BREAKING: Updated color tokens in @backstage/ui

UI color tokens have been updated to align with the new neutral surface-based design system, and the -tint tokens have been removed.

More information can be found in the BUI Changelog.

BREAKING: Redirect validation in the URL reader

coreServices.urlReader now validates that redirect chains are subject to the allow list in backend.reading.allow of your app config. If you were relying on redirects that pointed to URLs that were not allowlisted, you will now have to add those to your config as well.

To support this, the FetchUrlReader class no longer has a public constructor, but instead has a fromConfig static factory method.

BREAKING: Better AWS S3 auth handling in techdocs

Techdocs now knows how to properly use integrations.awsS3 config to authenticate with AWS S3. Since this affects the priority order of which auth setting is being used, it’s technically a breaking change.

The new priority is:

1. aws.accounts
2. techdocs.publisher.awsS3.credentials
3. integrations.awsS3
4. Default credential chain

Deprecation and upcoming restrictions of blueprints for app customization in @backstage/frontend-plugin-api

There were several blueprints in @backstage/frontend-plugin-api that were intended only for use in customization of the central app. For example SignInPageBlueprint that replaces the sign-in page, or NavContentBlueprint that replaces the sidebar content. The following blueprints have all been deprecated and moved to a new @backstage/plugin-app-react package:

• IconBundleBlueprint
• NavContentBlueprint
• RouterBlueprint
• SignInPageBlueprint
• SwappableComponentBlueprint
• ThemeBlueprint
• TranslationBlueprint

These blueprints are also being restricted from use outside of the app plugin. This means that you have to either use an app plugin override or a module with pluginId set to app. These currently trigger deprecation warnings, but will instead be rejected in a future release.

Deprecations and upcoming restrictions for API factories in new frontend system

Similar to the above change, restrictions are being introduced that limit the ability for plugins to override both core Utility APIs and API factories from other plugins. Plugins will be restricted from installing factory overrides for Utility APIs that belong to other plugins. This restriction also applies to the core APIs provided by the app plugin. These overrides now instead need to be made using a plugin override or module.

Just like the blueprint changes, this release will only trigger deprecation warnings, with the change taking effect in a future release.

Backend action filtering support

ActionsService in @backstage/backend-defaults now supports action filtering based on configuration to enable control over which actions are exposed to consumers like the MCP backend.

At the time of writing, this is primarily documented in the relevant configuration schema.

scaffolder now supports configuration for workflowAccess level for creating Github repositories

Workflow files can now configure the level of access to Github Actions for workflows outside of a repository.

This is useful when creating repositories for GitHub Actions to manage access to the workflows for github:repo:create.

   - action: github:repo:create
      id: create-repo
      input:
        repoUrl: github.com?owner=owner&repo=repo
        visibility: private
+       workflowAccess: organization

Github Actions access-level documentation can be found here.

Contributed by @fearphage in #32237

Additional Kafka Events streaming settings

The Kafka event module now supports fromBeginning offsets and autoCommit.

Contributed by @imod in #31410

Improvements to the home plugin UI

Widget configuration changes are now only saved when the Save button is explicitly clicked. A new Cancel button has been added to enable users to discard unsaved changes

Contributed by @kmikko in #31198

Improved performance for GithubOrgEntityProvider

GithubOrgEntityProvider membership event handling and edit team has been improved. The provider now fetches only the specific user's teams instead of all organization users when processing membership events, and uses addEntitiesOperation instead of replaceEntitiesOperation to avoid unnecessary entity deletions.

Contributed by @angeliski in #32184

Link component now uses React Router’s navigation system

Previously the Link component would cause hard page refreshes for internal routes. With this update, the component now properly uses React Router’s navigation instead of full page reloads.

Another release is out the door 🎉 Big thanks to the 40 folks who contributed and helped ship 103 PRs. Couldn't have done it without you 🙌 @adamdmharvey, @angeliski, @aramissennyeydd, @awanlin, @b718, @benjdlambert, @byan1197, @cdedreuille, @ciiay, @deepthi-28, @drodil, @entee28, @fearphage, @freben, @GabDug, @gaelgoth, @HarshalJain-cs, @InsidersByte, @invalid-email-address, @jabrks, @Jamsre, @jasonouellet, @jonkoops, @karpfslp, @kmikko, @martina-equinix, @meganide, @meleu, @milliehartnt123, @Naycon, @Parsifal-M, @rmartine-ias, @Rugvip, @Sanchit2662, @secustor, @sennyeya, @theZMC, @vinzscam, @Vivek1819, @zcmander.

Security Fixes

This release contains security fixes for Software Templates and reading external content.

Upgrade path

We recommend that you keep your Backstage project up to date with this latest release. For more guidance on how to upgrade, check out the documentation for keeping Backstage updated.

Links and References

Below you can find a list of links and references to help you learn about and start using this new release.

• Backstage official website, documentation, and getting started guide
• GitHub repository
• Backstage's versioning and support policy
• Community Discord for discussions and support
• Changelog
• Backstage Demos, Blog, Roadmap and Plugins

Sign up for our newsletter if you want to be informed about what is happening in the world of Backstage.