — Add --custom-header flag for header-based access proxies in CI/CD pipelines.
• Issues stuck in CHECKING can be retried via a new RetryIssueApproval API.
• Improve SQL analysis reliability across PostgreSQL, MySQL, and MSSQL for advisor rules, query span, completion, and schema diff.
• Improve PostgreSQL and CockroachDB metadata-backed schema diff reliability.
• Show gh-ost start/end events in task run logs.
• Show DDL/DML environment warnings across role grant, role request, and issue creation flows.
• Show expired roles inline in the members table and member detail panel.
• Show database group titles in plan selectors and human-readable instance/database names in member-role scopes.
• Whitelist redirect URIs in OAuth dynamic client registration.
• Restore audit logs for Login / Signup / ExchangeToken; add audit events for retry approval and email-code / password-reset paths.
• Default the SQL Editor query role to the least-privileged SQL select role.
• Improve the SQL statement matching for JIT access grants.
• TiDB — Support extra DataSource connection parameters, including connection packet compression.
• TiDB — SQL Editor Ctrl+Enter now runs the cursor statement, matching MySQL / PostgreSQL behavior.
• ClickHouse — AggregateFunction(...) errors from SELECT * now suggest using -Merge + GROUP BY or finalizeAggregation().

​

🐞 Bug Fixes

• Fix multi-change plans targeting the same database group being rejected.
• Fix PIPELINE_COMPLETED webhook event missing when failed tasks are skipped.
• Fix per-sheet plan check summary preservation during approval checks.
• PostgreSQL — Fix query span bugs affecting masking and query analysis.
• Databricks — Apply user-selected row limit to SQL Editor queries.

​

📃 Change Details

​

API Breaking Changes

1. require_2fa renamed to require_mfa The field on WorkspaceProfileSetting reflects the broader MFA scope (no longer 2FA-only). Affected routes: any caller updating workspace profile settings via SettingService.UpdateSetting writing WorkspaceProfileSetting. Update references in your config or IaC. 2. IssueComment.plan_spec_update renamed to plan_update The per-spec event (single sheet replacement) is replaced by a before/after snapshot of Plan.Spec[], so the comment carries the full diff of every plan spec change in one event. Affected routes: any consumer of IssueService.ListIssueComments or issue activity events that previously read plan_spec_update. Update to read plan_update.from_specs / to_specs. 3. Issue.ApprovalStatus moved to top-level ApprovalStatus Nested enum Issue.ApprovalStatus is removed; the same enum now lives at the top level in common.proto and is referenced by both Issue.approval_status and Plan.approval_status. Enum values and ordinals are unchanged (CHECKING=1, PENDING=2, APPROVED=3, REJECTED=4, SKIPPED=5). Affected routes: clients that referenced the nested enum type by name (for example, generated Go or TS types). Update imports or type references; wire format is unchanged.

​

⚙️ Install and Upgrade

• Fresh install
• Upgrade

Before upgrading: 1) Back up the metadata — in-place downgrade is not supported. 2) Do not run multiple containers on the same data directory. 3) Terraform users: upgrade Bytebase server first, then apply the new Terraform config.