9 posts tagged with "Pantheon"

Pantheon has been expanding Site Metrics and dashboard visibility through a series of updates published on February 4, 2026, February 23, 2026, and earlier dashboard modernization work from May 5, 2025. The feature set is genuinely useful, but only if teams stop treating "traffic" as one bucket.

For Drupal and WordPress operators, Pantheon Site Metrics changes one thing more than anything else: it makes it easier to separate performance problems, ownership problems, and noise problems before they become incident calls.

When the Drupal Security Team issues a highly critical PSA warning of an impending Remote Code Execution (RCE) vulnerability, the clock starts ticking. For a single site, applying the patch takes minutes. For an enterprise running 20+ legacy platforms on a custom upstream, hitting a 24-hour Service Level Agreement (SLA) requires rigorous automation.

Nothing destroys developer productivity faster than local environment issues. Specifically, infinite redirect loops.

Pantheon announced on March 6, 2026 that new sites created from the Drupal CMS upstream now use Drupal CMS 2. This is not a blanket platform upgrade: Pantheon explicitly says existing Drupal CMS sites are not auto-updated, and Drupal 10/11 upstream sites are not affected.

That split matters operationally. Teams can misread this as "new upstream available, apply update everywhere." For managed portfolios, that interpretation is risky.

The important point: this is not a patch-level update. Treat it as a controlled migration.

What Actually Changed​

From Pantheon and Drupal.org sources:

• Pantheon updated the Drupal CMS upstream to version 2 for newly created sites.
• Existing Drupal CMS sites require deliberate upgrade work and validation.
• CMS 2 introduces architectural shifts, including Canvas as default editing UX and the Byte site template.
• Pantheon's Drupal CMS guidance flags concrete break risks for 1.x to 2.0 upgrades.

The important point: this is not a patch-level update. Treat it as a controlled migration.

Breaking-Change Surface You Need to Map First​

Pantheon's own Drupal CMS doc calls out the highest-risk breaks for CMS 1.x sites, including theme removal and recipe package splits.

# Update sequencing for Drupal CMS 2
composer require drupal/cms:^2 -W
composer require drupal/site_template_helper:^1
vendor/bin/drush theme:enable byte
vendor/bin/drush theme:set-default byte
vendor/bin/drush cr

• drupal_cms_olivero is removed and replaced by byte; post-upgrade, unresolved theme config can trigger missing theme errors.
• Several content-type recipe packages are replaced by drupal_cms_site_template_base.
• Composer plugin allowlist requirements change (drupal/site_template_helper must be explicitly allowed), or Integrated Composer builds can fail.
• automatic_updates is marked obsolete and should be uninstalled after upgrade.

For managed Drupal teams, the real blast radius is usually:

• Theme dependency assumptions in custom front-end work.
• Content model dependencies on replaced recipe packages.
• CI/CD breakage from Composer allow-plugins drift.
• Inconsistent environments if Dev is upgraded but promotion criteria are weak.

Update Sequencing for Managed Teams​

The safest order is environment-first and evidence-driven:

1. Classify sites by upstream: Drupal CMS vs Drupal 10/11 core upstreams.
2. For Drupal CMS 1.x sites, branch to Multidev first; do not start in Dev/Test/Live.
3. Inventory content using recipe-provided types (Blog, News, Events, etc.) before any package removals.
4. Update composer.json constraints from ^1 to ^2, apply package replacements, and update allow-plugins.
5. Run DB updates and config validation in Multidev; switch theme to byte before declaring success.
6. Validate editor workflows (Canvas, content creation, revisions), not just homepage rendering.
7. Merge to Dev only with explicit rollback criteria and owner sign-off.

This sequencing aligns with Pantheon's Multidev-first guidance and reduces production surprise.

The Integration Test Gate: Beyond Code Success​

A successful build artifact does not guarantee a successful Drupal CMS 2 site. Because CMS 2 relies heavily on recipes and configuration-as-code, you must validate the Canvas editor experience and the integrity of the Byte theme mappings in Multidev before merging any code to production.

Need an Enterprise Drupal Architect who specializes in Pantheon upstream migrations and CI/CD optimization? View my Open Source work on Project Context Connector or connect with me on LinkedIn.

Deployment Checklist​

Use this as a release gate before promotion:

• Upstream classification documented per site (CMS upstream vs Drupal 10/11 upstream).
• Dependency diff approved (composer.lock + removed packages + plugin allowlist updates).
• Theme migration completed and verified (drupal_cms_olivero references removed, byte active as intended).
• Content integrity check completed for replaced content-type recipes.
• Drush update + cache rebuild + watchdog checks clean in Multidev.
• Editor smoke tests passed (create/edit/publish, media, menus, forms).
• Config export/import cycle passes without unexpected drift.
• Rollback path tested (known-good tag + DB backup + owner on-call).

If one item is missing, delay promotion. CMS 2 adoption is optional per-site, outage time is not.

WordPress and Cross-CMS Relevance​

WordPress teams on Pantheon are not directly impacted by this Drupal CMS upstream change. But multi-CMS platform teams should still adopt the same discipline:

• classify by upstream/product line,
• avoid "one update policy for all sites",
• enforce environment-gated promotion with explicit rollback checks.

That process is reusable across Drupal and WordPress estates, even when only one CMS has breaking changes.

Bottom Line​

Pantheon's Drupal CMS 2 upstream update is a positive move for new builds, but for existing managed Drupal estates it is a migration event, not a maintenance click. The teams that avoid incidents will be the ones that map the breaking surface early, run Multidev-first sequencing, and enforce a release gate that checks content and editor workflows, not only code deploy success.

Sources​

• Pantheon release note (March 6, 2026): Upstream update for Drupal CMS 2 now available
• Pantheon docs: Drupal CMS on Pantheon (includes 1.x to 2.0 upgrade warnings and recommended steps)
• Drupal.org: Drupal CMS releases
• Drupal.org: cms 2.0.0 release notes
• Pantheon docs: WordPress and Drupal Core Updates

Pantheon announced on March 6, 2026 enhancements for SQL Server connectivity on PHP Runtime Generation 2. This changes the connection path for any Drupal site relying on external SQL Server backends.

For teams running Drupal with SQL Server backends, this is meaningful. It changes both the connection path options and the failure modes you need to test before Pantheon's Generation 1 removal window in April 2026.

What Actually Changed​

According to Pantheon's release note and Gen 2 docs:

• sqlsrv and pdo_sqlsrv are now available on Gen 2 for PHP 8.3+ (v5.13.0).
• Microsoft ODBC Driver 17 and 18 are installed for PHP 8.2+.
• Gen 1 removal auto-upgrades start April 6, 2026 (Dev/Multidev) and April 13, 2026 (Test/Live).

This means SQL Server-connected workloads are no longer limited to the previous ODBC-only pattern on newer runtimes. You can use native PHP SQL Server extensions on supported PHP versions.

Drupal-Focused Compatibility Reality​

The Drupal SQL Server contrib driver (drupal/sqlsrv) now has modern paths to support these runtime changes.

// Example settings.php for SQL Server on Pantheon Gen 2
$databases['external']['default'] = [
  'database' => 'my_db',
  'username' => 'admin',
  'password' => 'password',
  'prefix' => '',
  'host' => 'sqlserver.example.com',
  'port' => '1433',
  'namespace' => 'Drupal\\sqlsrv\\Driver\\Database\\sqlsrv',
  'driver' => 'sqlsrv',
  'pdo' => [
    PDO::SQLSRV_ATTR_ENCODING => PDO::SQLSRV_ENCODING_UTF8,
    PDO::SQLSRV_ATTR_DIRECT_QUERY => TRUE,
  ],
];

That is helpful, but you still need environment-level validation because:

• The driver layer (Drupal DB driver) is separate from the runtime layer (Pantheon extensions + ODBC packages).
• A site can be "module-compatible" but still fail at runtime due to TLS/cert defaults, missing connection options, or subtle SQL behavior differences.
• Drupal 11 requires PHP 8.3, which aligns with Pantheon's new sqlsrv/pdo_sqlsrv availability, but your deployed connection config might still assume older ODBC behavior.

For WordPress teams: this matters primarily when custom code or middleware touches SQL Server, not for standard WordPress/MySQL setups. Agencies managing both CMS stacks should still treat this as an infra control-plane update.

Key Deployment Risks (Ordered by Impact)​

1) Encryption/certificate breakage on ODBC 18 paths​

Microsoft documents ODBC 18 as the modern driver family, and ecosystem guidance repeatedly flags the encryption-default change (Encrypt defaults to mandatory/yes) as the main migration break.

Risk pattern:

• Existing SQL Server endpoints with weak/self-signed cert chains.
• Connection strings with no explicit encryption settings.
• Runtime upgrade triggers connection failures that look like generic SQLSTATE transport errors.

Mitigation:

• Test ODBC 17 and ODBC 18 behavior separately in Dev.
• Make encryption intent explicit in connection configuration.
• Prefer trusted cert chain fixes over permanent TrustServerCertificate bypasses.

2) Mixed driver path drift (ODBC vs sqlsrv/pdo_sqlsrv)​

Pantheon now supports both native extensions (PHP 8.3+) and ODBC packages (PHP 8.2+). Teams can accidentally run different paths across environments.

Risk pattern:

• Dev on PHP 8.4 with native pdo_sqlsrv; Live still 8.2 path through ODBC assumptions.
• Different connection options and error signatures across envs.

Mitigation:

• Pin and document one intended connection stack per site/environment.
• Add runtime assertions in health checks (loaded extensions, connection attributes, TLS mode).
• Keep php version + runtime generation + db driver metadata in deployment checklists.

3) Timeline risk from Gen 1 removal​

Pantheon has explicit non-optional auto-upgrade windows in April 2026. Waiting until Test/Live auto-upgrade dates to validate SQL Server connectivity is operationally risky.

Mitigation:

• Upgrade Dev/Multidev first and run full Drupal smoke tests (drush status, cache rebuild, write/read flows, background jobs).
• Promote only after verified SQL Server transaction paths (imports, queues, cron, complex query workloads).

Recommended Rollout Pattern for Drupal Teams​

1. Baseline now: capture current runtime generation, PHP version, loaded SQL Server extensions, and DSN/connection settings.
2. Force explicit connection settings: encryption, trust behavior, timeout, charset, and retries.
3. Test on Gen 2 with production-like cert chain and database version.
4. Validate Drupal-specific paths: schema updates, entity saves under load, queue workers, and contrib modules with custom SQL.
5. Promote through Dev -> Test -> Live with rollback criteria pre-written.

Bottom Line​

Pantheon's March 2026 SQL Server update is a positive capability upgrade, especially for Drupal teams that needed native sqlsrv/pdo_sqlsrv on modern PHP. The real risk is not feature availability; it is configuration drift plus certificate/encryption assumptions during Gen 2 migration.

Treat this as an infra migration with database-connector QA, not as a patch-level runtime bump.

Sources​

• Pantheon release note: SQL Server connectivity improvements for PHP Runtime Generation 2 (8.2+)
• Pantheon docs: PHP Runtime Generation 2 (timeline, known changes)
• Drupal.org project: Drupal driver for SQL Server and SQL Azure
• Drupal.org releases: sqlsrv
• Microsoft msphpsql GitHub repository (driver prerequisites and release stream)
• Microsoft Learn: Download ODBC Driver for SQL Server
• Microsoft Learn troubleshooting note on certificate trust after moving to newer SQL Server drivers

Pantheon Content Publisher shipped to general availability after months of pre-release messaging since October 2025. The AI-assistive capabilities target content acceleration and quality — two words that marketing departments love combining and operations teams learn to distrust. For CMS teams evaluating this, the question worth asking is whether the controls keep up with the speed, or whether you're just publishing mistakes faster.

Pantheon reporting "All Systems Operational" is a good signal, but it is not a deploy approval by itself. I treat platform status as one input in a release gate that also checks app health, migration safety, and rollback readiness.

I sketched a traffic forensics workflow around Pantheon's new "top IPs / user agents / paths" metrics and turned it into a small, shippable reference so teams can spot noisy traffic fast and stop guessing where spikes come from.

I shipped a Drupal migrate mapping validator utility that catches broken mappings before they land in prod.