Bamboo 12.0 upgrade notes

We’ve collected some important notes on upgrading to Bamboo 12.0. For details on all the new features and improvements we’ve introduced in this release, see the Bamboo 12.0 release notes.

アップグレード ノート

Here’s some important information you should know about before upgrading.

Java 21 required

Bamboo 12.0 now requires Java 21 as the minimum supported version for both server nodes and all kinds of agents. Support for Java 17 has been removed. Ensure your environment is updated before upgrading.

Atlassian Data Center Platform 8.0

Bamboo 12.0 now uses Atlassian Data Center Platform 8.0, allowing us to address security updates with less disruption.

This upgrade also includes updates to various Atlassian and third-party components, ensuring access to the latest security improvements and bug fixes. For a comprehensive overview of Platform 8 changes and migration guidance for your app, see the Prepare your Data Center app for 2025 security and usability updates page.

Spring, Jakarta, and Tomcat upgrades

To strengthen security and maintain up-to-date dependencies, Bamboo 12.0 upgrades several foundational components:

• Spring has been updated to version 6.2
• Jakarta now uses EE Platform 10
• Apache Tomcat has been upgraded to 10.1, along with related libraries that rely on Spring and Jakarta

The move to Tomcat 10.1 also introduces changes from the latest Jakarta Servlet specification. If you have custom server configurations or connectors, review the following before upgrading:

• Check any custom server.xml settings, especially those referencing the javax.servlet APIs, as Tomcat 10.1 now uses the jakarta.servlet namespace.
• Ensure all connectors (such as HTTP or AJP) are compatible and properly configured for Tomcat 10.1.
• Verify that your security and TLS/SSL settings work with the updated cryptographic defaults in Tomcat 10.1.

For a full list of changes and guidance, see the official Apache Tomcat 10.1 documentation.

The Maven packages that provide the Jakarta EE APIs have been updated to the following versions:

• Jakarta Servlet 6.0
• Jakarta RESTful Web Services 3.1
• Jakarta Dependency Injection 2.0
• Jakarta Annotations 2.1
• Jakarta Activation 2.1
• Jakarta Mail 2.1
• Jakarta XML Binding 4.0
• Jakarta Bean Validation 3.0

Java package name changes

The upgrade to Jakarta EE 10 is a significant change and will impact most third-party apps as the Java package names have changed from javax to jakarta.

The table below summarizes those package name changes:

Migration to Apache Struts 7

We’ve upgraded to Struts 7. Make sure you’re aware of the following changes:

• The com.opensymphony.xwork2  package has been migrated to org.apache.struts2.

• The FreeMarker parameters template variable has been replaced with attributes to avoid mixing access to HTTP request parameters.

You can find extensive documentation and migration steps at Struts 6.x.x to 7.x.x migration.

基本認証を既定で無効化

To enhance security, Bamboo 12.0 disables basic authentication for REST API calls by default in new installations.
If you’re upgrading from an existing instance, basic authentication will remain enabled to maintain compatibility with your current integrations.
You can manage the basic authentication settings for REST API calls at any time in the Authentication methods configuration.

基本認証を無効化する方法

アプリのインストール時におけるアプリ署名の既定での有効化

In this release, app signing is now enabled by default, further enhancing the security of your Bamboo instance. This feature, already introduced across other Data Center products, ensures that only trusted apps can be installed. For more information, see App Signing rollout started: Time to boost App security.

App signing applies only to new app installations - existing apps will continue to work as before.

Installing Marketplace apps:

1. Set the location of your truststore folder as described in Configuring UPM app signature check.

2. Download and install the Atlassian Certificates bundle. See Updating Atlassian Certificates Bundles for details.

3. You’re all set—Marketplace apps will now install securely.

Installing custom apps:

1. Set the truststore folder location as above.

2. Generate your app’s signature and verification certificate as described in Generating app signature and verification certificate using OpenSSL.

3. Add your certificate to the Trust store as shown in Updating Atlassian Certificates Bundles.

4. Install your signed app.

Alternatively, you can install apps directly via the file system without app signing if needed.

If you encounter any problems, refer to App signing troubleshooting.

It is possible to disable the signature verification by setting a Java system property.

atlassian.upm.signature.check.disabled=true

Removal of Trusted AppLinks

製品への安全でないエントリ ポイントの数を減らすために、信頼できるアプリが削除されます。アトラシアン製品間のこの情報交換方法は、業界のベスト プラクティスに沿った安全性の高いソリューション (OAuth 2.0 プロトコルなど) に置き換えられています。

AUI 10 support

Bamboo 12.0 now ships with AUI 10 and jQuery 3. Plugin developers should ensure their plugins are compatible by bundling the required versions or updating their code according to the AUI 10 migration guide and the jQuery 3 migration guidelines.
Additionally, Backbone versions 1.6.0 and 1.3.3 have been removed, and Backbone is no longer available globally as window.backbone.

Removal of deprecated components in AUI 10

During the AUI 10 migration, we removed outdated components that were deprecated due to design or accessibility issues:

• Dropdown 1 - replaced by Dropdown 2

• Toolbar 1 - replaced by Toolbar 2

• Dialog 1 - replaced by Dialog 2

These changes may result in slight differences in the UI, primarily layout changes. No functional behaviours should have changed.

For details on deprecated components in AUI 10, refer to the Prepare your Data Center app for 2025 security and usability updates.

jQuery 3 への更新

We’re moving to jQuery 3 to align with the standard jQuery version used across all Data Center products. This upgrade represents a major jump for products that previously relied on older jQuery releases.
For guidance on updating your code, see the migration guide.

LESS のサポート終了

To improve security and performance, Bamboo no longer supports transforming LESS files to CSS at runtime. All LESS must now be compiled into CSS during the build process. Read the announcement

オリジナル テーマのサポート終了

新しいライト テーマとダーク テーマによりアクセシビリティとユーザビリティの向上がもたらされたため、すべての製品から元のテーマが削除されます。

グローバル シリアル化フィルター

We’re introducing a global serialization filter that uses a centralized blocklist to protect Java deserialization, Velocity, Struts, and XStream. This filter automatically blocks classes and patterns known to be vulnerable to Remote Code Execution (RCE) exploits via publicly disclosed gadget chains.

In-product diagnostics (IPD)

Bamboo 12.0 introduces built-in In-product Diagnostics (IPD), providing real-time monitoring of key system metrics directly within Bamboo. Enabled by default, IPD tracks database latency, build and deployment activity, file system performance, server and JVM health, and overall system resource usage.

主なメリット

• Health monitoring: Instantly view the health of your Bamboo instance and catch issues early.

• Faster troubleshooting: Diagnostic data is automatically included in support zips, helping Atlassian Support and admins resolve problems more quickly.

• Seamless integration: IPD data is accessible to admins, Atlassian support engineers, and third-party monitoring tools for comprehensive analysis.

New metrics are logged to logs/atlassian-bamboo-ipd-monitoring.log and logs/atlassian-bamboo-jmx.log.

New API for adding data to support information and support zip files

The page at Administration → Troubleshooting and support tools → System Information shows diagnostic information about the system that is helpful for support purposes. This information is also included in support zip files. The API that adds custom information to this page has moved. The new API should require only trivial changes.

Old Maven dependency:

<dependency>
    <groupId>com.atlassian.support</groupId>
    <artifactId>stp-spi</artifactId>
</dependency>

New Maven dependency:

<dependency>
    <groupId>com.atlassian.troubleshooting</groupId>
    <artifactId>spi</artifactId>
    <version>3.1.0</version>
</dependency>

Dedicated log file for cluster communications

Cluster communication logs are now logged in a separate file. From Bamboo 12 onward, node communication metrics are recorded in atlassian-bamboo-communication-stats.log rather than the main log, simplifying troubleshooting and performance analysis.

Enhanced access logs

The new structured format of access logs provides richer information for better analysis and troubleshooting.

旧:

[INFO]:   [ip] [user] [method] [url] [starting memory free (kb)]
[DEBUG]:  [ip] [user] [method] [url] [starting memory free (kb)] +- [difference in free mem (kb)] [query time (ms)]

新:

[INFO]:   [ip] [user] [method] [url] requestSize=[request size (B)]
[DEBUG]:  [ip] [user] [method] [url] requestSize=[request size (B)] startMemory=[starting memory free (kB)] memoryDiff=+-[difference in free mem (kB)] responseTime=[query time (ms)]

Migrate from app passwords to API tokens for Bitbucket Cloud

To improve security and align with best practices, Bamboo 12.0 recommends migrating from app passwords to API tokens for integrations and automation.
App passwords are being deprecated in Bitbucket Cloud and other Atlassian products, and API tokens provide a more secure and manageable way to authenticate REST API calls and repository access.

必要な操作

• Review your repository configurations, integrations, scripts, and build configurations that use app passwords.

• Replace any usage of app passwords with API tokens as soon as possible.

• For guidance on generating and using API tokens, see API tokens.

Switching to API tokens will help keep your Bamboo environment secure and compatible with future platform updates.

Migrate to GitHub Apps for secure GitHub integration

Bamboo 12.0 introduces support for GitHub Apps integration, offering secure, fine-grained API access to GitHub repositories. This new approach eliminates the need for personal access tokens (PATs) and is specifically designed to enhance security by allowing permissions to be tightly scoped and centrally managed.

We strongly recommend migrating all Bamboo GitHub integrations from personal access tokens to GitHub Apps as soon as possible. GitHub Apps is now the preferred and most secure authentication method, and using it is considered best practice for enterprise automation, compliance, and long-term support. Continuing to use PATs may expose your environment to unnecessary security risks and could result in unsupported configurations in the future.

You can configure GitHub Apps integration directly from each repository’s configuration page in Bamboo, or define it programmatically using Bamboo Specs.

For detailed instructions, see GitHub.

Grey builds now shown on Bitbucket Data Center builds page

You now have full visibility into your entire CI/CD pipeline, as grey (cancelled) builds are now displayed on the Bitbucket Data Center builds page.

REST エンドポイントにスコープを追加して、OAuth 2.0 2LO を使用する

REST エンドポイントのセキュリティと制御を強化するために、@ScopesAllowed を導入しました。

@ScopesAllowed アノテーションをエンドポイントに追加し、OAuth 2.0 クライアント認証情報トークン (2LO) を使用してアクセスできるようにします。

たとえば、このアノテーションでは、このエンドポイントへのアクセスを提供する前に、アクセス トークンに WRITE スコープが必要です。

@POST
@ScopesAllowed(requiredScope = "WRITE")
public void createEntity(...) {}

サポートされているスコープは次で文書化されています。

• Confluence
• Jira
• Bitbucket
• Bamboo
• Crowd

サポート対象プラットフォームの変更

See what changes are in store for the supported platforms in Bamboo. For more information about what the latest stable release of Bamboo supports, see Supported platforms.

サポート終了のお知らせ

In this release, we’re removing support for:

  PostgreSQL 15

  SQL Server 2017

新たにサポート対象となったプラットフォーム

In this release, we’re adding support for:

  PostgreSQL 18

  Oracle 23ai

  MySQL 8.4

Check all end of support announcements.

How to upgrade Bamboo

See the Bamboo upgrade guide for a complete walk-through of the upgrade process that includes descriptions of all the available upgrade paths, prerequisites, and methods.