Product Updates May 2025: Scalr OIDC, Improved GitOps Flows, and PR Comment Approval

Scalr’s May 2025 update adds OIDC SSO, streamlined GitOps flows, and PR-comment approvals to speed Terraform delivery at scale.

Features

Scalr OIDC Authentication

Scalr now supports OpenID Connect (OIDC), allowing users to authenticate to the Scalr API using ID tokens from providers like GitHub, GitLab, AWS, Azure, and others. This removes the need for static personal or service account tokens and simplifies access management. See the docs on this here.

Avoid State Updates by Unmerged PRs

Want to ensure that Terraform state modifications are only applied from the main workspace branch or a verified PR, preventing accidental overwrites or conflicts caused by unmerged changes? 

Scalr now safeguards your Terraform state from unintended modifications with branch awareness. Scalr displays warnings when changes are attempted from branches with unmerged pull requests, and automatically prevents auto-apply operations when the state-generating branch differs from your run's configuration branch. This ensures state modifications only occur from your main workspace branch or properly verified pull requests, preventing accidental overwrites and conflicts.

No extra configuration in Scalr is needed to trigger these warnings. This workflow applies to those who apply before merging.

PR Comment Approvals for Runs

Streamline your workflow with new GitHub and Azure DevOps PR comment commands /scalr approve and /scalr decline that let you manage run approvals directly from pull requests. This feature supports both bulk and specific workspace approvals, with optional reason documentation using the -reason argument. Users must share the same email address in both the VCS provider and Scalr and have runs:apply permission to use these commands. See more here.

Cross-Environment Run Triggers and State Sharing

Need to trigger runs and share state with workspaces in different environments? Federated environment access in Scalr enables users to create dependencies between workspaces across different environments. This functionality enables teams to set up run triggers, where the successful execution in one workspace automatically initiates runs in dependent workspaces in other environments. It also facilitates state sharing, where outputs from one workspace can be used as inputs in another. By granting controlled access between environments, federated environments streamline cross-environment workflows while maintaining appropriate security boundaries. See the docs on this here.

Improvements

Default Agent Pools

Scalr now allows administrators to set a default agent pool at the account level. When set, all new workspaces will inherit the pool unless overridden at the workspace level. This eliminates the need to assign agent pools to each workspace manually.

Existing workspaces remain unaffected unless explicitly changed. To use this feature, set the default agent pool through the agent pool management UI with the agent-pools:update permission.

Choose a Commit Strategy

Scalr now allows administrators to select commit strategies in the VCS provider settings to determine when runs should be triggered. The default base commit strategy compares the latest head commit with the base branch commit, while the newly available previous commit strategy compares the latest head commit with the previous head commit.

This enhancement reduces unnecessary runs triggered by unrelated file changes in pull requests, giving administrators better control over change detection to improve run relevance and reduce noise.

Existing setups will continue to operate with the current base commit strategy as the default behavior. Administrators have the option to switch to the previous commit strategy through VCS settings if it better aligns with their specific workflow requirements. See the docs here.

Automatic Base Branch Merge Before Run Execution

Scalr has introduced a new optional feature for VCS-driven workspaces that automatically merges the base branch into the head branch before triggering a run. This enhancement ensures that runs are always executed against the latest code in the base branch, providing more accurate and reliable results.

This improvement addresses a common pain point where runs could previously be executed against outdated head branches, potentially leading to false-positive results or failed applies after merging.

To implement this feature, enable the auto-merge option when configuring a VCS.

Support for PR Comment Approval on Closed Pull Requests

Scalr now processes "/scalr approve" and "/scalr decline" comments even when pull requests are closed. This enhancement eliminates the need to reopen PRs to approve or decline runs.

This update requires no changes to existing setups and works automatically if pull request comments are enabled.

Improved Access Control for Discarding Runs

Scalr has enhanced its permission system to allow users to discard runs in both Apply Approval and Policy Override stages using either the runs:apply or runs:cancel permission. Previously, runs:apply was the only option, so now admins have more granular permissions for discarding runs.

No configuration changes are required for existing setups, as workflows relying on runs:apply will continue to function normally. Teams can immediately begin granting the more targeted runs:cancel permission instead, enabling improved security through granular access control.

Show All Outputs

There is an improved workspace outputs experience with a new "Show all" option that opens a modal displaying all workspace outputs, not just those from the latest run. This improvement addresses a previous limitation where outputs were only visible when navigating to individual runs, and no outputs would appear if the latest run had no output changes.

Slack Notifications for Drift Detection

Scalr now supports Slack notifications for infrastructure drift detection. When drift is detected, you'll receive instant alerts in your configured Slack channel. To enable this feature, navigate to Settings → Integrations → Slack and activate the new "Drift Detected" event. See more here. (May 13th, 2025/8.200.0)

New OPA Input: Azure DevOps Merge Error Attribute

Added a new merge_error attribute to the policy input for Azure DevOps that provides visibility into potential merge blockers. This attribute captures values from the Azure DevOps merge_status field. This helps teams proactively identify and address merge issues before running an apply.

Sample tfrun data:

"pull_request": {
    "author": "user",
    "merged_by": null,
    "merge_error": "blocked"
}

See an example policy here.

(May 13th, 2025/8.200.0)

New OPA Input: GitHub Merge Error Attribute

Added a new merge_error attribute to the policy input for GitHub and GitHub Enterprise integrations that provides visibility into potential merge blockers. This attribute captures values from GitHub's mergeable_state field when it contains 'dirty', 'unknown', 'blocked', or 'behind' statuses, while remaining empty for 'clean', 'unstable', and 'has_hooks' states. This helps teams proactively identify and address merge issues before running an apply.

Sample tfrun data:

"pull_request": {
    "author": "user",
    "merged_by": null,
    "merge_error": "blocked"
}

See an example policy here.
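A policy that consumes merge_error from either the Azure DevOps or the GitHub integration, as an added example (not Scalr's published policy and not code from this page). It assumes the pull_request object from the sample tfrun data is exposed to OPA at input.tfrun.vcs.pull_request and that deny rules are evaluated in package terraform; adjust both if your policy input differs.

```rego
# Added example: block a run while the pull request reports a merge blocker.
package terraform

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Assumption: location of the pull_request object in the policy input.
# Undefined for runs that do not come from a pull request, in which case
# none of the rules below fire.
pull_request := input.tfrun.vcs.pull_request

# GitHub mergeable_state values that the release note says are surfaced
# as merge_error.
github_blockers := {"dirty", "unknown", "blocked", "behind"}

# merge_error is treated as set only when it is a non-empty string;
# null and "" (the 'clean', 'unstable' and 'has_hooks' cases) pass.
has_merge_error if {
    is_string(pull_request.merge_error)
    pull_request.merge_error != ""
}

# Known GitHub blockers: name the state so the author knows what to fix.
deny contains reason if {
    has_merge_error
    pull_request.merge_error in github_blockers
    reason := sprintf(
        "pull request is not mergeable (merge_error=%v); resolve it before applying",
        [pull_request.merge_error],
    )
}

# Fail closed on any other non-empty value, such as an Azure DevOps
# merge_status value, which the release note does not enumerate.
deny contains reason if {
    has_merge_error
    not pull_request.merge_error in github_blockers
    reason := sprintf(
        "pull request reports merge_error=%v; run blocked until it clears",
        [pull_request.merge_error],
    )
}
```

With the sample tfrun data above ("merge_error": "blocked"), the first rule produces one deny reason; with merge_error null or empty, the deny set stays empty.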

Select Storage Profile Per Environment

Scalr now allows users to select a storage profile (AWS S3, GCP, or AzureRM) when creating or updating environments via UI, in addition to the existing API support. If no profile is selected, the default account-level profile will be used.

Storage Profiles: Azure

Scalr now supports creating and managing Azure storage profiles, expanding multi-cloud support alongside AWS and GCP. Users with the appropriate permissions can configure Azure-based storage by providing the storage account, container, and OIDC credentials (Tenant ID, Client ID, Audience). This enables organizations to store data within their own Azure subscription, helping meet data residency requirements. See more here.

Download OPA Reports

We've added the ability to download Policy reports and Impact analysis of OPA policy groups in CSV format. This streamlined export function makes it significantly easier to review, share, and audit your policy statuses.

Access this feature through the policy reports or policy impact analysis tabs.

Storage Profiles CRUD Added to the UI

Scalr now supports adding custom AWS S3 and GCP storage profiles via the UI, complementing the previously released Public API. Users with the appropriate permissions can configure storage profiles to align with organizational policies and store Terraform-related data in their buckets. The Scalr GCP profile remains available and cannot be modified or deleted.

Export SCALR_RUN_CONTENT_ROOT environment variable

The SCALR_RUN_CONTENT_ROOT variable is now exported during the run. This allows users to reference the absolute path to the root of the workspace code for use in custom scripts or tooling within the run lifecycle.