Releases: tiiuae/ghaf
Release 26.03.1
This is the monthly Ghaf release, which has been fully tested on the NVIDIA Orin NX, NVIDIA Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Lenovo T14 AMD
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
- System76 Darter Pro
What's Changed
- build(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by @dependabot[bot] in #1795
- build(deps): bump github/codeql-action from 4.32.4 to 4.32.5 by @dependabot[bot] in #1794
- build(deps): bump astral-sh/setup-uv from 7.3.0 to 7.3.1 by @dependabot[bot] in #1793
- build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #1792
- version: bump for the next release by @clayhill66 in #1801
- docs: add 26.02.1 release note by @clayhill66 in #1805
- feature(timezone/locale): enable runtime adjustment, move to features by @kajusnau in #1772
- net-vm and nw-packet-forwarder fixes by @vunnyso in #1788
- Bump vhotplug to fix NIC reattachment on resume by @nesteroff in #1786
- Nvidia Orin: Refactoring optee.nix by @TanelDettenborn in #1798
- feat(flatpak): flatpak dynamic desktop entries, waypipe overhaul by @kajusnau in #1800
- Enable logging for release profile by @vunnyso in #1802
- fix(faillock): update maxTries logic following upstream cosmic-greeter fix by @gngram in #1803
- fix(wireguard-gui): populate vmconfig enabledVmNames across host/vm e… by @enesoztrk in #1804
- audit: fix syscall rules for aarch64 and FSS audit path by @everton-dematos in #1806
- docs: bump to the latest versions by @brianmcgillion in #1808
- build(deps): bump tj-actions/changed-files from 47.0.4 to 47.0.5 by @dependabot[bot] in #1816
- build(deps): bump github/codeql-action from 4.32.5 to 4.32.6 by @dependabot[bot] in #1815
- build(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @dependabot[bot] in #1814
- build(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by @dependabot[bot] in #1813
- build(deps): bump cachix/install-nix-action from 31.9.1 to 31.10.0 by @dependabot[bot] in #1812
- feat(yubikey): lock on unplug only if FIDO2 enrolled by @vunnyso in #1810
- Enable Dynamic Policy Management via ghaf-givc by @gngram in #1758
- virtiofs: enable cache, inode file handles by @kajusnau in #1817
- appvm: label virtual apps explicitly by @kajusnau in #1784
- jetson: prevent invalid RTC from rewinding host clock by @vadika in #1807
- flash-script: fix runtime issues by @henrirosten in #1823
- fix(suspend): resolve suspend failures and correct lid switch handling by @vunnyso in #1818
- jetson: fTPM and EK provisioning by @vadika in #1809
- build(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by @dependabot[bot] in #1829
- build(deps): bump webfactory/ssh-agent from 0.9.1 to 0.10.0 by @dependabot[bot] in #1828
- build(deps): bump github/codeql-action from 4.32.6 to 4.33.0 by @dependabot[bot] in #1827
- build(deps): bump cachix/install-nix-action from 31.10.0 to 31.10.1 by @dependabot[bot] in #1826
- build(deps): bump astral-sh/setup-uv from 7.3.1 to 7.6.0 by @dependabot[bot] in #1825
- virtiofs: disable global cache policy by @kajusnau in #1834
- devshell: flash script and rebuild helper improvements by @kajusnau in #1836
- bump: march bump and adjustments by @kajusnau in #1822
- A/B updates -- volume based by @avnik in #1678
- update the docs dependencies by @brianmcgillion in #1839
- chore(flake): update nixpkgs lock input by @vadika in #1841
- overlay hunt: Remove systemd overlay: upstream patch merged by @vadika in #1843
- verity: enable lz4hc compression on erofs root filesystem by @Mic92 in #1847
- build(deps): bump github/codeql-action from 4.33.0 to 4.34.1 by @dependabot[bot] in #1851
- cross: drop gfortran from fftw in cross-compilation overlay by @vadika in #1850
- overlay hunt: refactor tpm2-tools and tpm2-pkcs11 out of global overlay by @vadika in #1846
- overlay hunt: remove unused libfm overlay by @vadika in #1845
- Jetpack-nixos: bump by @TanelDettenborn in #1824
- fix(chrome-extensions): fix bot check failure during extension build by @kajusnau in #1840
- Optimize flash-script with bmaptool support by @vunnyso in #1848
- cleanup: disable lang switching, reduce log spam by @kajusnau in #1854
- flash-script: avoid cleanup trap exit on iso/img runs by @henrirosten in #1855
- fix(wireguard-gui): polkit regex to match wayland-ghaf display name by @enesoztrk in #1860
- fix(gala): update URL to gala-atrc.azure-atrc.androidinthecloud.net by @rodrigopinotii in #1856
- build(deps): bump cachix/install-nix-action from 31.10.1 to 31.10.3 by @dependabot[bot] in #1867
- build(deps): bump github/codeql-action from 4.34.1 to 4.35.1 by @dependabot[bot] in #1866
- build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 by @dependabot[bot] in #1865
New Contributors
- @rodrigopinotii made their first contribution in #1856
Full Changelog: ghaf-26.02.1...ghaf-26.03.1
Release 26.02.1
This is the monthly Ghaf release, which has been fully tested on the NVIDIA Orin NX, NVIDIA Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Lenovo T14 AMD
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
- System76 Darter Pro
What's Changed
- build(deps): bump astral-sh/setup-uv from 7.2.0 to 7.3.0 by @dependabot[bot] in #1737
- build(deps): bump github/codeql-action from 4.31.11 to 4.32.2 by @dependabot[bot] in #1736
- build(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 by @dependabot[bot] in #1735
- Refactor bit by bit by @brianmcgillion in #1729
- Fix intel-laptop target by @nesteroff in #1728
- firewall: add IP blacklisting for ping flood attacks by @enesoztrk in #1731
- nvidia-jetpack: move pre-flash commands into writeShellApplication by @vunnyso in #1740
- Refine deferred disk encryption and passphrase handling by @vunnyso in #1726
- docs: bump the docs by @brianmcgillion in #1743
- version bump by @clayhill66 in #1745
- suspend: switch from deep -> s2idle for darp11 by @kajusnau in #1715
- Post refactor fixup by @kajusnau in #1747
- docs: add 26.01.1 release note by @clayhill66 in #1746
- Fixup broken refactor by @brianmcgillion in #1748
- refactor: embrace the features! by @kajusnau in #1749
- cleanup: basic formatting changes by @brianmcgillion in #1750
- fix: nixos-generators deprecated by @brianmcgillion in #1751
- Fix interfaces vm by @brianmcgillion in #1754
- Fix/encryption verity decoupling by @brianmcgillion in #1755
- Decouple encryption from debug profile by @brianmcgillion in #1756
- vtpm: auto assign the baseport to avoid issues by @brianmcgillion in #1757
- build(deps): bump cachix/install-nix-action from 31.9.0 to 31.9.1 by @dependabot[bot] in #1759
- build(deps): bump tj-actions/changed-files from 47.0.1 to 47.0.2 by @dependabot[bot] in #1760
- build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @dependabot[bot] in #1761
- desktop: refactor launchers, fix app icons in dock, alt-tab by @kajusnau in #1732
- net-vm: add net-vm features module by @kajusnau in #1763
- Create sysvm attrset by @brianmcgillion in #1766
- partitioning: avoid blocking initrd TTY during TPM2 unlock handoff by @vunnyso in #1764
- fix(laptop): increase net-vm memory for darp11 storeDisk configs by @vunnyso in #1769
- zram: enable zram swap for the vms to reduce pressure by @brianmcgillion in #1770
- build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by @dependabot[bot] in #1778
- build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #1777
- build(deps): bump tj-actions/changed-files from 47.0.2 to 47.0.4 by @dependabot[bot] in #1776
- Update smoke test by @leivos-unikie in #1783
- qemu: fix patch to properly handle lid events by @kajusnau in #1785
- secureboot: rotate bundled enrollment keys from ghaf-infra-pki by @vadika in #1781
- audit: adjust OSPP file activity rules for session users by @everton-dematos in #1782
- Docs: fix broken source url in glossary referencing the Ghaf tree by @mnaamani in #1773
Full Changelog: ghaf-26.01.1...ghaf-26.02.1
Release 26.01.1
This is the monthly Ghaf release, which has been fully tested on the NVIDIA Orin NX, NVIDIA Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Lenovo T14 AMD
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
- System76 Darter Pro
What's Changed
- idle: use cosmic-idle, allow runtime idle config adjustment by @kajusnau in #1693
- storedisk: add release version of darter pro by @brianmcgillion in #1700
- efitools: add to ghaf host by @brianmcgillion in #1702
- dynamic-hostname: persist identity by @vadika in #1699
- login: fix empty password softlock by @kajusnau in #1698
- build(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by @dependabot[bot] in #1707
- build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @dependabot[bot] in #1706
- build(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #1705
- jetpack: bump and include initrd fix by @brianmcgillion in #1709
- docs: bump the latest packages by @brianmcgillion in #1710
- refactor(about): remove server and add autostart by @mbssrc in #1703
- feat(2fa): Enable 2FA token request proxying by @slakkala in #1681
- fix: acs override to separate iommu groups by @enesoztrk in #1711
- logging: prevent stalls on rotated journald entries by @everton-dematos in #1712
- bump: mid jan by @brianmcgillion in #1701
- bump: get the latest jetpack cuda fixes by @brianmcgillion in #1714
- systemd: Add overlay for systemd to change token prompts type by @vunnyso in #1695
- Fix broken builds by @brianmcgillion in #1716
- initial-setup: disable screen reader by default by @kajusnau in #1717
- ubuntu: create a script for enabling nix dev environment by @brianmcgillion in #1718
- bump: docs by @brianmcgillion in #1720
- efitools: add to aarch64 also by @brianmcgillion in #1719
- bump: start feb bump by @brianmcgillion in #1721
- Log audit phase 1 by @juliuskoskela in #1539
- wifi: patch cosmic to not use secret agent auth by @kajusnau in #1727
Full Changelog: client-release1...ghaf-26.01.1
client-release1
What's Changed
- version: bump the version for next cycle by @brianmcgillion in #1679
- docs: add 25.12.1 release note by @clayhill66 in #1680
- audio: rework modules, forward pipewire socket to gui-vm by @kajusnau in #1672
- logging: add clock-jump recovery and tighten Alloy service ordering by @everton-dematos in #1677
- audio: fix dropped pipewire messages by @kajusnau in #1682
- bluetooth: rename adapter, don't enable on boot, adjust cfg by @kajusnau in #1683
- logging: start Alloy after dynamic hostname setter when enabled by @everton-dematos in #1684
- bump: only supporting packages by @brianmcgillion in #1671
- vpn: use new global-protect client by @brianmcgillion in #1685
- docs: bump latest deps by @brianmcgillion in #1690
- Jan bump by @brianmcgillion in #1668
- bump: ghafpkgs update all their dependencies by @brianmcgillion in #1691
- fix(givc): stats manager bug by @mbssrc in #1696
- screenshot: add grim for promptless screenshots in testing by @kajusnau in #1694
- wireguard-gui: add Proton VPN config parsing support by @enesoztrk in #1689
- secureboot: enroll EFI keys on first boot by @vadika in #1692
- feat(about): add about-ghaf application by @mbssrc in #1697
Full Changelog: ghaf-25.12.1...katim-release1
Release 25.12.1
This release is for x86 platforms; full testing has been performed on the Lenovo X1 Carbon Gen11 and System76 Darter Pro.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version:bump for the next release by @clayhill66 in #1574
- cosmic: enable nm in login, replace nm-applet with cosmic's builtin by @kajusnau in #1575
- docs: add 25.11.1 release note by @clayhill66 in #1576
- performance module by @kajusnau in #1542
- shfmt: enable shfmt to align all the shell scripts by @brianmcgillion in #1578
- build(deps): bump js-yaml from 4.1.0 to 4.1.1 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1572
- build(deps): bump github/codeql-action from 4.31.3 to 4.31.5 by @dependabot[bot] in #1584
- build(deps): bump actions/checkout from 5.0.1 to 6.0.0 by @dependabot[bot] in #1583
- build(deps): bump astral-sh/setup-uv from 7.1.3 to 7.1.4 by @dependabot[bot] in #1585
- build(deps): bump starlight-blog from 0.25.0 to 0.25.1 in /docs by @dependabot[bot] in #1581
- build(deps): bump astro from 5.15.6 to 5.16.0 in /docs by @dependabot[bot] in #1582
- cosmic-applets: hide some buttons by @kajusnau in #1580
- modules/partitioning: fix disko builder permission error by @vadika in #1588
- unixbench: remove, it pulls compilers into the resulting closure by @avnik in #1589
- dynamic-hostname: fix Darter Pro uniqueness issue by @vadika in #1579
- docs: Add YubiKey integration documentation by @vunnyso in #1592
- modules/partitioning: remove xcp workaround by @Mic92 in #1593
- cosmic7: Update to the beta7 by @brianmcgillion in #1564
- AGX Industrial (64GB) target added by @emrahbillur in #1472
- jetpack-nixos: rebased by @brianmcgillion in #1591
- jetpack: fix cuda support by @brianmcgillion in #1595
- feat(givc): enable notifier and exec by @mbssrc in #1596
- Refactor cleanup by @brianmcgillion in #1594
- build(deps): bump github/codeql-action from 4.31.5 to 4.31.6 by @dependabot[bot] in #1598
- Implement PCI device management via vhotplug by @nesteroff in #1528
- performance: fix scheduler, fix dell performance by @kajusnau in #1586
- bump: docs depends and ghafpkgs by @brianmcgillion in #1604
- Ghaf kill switch GUI application by @vunnyso in #1577
- performance: add thermal limit adjustment option by @kajusnau in #1605
- Fix USB input devices hot-plugging by @nesteroff in #1608
- Firmware control by @brianmcgillion in #1607
- microvm: use a store image and not share /nix/store by @brianmcgillion in #1562
- iso: do not copy the system closure only the disk by @brianmcgillion in #1609
- givc: bump to include fix for shutdown hang by @kajusnau in #1610
- sysbench: Add back to the system PATH by @brianmcgillion in #1612
- devshell: add ghaf-flash to devshell, improve readability by @kajusnau in #1613
- cosmic: bump to cosmic beta 8 by @brianmcgillion in #1597
- Storedisk size and ghaf-vms (to list status) by @brianmcgillion in #1614
- killswitch: avoid re-blocking devices already in blocked state by @vunnyso in #1606
- bump: cosmic 9 by @brianmcgillion in #1616
- build(deps): bump github/codeql-action from 4.31.6 to 4.31.7 by @dependabot[bot] in #1618
- build(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 by @dependabot[bot] in #1621
- build(deps): bump astral-sh/setup-uv from 7.1.4 to 7.1.5 by @dependabot[bot] in #1620
- build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #1619
- cosmic: add pre-defined layouts and layout config by @kajusnau in #1617
- Update docs deps 20251209 042454 by @brianmcgillion in #1626
- logging: add MaxFileSec for journald by @everton-dematos in #1565
- Upgrade docs deps 20251209 080940 by @brianmcgillion in #1627
- jetpack-nixos: bump by @TanelDettenborn in #1625
- Bump mid dec by @brianmcgillion in #1629
- GhA: stop building in github runners by @henrirosten in #1631
- Flatpak fix: add browser detection and launch support by @jkuro-tii in #1587
- fix: fix softlock on incorrect password by @kajusnau in #1633
- desktop: add proper light/dark themes, unify chrome vm colors by @kajusnau in #1636
- bot: improve the copilot reviews by @brianmcgillion in #1638
- audit: Centralize ordering and systemd service override by @everton-dematos in #1635
- audio: disable pipewire logs by default by @kajusnau in #1640
- build(deps): bump cachix/install-nix-action from 31.8.4 to 31.9.0 by @dependabot[bot] in #1645
- build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #1644
- build(deps): bump astral-sh/setup-uv from 7.1.5 to 7.1.6 by @dependabot[bot] in #1643
- build(deps): bump tj-actions/changed-files from 47.0.0 to 47.0.1 by @dependabot[bot] in #1642
- build(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in #1641
- cosmic: bump to the latest stable by @brianmcgillion in #1632
- docs: bump by @brianmcgillion in #1648
- Update docs deps 20251216 073030 by @brianmcgillion in #1649
- Improve PCI device auto-detection and enable it in the demo-tower target for network devices by @nesteroff in #1650
- jetpack-nixos: bump by @TanelDettenborn in #1654
- 5080: switch to vhotplug network by @brianmcgillion in #1655
- Agx industrial ethernet by @emrahbillur in #1653
- build(deps): bump github/codeql-action from 4.31.7 to 4.31.9 by @dependabot[bot] in #1659
- ci/eval: rewrite script to use nix-eval-jobs --select by @Mic92 in #1658
- Pass NHLT table in intel-laptop target only when present on the host by @nesteroff in #1661
- docs: Add system logs architecture diagram and notes by @everton-dematos in #1662
- verity-images: Fix the installer to copy the image by @brianmcgillion in #1663
- audit/logging: add time-based audit log retention and journald transport label by @everton-dematos in #1656
- docs: add architecture notes on inter-VM channels, memory wipe, and secret handling by @vadika in #1666
- fix(pci-ports): start PCIe port range from 1 by @vunnyso in #1664
- Active Directory by @mbssrc in #1416
- Integrate Fleet MDM services by @vadika in #1590
- feat(installer): implement deferred disk encryption trigger by @vunnyso in #1670
- bump: wireguard-gui by @enesoztrk in #1615
- build(deps): bump astro from 5.16.5 to 5.16.7 in /docs by @dependabot[bot] in #1675
- build(deps): bump github/codeql-action from 4.31.9 to 4.31.10 by @dependabot[bot] in #1673
- build(deps): bump astral-sh/setup-uv from 7.1.6 to 7.2.0 by @dependabot[bot] in #1674
Full Changelog: ghaf-25.11.1...ghaf-25.12.1
Release 25.11.1
This is the monthly Ghaf release, which has been fully tested on the NVIDIA Orin NX, NVIDIA Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Lenovo T14 AMD
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
- System76 Darter Pro
What's Changed
- version: bump for new patches by @brianmcgillion in #1490
- lenovo-x1/gen12: drop Intel MEI communication controller by @vunnyso in #1489
- changing ping limitation config by @enesoztrk in #1488
- Restore default shortcut for lock screen by @gngram in #1485
- docs: Update CICD_general.drawio.png by @ktusawrk in #1491
- bump: use the latest ghafpkgs by @brianmcgillion in #1492
- audit: fix some zizmor audit findings by @brianmcgillion in #1494
- darter-pro: New SKU network pci path by @brianmcgillion in #1496
- doc: wireguard-gui by @enesoztrk in #1497
- add 25.10.1 release note by @clayhill66 in #1500
- docs: add current SLSA status by @ktusawrk in #1495
- Various desktop bug fixes by @kajusnau in #1499
- Update ghafpkgs and support packages by @brianmcgillion in #1503
- lib: fix the propagation to ensure correct lib by @brianmcgillion in #1504
- Updated docs by @brianmcgillion in #1505
- More docs by @brianmcgillion in #1506
- Enable ghaf usb applet by @gngram in #1466
- build(deps): bump astro from 5.14.7 to 5.15.1 in /docs by @dependabot[bot] in #1509
- Fix mismatched variable name by @avnik in #1507
- refactor: enable keep-sorted for large lists by @kajusnau in #1514
- Disable alerts on dangerous trigger by @henrirosten in #1515
- logging: implement journald-based local log retention by @juliuskoskela in #1511
- Enable nixf diagnose by @brianmcgillion in #1516
- chrome-extensions: update session buddy by @kajusnau in #1517
- End oct bump by @brianmcgillion in #1510
- cosmic-config: refactor cosmic config, add ghaf dark and light themes by @kajusnau in #1513
- Fix/xdg url handler by @enesoztrk in #1519
- systemd: restore user-runtime-dir service hardening by @gngram in #1520
- build(deps): bump astro from 5.15.1 to 5.15.3 in /docs by @dependabot[bot] in #1527
- build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #1526
- build(deps): bump github/codeql-action from 4.30.9 to 4.31.2 by @dependabot[bot] in #1525
- build(deps): bump cachix/install-nix-action from 31.8.1 to 31.8.2 by @dependabot[bot] in #1524
- build(deps): bump astral-sh/setup-uv from 7.1.1 to 7.1.2 by @dependabot[bot] in #1523
- Bump november by @brianmcgillion in #1522
- chrome-extensions: fetch pinned versions by default by @kajusnau in #1529
- version: bump for the next release cycle by @brianmcgillion in #1534
- system: deprecated system parameter update by @brianmcgillion in #1533
- system76: Enable all by @brianmcgillion in #1535
- The lsp made me do it by @brianmcgillion in #1540
- cosmic: fix active hint overlapping secctx indicator by @kajusnau in #1541
- Remove OpenSSF Scorecard by @henrirosten in #1518
- Storage fixes by @mbssrc in #1538
- build(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by @dependabot[bot] in #1544
- docs: bump by @brianmcgillion in #1551
- Checks on push by @brianmcgillion in #1550
- build(deps): bump cachix/install-nix-action from 31.8.2 to 31.8.3 by @dependabot[bot] in #1554
- build(deps): bump starlight-blog from 0.24.3 to 0.25.0 in /docs by @dependabot[bot] in #1546
- build(deps): bump astral-sh/setup-uv from 7.1.2 to 7.1.3 by @dependabot[bot] in #1553
- ci-tests: fix by @brianmcgillion in #1555
- Prevent running authorized actions in empty environment by @henrirosten in #1556
- bump: Cosmic beta5 by @brianmcgillion in #1543
- Add nixos-rebuild audit rule by @everton-dematos in #1508
- Fix audit rules service on Zathura VM by @everton-dematos in #1557
- installer: use the latest kernel in installer by @brianmcgillion in #1558
- flatpak-vm: Add a vm to allow installing flatpaks using cosmic store by @vunnyso in #1502
- refactor(homes): persist appvm homes by default by @mbssrc in #1560
- Lenovo t14 amd by @Mic92 in #908
- generate-shutdown-ramfs.service failure by @gngram in #1563
- fix(xdg-handlers): manage appuser mimeapps.list via systemd tmpfiles by @enesoztrk in #1559
- Add dynamic hostname generation for hardware-based device identification by @vadika in #1512
- net-vm,gui-vm: Enhance xdg-dbus-proxy with system bus D-Bus proxy by @jkuro-tii in #1432
- Fix printf octal interpretation error in hostname generation by @vadika in #1566
- Add memory wipe on allocation/deallocation by @vadika in #1530
- build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by @dependabot[bot] in #1570
- build(deps): bump actions/checkout from 5.0.0 to 5.0.1 by @dependabot[bot] in #1569
- build(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #1568
- build(deps): bump cachix/install-nix-action from 31.8.3 to 31.8.4 by @dependabot[bot] in #1567
- build(deps): bump astro from 5.15.5 to 5.15.6 in /docs by @dependabot[bot] in #1571
Full Changelog: ghaf-25.10.1...ghaf-25.11.1
Release 25.10.1
This is the monthly Ghaf release, which has been fully tested on the NVIDIA Orin NX, NVIDIA Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
- System76 Darter Pro
What's Changed
- build(deps): bump astral-sh/setup-uv from 6.7.0 to 6.8.0 by @dependabot[bot] in #1446
- version: bump for the next target release by @brianmcgillion in #1451
- Docs: bump to the latest by @brianmcgillion in #1450
- docs: add 25.09.3 release note by @clayhill66 in #1454
- Add a CLI tool to manage USB devices, fix USB suspend/resume and make killswitch persistent by @nesteroff in #1445
- chrome: revert dedicated profiles for apps and browser by @kajusnau in #1452
- Add audit rule to log sudo/privilege escalations by @everton-dematos in #1453
- Enable hwdb in systemd by @nesteroff in #1456
- build(deps): bump astro from 5.14.1 to 5.14.4 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1457
- Bump: control panel by @vunnyso in #1458
- build(deps): bump cachix/install-nix-action from 31.7.0 to 31.8.0 by @dependabot[bot] in #1459
- build(deps): bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @dependabot[bot] in #1460
- build(deps): bump github/codeql-action from 3.30.6 to 4.30.8 by @dependabot[bot] in #1461
- build(deps): bump astral-sh/setup-uv from 6.8.0 to 7.1.0 by @dependabot[bot] in #1462
- bump: mid september bump by @brianmcgillion in #1431
- Refactor trusted browser and add build-time chrome extension support by @kajusnau in #1455
- fix: adding usb quirks for some of eth-to-usb adapters by @enesoztrk in #1464
- kernel: refactor our kernel generation code by @brianmcgillion in #1465
- docs: bump the base package versions by @brianmcgillion in #1468
- microvm: storageVM encryption support for all VMs by @hros-tii in #1408
- Update copyright lines by @ktusawrk in #1470
- dell-7330: enable hotkeys in guivm by @kajusnau in #1469
- build(deps): bump github/codeql-action from 4.30.8 to 4.30.9 by @dependabot[bot] in #1476
- build(deps): bump astral-sh/setup-uv from 7.1.0 to 7.1.1 by @dependabot[bot] in #1475
- build(deps): bump cachix/install-nix-action from 31.8.0 to 31.8.1 by @dependabot[bot] in #1474
- build(deps): bump starlight-links-validator from 0.18.1 to 0.19.0 in /docs by @dependabot[bot] in #1477
- build(deps): bump astro from 5.14.5 to 5.14.7 in /docs by @dependabot[bot] in #1478
- Bump mid oct by @brianmcgillion in #1471
- docs: bump by @brianmcgillion in #1480
- bump: update all the dependencies by @brianmcgillion in #1481
- version: bump by @brianmcgillion in #1482
- session-buddy: Update the hash to version 4.0.5 by @vunnyso in #1484
- rtl8126: fix the kernel version to match kernel by @brianmcgillion in #1486
- Add givc-cli to GUI VM by @avnik in #1473
- Revert "version: bump" by @brianmcgillion in #1487
Full Changelog: ghaf-25.09.3...ghaf-25.10.1
Release 25.09.3
This release is an update for x86 platforms; full testing has been performed on the Lenovo X1 Carbon Gen11 and System76 Darter Pro.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version: bump for the next release target by @brianmcgillion in #1429
- docs: bump core versions by @brianmcgillion in #1430
- Yubikey: Remove unused authorizedYubikeys by @vunnyso in #1428
- docs: add 25.09.2 rel note by @clayhill66 in #1435
- Add tls_config support to alloy server by @everton-dematos in #1433
- build(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.0 by @dependabot[bot] in #1440
- build(deps): bump astro from 5.13.10 to 5.14.1 in /docs by @dependabot[bot] in #1441
- build(deps): bump cachix/install-nix-action from 31.6.2 to 31.7.0 by @dependabot[bot] in #1439
- build(deps): bump github/codeql-action from 3.30.3 to 3.30.5 by @dependabot[bot] in #1442
- power: allow system vms to shutdown gracefully, preserve audio on shutdown by @kajusnau in #1434
- Jetpack mainline by @brianmcgillion in #1332
- Add ghaf-killswitch doc & Bump ghafpkgs for fix by @vunnyso in #1437
- Service hardenings by @enesoztrk in #1436
- Audio: Drop the removePciDevice workaround by @vunnyso in #1443
- Extending attack-mitigation module options by @enesoztrk in #1438
- Enable TLS for alloy client to server by @everton-dematos in #1444
- build(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @dependabot[bot] in #1447
- build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #1448
Full Changelog: ghaf-25.09.2...ghaf-25.09.3
Release 25.09.2
This is the monthly Ghaf release, which has been fully tested on the NVIDIA Orin NX, NVIDIA Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version: bump to the next target by @brianmcgillion in #1385
- Fix multiple code scanning security issues by @brianmcgillion in #1373
- Fix path injection vulnerability in GPS module subprocess call by @Copilot in #1387
- fix(chrome-vm, business-vm): multiple chrome fixes and adjustments by @kajusnau in #1348
- docs: fix the flake init template attribute by @elmankku in #1388
- build(deps): bump github/codeql-action from 3.30.1 to 3.30.2 by @dependabot[bot] in #1392
- cleanup: minor house keeping by @brianmcgillion in #1390
- docs: bump npm packages by @brianmcgillion in #1394
- script: Add script to update docs npm deps by @brianmcgillion in #1376
- Fix malformed mime type by @avnik in #1397
- build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #1399
- feat(vm-target): simple host ui by @mbssrc in #1400
- Bump givc to support BT mouse and add eventProxy Config by @vunnyso in #1395
- fix(vm): empty event proxy on host by @mbssrc in #1401
- Bump: Update microvm.nix module by @vunnyso in #1402
- docs: add ghaf-25.09.1 release note by @clayhill66 in #1403
- build(deps): bump github/codeql-action from 3.30.2 to 3.30.3 by @dependabot[bot] in #1404
- fix: Element issues by @enesoztrk in #1379
- Protect admin VM from VM controls by @slakkala in #1372
- feat: improve waypipe performance, adjust trusted browser by @kajusnau in #1398
- fix(logging): stop losing admin-vm logs across offline reboots by @everton-dematos in #1396
- bump: drop the qemu 10.1 carry patches by @brianmcgillion in #1405
- Add hardware information service for host-to-guest data passing by @juliuskoskela in #1380
- qemu: Use the new qemu api for battery/lid/power by @brianmcgillion in #1391
- docs: Add fake battery info by @brianmcgillion in #1410
- build(deps): bump astral-sh/setup-uv from 6.6.1 to 6.7.0 by @dependabot[bot] in #1411
- build(deps): bump tj-actions/changed-files from 46.0.5 to 47.0.0 by @dependabot[bot] in #1412
- docs: bump npm packages by @brianmcgillion in #1414
- dependabot: change the frequency of checks by @brianmcgillion in #1415
- feat(boot): enable graphical boot on guivm, fix darp11 graphical boot by @kajusnau in #1406
- disable suspension on darp11, increase guivm core count by @kajusnau in #1417
- Update vhotplug to support new config format and external API by @nesteroff in #1389
- Enabling fail2ban module by @enesoztrk in #1407
- Documentation addons regarding security architecture and features by @vadika in #1419
- Fix ctrl-panel VM starting by @slakkala in #1418
- lenovo-x1-gen11: Add TPM-backed encryption for the persist partition by @hros-tii in #1232
- build(deps): bump cachix/install-nix-action from 31.6.1 to 31.6.2 by @dependabot[bot] in #1422
- docs: bump NPM depends by @brianmcgillion in #1427
- Minor fix and Enable the disk encryption for 'mvp-user-trial' profile by @vunnyso in #1420
Full Changelog: ghaf-25.09.1...ghaf-25.09.2
Release 25.09.1
This Ghaf release is for the x86 platform only, and it has been fully tested on the Lenovo X1 Carbon Gen11.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version: bump for the next release by @brianmcgillion in #1328
- hardware: Add the System76 Darter Pro by @vunnyso in #1327
- gha: Add the new system76 target by @brianmcgillion in #1329
- Fix brightness for System76 and script update by @vunnyso in #1330
- Lock user account after repeated failed login attempts by @gngram in #1324
- New features and bug fixes for login user by @gngram in #1320
- docs: add ghaf-25.08 release note by @clayhill66 in #1333
- Bump givc, enable xpadneo & Add BT device by @vunnyso in #1334
- build(deps): bump astral-sh/setup-uv from 6.5.0 to 6.6.0 by @dependabot[bot] in #1336
- build(deps): bump github/codeql-action from 3.29.10 to 3.29.11 by @dependabot[bot] in #1337
- Firewall blacklisting mechanism & testing by @enesoztrk in #1312
- bugfix: add temporary watchdog service for high-CPU processes by @kajusnau in #1335
- build(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by @dependabot[bot] in #1341
- Keys: add ssh key for Samuli by @leivos-unikie in #1342
- build(deps): bump cachix/install-nix-action from 31.5.2 to 31.6.0 by @dependabot[bot] in #1343
- build(deps): bump github/codeql-action from 3.29.11 to 3.30.0 by @dependabot[bot] in #1346
- build(deps): bump astral-sh/setup-uv from 6.6.0 to 6.6.1 by @dependabot[bot] in #1347
- ARP protection by @mbssrc in #1319
- enable graphical boot, bump ghafpkgs, adjust cosmic config by @kajusnau in #1339
- feat(ghaf-killswitch): Shell application to list, block and unblock by @vunnyso in #1340
- bump: including the qemu 10.1 on top of unstable by @brianmcgillion in #1338
- packages: move some packages to ghafpkgs by @brianmcgillion in #1345
- [StepSecurity] Apply security best practices by @step-security-bot in #1350
- gala: disable gala from the mvp profile by @brianmcgillion in #1349
- Add comprehensive GitHub Copilot instructions for Ghaf development by @Copilot in #1357
- Add GitHub Action to automatically update npmDepsHash for dependabot npm updates by @Copilot in #1355
- Fix sign off in automated workflow for DCO compliance by @Copilot in #1362
- Fix workflow triggers after npm dependency hash updates by @Copilot in #1364
- Add explicit treefmt formatting instruction to copilot-instructions.md by @Copilot in #1370
- Bump mk2 by @brianmcgillion in #1351
- Fix workflow_run triggered builds by checking out latest commit with updated npm hash by @Copilot in #1368
- dependabot: fix the triggering of updated hash by @brianmcgillion in #1371
- build(deps): bump astro from 5.9.2 to 5.13.5 in /docs by @dependabot[bot] in #1352
- build(deps): bump starlight-blog from 0.23.2 to 0.24.1 in /docs by @dependabot[bot] in #1353
- build(deps): bump @astrojs/starlight from 0.34.3 to 0.35.2 in /docs by @dependabot[bot] in #1358
- build(deps): bump sharp from 0.32.6 to 0.34.3 in /docs by @dependabot[bot] in #1359
- build(deps): bump starlight-links-validator from 0.16.0 to 0.17.2 in /docs by @dependabot[bot] in #1360
- docs: bump the npm packages and all the depends by @brianmcgillion in #1374
- aic: add gala as PWA by @brianmcgillion in #1377
- audit: add Nix-specific rules by @everton-dematos in #1344
- build(deps): bump github/codeql-action from 3.30.0 to 3.30.1 by @dependabot[bot] in #1381
- bump: early september by @brianmcgillion in #1383
- build(deps): bump cachix/install-nix-action from 31.6.0 to 31.6.1 by @dependabot[bot] in #1384
Full Changelog: ghaf-25.08...ghaf-25.09.1