|
| 1 | +--- |
| 2 | +title:"Release Notes: September 2024" |
| 3 | +description:"Release Notes for Codefresh Pipelines and GitOps" |
| 4 | +--- |
| 5 | +##Features & enhancements |
| 6 | + |
| 7 | +###Pipelines: Sigstore for signing container images |
| 8 | + |
| 9 | +We are excited to announce that Codefresh is at the forefront of the latest developments in container image authenticity and verification! |
| 10 | +By integrating with modern security standards like Sigstore, a trusted authority for signing container images, we provide you with a secure and streamlined solution for signing and verifying container images. |
| 11 | + |
| 12 | +Sigstore offers two signing methods to secure container images:**key-based signing**, the traditional method, and**keyless signing**, which leverages the OpenID Connect (OIDC) protocol. |
| 13 | +Codefresh fully supports both approaches for images generated by Codefresh pipelines. |
| 14 | + |
| 15 | +#####What’s unique about our implementation? |
| 16 | +Codefresh removes the complexity by integrating both key-based and keyless signing directly into your pipeline’s build step. This means you can sign container images with minimal configuration, making the entire process seamless and automated. |
| 17 | + |
| 18 | +To initiate the signing process, simply add this attribute in your pipeline’s build step: |
| 19 | + |
| 20 | +```yaml |
| 21 | +cosign: |
| 22 | +sign:true |
| 23 | +``` |
| 24 | +
|
| 25 | +##### Key-based signing |
| 26 | +Our key-based signing mechanism includes an option for password-based signing, adding an extra layer of security by unlocking the private key with a passphrase. |
| 27 | +
|
| 28 | +##### Keyless signing |
| 29 | +Keyless signing eliminates the need for long-term private key management by utilizing the OIDC protocol. |
| 30 | +Read all about it in our [blog](https://codefresh.io/blog/securing-containers-oidc/){:target="\_blank"}. |
| 31 | +
|
| 32 | +Codefresh is an official OIDC provider, and using Codefresh for keyless signing offers significant benefits: |
| 33 | +* Secure authentication |
| 34 | + Codefresh securely authenticates the pipeline at runtime, ensuring that only authorized pipelines can sign artifacts. |
| 35 | +
|
| 36 | +* Unique build identification |
| 37 | + The Codefresh OIDC provider generates claims that uniquely identify both the pipeline and the build in the issued token, ensuring that each image’s signature is tied to a specific pipeline and build. |
| 38 | +
|
| 39 | +* Robust verification |
| 40 | + External systems can use these embedded claims to confirm the origin and authenticity of the artifact, ensuring the image was signed by a trusted pipeline. |
| 41 | +
|
| 42 | +For details, see [Signing container images with Sigstore]({{site.baseurl}}/docs/pipelines/steps/build/#signing-container-images-with-sigstore). |
| 43 | +
|
| 44 | +
|
| 45 | +
|
| 46 | +### Pipelines: Enhancements for step-member variables & Boolean properties |
| 47 | +We just rolled out two key updates to give you more control and flexibility in your pipelines. |
| 48 | +
|
| 49 | +##### Seamless access to step-member variables across parallel steps |
| 50 | +
|
| 51 | +You can now reference step member variables between steps in the same parallel block. No extra work needed to pass information between steps. This update makes it easier to manage complex workflows and share context between parallel steps. |
| 52 | +
|
| 53 | +Here’s an example: |
| 54 | +
|
| 55 | +```yaml |
| 56 | +main_step: |
| 57 | +type:parallel |
| 58 | +steps: |
| 59 | +first: |
| 60 | +image:alpine |
| 61 | +commands: |
| 62 | + -echo steps.second.name=${{steps.second.name}} |
| 63 | +second: |
| 64 | +image:alpine |
| 65 | +commands: |
| 66 | + -echo steps.first.name=${{steps.first.name}} |
| 67 | +``` |
| 68 | +
|
| 69 | +##### Boolean properties as variables |
| 70 | +
|
| 71 | +We also updated properties with Boolean values to fully support variables. This means you can dynamically change the behavior of your pipeline using variables, with properties like`fail_fast`, for example. |
| 72 | + |
| 73 | +Here’s how it works: |
| 74 | + |
| 75 | +```yaml |
| 76 | +fail_fast: $VAR |
| 77 | +``` |
| 78 | + |
| 79 | +### GitOps: Argo CD v2.12 |
| 80 | + |
| 81 | +We have upgraded the Argo CD version in our platform to v2.12. For detailed information, see the [official docs](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.11-2.12/){:target="\_blank"}. |
| 82 | + |
| 83 | +##### GitOps Runtime version |
| 84 | +You need GitOps Runtime v0.12.0 which includes the latest version of the Helm chart from Argo CD, v7.x.x. |
| 85 | + |
| 86 | +##### Breaking change for cluster credentials value type |
| 87 | +Version 7.x.x of the chart includes the breaking change in the _value type for cluster credentials_. |
| 88 | +Previously, the `clusterCredentials` value type was `list`. In the latest version, the type has been changed to `map (object)`. |
| 89 | + |
| 90 | +As GitOps Runtimes do not use these values directly, runtimes with the default configuration are _not affected_. |
| 91 | + |
| 92 | + |
| 93 | +## Bug fixes |
| 94 | + |
| 95 | + |
| 96 | + |
| 97 | +##### Pipelines |
| 98 | +* For Bitbucket, build fails as `CF_PULL_REQUEST_ACTION` variable is not populated with correct value. |
| 99 | +* `Error: Failed to run Pipeline` for Azure DevOps SSO (Single Sign-On) provider. |
| 100 | +* Permission and missing scope error when running `codefresh validate yaml` command. |
| 101 | +* Conditions with `workflow.result`” incorrectly evaluated in terminated builds. |
| 102 | +* Some repositories not displayed in **Repository** list when creating trigger for Bitbucket server. |
| 103 | +* `CF_COMMIT_MESSAGE` and `CF_COMMIT_MESSAGE_ESCAPED` variables show text in Pull Request titles instead of commit messages. |
| 104 | +* Variables not supported as values for Boolean properties in pipelines. |
| 105 | + |
| 106 | + |
| 107 | + |
| 108 | + |
| 109 | +##### GitOps |
| 110 | +* Unable to connect to a Git provider using the Hosted GitOps Runtime. |
| 111 | +* Command failure for `argo-platform-analytics-reporter`. |
| 112 | +* GitOps permissions do not function correctly when attributes are applied. |
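Review bot: the YAML snippets in this file will not parse as shown because the space after the key colon and the list dash is missing, e.g. `sign:true`, `type:parallel` and `-echo steps.second.name=${{steps.second.name}}`, which YAML reads as plain scalars rather than a key/value pair or a sequence item; please restore the spaces (`sign: true`, `type: parallel`, `- echo ...`) and the nesting under `cosign:` and `steps:`. The same applies to several headings (`##Features & enhancements`, `###Pipelines: Sigstore ...`, `#####What's unique ...`) which need a space after the hashes to render as headings, while the later headings in the file (`##### Key-based signing`) already have it. Two smaller points: the bug-fix item `Conditions with `workflow.result`” incorrectly evaluated ...` has a stray closing quote after the backtick, and the `fail_fast: $VAR` example uses `$VAR` whereas the parallel-steps example above uses the `${{...}}` form, so it is worth confirming which syntax the Boolean-property feature actually accepts and showing that one. On the keyless-signing section, the "Robust verification" bullet says external systems use the embedded claims to confirm the artifact's origin but does not name them; naming the issuer/subject claims to pin (or linking to the page that does) would make the verification guidance actionable.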