Download: 3.8.2 | 3.8.1 | 3.8.0

Documentation: 3.8.2 | 3.8.1 | 3.8.0

Release highlights

Rebase on behalf of the uploader

Rebasing a change from the web UI preserves the uploader for trivial rebases.

This has the advantage that the rebaser is not taking over the change, which is important when the project is configured to ignore self-approvals of the uploader, as this allows the reviewer to approve and submit the change, after doing a rebase.

Rebase a chain of changes

Allow to atomically rebase a chain of changes.

If the chain is outdated, i.e., there’s a change that depends on an old revision of its parent, the result is the same as individually rebasing all outdated changes on top of their parent’s latest revision.

Browser Notifications (experimental)

Users can be notified about their attention set in browser. The notifications work only when Gerrit is open in one of the browser tabs. When users open Gerrit, they will be asked by a popup to allow desktop notifications on their browser to see them. If users deny notifications on all sites, there won’t be a popup. But they can change it in browser settings. The latency to get the notification is up to 5 minutes.

Automatic notifications are enabled by default, but users can turn them off in the Gerrit user preferences.

See the documentation for more details.

This feature can be enabled in gerrit.config by adding this configuration:

    enabled = UiFeature__push_notifications

Important notes

Schema and index changes

This release doesn’t contain schema changes.

The changes index version has been increased to version 82.

Online index schema upgrade from 3.7

By default, if you’re upgrading from 3.7, the index is automatically rebuilt upon Gerrit startup after the upgrade.

If you’re upgrading from 3.6 or an earlier version, you must use the Offline upgrade steps below.

Offline upgrade

  1. Download the new gerrit.war
  2. Stop Gerrit
  3. Ensure all installed plugins are compatible with the new API
  4. Run init
  java -jar gerrit.war init -d site_path --batch
  1. Reindex
  • If you are upgrading from a 3.7 version you don’t need to run reindex (see Online index schema upgrade from 3.7 above). If you still want to you will only need to run reindex of changes:

      java -jar gerrit.war reindex --index changes -d site_path
  • If you are upgrading from a 3.6 version, or an earlier version, you must run a reindex of all indexes:

     java -jar gerrit.war reindex -d site_path

See the reindex program for other options.

  1. Start Gerrit

Online upgrade with zero-downtime

Gerrit v3.8.x supports zero-downtime upgrade from Gerrit v3.7.2 or later when configured using a high-availability configuration, and the Git repositories are stored in a shared filesystem such as NFS or similar.

During the zero-downtime upgrade, Gerrit end-users would not notice any outage or service disruption. They will be able to perform any read/write Gerrit operation on the GUI or using any API.

The zero-downtime upgrade consists of the following steps:

  1. Have Gerrit servers running v3.7.2 or later, in high-availability configuration, healthy and able to handle the incoming traffic properly.
  2. Set gerrit.experimentalRollingUpgrade to true in gerrit.config on both Gerrit primaries.
  3. Set one of the Gerrit servers to unhealthy.
  4. Shutdown the Gerrit server, update gerrit.war and plugins to v3.8.x and start Gerrit again.
  5. Verify that the Gerrit server is working properly (e.g. run automated smoke tests) and then make it healthy again.
  6. Wait for the Gerrit server to start serving traffic normally.
  7. Repeat steps 3. to 6. for all the other Gerrit servers.
  8. Remove gerrit.experimentalRollingUpgrade from gerrit.config on both Gerrit primaries.


Downgrade to any Gerrit v3.7.x release is possible, but requires the following manual steps:

  1. Shutdown all migrated Gerrit v3.8.x servers
  2. Update the gerrit.war and plugins to the previous v3.7.x version
  3. Run offline change reindexing using the previous gerrit.war version
  java -jar gerrit.war init -d site_path --batch
  java -jar gerrit.war reindex --index changes -d site_path
  1. Startup Gerrit server

Native packaging

Update gerrit.reportBugUrl configuration

The issues of the Gerrit Code Review project have been migrated from Monorail into the new Gerrit Tracker, see announcement at:

If the gerrit.reportBugUrl setting on your Gerrit server is pointing to the Gerrit Monorail project, which is deprecated now, please update the URL to point to the new Gerrit Tracker, e.g. change to

Breaking changes

  • Issue 16942: Gerrit does not render properly the modal dialogs on Safari 15.3, Chrome 36, Edge 78, and Firefox 97 or earlier.

    Gerrit frontend uses the HTMLDialogElement.showModal function, which is not working properly on old browsers.

  • Change 365595: WebLinkInfo: Drop deprecated constructor

    Custom UI plugins that are explicitly using WebLinkInfo are affected by this and might need adapting.

  • Change 360756: Disallow uploading new prolog rules files.

    Clients should use submit-requirements instead. Please note that modifications and deletions of existing files are still allowed.

  • Change 360054: Allow callers to format create change response

    Add ListChangeOptions to ChangeInput and ApplyPatchPatchSetInput such that callers can control what fields should be formatted in the returned ChangeInfo. For ApplyPatch, this commit changes the default formatting options from CURRENT_COMMIT to no-options.

  • Change 360219: Delete vote now fails for an already deleted vote

    An e-mail was sent each time when a vote was executed, even if the label had been already set to 0 and thus no actual changes were made.

    This fix can break some scenarios, where the caller expects that DeleteVoteOp will always succeed after the label was added at least once. This should be fixed on the caller side.

  • Change 358975: Skip account visibility checks when querying changes

    Skipping the account visibility check when querying changes of users participating in the change (the change owner, reviewers, CCs etc.). This affects several search predicates: owner / uploader / label

    • user / reviewer / attention / commentby
  • Change 358954: Check permissions when resolving accounts by secondary emails

fixed an issue that allowed users to resolve secondary emails, although they should not have been able to see them.

  • Change 358114: removed automatic linkification of URLs that do not start with http:// or https://.

  • Change 357298: Removed Assignee functionality in Gerrit.

    ‘Assignee’ functionality has been superseded by ‘Attention Set’. The functionality has no Web UI support anymore.

  • Change 357276: Removed option to disable Attention Set

    No longer support the option of disabling the Attention Set.

  • Change 356941: Do not set real_author in ChangeMessageInfo if author == real_author

    It’s not needed to return the author twice if the change message was not impersonated. Documentation already stated this, but clients should double check they don’t rely on real_author always being returned.

  • Change 354916: Remove registerStyleModule() plugin API

    Use plugin.styleApi().insertCSSRule() instead.

  • Change 351814: Remove notify() from AnnotationPluginApi

  • Change 351515: Remove html commentlink functionality.

    Html commentlinks allow for arbitrary html injection on the page. Replaced them with link commentlinks, using optional prefix, suffix, text parameters to achieve the same functionality. Existing configs can be migrated using scripts in tools/migration/

Other changes

Plugin changes

  • download-commands:
  • reviewnotes:
  • webhooks:
    • Change 365175: Add HTTP response code ‘SC_ACCEPTED’ (202) as success case in response handler
  • codemirror-editor:
  • gitiles:
  • replication:
    • Change 353294: Provide an option to skip replication of NoteDb meta refs

      Replicating NoteDb meta refs is not needed when the remote does not run a Gerrit instance. This can be now disabled via remote.<NAME>.replicateNoteDbMetaRefs

Performance changes

  • Change 360646: Introduce a per request ref cache for better performance

    Add a new core.usePerRequestRefCache setting. If the setting is true, use a per request (currently per request thread) ref cache. This helps reduce the overhead of checking if the packed-refs file is outdated. This setting is true by default.

  • Change 365144: Destination queries now use the change index

    destination predicate now matches any number of branch names with O(1) efficiency.

  • Issue 16072: Fix “showchange” plugin event being triggered twice on patchset change

  • Change 363074: Performance optimization for cold-cache groups

Gerrit UI changes

  • Change 370995: Add comments chips to patchset select

  • Change 361574: Add darkMode param to gr-editor-view extension point

  • Change 358179: Add a new endpoint for a profile page

    The goal of this endpoint is to show a new page that’s the contributions’ page of a user.

  • Change 360134: Fix “Old Patchset” being displayed on current edits

  • Change 359814: User can rebase whole chain from UI.

  • Issue 16545: Fix issue where using in-line editor to add new files / edit existing files didn’t show the changes in file list

  • Change 349422: Privacy information on settings page

  • Change 354154: Enter key selects emoji after ‘:’ is typed

    The previous behavior was that enter wouldn’t select emojis until more characters were typed after ‘:’.

  • Change 352682: Matching atoms in copy conditions that are posted as change messages are highlighted in bold now.

    When a new patch set is created and approvals are copied to the new patch set, Gerrit posts a change message to inform about the copied and outdated votes together with the corresponding copy condition. Passing and failing atoms in the copy condition are now highlighted in bold.

  • Change 351934 Comments tab respects special file sorting cases like .h

  • Change 348877: Show account hovercard preview on settings page

    Account preview can be displayed in-flow without requiring hovering

  • Change 348794: Account chip preview on settings page

    This lets the user see how they will appear to others and what data will be public.

  • Change 348536: Removed all hardcoded gr-icons.

    All core plugins have been migrated to using Material-based gr-icon which no longer need these hardcoded SVGs.

Documentation changes

  • Change 361696: Remove prolog rules doc page mention from the index page

    users should use submit-requirements instead of prolog rules

  • Change 348538: Improve Polygerrit README

  • Change 340255: Add a shortcut to Developer Setup

JGit changes

  • Upgrade jgit to 5ae8d28. Notable changes are:
    • Implement a snapshotting RefDirectory for use in request scope
    • If tryLock fails to get the lock another gc has it
    • Fix GcConcurrentTest#testInterruptGc
    • Don’t swallow IOException in GC.PidLock#lock
    • Check if FileLock is valid before using or releasing it
    • Use Java 11 ProcessHandle to get pid of the current process
    • UploadPack: use allow-any-sha1-in-want configuration
    • Acquire file lock “” before running gc
    • Fix getPackedRefs to not throw NoSuchFileException
    • Add pack options to preserve and prune old pack files
    • Allow to perform PackedBatchRefUpdate without locking loose refs
    • Document option “core.sha1Implementation” introduced in 59029aec
    • Shortcut during git fetch for avoiding looping through all local refs
    • FetchCommand: fix fetchSubmodules to work on a Ref to a blob
    • Allow the exclusions of refs prefixes from bitmap
    • PackWriterBitmapPreparer: do not include annotated tags in bitmap
    • BatchingProgressMonitor: avoid int overflow when computing percentage
    • Fetch-CLI: add support for shallow
    • Speedup GC listing objects referenced from reflogs
    • Fixes for multi-primary new loose object reads on NFS
    • GC: disable writing commit-graph for shallow repos
    • Introduce core.trustPackedRefsStat config
    • Add TernarySearchTree
    • CommitGraph: teach ObjectReader to get commit-graph
    • PatchApplier: fix handling of last newline in text patch
    • CommitGraph: add commit-graph for FileObjectDatabase
    • IO#readFully: provide overload that fills the full array
    • GC: Write commit-graph files when gc
    • CommitGraph: add core.commitGraph config
    • CommitGraph: implement commit-graph read
    • Gc#deleteOrphans: avoid dependence on PackExt alphabetical ordering
    • WalkPushConnection: Sanitize paths given to transports
    • Fix documentation for core.trustFolderStat
    • Update jetty to 10.0.13 d
    • PackExt: Add a commit graph extension.
    • UploadPackServlet#doPost use try-with-resource to ensure up is closed
    • Update Apache Mina SSHD to 2.9.2
    • Fix crashes on rare combination of file names
    • DfsBlockCache: Report IndexEventConsumer metrics for reverse indexes.
    • DfsStreamKey: Replace ForReverseIndex to separate metrics.
    • RawText.isBinary(): handle complete buffer correctly
    • PackExt: Add a reverse index extension.

Other dependency changes

Other core changes

  • Change 367654 Fixed rebasing chain when a checks refs exists for one of the changes

    Fixed a NPE that might have been thrown when rebasing on changes for which a checks ref exists.

  • Change 366334 Added ‘a’ as alias for the ‘author’ search operator

    This follows the example of other aliases, e.g. ‘o’ for ‘owner’ or ‘r’ for ‘ reviewer’.

  • Change 365901 Added global capability that allows to view secondary emails

    If users have multiple emails only the preferred email is visible to other users. Now, with the new View Secondary Emails global capability it’s possible to allow viewing all emails.

  • Change 361460 Allow editing commit message from Change-Id: to Link: footer

    This allows to edit the commit message by replacing a valid ‘Change-Id:’ footer for a valid ‘Link:’ footer.

  • Change 350455: Enables transition from LDAP to Google OAuth

    When transitions to Google OAuth from LDAP, if the account exists with the same e-mail then the account ID is reused. This allows to have the same user history post migration.

  • Change 359974: Fixed calculation of insertions and change buckets for change emails

    When computing change email, the number of files, insertions and deletions didn’t count the commit message for number of files, but for insertions the lines from the commit message were counted, which was inconsistent.

  • Change 358115: Allow for plugin data directory to be symlinked

  • Change 357648: Don’t add owner to attention set on merged change if bot re-applies a negative vote

    Bots can no longer re-apply negative votes on merged change, leading to an unwanted attention set update.

  • Change 357477: Added a new ‘uploaderemail:' operator for Submit Requirements

    returns true if the uploader’s email matches a specific regular expression pattern.

  • Change 357474: Added a new ‘committeremail:' operator for Submit Requirements

    returns true if the change committer’s email matches a specific regular expression pattern.

  • Change 357460: Fixed ownerin/uploaderin for internal groups that include external groups

    Fixed an issue where the ownerin and uploaderin predicates were not matching correctly for internal groups that include external groups.

  • Change 350034: The commit-msg hook respects the scissors marker for the empty message detection.

    When “git commit –cleanup=scissors” the commit-msg hook couldn’t detect if the commit message is empty properly.

  • Change 357278: Fixed parsing of URL parameters that contain a ‘%’ that is not part of an encoded character

    Without this fix users could trigger 500 internal server errors in Gerrit by providing invalid strings for URL parameters.

  • Change 356762: Added support for rebasing on behalf of the uploader

    Rebasing a change on behalf of the uploader means that the uploader stays intact when the reviewer rebases the change.

  • Change 356354: Added project permission for removing votes/labels

    For every configured label My-Name in the project, there is a corresponding permission removeLabel-My-Name with a range corresponding to the defined values. For these values, the users are permitted to remove other users’ votes from a change.

  • Change 356260: Fixed overriding impersonated votes

    Fix an issue where overriding an impersonated vote for a user A (real user B) only worked if the voting values were different. If the voting value was the same Gerrit wrongly assumed that the voting was a no-op.

  • Change 355574: Added support to remove a non-visible account as a reviewer through the PostReview REST endpoint

    Fix an issue where, if a visible change had a reviewer whose account was not visible, this account could be seen on the change, but the reviewer could not be removed.

  • Change 351075: Added a REST API to rebase a chain of changes

    A new API POST /changes/{change-id}/rebase:chain now allows to rebase an ancestry chain of changes.

  • Change 355116: Added prefixsubject index field (requires index upgrade)

    Similarly to prefixhashtag and prefixtopic it is not possible to search changes by subject prefix (e.g. a bug ID in square brackets).

  • Change 354294: Custom git gc-preserve command which can preserve packs for JGit

    Implemented a custom git command “git-gc-preserve” preserving old packs to prevent races between git gc running on a large repository concurrently to fetch/clone requests.

  • Change 354037: Added subject index field (requires index upgrade)

    Allow to query changes by subject.

  • Change 353674: Invalid label ranges for permissions are rejected when pushing a project.config file

    Attempting to add permissions with a range where min is greater than max, where min is present but max is missing or vice-versa throws an IllegalArgumentException.

  • Change 353635: Set Access REST endpoint rejects invalid label ranges

  • Change 353655: Do not add a duplicated project.config entry if a duplicate input is added.

    When the same request was made to the ‘Set Access’ project rest endpoint, it resulted in adding a duplicated line in the project.config.

  • Change 353287: Votes that are copied to follow-up patch sets when a vote on an outdated patch set is applied are now posted as a change message.

    When votes were copied to follow-up patch sets they were applied in NoteDb, but users were not informed about them. Now a change message is posted to inform that the vote was copied forward.

  • Change 352055: Reject invalid base on push with proper error message instead of failing with an internal server error

  • Change 352034: Fix GetRelated if multiple changes for the same commit exist

  • Change 351534: Fix the issue that 404 page is shown after login

    After logging in using the “Sign in with a Launchpad ID” link Gerrit used to display a “not found” page.

  • Change 351614: Do not require trailing slash for requests on root collections

    Often users are confused why ‘GET /changes/’ works, but ‘GET /changes’ doesn’t. Both are now allowed.

  • Change 347719: Suppressing emails on submit is disallowed now if there is a post approval diff

    Fixes a security issue where a malicious user could submit code changes without anyone ever seeing them. If a change is submitted and a post approval diff exists, no matter which notify setting the caller specified, Notify=ALL is used.

  • Change 351114: Add support for enabling Strict Dynamic CSP on Documentation pages.

  • Change 349175: Disallow ‘cansee’ account search operator with private changes

    This operator used to fail for private changes if the change owner requested cansee:<private_change>. Now, if the caller of the query is the owner or one of the reviewers/ccs of the change, the query returns account data for it.

  • Change 349216: Add a has:submodule-updates operator for submit requirements

    Returns true if the diff of the latest patchset against the default base has a submodule modified file

  • Change 347936: Reject uploading project config changes if they contain duplicate submit requirement definitions.

    Prevent project owners and admins from accidentally adding multiple definitions for the same submit requirement name.

  • Change 246234: The WorkQueue now uses new STARTING and STOPPING states while a listener’s onStart() and onStop() methods are called.

  • Change 346954: Log progress for online-reindexing of changes

    When performing online reindexing, from the log file we could only observe when it starts and when it ends. With this change we log the progress once per minute.

  • Change 340061: Add old/new file modes to the ‘List Files’ diff endpoint

    if a file is modified with a change to the file mode only, now the file will be listed as modified.

  • Change 245614: Added a WorkQueue.TaskListener extension for plugins

    This extension point makes it possible for plugins to define and implement WorkQueue QOS policies.

Bugfix releases


  • New Features

    • Change 385116: Support Cloud Spanner for AccountPatchReviewStore
  • Bug Fixes

    • Change 380154: Documentation: NOTE on use of sshkeys, and *projects cache on clusters

      When using the sshkeys, and *projects caches on a cluster, warn the Gerrit admin he should be aware of those caches to be potentially stale. The problem can be minimised by either disabling them altogether or setting a low value of refreshAfterWrite.

    • Change 384214: Align Jetty session timeout with Gerrit web_sessions maxAge

      Do not leave Jetty having sessions kept forever but expire them with the same timeout of Gerrit sessions.

      Verified E2E that the Jetty sessions expires with the same timeout of the web_sessions maxAge value.

    • Issue 290225204: loginUrl and loginText are hardcoded in the UI

      Gerrit UI ignored the settings in the auth section of the configuration 1.

      In particular auth.loginUrl 2 should be used if present and auth.type is set to HTTP or HTTP_LDAP. Also auth.loginText 3 should be used if auth.loginUrl is set.

      This change backports change 381534 to stable-3.6. We didn’t cherry-pick because the code changes significantly and had many conflicts.

    • Issue 291102119: Avoid NullPointerException when deleting multiple tags

      To avoid NPE make sure that ref is not read again after checking if ref exists. This prevent the issue when other call already removed the tag and we try to read it. Proper behaviour is to try to delete it and return Cannot delete refs/tags/...: LOCK_FAILURE if tag is already deleted.

    • Issue 289505276: Fix for: change can’t be submitted if another branch contains exactly the same commit.

    • Change 380694: Hide Move Change from UI if change.move is set to false

    • Issue 290641654: Fix bug in API ‘/projects/*/access:review’ ignoring ‘message’ field

      Fix API endpoint ‘CreateAccessChange’ ‘/projects/*/access:review’ not hounouring ‘message’ field provided via ‘ProjectAccessInput’ object despite setting it. Add condition to check if message is provided then use it instead of default ‘Review access change’

    • Issue 298846017: Fix admin links that contain the base URL twice

      Fix Gerrit Context paths becoming doubled in Admin View navigation links.

  • Plugin Updates

    • Change 383360: Update webhooks plugin to 1dc0a71883

      This includes the following changes: 1dc0a71 Add HTTP response code ‘SC_ACCEPTED’ (202) as success case in response handler 16110f3 Annotate methods that return a definitely null value with @Nullable and fixes: Issue 40015349 “plugins/webhooks doesn’t accept HTTP 202 response code”


  • Breaking changes

    • Issue 40015585: Enhance metric name sanitize function to remove collision on ‘_’ between metrics.

      Collision between the sanitized metric names can be easily created e.g. foo_bar will collide with foo+bar. In order to avoid collisions keep the rules about slashes and replace not supported chars with _0x[HEX CODE]_ string. The replacement prefix 0x is prepended with another replacement prefix.

  • New Features

    • Change 377794: Extend configurability of index pagination type

      Add NONE option to disable index backend pagination, this option needs to be honoured by the indexing backend and this change introduces the correct implementation for Lucene.

    • Change 372974: Don’t allow index searches with size greater than maxPageSize

      Queries with a ‘start’ parameter can perform an index search with size greater than the configured maxPageSize, i.e. when start + limit exceeds the maxPageSize. Fix such queries to paginate instead.

  • Bug Fixes

    • Issue 289321387: Preserve refs order in the GitBatchRefUpdateEvent event

      Change 335757 introduced the concept of the single event representing batch ref update. However this new event did not preserve original order of the updated refs. This impacts event consumers behaviour and can cause failures. For example if meta ref is processed before patchset ref indexing operation will fail because of the missing patchset.

      The timeline of events is kept in the same order they are generated, to make sure that refs order is preserved and backward compatibility is kept.

    • Change 378075: Fix links to URLs with nonstandard schemes

      Removed automatic linking of URLs that do not start with https?://

    • Change 377796: Fix imported changes appearing as duplicates in index

      When parsing the change data from ChangeNotes, the in-memory created ChangeData contains useful information like the serverId that the change belongs to. The same information isn’t available when reindexing directly from a newly created entity Change which has no relationship with the underlying change notes.

    • Change 340014: Fix identity parsing for imported human comments

      When an account’s serverId does not match the one defined in gerrit.config, then use the ‘imported’ external ids in the accounts for reverse lookup of the accountId. This allows to correctly understand and associate the imported changes coming from repositories of other Gerrit servers to the correct local accounts.

    • Issue 40015148: Fix ExternalId differential loading when cache is inconsistent

      Make differential loading idempotent to avoid failures due to retry to insert the same entry again, caused by the JGit Issue 582044.

    • Issue 40015614: Show correct cherry-picked list for imported changes

      The UI ran the following query to determine if a change had been cherry-picked from another branch: project:<projectName> change:<changeID> -change:<changeNum> -is:abandoned Modified the query adhering to the cherry-pick change definition: project:<projectName> change:<changeID> -branch:<currentBranch> -is:abandoned

    • Change 357634: Fix parsing legacy labels for users with comma

      This change fixes a bug introduced by 336883 when parsing labels where a UUID was present together with a user name containing a comma.

    • Change 347316: Fix Bazel build on Apple M2 ARM64 chip

      Bazel fails to select the correct java-tools binaries for Apple’s ARM64 architecture and downloads the generic x86. This fix disables the download of the pre-compiled java_tools, allowing Bazel to build them locally for the correct architecture.

    • Change 375634: Fix listing files for initial commit against the first parent

      DiffOperations used an empty tree as the base commit when getting the diff for an initial commit and the user specified comparing against the first parent (which doesn’t exist). In this case the request failed with 500 ISE because the empty tree is not a commit and thus we run into an IncorrectObjectTypeException. Instead of failing in this case we are now falling back to comparing against the default root.

  • Documentation fixes

    • 40014489: Announce / document that building with Java 8 is no longer supported

      Documents that building with Java 8 is no longer supported. Java 11 is now required and removes the now unused error_prone_warnings_toolchain.