release: 0.12.0 (#75)

* codegen metadata

* feat(api): add WarmpoolAdmin and WarmpoolViewer roles to ResourceRole

* codegen metadata

* feat(api): add runner_side_agent capability to RunnerCapability

* codegen metadata

* codegen metadata

* feat(api): add audit_only to VetoExec and ExecutableDenyList

* fix(types): rename ExecutableDenyList to VetoExecPolicy in organization policies

* codegen metadata

* codegen metadata

* release: 0.12.0

---------

Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>

Author: stainless-app[bot]

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.11.0"
+  ".": "0.12.0"
 }

.stats.yml

@@ -1,4 +1,4 @@
 configured_endpoints: 175
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-8f6ee769411e2d21a2f437d49eb2f16880fcef0db52ac1985f2a3963af45f6a0.yml
-openapi_spec_hash: 28f2d9d7e36f1f0ecd13052054449249
-config_hash: 3f1278a7a2a9285f57e81f148743e99e
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-1923b5d3865532d64d80c22746aa63991bbf227cf1cbefc8cdb14a374c4c5b89.yml
+openapi_spec_hash: 304200ebfa8622f5f6846895528f06e3
+config_hash: 469d30a2d44895c8c53a5aac370a56f1

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 0.12.0 (2026-02-18)
+
+Full Changelog: [v0.11.0...v0.12.0](https://github.com/gitpod-io/gitpod-sdk-go/compare/v0.11.0...v0.12.0)
+
+### Features
+
+* **api:** add audit_only to VetoExec and ExecutableDenyList ([3957348](https://github.com/gitpod-io/gitpod-sdk-go/commit/39573483e5b4013a283ce4075a6b71e79b1d1ce4))
+* **api:** add runner_side_agent capability to RunnerCapability ([926e67e](https://github.com/gitpod-io/gitpod-sdk-go/commit/926e67e5bd00498dc91b7735414c796b5db3784a))
+* **api:** add WarmpoolAdmin and WarmpoolViewer roles to ResourceRole ([e00b441](https://github.com/gitpod-io/gitpod-sdk-go/commit/e00b441d8ed0c1a0eb7d373415e373000e5b9439))
+
+
+### Bug Fixes
+
+* **types:** rename ExecutableDenyList to VetoExecPolicy in organization policies ([8353604](https://github.com/gitpod-io/gitpod-sdk-go/commit/8353604971c6a4d35ed29ddd046120e424fefc8b))
+
 ## 0.11.0 (2026-02-11)
 
 Full Changelog: [v0.10.0...v0.11.0](https://github.com/gitpod-io/gitpod-sdk-go/compare/v0.10.0...v0.11.0)

README.md

@@ -24,7 +24,7 @@ Or to pin the version:
 <!-- x-release-please-start-version -->
 
 ```sh
-go get -u 'github.com/gitpod-io/gitpod-sdk-go@v0.11.0'
+go get -u 'github.com/gitpod-io/gitpod-sdk-go@v0.12.0'
 ```
 
 <!-- x-release-please-end -->

aliases.go

@@ -336,6 +336,12 @@ const ResourceRoleWebhookViewer = shared.ResourceRoleWebhookViewer
 // This is an alias to an internal value.
 const ResourceRoleWarmpoolRunner = shared.ResourceRoleWarmpoolRunner
 
+// This is an alias to an internal value.
+const ResourceRoleWarmpoolAdmin = shared.ResourceRoleWarmpoolAdmin
+
+// This is an alias to an internal value.
+const ResourceRoleWarmpoolViewer = shared.ResourceRoleWarmpoolViewer
+
 // This is an alias to an internal type.
 type ResourceType = shared.ResourceType
 

api.md

@@ -483,15 +483,17 @@ Methods:
 
 Params Types:
 
-- <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#ExecutableDenyListParam">ExecutableDenyListParam</a>
+- <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#KernelControlsAction">KernelControlsAction</a>
+- <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#VetoExecPolicyParam">VetoExecPolicyParam</a>
 
 Response Types:
 
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#AgentPolicy">AgentPolicy</a>
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#CrowdStrikeConfig">CrowdStrikeConfig</a>
-- <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#ExecutableDenyList">ExecutableDenyList</a>
+- <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#KernelControlsAction">KernelControlsAction</a>
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#OrganizationPolicies">OrganizationPolicies</a>
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#SecurityAgentPolicy">SecurityAgentPolicy</a>
+- <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#VetoExecPolicy">VetoExecPolicy</a>
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#OrganizationPolicyGetResponse">OrganizationPolicyGetResponse</a>
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#OrganizationPolicyUpdateResponse">OrganizationPolicyUpdateResponse</a>
 

environment.go

@@ -2063,6 +2063,8 @@ func (r vetoJSON) RawJSON() string {
 
 // exec controls executable blocking
 type VetoExec struct {
+	// action specifies what action kernel-level controls take on policy violations
+	Action KernelControlsAction `json:"action"`
 	// denylist is the list of executable paths or names to block
 	Denylist []string `json:"denylist"`
 	// enabled controls whether executable blocking is active
@@ -2072,6 +2074,7 @@ type VetoExec struct {
 
 // vetoExecJSON contains the JSON metadata for the struct [VetoExec]
 type vetoExecJSON struct {
+	Action      apijson.Field
 	Denylist    apijson.Field
 	Enabled     apijson.Field
 	raw         string
@@ -2098,6 +2101,8 @@ func (r VetoParam) MarshalJSON() (data []byte, err error) {
 
 // exec controls executable blocking
 type VetoExecParam struct {
+	// action specifies what action kernel-level controls take on policy violations
+	Action param.Field[KernelControlsAction] `json:"action"`
 	// denylist is the list of executable paths or names to block
 	Denylist param.Field[[]string] `json:"denylist"`
 	// enabled controls whether executable blocking is active

environment_test.go

@@ -76,6 +76,7 @@ func TestEnvironmentNewWithOptionalParams(t *testing.T) {
 			KernelControlsConfig: gitpod.F(gitpod.KernelControlsConfigParam{
 				Veto: gitpod.F(gitpod.VetoParam{
 					Exec: gitpod.F(gitpod.VetoExecParam{
+						Action:   gitpod.F(gitpod.KernelControlsActionUnspecified),
 						Denylist: gitpod.F([]string{"string"}),
 						Enabled:  gitpod.F(true),
 					}),
@@ -198,6 +199,7 @@ func TestEnvironmentUpdateWithOptionalParams(t *testing.T) {
 			KernelControlsConfig: gitpod.F(gitpod.KernelControlsConfigParam{
 				Veto: gitpod.F(gitpod.VetoParam{
 					Exec: gitpod.F(gitpod.VetoExecParam{
+						Action:   gitpod.F(gitpod.KernelControlsActionUnspecified),
 						Denylist: gitpod.F([]string{"string"}),
 						Enabled:  gitpod.F(true),
 					}),
@@ -380,6 +382,7 @@ func TestEnvironmentNewFromProjectWithOptionalParams(t *testing.T) {
 			KernelControlsConfig: gitpod.F(gitpod.KernelControlsConfigParam{
 				Veto: gitpod.F(gitpod.VetoParam{
 					Exec: gitpod.F(gitpod.VetoExecParam{
+						Action:   gitpod.F(gitpod.KernelControlsActionUnspecified),
 						Denylist: gitpod.F([]string{"string"}),
 						Enabled:  gitpod.F(true),
 					}),

internal/version.go

@@ -2,4 +2,4 @@
 
 package internal
 
-const PackageVersion = "0.11.0" // x-release-please-version
+const PackageVersion = "0.12.0" // x-release-please-version

organizationpolicy.go

@@ -168,44 +168,21 @@ func (r crowdStrikeConfigJSON) RawJSON() string {
 	return r.raw
 }
 
-// ExecutableDenyList contains executables that are blocked from execution in
-// environments.
-type ExecutableDenyList struct {
-	// enabled controls whether executable blocking is active
-	Enabled bool `json:"enabled"`
-	// executables is the list of executable paths or names to block
-	Executables []string               `json:"executables"`
-	JSON        executableDenyListJSON `json:"-"`
-}
-
-// executableDenyListJSON contains the JSON metadata for the struct
-// [ExecutableDenyList]
-type executableDenyListJSON struct {
-	Enabled     apijson.Field
-	Executables apijson.Field
-	raw         string
-	ExtraFields map[string]apijson.Field
-}
-
-func (r *ExecutableDenyList) UnmarshalJSON(data []byte) (err error) {
-	return apijson.UnmarshalRoot(data, r)
-}
+// KernelControlsAction defines how a kernel-level policy violation is handled.
+type KernelControlsAction string
 
-func (r executableDenyListJSON) RawJSON() string {
-	return r.raw
-}
-
-// ExecutableDenyList contains executables that are blocked from execution in
-// environments.
-type ExecutableDenyListParam struct {
-	// enabled controls whether executable blocking is active
-	Enabled param.Field[bool] `json:"enabled"`
-	// executables is the list of executable paths or names to block
-	Executables param.Field[[]string] `json:"executables"`
-}
+const (
+	KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"
+	KernelControlsActionBlock       KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"
+	KernelControlsActionAudit       KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"
+)
 
-func (r ExecutableDenyListParam) MarshalJSON() (data []byte, err error) {
-	return apijson.MarshalRoot(r)
+func (r KernelControlsAction) IsKnown() bool {
+	switch r {
+	case KernelControlsActionUnspecified, KernelControlsActionBlock, KernelControlsActionAudit:
+		return true
+	}
+	return false
 }
 
 type OrganizationPolicies struct {
@@ -256,9 +233,8 @@ type OrganizationPolicies struct {
 	// restrictions. If empty or not set for an editor, we will use the latest version
 	// of the editor
 	EditorVersionRestrictions map[string]OrganizationPoliciesEditorVersionRestriction `json:"editorVersionRestrictions"`
-	// executable_deny_list contains executables that are blocked from execution in
-	// environments.
-	ExecutableDenyList ExecutableDenyList `json:"executableDenyList"`
+	// executable_deny_list contains the veto exec policy for environments.
+	ExecutableDenyList VetoExecPolicy `json:"executableDenyList"`
 	// maximum_environment_lifetime controls for how long environments are allowed to
 	// be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000
 	// seconds).
@@ -358,6 +334,50 @@ func (r securityAgentPolicyJSON) RawJSON() string {
 	return r.raw
 }
 
+// VetoExecPolicy defines the policy for blocking or auditing executable execution
+// in environments.
+type VetoExecPolicy struct {
+	// action specifies what action kernel-level controls take on policy violations
+	Action KernelControlsAction `json:"action"`
+	// enabled controls whether executable blocking is active
+	Enabled bool `json:"enabled"`
+	// executables is the list of executable paths or names to block
+	Executables []string           `json:"executables"`
+	JSON        vetoExecPolicyJSON `json:"-"`
+}
+
+// vetoExecPolicyJSON contains the JSON metadata for the struct [VetoExecPolicy]
+type vetoExecPolicyJSON struct {
+	Action      apijson.Field
+	Enabled     apijson.Field
+	Executables apijson.Field
+	raw         string
+	ExtraFields map[string]apijson.Field
+}
+
+func (r *VetoExecPolicy) UnmarshalJSON(data []byte) (err error) {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+func (r vetoExecPolicyJSON) RawJSON() string {
+	return r.raw
+}
+
+// VetoExecPolicy defines the policy for blocking or auditing executable execution
+// in environments.
+type VetoExecPolicyParam struct {
+	// action specifies what action kernel-level controls take on policy violations
+	Action param.Field[KernelControlsAction] `json:"action"`
+	// enabled controls whether executable blocking is active
+	Enabled param.Field[bool] `json:"enabled"`
+	// executables is the list of executable paths or names to block
+	Executables param.Field[[]string] `json:"executables"`
+}
+
+func (r VetoExecPolicyParam) MarshalJSON() (data []byte, err error) {
+	return apijson.MarshalRoot(r)
+}
+
 type OrganizationPolicyGetResponse struct {
 	Policies OrganizationPolicies              `json:"policies,required"`
 	JSON     organizationPolicyGetResponseJSON `json:"-"`
@@ -414,9 +434,8 @@ type OrganizationPolicyUpdateParams struct {
 	// editor_version_restrictions restricts which editor versions can be used. Maps
 	// editor ID to version policy with allowed major versions.
 	EditorVersionRestrictions param.Field[map[string]OrganizationPolicyUpdateParamsEditorVersionRestrictions] `json:"editorVersionRestrictions"`
-	// executable_deny_list contains executables that are blocked from execution in
-	// environments.
-	ExecutableDenyList param.Field[ExecutableDenyListParam] `json:"executableDenyList"`
+	// executable_deny_list contains the veto exec policy for environments.
+	ExecutableDenyList param.Field[VetoExecPolicyParam] `json:"executableDenyList"`
 	// maximum_environment_lifetime controls for how long environments are allowed to
 	// be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000
 	// seconds).