Changelog
Notable changes to OrchStep, by version.
All notable changes to OrchStep are documented here. This is the canonical changelog: it is shown on each GitHub release and on the docs site at orchstep.dev/changelog.
The format is based on Keep a Changelog, and OrchStep follows Semantic Versioning.
0.14.0 - 2026-06-27
Added
-
Scoped environment. Environment variables now scope like application vars: a called task's own
env:/dotenv:are its defaults, the calling step'senv:overrides them, and they unwind when the task returns — so a callee's environment no longer leaks into the caller's later steps or sibling tasks (batteries-included + inversion-of-control, no global leakage). -
Project dotenv in
orchstep_config.yml. Declare adotenv:list in the project config; it's applied after--env(sodeploy_{{ vars.environment }}.envresolves;?= optional). This is the externalized, declared home for dotenv — OrchStep no longer auto-loads a stray.env/.envrcfrom the current directory (loading is always from a committed file, a trust boundary). -
Ad-hoc runner (
orchstep do). Run any shell command or script with your OrchStep context —{{ vars.X }}/{{ env.X }}resolved fromdefaults, environment groups/environments (--env),dotenv, and--var/--vars-file— without writing a task. Bare passthrough output, real exit code. Four input modes: inline (orchstep do 'echo {{ vars.version }}'), stdin/pipe, a script file (--script, usable as a shebang#!/usr/bin/env -S orchstep do --script), and an interactive stateful REPL.--renderpreviews the rendered command without running it. With noorchstep.ymlat all, it discovers a conventionalenvironments/directory (rich per-environment application vars, including whole objects, layered by group) and.env/.envrc, and injects both into any command — "dotenv++ for applications" (OrchShell). The repeatable--dotenvflag loads dotenv files after--env, so a templated profile path likedeploy_{{ vars.environment }}.envresolves (with?for optional files). -
Working directory (
dir:). Set the working directory for a task or step's shell commands. Valid at workflow, task, and step level, with precedence step > task > workflow > the workflow directory. Relative paths resolve against the workflow file's directory (so workflows are location-independent); absolute paths are used as-is and~is expanded. Great for monorepos:tasks: test: dir: backend # every step runs in ./backend steps: - { name: unit, func: shell, do: go test ./... }
Fixed
- Workflow descriptions in the banner and task menu now preserve their original line breaks, blank lines, and indentation instead of being reflowed into one paragraph.
- Friendlier, actionable load/run errors:
- Missing
<required>environment variables now explain what is required, how to provide it (shellexportor adotenv:file), and link the docs. task not foundnow suggestsorchstep list-tasks.workflow file not foundnow suggestsorchstep initor--file.dotenv file not foundnow explains the optional?suffix and links the docs.required.orchstepversion mismatch andmodule not foundnow link the docs.
- Missing
0.13.0 - 2026-06-26
Added
- Update check. OrchStep now checks for newer versions and security advisories. After a successful command (at most once every 48 hours), it makes one best-effort, fail-silent request and prints an upgrade or security notice with the install link; it is silent when you are up to date.
- Privacy by design: the check sends only the version, OS/arch, and a CI flag —
no identifiers, no IP stored, no workflow content. Disable it entirely with
ORCHSTEP_NO_UPDATE_CHECK=1(theDO_NOT_TRACKconvention is also honored). See Telemetry & Privacy.
0.12.0 - 2026-06-24
Added
- Saved run aliases.
orchstep run <alias>resolves a saved alias to a task plus its run options; manage them with thealiassubcommand. (This release also fixed the alias feature so it ships in the released binary.)
0.11.0 - 2026-06-24
Added
- Web dashboard (
orchstep serve). A local web UI to launch runs, watch live execution and the flow graph, drill into per-step context, and browse history.
0.10.0 - 2026-06-17
Added
- Signed releases: each release now ships a keyless cosign signature and an SPDX SBOM per archive.
- Declarative environment management:
env:/dotenv:, the<required>sentinel, and secret masking viaconfig.env_policy.
Older history is available in the GitHub releases.