    Posts made by atripp

    • RE: [feature] ProGet: Send test notifications from 'Notifiers & Webhooks'

      Hi @Nils-Nilsson ,

      It's possible but it's quite complex; there are dozens of variable/macros that rely on context (some will give an error) and none of them have built-in dummy data. That would make templating expressions like <% if %> or <% foreach %> difficult to test.

      In theory, you could enter a large box of variable expressions (like $FeedName=fake-feed)... but at that point, it's just easier to test things by performing the actions on a real package. A quick pgutil packages delete + pgutil packages upload script works great for that... that's how we test.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Cargo feed returning 500 Internal Server Error

      Hi @joris-guex ,

      Thanks for the detailed information; I was able to reproduce the error pretty easily thanks to that.

      It seems to be happening when parsing a Dependency entry in the .toml file (missing version), but I can't figure out why since the version appears to be there. It also shouldn't cause this behavior for this particular error.

      In any case, we'll get it fixed via PG-3303 in an upcoming maintenance release.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Scheduled Task is failing due to invalid script identifier

      Hi @brandon_owensby_2976,

      It's a bit confusing, but the message "{name}" is not a valid DeploymentScript identifier for the "global" scope. will occur when:

      • a script is being executed in the global context (as is the case here)
      • the {name} does not start with global::

      I know you mentioned you pre-fixed with global::, but these scheduled jobs can be a bit tricky to test. It's possible that the old record (without global::) was queued up.

      To be totally certain next time, I would stop/start the service so that there's nothing that gets queued up.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: PEP 700 conformance for PyPI feeds

      @Ashley thanks for letting us know!

      posted in Support
      atripp
      atripp
    • RE: Git Repository Monitor - Create build when a PR is created/updated

      Hi @brandon_owensby_2976 ,

      Thanks for the feedback, we appreciate it :)

      There's definitely a value in building before merging; if you haven't already, I'd check out that feature branch article, as it outlines the pattern we use for it.

      In general, the way I would try to configure is:

      • consider using a releaseless-build if you don't yet know the release it's targeting
      • use a different pipeline so it's visually clear; the stages may be Build -> Test -> Merge
      • clean up the builds afterwards

      That said, this isn't the most popular workflow in BuildMaster, so it may not be the most intuitive to implement or feel a bit clunky.

      We don't have a lot of public examples, but the inedo-docs application is the closest to a Gitflow, releaseless type of workflow. Commits to master branch auto-deploy to live site, whereas branches can only go to test:
      https://buildmaster.inedo.com/applications/136/overview

      No idea if that's helpful, but just FYI

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: BuildMaster - api/json/SecureResource_GetSecureResources fails with 500 Internal Server Error

      Hi @brandon_owensby_2976 ,

      Looks like this is a regression in BuildMaster 2025 from a library upgrade; we will address it via BM-4017 in an upcoming release, either this Friday or the following cycle.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Container image size calculation does not always work

      Hi @pg_user_8607 ,

      Nice find with that image; that makes it easier to demonstrate :)

      This is unfortunately another "weird docker thing" that would require a substantial amount of internal model changes to properly address. That's not on our roadmap at this time.

      The image you found (inedo/buildmaster:25.0.12) is a so-called "fat manifest" (i.e. a manifest that points to another manifest). As such, there are zero layers (blobs) and thus the sum of all blob sizes is zero.

      The 25.0.12 manifest points to e84148156b3e, which is an untagged image. You can see this on the "Sub Images" page:

      The /containers page does not show untagged images.

      In the past, "fat manifests" were rare - but the default Docker build tools default to create fat manifests, even if there's only one image. It's something we will likely address down the line, it's just not in the roadmap now.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
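The "fat manifest" case described in the post above, as an added Python example (not ProGet's code): summing layer sizes on a manifest that only points at another manifest gives zero, and the real figure appears once the child manifest is resolved. The digests, sizes and the in-memory `STORE` are constructed; only layer blobs are counted, which is an assumption.

```python
# Media types that mark a manifest list / image index ("fat manifest").
INDEX_MEDIA_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
IMAGE_TYPE = "application/vnd.oci.image.manifest.v1+json"

# Constructed digests and manifests standing in for a registry's manifest store.
TAG_DIGEST = "sha256:" + "1" * 64    # what the tag points at (the index)
CHILD_DIGEST = "sha256:" + "2" * 64  # the untagged image the index points at
STORE = {
    TAG_DIGEST: {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": [{
            "mediaType": IMAGE_TYPE,
            "digest": CHILD_DIGEST,
            "size": 1234,  # size of the child manifest document, not of the image
            "platform": {"os": "linux", "architecture": "amd64"},
        }],
    },
    CHILD_DIGEST: {
        "schemaVersion": 2,
        "mediaType": IMAGE_TYPE,
        "config": {"digest": "sha256:" + "3" * 64, "size": 7000},
        "layers": [
            {"digest": "sha256:" + "4" * 64, "size": 3_000_000},
            {"digest": "sha256:" + "5" * 64, "size": 52_000_000},
            {"digest": "sha256:" + "6" * 64, "size": 1_500},
        ],
    },
}


def is_index(manifest):
    """True for a manifest that lists other manifests instead of layers."""
    return manifest.get("mediaType") in INDEX_MEDIA_TYPES or "manifests" in manifest


def layer_bytes(manifest):
    """Sum of compressed layer sizes; an index has no layers, so this is 0."""
    return sum(layer["size"] for layer in manifest.get("layers", []))


def resolve_images(digest, store, depth=0):
    """Follow an index down to image manifests and report each one's size.

    Returns a list of dicts with digest, platform and bytes; bytes is None
    when a referenced manifest is not in the store.
    """
    if depth > 4:
        raise ValueError("manifest nesting too deep")
    manifest = store.get(digest)
    if manifest is None:
        return [{"digest": digest, "platform": None, "bytes": None}]
    if not is_index(manifest):
        return [{"digest": digest, "platform": None, "bytes": layer_bytes(manifest)}]
    images = []
    for desc in manifest["manifests"]:
        plat = desc.get("platform") or {}
        label = "/".join(v for v in (plat.get("os"), plat.get("architecture")) if v)
        for image in resolve_images(desc["digest"], store, depth + 1):
            image["platform"] = image["platform"] or label or None
            images.append(image)
    return images


if __name__ == "__main__":
    print("layer sum on the tagged manifest:", layer_bytes(STORE[TAG_DIGEST]))
    for image in resolve_images(TAG_DIGEST, STORE):
        print(image["platform"], image["digest"][:19], image["bytes"])
```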
    • RE: Git Repository Monitor - Create build when a PR is created/updated

      Hi @brandon_owensby_2976 ,

      I'm not sure how easy it will be to replicate that UI and workflow of your current system. It sounds like you're doing some version of "Gitflow", where the "main" branch is "production-ready" and release-candidate builds are "chosen" from that.

      BuildMaster uses a different workflow. As you may know, the BuildMaster model uses a Release as a logical set of Builds, with the intent that a single Build within a release will make it to production (final stage). Here's the article that explains it a bit more clearly:
      https://docs.inedo.com/docs/buildmaster/modeling-your-applications/buildmaster-releases

      Jenkins (and Gitflow) in general does not model Releases in this manner. Instead, it only has "builds", and a build is either a feature branch or a main. And the main build is what eventually gets deployed using a separate job, after a release engineer "picks the build they want" from a list of "main" builds.

      The closest way to model this workflow in BuildMaster is to use release-less builds. In BuildMaster, the "Builds" listing will show the branch that is associated with the build, so you can easily see "main" and "branch" builds.

      However, this is working a bit against the grain; Releases are a superior workflow model and solve a lot of business problems that Gitflow and "picking from a list of main builds" causes: https://blog.inedo.com/lean-platforms/releases

      Here are some notes on our pattern for handling feature branches:
      https://docs.inedo.com/docs/buildmaster/builds-continuous-integration/buildmaster-ci-git-workflows/buildmaster-git-feature-branches

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: SCA page throws an exception for anonymous users

      Hi @pg_user_8607 ,

      Thanks for the bug report; this will be fixed via PG-3296 in the next maintenance release (scheduled next Friday). It was a problem in the redirect to the /log-in page, so of course if you log-in first, the error will not occur.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Unable to login with Active Directory with Proget 2026.1

      Hi @aristo_4359 ,

      We didn't make any changes to LDAP/AD in ProGet 2026; the issue mentioned in the post was more of a display/widget issue (from a UI library upgrade).

      Unfortunately we don't have enough to go on to help troubleshoot this nor do we have any other users who can reproduce this. In addition, API keys and Active Directory are separate authentication methods altogether.

      There were also no changes to API keys... so it's very possible this is something else altogether, such as a temporary AD lock out or user configuration issue. We see that quite a lot.

      Otherwise, since it's only impacting you and we can't reproduce it, you'll have to simplify the reproduction case to isolate exactly what's happening.

      I would try upgrading again, and then going to Admin > Security and using the AD test tool. For the API key issue, I would use a tool like Fiddler or Proxyman to capture HTTP traffic, so you can see exactly what requests are being issued and failing.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Git Repository Monitor - Create build when a PR is created/updated

      Hi @brandon_owensby_2976 ,

      Release Numbers in BuildMaster need to be numeric (e.g. 1, 1.2, or 1.2.3), so it's not possible to start a new release number with pr-*. The Release Name can be alphanumeric and does not need to be unique.

      When you create a repository monitor, you can select "Only monitor branch when a pull request is open"; this will effectively allow you to create builds when a pull request is created, since the branch will be ignored until a PR exists.

      However, the PR number is not automatically captured in the runtime state. In theory, you could query the GitHub API to find the PR by branch name if you really needed it.

      Also note that you may find it easier and more reliable to trigger from the GitHub side of things, using the BuildMaster API. That's typically what we see for these more advanced scenarios.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: PostgreSQL DB Location

      Hi @david-williams_3389 ,

      On Windows, the embedded database is stored under %ProgramData%\ProGet\Database; we don't support changing that path at this time.

      Is there a specific reason you'd want to relocate it? The database shouldn't be that big (gigabytes is uncommon) and does not grow that fast (unlike package/content).

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: PEP 700 conformance for PyPI feeds

      Hi @Ashley ,

      We're planning this Friday... though it may not make it. Hopefully!

      It's a bit more involved, since it involves calling the separate API instead of the simple API.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Composer Feed: InvalidPackageException (Missing required property: name) when caching zip artifact causes 404

      Hi @vdubrovskyi_1854 ,

      Thanks for the detailed reproduction information; I debugged/fixed this, and it will be in the next maintenance release of ProGet via PG-3290, scheduled for Friday of this week.

      As for the underlying issue, the problem was that there were two composer.json files in the zip file. ProGet was opening build/composer.json instead. I didn't test a work-around, but in theory you should be able to just download the zip file directly, delete build/composer.json from it, and upload it to ProGet.

      I also updated the error message to make something like this a little easier to track if it comes up again ("An unexpected error occurred: Error parsing "voku-simple_html_dom-716822e/build/composer.json" as a Composer manifest file (Missing required property: name).")

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Working with Secure Resources / Secure Credentials

      Hi @jimbobmcgee ,

      Very cool!

      We did not forget about this, just got a bit behind on feature requests (which this got classified on) with ProGet 2026 coming out.

      However, we've added this to our BuildMaster/Otter 2026 roadmap to review and incorporate. We plan to start on that relatively soon, and it may be something we can easily back-port to BuildMaster/Otter 2025.

      We'll update once we make progress on this :)

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: PEP 700 conformance for PyPI feeds

      Hi @Ashley ,

      Looking over the code that makes sense; the warehouse API is not used for the /simple/ty request, only the /simple/ty/0.0.0 type of request.

      We'll get this addressed via PG-3288 in the upcoming maintenance release

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: [Feature] ProGet: Set initial stage on builds scan

      Hi @Nils-Nilsson ,

      We've added this to our ProGet 2026 roadmap; there's an additive feature called "Build Pipelines" that just didn't make it in time for release, so this will fit nicely into that.

      FYI the main thing that this new pipeline offers is the ability to create multiple pipelines and assign them to different releases.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: After upgrading to 2026 https no longer works

      Hi @Valentijn ,

      I just checked and that's an expected message.

      Can you stop the ProGet service, then navigate to a commandline and run proget.exe run?

      That will give detailed console output; in there you may see some messages about HTTP bindings, such as this:

      The URL was configured to use HTTPS, but a certificate was not specified.
      info: Inedo.Web.BackgroundTaskQueueService[0]
            Background Task Queue is starting.
      warn: Microsoft.AspNetCore.Server.Kestrel[0]
            Overriding address(es) 'http://*:8624, https://*:8625'. Binding to endpoints defined via IConfiguration and/or UseKestrel() instead.
      info: Microsoft.Hosting.Lifetime[14]
            Now listening on: http://[::]:8624
      info: Microsoft.Hosting.Lifetime[14]
            Now listening on: http://[::]:8625
      

      Hopefully that will give us a clue.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: SBOM/RMetadata support for pypi feed type

      Hi @brodie-mclennan_5777,

      Thanks for the detailed information on this one; I was able to reproduce this and found two separate issues with build/feed package matching and OSS metadata caching.

      These impact multi-file PyPI packages (which are most). Anyway, this is fixed via PG-3284 and PG-3285 in the next maintenance release of ProGet 2026, scheduled for this Friday.

      Happy to get you a prerelease if you wanted to try it sooner.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: pgutil health fails after updating to proget 2026

      Hi @felfert ,

      The /health API endpoint changed in ProGet 2026 and it looks like we forgot to update the pgutil health command and docs.

      I just published a new pgutil that will work-around this issue now, and we'll also tweak ProGet's health API a bit to require fewer changes to pgutil via PG-3283.

      $ pgutil health --source=https://proget.inedo.com
      Checking https://proget.inedo.com/...all OK
      Version: 26.0.1.14 (26.0.1.14)
      
      Database: OK
      License:  OK
      Service:  OK
      

      Alana

      posted in Support
      atripp
      atripp
    • RE: Add Documentation for Chocolatey Proxy feeds

      Hi @imm0rtalsupp0rt ,

      Great, thanks! I'll share the pull request with our technical writing members; they handle the HOWTO type articles and may want to add more screenshots, etc. But that intro paragraph will really help them.

      Changing the texts is trivial; it'll be implemented via PG-3278 in the next maintenance release of ProGet 2026. FYI I also changed description too:

      Chocolatey Community Packages

      Cache and filter packages from the Chocolatey Community Repository (CCR).

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: [BUG] ProGet 2026 no longer able to find Active Directory Users/Groups when configuring Task/Permissions

      Hi @Nils-Nilsson ,

      FYI this is available in inedo/proget:26.0.1-ci.7 should you want to give it a shot!

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: After upgrading to 2026 https no longer works

      Hi @Valentijn ,

      This looks like some consequence of a platform change (we went from .NET8 to .NET10), but it's hard to say.... I wonder if there's some kind of issue with the mixed bindings (i.e. using port sharing for https, but not for http).

      What does your <WebServer> node look like in your configuration file?
      https://docs.inedo.com/docs/installation/configuration-files

      Can you try it without port sharing? So basically just http://*:8624, https://*:443

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: ProGet Package Download Statistics IP when behind Load Balancer

      Hi @Ashley ,

      It sounds like you're definitely looking in the right place / setting the right configuration. X-Forwarded-For should do the trick, but something as silly as a typo (which I've done several times) will make it not work.

      Here are the settings we recommend:

         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header X-Forwarded-Port $server_port;
      

      And as an FYI, here is the code we use to get the ClientIP address.

      public static string GetClientIPAddress(this AhHttpRequest request)
      {
          ArgumentNullException.ThrowIfNull(request);
      
          var forwardedFor = request.Headers["X-Forwarded-For"];
          if (!string.IsNullOrWhiteSpace(forwardedFor))
          {
              var ips = forwardedFor.Split(',');
              var clientIp = ips.FirstOrDefault();
              if (!string.IsNullOrWhiteSpace(clientIp))
                  return stripIpv4OverIpv6(clientIp.Trim().Truncate(50)!);
          }
      
          return stripIpv4OverIpv6((request.NativeRequest?.HttpContext?.Connection?.RemoteIpAddress?.ToString() ?? request.UserHostAddress).Truncate(50)!);
      
          static string stripIpv4OverIpv6(string ip)
          {
              if (ip.StartsWith("::ffff:") && ip.Contains('.'))
                  return ip["::ffff:".Length..];
              return ip;
          }
      }
      

      Although I think the stripIpv4OverIpv6 bits may be relatively new.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
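How the header built by the nginx settings in the post above interacts with first-entry selection, as an added Python example (not Inedo's code): `first_entry_client_ip` is a Python rendering of the selection logic in the posted C#, while `nginx_proxy_add_x_forwarded_for`, `rightmost_untrusted_client_ip`, the addresses and the trusted range are constructed for illustration.

```python
import ipaddress


def nginx_proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of nginx's $proxy_add_x_forwarded_for variable: the incoming
    header with $remote_addr appended, or just $remote_addr if absent."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def strip_ipv4_over_ipv6(ip):
    """Turn '::ffff:10.0.0.5' into '10.0.0.5'; leave other values alone."""
    if ip.startswith("::ffff:") and "." in ip:
        return ip[len("::ffff:"):]
    return ip


def first_entry_client_ip(xff, peer_addr):
    """First X-Forwarded-For entry if present, else the socket peer."""
    if xff and xff.strip():
        first = xff.split(",")[0].strip()
        if first:
            return strip_ipv4_over_ipv6(first[:50])
    return strip_ipv4_over_ipv6(peer_addr[:50])


def rightmost_untrusted_client_ip(xff, peer_addr, trusted_proxies):
    """Walk the chain from the socket peer backwards and return the first
    address that is not one of our own proxies (hypothetical alternative).

    Stops at an unparsable entry and returns the last valid address seen.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = [p.strip() for p in (xff or "").split(",") if p.strip()] + [peer_addr]
    last_valid = None
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(strip_ipv4_over_ipv6(hop))
        except ValueError:
            break
        last_valid = str(ip)
        if not any(ip in net for net in nets):
            return last_valid
    return last_valid


# Constructed topology: client -> nginx (10.0.0.5) -> ProGet.
TRUSTED = ["10.0.0.0/8"]
NGINX = "::ffff:10.0.0.5"  # how the application sees nginx's socket address
CLIENT = "203.0.113.7"     # documentation-range address

# Case 1: request arrives at nginx with no X-Forwarded-For header.
XFF_PLAIN = nginx_proxy_add_x_forwarded_for(None, CLIENT)
# Case 2: request already carries X-Forwarded-For when it reaches nginx.
XFF_PRESET = nginx_proxy_add_x_forwarded_for("198.51.100.99", CLIENT)
# Case 3: a load balancer (10.0.0.9) in front of nginx adds no header,
# so nginx only ever sees, and appends, the balancer's own address.
XFF_LB_ONLY = nginx_proxy_add_x_forwarded_for(None, "10.0.0.9")

if __name__ == "__main__":
    for name, xff in [("plain", XFF_PLAIN), ("preset", XFF_PRESET), ("lb-only", XFF_LB_ONLY)]:
        print(name, repr(xff),
              first_entry_client_ip(xff, NGINX),
              rightmost_untrusted_client_ip(xff, NGINX, TRUSTED))
```

Case 3 is the one that shows up as "every download comes from the load balancer": the fix there is on the balancer, which has to pass the client address on.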
    • RE: Direct upgrade to BuildMaster 6.2 is not supported at this time.

      Hi @ybaskar-temp_3339 ,

      The "root cause" is relatively easy to answer. The error was occurring on the 10. Block 6.2 Upgrades.sql script, which is simply this:

      IF OBJECT_ID('ActionGroups') IS NOT NULL EXEC sp_executesql N'
         IF NOT EXISTS(SELECT * FROM [Configuration] WHERE [Key_Name] = ''Legacy.NoLegacyFeaturesDetected'' AND [Value_Text] = ''True'')
         RAISERROR(''Cannot upgrade to BuildMaster 6.2 unless "Legacy.NoLegacyFeaturesDetected" in Advanced Settings is "True". This can be done by running the legacy features checker.'', 16, 1)
      '
      

      Basically it will simply crash unless Legacy.NoLegacyFeaturesDetected is not set to "True". The "Legacy Feature detector" should have set that to "True" if there were no legacy features detected... but perhaps it didn't?

      Since you were able to bypass it, I wouldn't worry about it. In the "worst case", legacy data would have been purged during the delete.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: NPM Incorrect Handling of min-release-age

      Hi @Ashley,

      Thanks for testing it! That was the intended behavior here - to count "days" not "24H blocks". That's a more intuitive pattern in general, as people think "the next day" or "a few days later" and don't really consider the time.

      That does lead to some strange behaviors like 2026-05-03 23:59:59 to 2026-05-04 00:00:01 being considered "1 day". However, in this use case, I guess we're talking just a difference of hours which isn't going to make a package any "safer" realistically.

      Thanks,
      Alana

      PS good catch on typo, I adjusted it on 2026 branch.

      posted in Support
      atripp
      atripp
    • RE: Noncompliant packages can still be downloaded

      Hi @daniel-mccoy_4395,

      Based on what you've described, it sounds like ProGet is indeed blocking downloads; this is visible in the ProGet Web UI with a "Download Blocked" indicator. If you try accessing the download URL, you will in fact get a 400 error.

      However, NuGet/Visual Studio aggressively cache packages - which means they aren't even attempting to download them. If you clear all the NuGet caches (system, user, http, project, etc), then it should attempt to download them again.

      That said, as of ProGet 2026, we no longer recommend downloads. This is one reason, but there are more reasons.

      Here's a work-in-progress article that discusses our new guidance:
      https://guides.inedo.com/vulnerability-management/containment/

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: See all versions of a package regardless of feed and see feed status on that view for each version

      Hi @carl-westman_8110 ,

      Not really... Feeds and Views are a bit different concept and we don't really encourage using the presence in a particular feed as a means to identify whether something has been released. Instead, we'd encourage using Pre-Release Packages & Repackaging, which make it obvious from simply looking at the version (i.e. 1.1.1-rc.7 indicates not yet released).

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: ProGet Migration

      Hi @certificatemanager_4002 ,

      ProGet is licensed per instance (i.e. installation), you will need a separate license if you wish to maintain a production and non-production instances of ProGet. See the official Licenses for Non-production / Testing Environments for more details.

      For things like a one-off, cloud-migration, using a Trial license (which you can get from My.Inedo.com) is fine.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: ProGet Migration

      Hi @certificatemanager_4002 ,

      Just to clarify the support:

      We are planning to upgrade to ProGet 25.x, as we understand that Microsoft SQL Server support will be not supported by the end of the year.

      We are currently planning to discontinue SQL Server support in ProGet 2027. It will continue to work in ProGet 2025 and ProGet 2026 regardless of when you use the software.

      To answer your questions...

      1. You can continue using SQL Server in ProGet 2025
      2. Please see Configuring High Availability & Load Balancing, which details the implementation
      3. ProGet for Linux is supported in a Docker environment; many users will deploy using Kubernetes, but we do not provide charts or templates... only a Docker Installation Guide that you will need to "translate" into pods, etc
      4. ProGet can handle that traffic, though a lot of factors will determine how much server resources are required; I would start with a two-node cluster and evaluate/consider adding more if needed

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: NPM Incorrect Handling of min-release-age

      Hi @Ashley ,

      Good news -- this will be fixed via PG-3265 in the upcoming maintenance release (next Friday).

      In case you're curious, the bug was that we were comparing packagePublished.AddDays(recentlyPublishedDays.Value) > DateTime.UtcNow.Date, which includes the time-portion on the left side, but not the right-side (so 12:00A).

      Just changing to packagePublished.Date.AddDays(recentlyPublishedDays.Value) > DateTime.UtcNow.Date does the trick, and it works for both Aged and Recently Published.

      cheers,
      Alana

      posted in Support
      atripp
      atripp
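The two comparisons quoted in the post above, and the day-counting behaviour from the follow-up reply in the same thread, as an added Python example (not Inedo's code; the original is C#). The timestamps are constructed, and `utc_date` stands in for .NET's `DateTime.Date`.

```python
from datetime import datetime, timedelta, timezone


def utc_date(dt):
    """Same calendar day at 00:00:00, like .NET's DateTime.Date."""
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)


def recently_published_before_fix(published, days, now):
    # packagePublished.AddDays(days) > DateTime.UtcNow.Date
    # Left side keeps the time of day, right side is truncated to midnight.
    return published + timedelta(days=days) > utc_date(now)


def recently_published_after_fix(published, days, now):
    # packagePublished.Date.AddDays(days) > DateTime.UtcNow.Date
    # Both sides are truncated, so the rule counts calendar days.
    return utc_date(published) + timedelta(days=days) > utc_date(now)


def first_allowed(check, published, days, step=timedelta(hours=1), limit_days=30):
    """First instant (stepping from the publish time) at which the package
    is no longer considered recently published, or None within the limit."""
    now = published
    end = published + timedelta(days=limit_days)
    while now <= end:
        if not check(published, days, now):
            return now
        now += step
    return None


def blocked_dates(check, published, days, horizon=30):
    """UTC calendar dates on which the rule still treats the package as
    recently published. The right-hand side only depends on the date, so
    one probe per day is enough."""
    day0 = utc_date(published)
    probes = (day0 + timedelta(days=i) for i in range(horizon))
    return [p.date() for p in probes if check(published, days, p)]


# Constructed sample: published mid-afternoon UTC, 7-day rule.
PUBLISHED = datetime(2026, 5, 1, 15, 0, tzinfo=timezone.utc)
DAYS = 7

# Edge case from the follow-up reply: two seconds apart across midnight.
EDGE_PUBLISHED = datetime(2026, 5, 3, 23, 59, 59, tzinfo=timezone.utc)
EDGE_NOW = datetime(2026, 5, 4, 0, 0, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, check in [("before fix", recently_published_before_fix),
                        ("after fix", recently_published_after_fix)]:
        print(name,
              "| first allowed:", first_allowed(check, PUBLISHED, DAYS),
              "| blocked dates:", len(blocked_dates(check, PUBLISHED, DAYS)),
              "| edge still recent:", check(EDGE_PUBLISHED, 1, EDGE_NOW))
```

With a publish time that is not exactly midnight, the pre-fix comparison keeps the package in the "recently published" window for one extra calendar day; the fixed comparison releases it at the start of day 7, which is also why the two-second edge case counts as "1 day".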
    • RE: ProGet: Feed Signing Key

      Hi @stno_9153 ,

      Thanks for clarifying; that's not possible with ProGet. A Debian feed is not designed to be a "read-only mirror", but instead a repository where you can add/filter/update packages. So, that's why ProGet must generate/sign the (In)Release files.

      I'm afraid we have no plans to support a read-only mirror use case in the foreseeable future.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: ProGet: Feed Signing Key

      Hi @stno_9153 ,

      (In)Release files are signed using a private/public key scheme, so unless you were somehow able to get a copy of Ubuntu's private signing keys and upload it to ProGet... it is not possible to sign those files using the original Ubuntu Key.

      Cheers,
      Alana

      posted in Support
      atripp
      atripp
    • RE: NPM Incorrect Handling of min-release-age

      Thanks @Ashley, that's exactly what I was thinking.

      I haven't tried reproducing this yet, but I've got all the steps to now! And at that point, I'll have a debugger and all the code in front of me, so it should be an easy fix. It's probably related to UTC/local time, I don't think we've ever tested it "by the hour" like that :)

      Anyway stay tuned we'll get it fixed pretty soon.

      posted in Support
      atripp
      atripp
    • RE: ProGet: Debian feed minor performance problem

      Hi @stno_9153 ,

      Oh yeah, that'll make a HUGE difference for public repositories. Otherwise it'll probably not work at all :)

      Anyway glad it's working now

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: NPM Incorrect Handling of min-release-age

      Hi @Ashley ,

      To override the publish date, first Pull the package to ProGet so that it's no longer a cached package. Once you do that, you will see a "Set Package Status" option (you may need to refresh page). On that modal dialog, select "Override Metadata..." and enter the date.

      That's what we do to test these rules; note you can delete the package and re-download it to cache it again.

      Let me know if you spot anything off, it seemed to work for me, but I might be looking at the wrong things.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: ProGet: Debian feed minor performance problem

      Hi @stno_9153,

      If the error happened during an apt update of hundreds of packages, then it probably was a case of server overload. Make sure to set a lower concurrent rate, which you can do under Admin > HTTPS Settings > edit. 100 is the recommendation, and will be the default in ProGet 2026.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Deploying a Docker Image via Kubernetes with a yaml file

      Hi @brandon_owensby_2976,

      Argo CD is free / open source and no license is required. You'd be better off learning that than trying to do Kubernetes another way. FYI there's also Kargo, which is a "wrapper" that sits on top of ArgoCD and has some kind of promotion workflow outside of typical GitOps (pull requests I guess?).

      To be honest, I really don't know if the Kubernetes extension even works; it was originally intended for Otter, to create a "Desired state" and offer an alternative to Git-based approaches. But there's just no demand and GitOps is just the Kubernetes standard. We haven't tested it in years.

      We do not plan on migrating it to the next SDK version. It's just a light wrapper around kubectl, which has probably changed over the years. If you really wanna mess with Kubernetes outside of Argo CD I would just run kubectl apply/replace directly.

      Good luck!!

      posted in Support
      atripp
      atripp
    • RE: NPM Incorrect Handling of min-release-age

      Hi @ashleycanham ,

      The min-release-age setting in npm and ProGet's "Recently published" are unrelated. One controls how the client (npm) behaves, the other controls how the server (ProGet) behaves.

      I'm not an expert on min-release-age on the client (npm) side, but I believe it changes the way the dependency resolution algorithm works. In turn, that means npm will request different packages from the server. That's why changing that value will yield different server results.

      On the server (ProGet) side, ProGet effectively blocks package downloads by looking at the publish date (which you can see on the history page, and even set/change on the Set Package Status Page) against the current server date time. This is obviously indicated by "Download Blocked" in your screenshot, but more precisely it has to do with "package compliance".

      There's a lot involved with that, but if you Reanalyze the Package, you can get detailed logs of what's making the package Noncompliant. Specifically, in those logs, you should see something like this:

      Policy "{policy.Name}" considers recently published ({recentlyPublishedDays} days) {rule}
      Publish date of {package.Published.Value.Date:d} is considered recently published.
      

      That date will be UTC-based (the UI typically displays local time, i.e. BST), but you'll get an idea of how it works.

      Anyway, that's where I would start. Considering timezones, rounding, or partial days, you may find it simply easiest to set min-release-age=8 so that npm isn't requesting a package that's 6.99999 days old, or something weird like that.

      One last thing worth mentioning, we are no longer recommending blocking noncompliant packages in most cases. Instead, using pgutil builds scan can be used to "Break builds" and give a much clearer output, so that developers don't have to chase down npm error logs.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: ProGet: Debian feed minor performance problem

      Hi @stno_9153 ,

      If you're getting an error downloading a .deb file, it wouldn't be related to the feed/connector indexes (i.e. those In/Release files).

      When you request a .deb file, ProGet will first check if the file is stored (cached) locally. If so, then it will send the file. Otherwise, it will "forward" the request to the connector and stream the file to you while saving on disk, so that it's cached for next time.

      A timeout typically is related to network or hardware errors. The first thing I would work on is reproducing and isolating where the error is occurring. You can delete cached packages from the feed using the UI, and also download files that way.

      I would just use curl to test downloads.

      Let us know what you find!

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: Alpine/APK-based container images show no vulnerabilities despite CVEs existing in PGVD

      Hi @kien-buit_2449 ,

      Thanks for sharing the details. I was able to confirm this is some kind of bug (data problem?) in ProGet. It appears to be in the datafile that's downloaded/imported into ProGet, though I'm not sure.

      Stay tuned, and we'll let you know once a fix is ready.

      Thanks,
      Alana

      posted in Support
      atripp
      atripp
    • RE: SBOM Dependency Tree is lost when importing and exporting

      Hi @christian-georg_5533 ,

      Thanks for sharing the additional context, that makes sense.

      You are correct -- ProGet is a package repository with SCA as a value-added feature. Most of our users create SBOM because they are required to due to regulations, but don't find much use outside of that :)

      Of course we're always interested in expanding features but we aren't really striving for the "central SBOM Repository" use case now. We'll see if there's more demand down the line, feel free to share more information (other products, tools) since it's always good to think about future versions of the product!

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: SBOM Dependency Tree is lost when importing and exporting

      Hi @christian-georg_5533 ,

      Thanks for sharing this; this behavior is expected.

      ProGet is not a "SBOM Document Repository" (e.g. like Dependency Track), but instead models Projects & Builds for Software Composition Analysis (SCA). A Build is comprised of Packages (which should be stored in Feeds in ProGet), and "importing an SBOM document" is one way to create a build/package dataset.

      Note that a build in ProGet will often be comprised of multiple SBOM documents, especially for web applications where like npm + .NET is used.

      ProGet can "export" a build as an SBOM, and some of the information from the imported document will be used. However, our SCA model does not model a dependency tree, so it's not possible for this kind of information to be output or preserved.

      That could be something we consider as a feature request, but we'd need to start with the "SCA model" (i.e. Builds + Packages) first, and try to understand why modeling a dependency tree relationship is beneficial.

      The main idea I can think of is to "reduce noise from vulnerabilities", but that's a core feature of ProGet 2026 (upcoming!) so I'd check that out first, and see if it makes sense still.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Increased Incorrect Classification of Security Vulnerabilities

      Hi @geraldizo_0690 ,

      I think the best way for us to proceed with this investigation is to get a copy of your database backup. And as a bonus, we'll validate your database to make sure the upgrade to ProGet 2026 and the new vulnerability management features work nicely :)

      I created a secure public link for you, which you can access in this ticket that I've created for you: https://my.inedo.com/tickets/view?ticketNumber=EDO-12790

      Just let us know once you've uploaded the BAK file, and we'll take a look and figure it out from there.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Unhandled exception in execution #xxx: 42702: column reference "DatabasePath_Text" is ambiguous

      Hi @cole-brand_2889 ,

      In general, that error message means some kind of code problem. Like, using "DatabasePathText" on a multi-table join without specifying which table/alias it belongs to.

      However given the queries (see below code), I don't see the problem. I haven't seen the error on PostgreSQL... so that must mean it's Aurora Postgres specific?

      According to ChatGPT, "Aurora PostgreSQL is stricter about recordset functions and want a relation alias before the column definition list.", but who knows if that's true. About the only way to test this theory is to modify the function code in your database. I've pasted it below, and you should be able to just run that to "edit" the code.

      It'll get updated during any normal upgrade/downgrade, so no real worry.

      The first change suggested was to add a BPT here:

          WITH BlobPackages_Table AS (
              SELECT * FROM jsonb_to_recordset("@BlobPackages_Table") AS BPT("DatabasePath_Text" VARCHAR(200), "PackageVersion_Id" INT)
          ),
      

      I don't see how that could work, but who knows. Another suggested change was this:

          WITH BlobPackages_Table AS (
              SELECT * FROM jsonb_to_recordset(COALESCE("@BlobPackages_Table", '[]'::jsonb)) AS BPT("DatabasePath_Text" VARCHAR(200), "PackageVersion_Id" INT)
          ),
      

      Although, I also don't believe that would work, since the @BlobPackages_Table would not be null. But again who knows.

      Anyway... that's where I would start. It might be something else altogether, but I can't see it and I guess my ChatGPT prompt didn't spot it either.

          CREATE OR REPLACE PROCEDURE "DockerBlobs_RecordScanData"
          (
              "@DockerBlob_Id" INT,
              "@BlobInfo_Configuration" XML,
              "@BlobPackages_Table" JSONB
          )
          LANGUAGE plpgsql
          AS $$
          BEGIN

              IF "@BlobInfo_Configuration" IS NULL THEN
                  DELETE FROM "DockerBlobInfos" WHERE "DockerBlob_Id" = "@DockerBlob_Id";
              ELSE
                  INSERT INTO "DockerBlobInfos" ("DockerBlob_Id", "BlobInfo_Configuration")
                       VALUES ("@DockerBlob_Id", "@BlobInfo_Configuration")
                  ON CONFLICT DO
                   UPDATE SET "BlobInfo_Configuration" = "@BlobInfo_Configuration"
                        WHERE "DockerBlob_Id" = "@DockerBlob_Id";
              END IF;

              UPDATE "DockerBlobs"
                 SET "LastScan_Date" = CURRENT_TIMESTAMP
               WHERE "DockerBlob_Id" = "@DockerBlob_Id";

              WITH BlobPackages_Table AS (
                  SELECT * FROM jsonb_to_recordset("@BlobPackages_Table") AS ("DatabasePath_Text" VARCHAR(200), "PackageVersion_Id" INT)
              ),
              packagesToRemove AS (
                  SELECT *
                    FROM "DockerBlobPackages" DBP
                    LEFT JOIN BlobPackages_Table BPT
                           ON BPT."DatabasePath_Text" = DBP."DatabasePath_Text"
                          AND BPT."PackageVersion_Id" = DBP."PackageVersion_Id"
                   WHERE DBP."DockerBlob_Id" = "@DockerBlob_Id"
                     AND BPT."PackageVersion_Id" IS NULL
              ),
              deletes AS  (
                  DELETE FROM "DockerBlobPackages" DBP
                        USING packagesToRemove PTR
                        WHERE DBP."DockerBlob_Id" = "@DockerBlob_Id"
                          AND DBP."DatabasePath_Text" = PTR."DatabasePath_Text"
                          AND DBP."PackageVersion_Id" = PTR."PackageVersion_Id"
              ),
              newBlobPackages AS (
                  SELECT BPT.*
                    FROM BlobPackages_Table BPT
                         LEFT JOIN "DockerBlobPackages" DBP
                                ON DBP."DockerBlob_Id" = "@DockerBlob_Id"
                               AND BPT."DatabasePath_Text" = DBP."DatabasePath_Text"
                               AND BPT."PackageVersion_Id" = DBP."PackageVersion_Id"
                   WHERE DBP."PackageVersion_Id" IS NULL
              )
              INSERT INTO "DockerBlobPackages"
                   SELECT "@DockerBlob_Id",
                          "DatabasePath_Text",
                          "PackageVersion_Id"
                     FROM newBlobPackages BPT;

          END $$;
      

      // also I do realize the json input is not a great way to handle this, but it's how we needed to port a few things from SQL Server to maintain parity in behavior

      Let us know if you find anything! Thanks, Alana

      posted in Support
      atripp
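
Added example, not part of the original post and not Inedo's code: a minimal PostgreSQL reproduction of how SQLSTATE 42702 arises when a CTE built with SELECT * over a join is later referenced by column name. The packagesToRemove CTE in the procedure above has the same shape (SELECT * over a join, later read as PTR."DatabasePath_Text"). The table, column and CTE names below are constructed for illustration.

```sql
-- Constructed schema and data; names are illustrative, not ProGet's tables.
CREATE TEMP TABLE stored_pkgs (blob_id INT, path_text VARCHAR(200), version_id INT);
INSERT INTO stored_pkgs VALUES (1, '/lib/a', 10), (1, '/lib/b', 20);

-- 1) Rejected with SQLSTATE 42702. "SELECT *" over the join gives the stale
--    CTE two columns named path_text (s.path_text and i.path_text), so the
--    later reference stale.path_text cannot be resolved to one of them.
WITH incoming AS (
    SELECT *
      FROM jsonb_to_recordset('[{"path_text": "/lib/a", "version_id": 10}]'::jsonb)
           AS i(path_text VARCHAR(200), version_id INT)
),
stale AS (
    SELECT *
      FROM stored_pkgs s
      LEFT JOIN incoming i
             ON i.path_text = s.path_text
            AND i.version_id = s.version_id
     WHERE s.blob_id = 1
       AND i.version_id IS NULL
)
DELETE FROM stored_pkgs d
      USING stale
      WHERE d.blob_id = 1
        AND d.path_text = stale.path_text
        AND d.version_id = stale.version_id;

-- 2) Accepted. Projecting only the stored table's columns (s.*) leaves one
--    column per name, so the same DELETE resolves every reference and
--    removes the stored row that is missing from the incoming JSON.
WITH incoming AS (
    SELECT *
      FROM jsonb_to_recordset('[{"path_text": "/lib/a", "version_id": 10}]'::jsonb)
           AS i(path_text VARCHAR(200), version_id INT)
),
stale AS (
    SELECT s.*
      FROM stored_pkgs s
      LEFT JOIN incoming i
             ON i.path_text = s.path_text
            AND i.version_id = s.version_id
     WHERE s.blob_id = 1
       AND i.version_id IS NULL
)
DELETE FROM stored_pkgs d
      USING stale
      WHERE d.blob_id = 1
        AND d.path_text = stale.path_text
        AND d.version_id = stale.version_id
  RETURNING d.path_text, d.version_id;
```

Run the two statements separately (or in psql without ON_ERROR_STOP), since the first one is expected to fail.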
    • RE: Deploying a Docker Image via Kubernetes with a yaml file

      Hi @brandon_owensby_2976,

      I'm afraid we don't have a lot of great documentation / information on how to deploy Kubernetes using BuildMaster. The existing extension is quite old and reflects a pre-Helm approach where Kubernetes resources were deployed directly via raw manifests.

      These days, Helm charts are the standard way to package Kubernetes applications. A chart contains templated manifests along with default configuration (values.yaml) that can be overridden per environment.

      Once you have a chart, you typically deploy it with a command like:

          helm upgrade --install myapp corp/app -f values.yaml
      

      Additional overrides (like your override.yaml) can be layered in as needed. In theory, that's where a BuildMaster configuration file would come in, and BuildMaster would also run the upgrade commands.

      However... Helm isn't really run outside of development environments. Instead, most teams use a GitOps-based tool (i.e. Argo CD or Flux), which in turn use Helm to continuously "sync" whatever's in Git with what's running in the cluster.

      The idea is that the "deployment state" is maintained in Git and doesn't need to be triggered from an external release system. In other words, a production "deployment" is done by issuing a commit.

      Because of this, pipeline-driven deployment tools like BuildMaster just aren't popular for Kubernetes workflows. We've seen competitive tools try, but they get a lot of pushback from the end-users (i.e. Kubernetes engineers) and as a result don't see much adoption.

      In my opinion, this is like 7 layers of unnecessary complexity (let alone error-prone) and a basic Docker deployment covers like 99% of use cases... but that's not where the market is.

      Hope that helps clarify things a bit, let us know what you find.

      Cheers,

      Alana

      posted in Support
      atripp
    • RE: Not able to delete published docker images

      Hi @parthu-reddy ,

      This does not appear to be a "fat manifest". Two other things are coming to mind.

      First, are these referenced in any helm charts? If so, they won't get removed unless you delete the helm chart first.

      Second, how about trying a separate policy, "Delete untagged manifests"? That should clear out these images.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Amazon.S3.AmazonS3Exception: Please reduce your request rate.

      Hi @cole-brand_2889 ,

      Wow, I didn't realize that S3 rate-limited like that!! That's good to know.

      Unless this is something that could be configured as an advanced SDK switch in the S3FileSystem, then I don't think there's much that could/should be done in the ProGet or extension code.

      After searching the error (and seeing this very post on the first page of Google 😂), this just seems to be endemic with S3; there's no published rate limit, and even in AWS official blog article the only solutions seem to be "follow the error message and reduce your request rate".

      There's probably something you can do on the load-balancer side of things... reducing concurrent requests, etc.

      Let us know what you find!

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet Connector Filters Performance

      Hi @davidroberts63 ,

      While connector filters were never really designed to replace the "approved packages" workflow, we've seen many users do exactly that over the years, yielding hundreds of entries.

      It's not exactly a use case we recommend, as one of the big benefits of the approved packages flow is to prevent "instinctively upgrading dependencies" resulting in regressions. But, if you're already effectively doing that through automation, then I suppose you already know the risks :)

      From a performance standpoint, it shouldn't make a notable impact. Those have been optimized for quite some time now.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Incorrect published date handling breaks min-release-age for npm feeds

      Hi @aleksander-szczepanek_3253 ,

      If you navigate to Admin > Advanced Settings and check "Use Connector Publish Date", then this will behave as you expect. Note that you will need to delete already-cached packages.

      This will be default behavior in ProGet 2026+

      Cheers,
      Alana

      posted in Support
      atripp