Releases: gitpod-io/terraform-google-ona-runner

v2.0.1

08 May 12:25

Container Images

| Component | Image |
| --- | --- |
| Runner | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260508.526 |
| Proxy | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260508.526 |
| Prometheus | us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3 |
| Node Exporter | us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1 |

Assets

| Asset | URL |
| --- | --- |
| CLI Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260508.526/gitpod-linux-amd64 |
| Supervisor Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260508.526/supervisor-amd64.xz |
| VM Image | projects/gitpod-next-production/global/images/ona-environment-20260429-1144 |

Changelog

  • chore: bump VERSION to v2.0.1 (2a5a60b)
  • fix: add create_before_destroy to trust bundle GCS object (8dd901a)
  • fix: add memory and CPU limits to all docker containers (9e777b0)
  • Merge pull request #32 from gitpod-io/nv/remove-honeycomb-key (09733cc)
  • fix: remove honeycomb_api_key from example configuration (d715104)
  • fix: remove Honeycomb API key from Terraform and VM metadata (416ee84)
  • feat: add flow logging to security-critical firewall rules (c3d358a)
  • fix: enable full shielded VM hardening and block project SSH keys (4b4806e)
  • fix: close SSH port 22 to 0.0.0.0/0, restrict to IAP only (0c2ff56)
  • fix: wire time_rotating to auth proxy TLS cert for actual rotation (f67e652)
  • feat: add metrics audit receiver and MANAGED_METRICS_DIRECT_PUSH env var (ab2d1ba)
  • refactor: read module version from VERSION file (9969049)
  • feat: report Terraform module version to the management plane (c1b733f)
  • feat: support managed endpoint direct push in config-reloader (25aa26b)

v2.0.0

04 May 17:24

Container Images

| Component | Image |
| --- | --- |
| Runner | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260504.828 |
| Proxy | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260504.828 |
| Prometheus | us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3 |
| Node Exporter | us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1 |

Assets

| Asset | URL |
| --- | --- |
| CLI Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260504.828/gitpod-linux-amd64 |
| Supervisor Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260504.828/supervisor-amd64.xz |
| VM Image | projects/gitpod-next-production/global/images/ona-environment-20260429-1144 |

⚠️ IAM/Permission Changes

This release adds warm pool support and includes IAM changes since v1.0.0. If you use pre-created service accounts, update your custom role and SA bindings manually.

New permissions added to the runner custom role

| Permission | Purpose |
| --- | --- |
| compute.autoscalers.create | Manage MIG autoscalers for dynamic warm pool scaling |
| compute.autoscalers.delete | Clean up autoscalers when warm pools are removed |
| compute.autoscalers.get | Read autoscaler state during reconciliation |
| compute.autoscalers.update | Adjust autoscaler targets as demand changes |
| compute.instanceGroupManagers.use | Required for autoscaler to manage MIG instances |
| compute.instances.listReferrers | Discover which MIG owns a VM during warm pool operations |
| compute.instances.resume | Resume suspended warm pool VMs on claim |
| monitoring.timeSeries.create | Publish scaling metrics that drive the autoscaler |

Role changes

| Resource | Previous | New | Reason |
| --- | --- | --- | --- |
| Runner assets bucket (runner_runner_assets_access) | roles/storage.objectViewer | roles/storage.objectAdmin | Runner now writes managed metrics audit payloads to the assets bucket |

IAM role binding changes

  • iam.serviceAccounts.actAs removed from the runner custom role. Replaced by per-SA roles/iam.serviceAccountUser bindings.
  • iam.serviceAccounts.getAccessToken removed from the runner custom role (unused — the runner authenticates via GCE metadata server).
  • New per-SA bindings: The runner SA is granted roles/iam.serviceAccountUser on three specific service accounts:
    • runner_sa (self) — for runner VM instance templates
    • environment_vm_sa — for environment VMs created by the orchestrator
    • proxy_vm_sa — for proxy VM instance templates
  • Unused service accounts removed: build_cache, secret_manager, pubsub_processor.

⚠️ Breaking change for pre-created service accounts: If you use pre_created_service_accounts, you must grant roles/iam.serviceAccountUser on the runner_sa, environment_vm_sa, and proxy_vm_sa service accounts to the runner SA out of band. Previously, the project-level actAs in the custom role covered this implicitly.

See docs/iam.md and docs/terraform_service_account_permissions.md for the full updated permission requirements.
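
For pre-created service accounts, the changes above can be checked before upgrading. The following is an added example, not code from this module: it assumes the custom role and each service account's IAM policy were exported as JSON (for instance with `gcloud iam roles describe` and `gcloud iam service-accounts get-iam-policy`, both with `--format=json`), and the `audit` helper, project name and service account e-mail are constructed placeholders.

```python
"""Audit exported IAM JSON against the v2.0.0 notes (added example)."""

# Permissions the v2.0.0 notes list as added to the runner custom role.
ADDED = {
    "compute.autoscalers.create", "compute.autoscalers.delete",
    "compute.autoscalers.get", "compute.autoscalers.update",
    "compute.instanceGroupManagers.use", "compute.instances.listReferrers",
    "compute.instances.resume", "monitoring.timeSeries.create",
}
# Permissions the notes list as removed from the runner custom role.
REMOVED = {"iam.serviceAccounts.actAs", "iam.serviceAccounts.getAccessToken"}
SA_USER = "roles/iam.serviceAccountUser"
# Service accounts on which the runner SA needs a per-SA binding.
TARGETS = ("runner_sa", "environment_vm_sa", "proxy_vm_sa")


def audit(role, sa_policies, runner_member):
    """Return findings for a custom role dict and {target: IAM policy dict}."""
    have = set(role.get("includedPermissions", []))
    findings = [f"custom role is missing {p}" for p in sorted(ADDED - have)]
    findings += [f"custom role still grants {p}" for p in sorted(REMOVED & have)]
    for target in TARGETS:
        bindings = sa_policies.get(target, {}).get("bindings", [])
        if not any(b.get("role") == SA_USER
                   and runner_member in b.get("members", [])
                   for b in bindings):
            findings.append(f"runner SA lacks {SA_USER} on {target}")
    return findings


# Constructed sample data: placeholder project and service account names.
RUNNER = "serviceAccount:runner@example-project.iam.gserviceaccount.com"
SAMPLE_ROLE = {"includedPermissions": sorted(
    (ADDED - {"compute.instances.resume"}) | {"iam.serviceAccounts.actAs"})}
BOUND = {"bindings": [{"role": SA_USER, "members": [RUNNER]}]}
SAMPLE_POLICIES = {"runner_sa": BOUND, "proxy_vm_sa": BOUND,
                   "environment_vm_sa": {"bindings": []}}

if __name__ == "__main__":
    for line in audit(SAMPLE_ROLE, SAMPLE_POLICIES, RUNNER):
        print(line)
```

The check covers the custom role and the three per-SA bindings only; the assets bucket role change is not inspected.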

What's New

  • Warm pools are now enabled by default for all new runners. Pre-initialized suspended VMs cut environment startup from minutes to ~10 seconds. See the warm pools documentation.
  • Organization ID added to Prometheus external_labels for multi-org metric filtering.

Other Changes

  • Environment UDP egress restricted to DNS, NTP, and QUIC.
  • Port 7070 added to firewall rules for port authentication.
  • Local remote_write target for managed metrics pipeline.
  • Prometheus updated to v3.11.3.

v1.0.3

04 May 17:23

Container Images

| Component | Image |
| --- | --- |
| Runner | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260504.828 |
| Proxy | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260504.828 |
| Prometheus | us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.3 |
| Node Exporter | us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1 |

Assets

| Asset | URL |
| --- | --- |
| CLI Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260504.828/gitpod-linux-amd64 |
| Supervisor Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260504.828/supervisor-amd64.xz |
| VM Image | projects/gitpod-next-production/global/images/ona-environment-20260429-1144 |

⚠️ IAM/Permission Changes

This release includes changes to IAM roles or permissions. Review the following commits and update your IAM configuration if needed:

  • feat(iam): grant compute.instances.resume to runner role (170c27e)

See docs/iam.md and docs/terraform_service_account_permissions.md for the updated permission requirements.

Changelog

  • Merge pull request #21 from gitpod-io/n/warm-pool-default (eac4ec5)
  • style: fix terraform formatting (baca4f7)
  • feat: enable warm pool by default for all new runners (853c100)
  • Merge pull request #20 from gitpod-io/n/org-id-ext-label (ee7b328)
  • fix: add organization_id to prometheus external_labels (2dde835)
  • Merge pull request #19 from gitpod-io/nan/wp-resume-perm (808b0f9)
  • feat(iam): grant compute.instances.resume to runner role (170c27e)

v1.0.2

24 Apr 14:12

Container Images

| Component | Image |
| --- | --- |
| Runner | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260424.828 |
| Proxy | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260424.828 |
| Prometheus | us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1 |
| Node Exporter | us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1 |

Assets

| Asset | URL |
| --- | --- |
| CLI Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260424.828/gitpod-linux-amd64 |
| Supervisor Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260424.828/supervisor-amd64.xz |
| VM Image | projects/gitpod-next-production/global/images/ona-environment-20260422-1858 |

⚠️ IAM/Permission Changes

This release includes changes to IAM roles or permissions. Review the following commits and update your IAM configuration if needed:

  • docs(iam): trim explanatory comments about removed permissions (11259f6)
  • feat(iam)!: scope runner actAs per-SA, drop unused getAccessToken (6d56c4e)
  • iam: remove unused build_cache, secret_manager, and pubsub_processor service accounts (7a49dc5)

See docs/iam.md and docs/terraform_service_account_permissions.md for the updated permission requirements.

Changelog

  • Merge pull request #17 from gitpod-io/nv/scope-runner-iam (de4772a)
  • docs(iam): trim explanatory comments about removed permissions (11259f6)
  • Revert "fix(proxy-vm): tighten OAuth scope to cloud-platform.read-only" (a68c83b)
  • fix(proxy-vm): tighten OAuth scope to cloud-platform.read-only (fed9a4b)
  • feat(iam)!: scope runner actAs per-SA, drop unused getAccessToken (6d56c4e)
  • Merge pull request #16 from gitpod-io/NaN/restrict-env-udp-egress (afff2fe)
  • firewall: restrict environment UDP egress to DNS/NTP/QUIC (918bc6e)
  • Merge pull request #14 from gitpod-io/NaN/remove-unused-service-accounts (a96cefb)
  • iam: remove unused build_cache, secret_manager, and pubsub_processor service accounts (7a49dc5)
  • Merge pull request #15 from gitpod-io/gpl/port-auth-enabled (8514be6)
  • Enable port auth on GCP runner (b9ed854)
  • Merge pull request #13 from gitpod-io/add-port-auth-mode (1ad4952)
  • Forward remaining internal module variables to example wrapper (fe501e8)
  • Add port 7070 to firewall rules and iptables (6a626c1)
  • Merge pull request #12 from gitpod-io/n/release-notif-docs (5c50c3f)
  • docs: move release notifications to Ona docs, remove local copy (e23fab6)
  • Merge pull request #11 from gitpod-io/NaN/clean-up-contributing (9b240ae)
  • docs: mention Ona and VS Code as dev environment options (e344d37)
  • docs: add back Build with Ona badge (9e40e2c)
  • docs: rewrite CONTRIBUTING.md to follow Terraform module conventions (9f604e7)
  • Merge pull request #10 from gitpod-io/NaN/remove-proxy-docs (c116fff)
  • docs: remove CHANGELOG.md (2a08db5)
  • docs: remove proxy.md (7cbaa67)
  • Merge pull request #9 from gitpod-io/NaN/remove-e2e-tests (898e697)
  • e2e: remove end-to-end tests (3cd88ab)
  • Merge pull request #8 from gitpod-io/NaN/clean-up-readme (1f4755c)
  • docs: reword enterprise callout in README (3a765b4)
  • docs: add spacing to README (f8df362)
  • docs: simplify README to link to Ona docs (388b543)
  • Merge pull request #7 from gitpod-io/n/local-rw-target (487b2ea)
  • fix: escape shell ${} for Terraform templatefile and fix runner_id indentation (4cf2fcb)
  • feat: add runner_id, stack label, and write_relabel_configs for managed metrics (4b43f9b)
  • feat: add local remote_write target for managed metrics pipeline (35a09e0)

v1.0.1

13 Apr 06:45

Container Images

| Component | Image |
| --- | --- |
| Runner | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260413.69 |
| Proxy | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260413.69 |
| Prometheus | us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.11.1 |
| Node Exporter | us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.11.1 |

Assets

| Asset | URL |
| --- | --- |
| CLI Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260327.1118/gitpod-linux-amd64 |
| Supervisor Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260327.1118/supervisor-amd64.xz |
| VM Image | projects/gitpod-next-production/global/images/ona-environment-20260327-1741 |

Changelog

  • Update example to use local runner module before publishing (1d358ad)

v1.0.0

09 Apr 16:09

Container Images

| Component | Image |
| --- | --- |
| Runner | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-gcp-runner:20260327.1118 |
| Proxy | us-docker.pkg.dev/gitpod-next-production/gitpod-next/gitpod-proxy:20260327.1118 |
| Prometheus | us-docker.pkg.dev/gitpod-next-production/gitpod-next/prometheus:v3.5.0 |
| Node Exporter | us-docker.pkg.dev/gitpod-next-production/gitpod-next/node-exporter:v1.9.1 |

Assets

| Asset | URL |
| --- | --- |
| CLI Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260327.1118/gitpod-linux-amd64 |
| Supervisor Binary | https://storage.googleapis.com/gitpod-runner-releases/gcp/releases/20260327.1118/supervisor-amd64.xz |
| VM Image | projects/gitpod-next-production/global/images/ona-environment-20260327-1741 |

Changelog