--- title: "Skip rebuilds, Guardrails, better CLI" date: 2026-04-03 number: 0284 url: https://railway.com/changelog/2026-04-03-skip-rebuilds --- # Skip rebuilds, Guardrails, better CLI The best build is the one that never runs. This week, Railway can detect when identical source code has already been built and skip the build entirely, deploying the cached image in seconds. We're also shipping Guardrails, a set of workspace-wide policies for enterprise teams, and a round of CLI upgrades including OAuth 2.0 login and a new `environment list` command. Let's get into it! 🚄 ## Skip rebuilds [Image: Service settings > Feature-flags > Enable Skipped Builds] Railway can now detect when the exact same source code has already been built and skip the build entirely, deploying the cached image instead. The most useful scenario involves [PR environments](https://docs.railway.com/environments#pr-environments). You open a pull request, Railway builds it. You iterate, Railway rebuilds. You merge, and if the merged commit matches what was already built in the PR environment, Railway skips the rebuild and deploys the cached image to production. Your changes go live in seconds. This is different from [build layer caching](https://docs.railway.com/builds/build-configuration#disable-build-layer-caching), which speeds up builds by reusing intermediate layers. With skipped builds, no build runs at all. Skipped builds are disabled by default. Enable them per service in your service settings under **Feature Flags**. Read the [full documentation](https://docs.railway.com/builds/skipped-builds) for details on caching behavior and environment variables. This is an experimental feature. Tell us how it goes on [Central Station](https://station.railway.com/feedback/skip-redundant-builds-with-image-caching-4b36e070). ## Guardrails [Image: Define workspace-level guardrails] Rolling Railway out to a large team means trusting that developers won't accidentally expose internal services to the public internet. Until now, there was no centralized way to enforce that. Guardrails give enterprise admins the governance controls they need to onboard hundreds of developers without the risk. Two policies are available today: - **Restrict domain generation: **prevents members from generating public Railway domains on their services - **Restrict public TCP proxies:** prevents members from creating public TCP proxies Toggle either policy on, and it applies across every project in the workspace. When a policy is active, the relevant options are hidden for non-admin members. If you're interested in Railway for your organization or enterprise, [get in touch](https://railway.com/enterprise). ## CLI enhancements [Video: List environments in the Railway CLI] The [Railway CLI](https://github.com/railwayapp/cli/) picked up several upgrades recently. Make sure you’re on the latest version by running `railway upgrade` to try them out. **`railway environment list`****.** A new subcommand that lists all environments in your project, grouped by type. Persistent environments appear first, followed by PR environments with their fork source and pull request metadata. Use `--ephemeral` or `--no-ephemeral` to filter, and `--json` for machine-readable output. **OAuth 2.0 login.** `railway login` now uses standard OAuth 2.0 with PKCE for browser-based authentication and the Device Authorization Grant (RFC 8628) for browserless environments like SSH sessions and containers. The previous custom login flow is gone. Tokens refresh automatically before they expire, so you won't hit unexpected auth failures mid-session. If the browser can't open, the CLI falls back to device flow on its own. **Project targeting via environment variables.** Set `RAILWAY_PROJECT_ID` and `RAILWAY_ENVIRONMENT_ID` to target a project without running `railway link`. This is particularly useful in CI/CD pipelines and scripts where persisting link state on disk isn't practical. Optionally include `RAILWAY_SERVICE_ID` to scope commands to a specific service. **Safer project deletion.** `railway delete` now schedules a 48-hour grace period instead of removing the project immediately. If you accidentally delete a project, you have two days to recover it. There's more on the way. We're actively working toward feature parity between the CLI and the dashboard while making sure everything is agent-friendly. You can see [sneak peeks of what's coming next](https://x.com/thisismahmoud/status/2037133142922842207). The CLI is [open source](https://github.com/railwayapp/cli), so if you run into something or have an idea, open an issue or submit a PR. We're always happy to review contributions from the community. ## Fixes and improvements - We fixed an issue where users in a workspace with a 2FA requirement, but without 2FA enabled, would see a "train derailed" error page. Now, a modal prompts the user to enable 2FA. - We fixed an issue where setting a JSON string as a password for image credentials caused the project page to enter an infinite loading state. - We fixed an issue where metric charts on the observability page would fail to render lines in the graph. - We fixed an issue where two similar entries in the command palette would both appear as hovered. - We fixed a proxy issue that resulted in a 503 when one Railway-hosted app proxied traffic publicly to another Railway-hosted app. - We fixed a missing redirect on the account verification page. - We fixed an issue where all cron expressions were flagged as invalid.