Bamboo 12.0 release notes
Highlights
- Major new features
- Platform and security updates
- Java 21 required
- Atlassian Data Center Platform 8.0
- Spring and Jakarta upgrade
- Migration to Apache Struts 7
- Basic authentication disabled by default
- App signing is now enabled by default for app installations
- Removal of Trusted apps
- AUI 10 support
- Update to jQuery 3
- End of support for LESS
- Global serialization filter
- Dedicated log files and enhanced access logs
- Add scopes to REST endpoints to use OAuth 2.0 2LO
- Before you upgrade to Bamboo 12.0
- Updates to supported platforms
- Resolved issues
Bamboo 12.0.0
Release date:
Here's what's new in Bamboo 12.0.0.
Major new features
Service accounts
A service account is a special type of Data Center account that isn’t tied to a person. Instead, it represents a service, integration, script, or app that needs to access Bamboo, Jira, Confluence, or other Data Center products. You can use service accounts to access REST APIs using OAuth 2.0 authentication in order to run scripts and automate tasks with precise permission control. Every action taken by a service account is logged, ensuring full visibility into its activities.
To create a service account:
- Navigate to Administration > Security, then select Service accounts from the sidebar.
- Select Create service account.
- Complete the setup by specifying the account’s details, selecting the appropriate scopes and resources, and generating OAuth 2.0 credentials.
- Carefully review the information and securely store your credentials.
Explore how to manage a service account
OAuth 2.0 AppLinks
Bamboo now supports OAuth 2.0 for application links (AppLinks), enabling secure, modern, and reliable connections between Bamboo, other Atlassian products, and external applications. OAuth 2.0 is the industry standard for authentication and authorization, offering improved security and easier management of integrations.
GitHub Apps integration
Secure, fine-grained API access for GitHub repositories is now available through GitHub Apps integration. With this approach, you can skip personal access tokens while getting the benefits of enhanced security with tightly scoped and managed permissions.
GitHub recommends using GitHub Apps as the preferred authentication method for integrations, making this the best practice for enterprise-level automation and compliance.
You can configure this setting directly from each GitHub repository’s configuration page in Bamboo, or define it programmatically using Bamboo Specs.
Read more about GitHub repository configuration
API token support for Bitbucket Cloud
Bitbucket Cloud repositories now support API token authentication alongside app passwords, providing a more flexible and secure way to integrate your tools and scripts. API tokens offer enhanced security and better access management, helping you protect your integrations against unauthorized access.
We strongly recommend upgrading to API tokens, as Bitbucket Cloud is deprecating app passwords in favor of this more secure authentication method.
Read more about this change in the blog
You can use API tokens directly from each Bitbucket Cloud repository’s configuration page in Bamboo, or define them programmatically using Bamboo Specs.
Ephemeral agent concurrency limits
You can now set a limit on the number of concurrent ephemeral agents. If the limit is reached, additional agent spawn requests are queued until a slot becomes available, improving resource management and predictability.
To test it, navigate to Administration > Ephemeral agents > Configuration, enable Agent limit, and set a value that meets your needs.
Non-rerunnable plans
Plans can now be marked as non-rerunnable, ensuring only fresh builds are allowed and giving you more control over your CI/CD workflows. This option is available in every plan’s details page, or can be configured programmatically using Bamboo Specs.
In-product diagnostics (IPD)
In-product diagnostics (IPD) is now built into Bamboo, bringing the same powerful monitoring and support capabilities already available in Jira, Confluence, and Bitbucket Data Center. IPD continuously collects key system metrics, performs basic monitoring, and provides proactive alerts about your Bamboo environment’s health.
Key benefits for admins:
- Health monitoring: Instantly view the health status of your Bamboo instance and identify potential issues before they impact your teams.
- Faster troubleshooting: All diagnostic data is automatically included in support zips, making it easier for Atlassian Support and your admins to analyze and resolve problems quickly.
- Seamless integration: IPD data can be consumed by Atlassian support engineers, your Bamboo admins, and third-party tools for comprehensive monitoring and analysis.
Explore how in-product diagnostics can help you get more visibility into your Bamboo instances
Improved background job distribution
In clustered environments, Bamboo now distributes background jobs across all nodes, not just the primary node, for better performance and resource utilization. This feature will be enabled automatically if Bamboo is configured in warm-standby mode with at least two running nodes.
Performance improvements
Bamboo 12 offers many significant performance improvements, such as faster time-to-build for Bitbucket Cloud and GitHub webhook-based integrations, or a reduced heap memory footprint in the app.
Platform and security updates
Java 21 required
Bamboo 12.0 requires Java 21 as the minimum version. Support for Java 17 has been removed.
Atlassian Data Center Platform 8.0
Bamboo 12.0 now runs on Atlassian Data Center Platform 8, bringing improved responsiveness to security updates and minimizing disruptions or breaking changes for Atlassian Marketplace apps.
Prepare your Data Center app for 2025 security and usability updates
This upgrade is part of our ongoing commitment to enhanced security and performance.
Spring and Jakarta upgrade
To maintain high security standards and keep dependencies supported and up to date, we’re upgrading:
- Spring to the 6.x line
- Jakarta to EE Platform 10
- Apache Tomcat to 10.1 alongside other libraries that depend on Spring and Jakarta
The Apache Tomcat upgrade also introduces changes under the Jakarta Servlet specification. If you rely on custom server settings or connectors, review the following before upgrading:
- Review any custom server.xml settings, especially those referencing "javax.servlet" APIs, as Tomcat 10.1 now uses the "jakarta.servlet" namespace.
- Make sure all connectors (such as HTTP or AJP) are still supported and correctly set up for Tomcat 10.1.
- Check that your security and TLS/SSL configurations are compatible with the cryptographic defaults in Tomcat 10.1.
For more details on what’s new in Tomcat 10.1, see the official Apache Tomcat documentation.
Migration to Apache Struts 7
Struts has been upgraded to version 7. Key packages have been migrated and template variables updated for improved security and maintainability. This move modernizes our technology stack and protects against known vulnerabilities.
Basic authentication disabled by default
To improve security, basic authentication is now disabled by default for REST API calls in new instances. If you’re upgrading an existing instance, basic auth remains enabled to ensure your current integrations keep working after the upgrade. You can enable or disable basic auth for REST calls at any time in the Authentication methods settings.
How to disable basic authentication
App signing is now enabled by default for app installations
Apps that are uploaded via UPM are now required to be signed by default. This doesn’t impact Java APIs or app compatibility, but may impact your development and test environment. You can disable the signature verification by setting the following Java system property:
atlassian.upm.signature.check.disabled=true
Distribution via Atlassian Marketplace generates the signatures of the installed apps. Vendors or customer in-house development teams that want to install an app directly in the product, without Marketplace involvement, need a custom application signature and a verification certificate. For further details, see Configuring UPM app signature check and Generating app signature and verification certificate using OpenSSL.
Removal of Trusted apps
We’re removing Trusted apps to reduce the number of insecure entry points into the products. We’ve replaced this way of exchanging information between Atlassian products with more secure solutions that follow industry best practices, like the OAuth 2.0 protocol.
AUI 10 support
Bamboo 12 uses AUI 10. Plugin developers should either include their own versions of these libraries or update their plugins according to the AUI 10 migration guide and the jQuery 3 migration guidelines. As part of these updates, Backbone 1.6.0 and 1.3.3 have been removed, and Backbone is no longer accessible globally via window.backbone.
For more information on AUI 10 deprecations, see Prepare your Data Center app for 2025 security and usability updates.
Update to jQuery 3
We’ve updated to jQuery 3 to standardize the jQuery version across all Data Center products. Plugin developers should update their plugins according to the jQuery 3 migration guidelines. This means a significant jQuery version uplift for products containing older versions of jQuery.
End of support for LESS
To improve security and performance, Bamboo no longer supports transforming LESS files to CSS at runtime. All LESS must now be compiled into CSS during the build process.
Global serialization filter
We’re introducing a global serialization filter that uses a centralized blocklist to protect Java deserialization, Velocity, Struts, and XStream. This filter automatically blocks classes and patterns known to be vulnerable to Remote Code Execution (RCE) exploits via publicly disclosed gadget chains.
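How a blocklist of this kind works at the Java deserialization layer, as an added example that is not Bamboo's code or its actual blocklist: it installs a JVM-wide filter with the JDK's own ObjectInputFilter API and shows a listed class being rejected even when nested inside another object. The prefixes in BLOCKED_PREFIXES and the DemoGadget class are constructed for illustration, and the Velocity, Struts, and XStream layers are not covered.

```java
import java.io.*;
import java.util.List;

public class BlocklistFilterDemo {
    // Stand-in for a class on the blocklist, so the demo needs no extra jars.
    static class DemoGadget implements Serializable {}

    // Constructed blocklist for illustration; not Bamboo's actual list.
    static final List<String> BLOCKED_PREFIXES = List.of(
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors.",
        DemoGadget.class.getName());

    // Reject any class (or array of it) whose name starts with a blocked prefix.
    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // size/depth callbacks
        while (c.isArray()) c = c.getComponentType();
        String name = c.getName();
        boolean blocked = BLOCKED_PREFIXES.stream().anyMatch(name::startsWith);
        return blocked ? ObjectInputFilter.Status.REJECTED
                       : ObjectInputFilter.Status.UNDECIDED;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // No per-stream filter is set here: the JVM-wide filter applies automatically.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Install once, before any untrusted stream is read; a second call throws.
        ObjectInputFilter.Config.setSerialFilter(BlocklistFilterDemo::check);

        System.out.println("allowed:  " + deserialize(serialize("PROJ-PLAN-42")));
        try {
            // The blocked class is nested inside an otherwise harmless array.
            deserialize(serialize(new Object[] { "PROJ-PLAN-42", new DemoGadget() }));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter returns UNDECIDED for every class that is not listed, so it stops only the classes on the list, which matches the blocklist approach described above.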
Dedicated log files and enhanced access logs
Cluster communication logs and access logs are now more structured and easier to analyze. Cluster communication events are now recorded in a dedicated atlassian-bamboo-communication-stats.log file instead of the main log, making troubleshooting and performance monitoring simpler and more efficient.
Additionally, access logs now include more detailed information about each request, providing greater visibility for auditing and diagnostics.
Add scopes to REST endpoints to use OAuth 2.0 2LO
We’ve introduced @ScopesAllowed to improve security and control over REST endpoints.
Add the @ScopesAllowed annotation to your endpoints to make them accessible using an OAuth 2.0 Client Credentials token (2LO).
For example, this annotation requires that the access token has the WRITE scope before providing access to this endpoint.
@POST
@ScopesAllowed(requiredScope = "WRITE")
public void createEntity(...) {}
Supported scopes are documented here:
Before you upgrade to Bamboo 12.0
Important
Platform releases allow us to incorporate multiple significant changes (often called “breaking changes”) that aren't compatible with previous versions. These changes establish a strong foundation for more extensive development in future releases.
We recommend that you review your apps before upgrading to reduce the risk of disruption for your organization.
To check app compatibility, visit Checking app compatibility with application updates, or the Atlassian Marketplace to see if your app hosting is compatible with your product version.
Updates to supported platforms
See what changes are in store for the supported platforms in Bamboo. For more information about what the latest stable release of Bamboo supports, see Supported platforms.
End of support announcements
In this release, we’re removing support for:
JDK 17
PostgreSQL 15
SQL Server 2017
New supported platforms
In this release, we’re adding support for:
PostgreSQL 18
Oracle 23ai
MySQL 8.4
Resolved issues
Scroll through the list of the issues we’ve resolved throughout the lifecycle of Bamboo 12.0.
