Apr 1, 2025 · Mar 26, 2025 · Mar 27, 2025 · Mar 27, 2025 · Mar 30, 2025 · Mar 30, 2025
diff --git a/_docs/administration/account-user-management/access-control.md b/_docs/administration/account-user-management/access-control.md
 Rules combine teams (who), privileges (what), and tags (where) to create fine-grained access control policies.
 Codefresh supports ABAC with the flexibility to use both OR and AND operations for tags.


 Define rules using the *who, what, where* pattern to control access to entities and resources. Rules can be based on OR or AND relationships. See

 For each rule, select:
diff --git a/_docs/installation/installation-options/on-premises/on-prem-feature-management.md b/_docs/installation/installation-options/on-premises/on-prem-feature-management.md
 | Feature                     | Description            |  Default | Notes |
 | --------------              | --------------         | ------- | ------- |
 | `appDiffView`  |When enabled, and the application is out of sync, displays the differences for each resource in the application in either Compact or Split view modes.<br>See [Analyze out-of-sync applications with Diff View]({{site.baseurl}}/docs/deployments/gitops/monitor-applications/#analyze-out-of-sync-applications-in-diff-view) | TRUE         |  |
 | `abacAndRule`       | When enabled, supports creating ABAC rules for entities in Codefresh pipelines using "AND". <br>See [Configuring rules for access control in pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/#rules-for-access-control).|TRUE  |  |
 | `abacAndRule`       | When enabled, supports creating ABAC rules for entities in Codefresh pipelines using "AND". <br>See [Configuring rules for access control in pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/#rules-for-access-control).|FALSE  |_Default changed to FALSE in v2.7_ |
 |`abacRuntimeEnvironments`    | When enabled (the default), allows creating rules in **Permissions** which impacts options in <b>Pipeline > Settings > Build Runtime</b>: {::nomarkdown}<ul><li><b>Build Runtime Environment</b>: When enabled, allows restricting Runtime Environments available for pipelines based on tags. Restricted Runtime Environments are disabled in the Runtime Environments list for the pipeline/build run.</li><li><b>Pipeline</b> actions:<ul><li><b>Manage resources</b>: Select CPU, memory, and minimum disk space for the pipeline/build run.</li><li><b>Set runtime environment</b>: Select a Runtime Environment from those available in the Runtime Environments list for the pipeline/build run.</li><li><b>Set cloud builds</b>: Set Cloud build and select the resource size for the pipeline/build run.</li></ul></li></ul> {:/}| TRUE   | _Default changed to TRUE in v2.5_  |
 |`abacHermesTriggers`       | When enabled, restricts access to the legacy version of Cron triggers for users without permissions to edit pipelines.| FALSE  |  |
 |`abacUIEnforcement`        |  When enabled (the default), for Pipelines, prevents the user from selecting options and performing actions which are not permitted.| TRUE  | _Default changed to TRUE in v2.5_ |
 |`logMasking` |When enabled, secrets in build logs, both online and offline logs, are masked and replaced by asterisks. <br><br>This feature is currently available only for Enterprise customers. |FALSE|  |
 | `modulesConfigurationPage`     | When enabled (the default), enables administrators to customize the modules and menu items displayed in the sidebar. | TRUE         |_New in v2.6_ |
 | `multiSource`            | When enabled, supports displaying information for multi-source applications in the **GitOps Apps > Current State** tab, and in the **Product > Releases** tab.   | FALSE| _New in v2.6_ |
 | `newVariablesConfiguration` | When enabled, displays the new revamped form to add and configure variables in projects, pipelines, and triggers. |TRUE         |_Newin v2.6_ |
 | `newVariablesConfiguration` | When enabled, displays the new revamped form to add and configure variables in projects, pipelines, and triggers. |FALSE         |_Default changed to FALSEin v2.7_ |
 | `newLogo`     | When enabled (the default), displays the new logo in the Codefresh platform. | TRUE         |  _New in v2.6_ |
 |`parallelKubectlOperations` |When enabled, allows running parallel steps that includes `kubectl`. Especially Helm `install` and `deploy` steps that deploy to multiple clusters with `kubectl` in parallel. |FALSE|  |
 | `pipelineCreditConsumption` | When enabled (the default), supports credit-consumption analytics for pipelines. | TRUE         |  |
 | `promotionFlowsManagement`     | When enabled (the default), enables the administrator to add, edit, and delete Promotion Flows. <br>See [Configure Promotion Flows]({{site.baseurl}}/docs/promotions/promotion-flow/).| TRUE         |_New in v2.6_ |
 | `promotionPolicies`     | When enabled (the default), displays Promotion Policies in the sidebar. <br>See [Configure Promotion Policies]({{site.baseurl}}/docs/promotions/promotion-policy/). | TRUE         | _New in v2.6_ |
 | `promotionWorkflows` | When enabled (the default), allows you create and run workflows when a promotion is triggered.<br>See [Configure Promotion Workflows]({{site.baseurl}}/docs/promotions/promotion-workflow/).| TRUE  |_Default changed to TRUE in v2.6_  |
 | `promotionCommitStatuses`    | When enabled, the promotion mechanism reports the statuses of Git commits to Git providers. |FALSE   |_Newin v2.6_ |
 | `promotionCommitStatuses`    | When enabled, the promotion mechanism reports the statuses of Git commits to Git providers. |TRUE   |_Default changed to TRUEin v2.7_ |
 | `reportBuildStatusPerPipelineTriggerEvent`     | Currently supported for Bitbucket cloud.<br>When enabled, for builds with the same `pipelineId`, reports build statuses separately per `triggerId` and trigger event. | FALSE         |  |
 |`restrictedGitSource` | When enabled, allows you to create a Restricted Git Source in addition to a standard Git Source. <br>See [Managing Git Sources in GitOps Runtimes]({{site.baseurl}}/docs/installation/gitops/git-sources/).| FALSE         |   |
 |`supportGerrit`      | When enabled, adds the capability to connect to Gerrit as a Git provider. <br>See [Gerrit as Git provider for pipelines]({{site.baseurl}}/docs/integrations/git-providers/#gerrit).     | FALSE         |  |
diff --git a/_docs/pipelines/variables.md b/_docs/pipelines/variables.md
  A standard variable whose value is visible in plain text unless explicitly encrypted. You can create these manually, import them from a file with predefined values, or define empty variables without assigned values.
 * **Secret**
  A variable whose value is automatically encrypted and masked in logs.

 >**NOTE**
 Secret variables are currently not supported in on-premises environments.



diff --git a/_docs/whats-new/on-prem-release-notes.md b/_docs/whats-new/on-prem-release-notes.md

 Welcome to the release notes for our on-premises releases.


 ##On-premises version 2.7

 ###Features & enhancements

 ####Installing v2.7
 For detailed instructions on installing v2.7, visit[ArtifactHub](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh){:target="\_blank"}.

 ####Upgrading to v2.6
 For details, see[Upgrade to 2.7 in ArtifactHub](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh#to-2-7-0){:target="\_blank"}



 ####General: Increased limit for audit logs

 Codefresh keeps a log of all actions that happen at all times based on API calls that reach Codefresh. These include UI actions from users, CLI invocations, and any external integration used with Codefresh.
 We have now increased the audit limit_from 15,000 to 50,000_, which means you can access more data on how you use your Codefresh account.

 For details, see[Auditing actions in Codefresh]({{site.baseurl}}/docs/administration/account-user-management/audit/).

 <br><br>


 ####GitOps: Promotions with GitOps-the Codefresh advantage
 We’re excited to introduce**promotions** in Codefresh GitOps !

 In Continuous Delivery (CD), promotions are essential for advancing application versions across environments in a controlled, traceable manner.
 **Promotions in Codefresh GitOps** enhance this process by providing greater visibility, control, and automation while maintaining Git as the single source of truth. Additionally, they integrate with and extend**Argo CD**, enabling structured promotion flows, policy enforcement, and enhanced deployment tracking beyond standard application syncs.

 {% include
 image.html
 lightbox="true"
 file="/images/gitops-promotions/overview/promos-gitops.png"
 url="/images/gitops-promotions/overview/promos-gitops.png"
 alt="GitOps promotions in Codefresh"
 caption="GitOps promotions in Codefresh"
 max-width="60%"
 %}

 >**NOTE**
 GitOps promotions require Runtime version 0.13.4 or higher. Ensure your runtime is updated to access promotion features.

 #####Why use GitOps promotions in Codefresh?
 Codefresh builds on Argo CD’s deployment model by introducing structured promotion flows with additional context and automation:

 ***Declarative and version-controlled**
  Promotions are fully tracked in Git, tied to commits, ensuring traceability. Teams can see who triggered a promotion and why.

 ***Enhanced context and visibility**
  While Argo CD manages application deployments, Codefresh GitOps provides additional structure with:
 ***Environments**, defining stages in the software lifecyle, allowing you to track application progress.
 ***Products**, grouping related applications for unified promotion management.
 ***Releases**, providing end-to-end visibility into deployments across environments.


 #####Promotion entities
 Codefresh GitOps streamlines and automates promotions, eliminating the need for custom scripts.
 ***Promotion properties** to control which application properties are promoted and prevent unnecessary changes.
 ***Promotion Workflows** to enforce environment-specific checks such as validations, compliance, and performance checks at different stages of promotions.
 ***Promotion Policies** to govern advanced promotion behavior for environments.
 ***Promotion Flows** to automate complex promotions across multiple environments.

 For details, see[About promotions]({{site.baseurl}}/docs/promotions/promotions-overview/).

 <!--- ## GitOps: Simplified Runtime installation with the installation wizard

 Our new installation wizard, designed for ease of use and maximum visibility into every step, makes installing a GitOps Runtime simple, intuitive, and quick.


 ##### Key features
 * **Installation and configuration** steps clearly defined, allowing you to complete the entire setup from the same location.
 * **Guided experience** that walks you through each step.
 * **Inline parameter descriptions** so you always know what to define.
 * **Automatic progress saving** so you can stop anytime and resume exactly where you left off.

 ##### Installation
 Install a Runtime in three simple steps:
 * Define the Shared Configuration Repo and Git provider—a one-time action for the first Runtime in your account.
 * Review and define installation parameters, which are automatically populated in the install command.
 * Run the install command in your terminal.

 ##### Configuration
 Configuration steps are clearly defined, allowing you to complete setup correctly.
 * **Define Git credentials**, with the option to use the same token for both the Runtime and user authentication. Required scopes are detailed to ensure the correct permissions.
 * **Configure as an Argo CD Application** to take full advantage of GitOps.
 * **Add a Git source** to the Runtime so you are ready to create applications.

 -->





 ###Feature Flags
 Feature Flags are divided into new Feature Flags released in the current version, and changes to existing Feature Flags which are now enabled by default.

 <br>

 ####New Feature Flags in v2.7
 There are no new feature flags in this release.



 ####Updated Feature Flags in v2.7
 The table below lists existing Feature Flags which have been updated by default to be either enabled (set to_TRUE_), or disabled (set to_FALSE_).

 {: .table .table-bordered .table-hover}
 | Feature Flag| Description| Default Value|
 | -----------| ---------------------------------------------------------| -------------------------|
 |`abacAndRule`| When enabled, supports creating ABAC rules for entities in Codefresh pipelines using "AND".|_FALSE_|


 ###Bug fixes

 #####Pipelines
 * Builds frozen at the initialization phase when connecting to Vault secret store.
 * Build fails with`manifest unknown` error when referencing or including v1.0.12  of`jira-issue-manager` step.
 *`build` step fails to build ECR images when base image (`FROM`) is from a different AWS account.


 <br>

 #####GitOps
 * Broken hyperlink to Shared Configuration Repository in the Upgrade Runtime panel.
 * Typo in the parameter name in the`values.yaml` file of the`gitops-runtime` chart.

 ##On-premises version 2.6

 ###Features & enhancements




diff --git a/images/whats-new/mar25/variable-secret.png b/images/whats-new/mar25/variable-secret.png
Original file line number	Diff line number	Diff line change
Expand Up		@@ -225,6 +225,7 @@ Shared configuration can be environment variables, Helm values, encrypted secret
		Rules combine teams (who), privileges (what), and tags (where) to create fine-grained access control policies.
		Codefresh supports ABAC with the flexibility to use both OR and AND operations for tags.


		Define rules using the who, what, where pattern to control access to entities and resources. Rules can be based on OR or AND relationships. See

		For each rule, select:
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -66,7 +66,7 @@ The table describes in alphabetical order, the features you can open for Codefre
		\| Feature \| Description \| Default \| Notes \|
		\| -------------- \| -------------- \| ------- \| ------- \|
		\| `appDiffView` \|When enabled, and the application is out of sync, displays the differences for each resource in the application in either Compact or Split view modes.<br>See [Analyze out-of-sync applications with Diff View]({{site.baseurl}}/docs/deployments/gitops/monitor-applications/#analyze-out-of-sync-applications-in-diff-view) \| TRUE \| \|
		\| `abacAndRule` \| When enabled, supports creating ABAC rules for entities in Codefresh pipelines using "AND". <br>See [Configuring rules for access control in pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/#rules-for-access-control).\|TRUE \| \|
		\| `abacAndRule` \| When enabled, supports creating ABAC rules for entities in Codefresh pipelines using "AND". <br>See [Configuring rules for access control in pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/#rules-for-access-control).\|FALSE \|_Default changed to FALSE in v2.7_ \|
		\|`abacRuntimeEnvironments` \| When enabled (the default), allows creating rules in Permissions which impacts options in <b>Pipeline > Settings > Build Runtime</b>: {::nomarkdown}<ul><li><b>Build Runtime Environment</b>: When enabled, allows restricting Runtime Environments available for pipelines based on tags. Restricted Runtime Environments are disabled in the Runtime Environments list for the pipeline/build run.</li><li><b>Pipeline</b> actions:<ul><li><b>Manage resources</b>: Select CPU, memory, and minimum disk space for the pipeline/build run.</li><li><b>Set runtime environment</b>: Select a Runtime Environment from those available in the Runtime Environments list for the pipeline/build run.</li><li><b>Set cloud builds</b>: Set Cloud build and select the resource size for the pipeline/build run.</li></ul></li></ul> {:/}\| TRUE \| _Default changed to TRUE in v2.5_ \|
		\|`abacHermesTriggers` \| When enabled, restricts access to the legacy version of Cron triggers for users without permissions to edit pipelines.\| FALSE \| \|
		\|`abacUIEnforcement` \| When enabled (the default), for Pipelines, prevents the user from selecting options and performing actions which are not permitted.\| TRUE \| _Default changed to TRUE in v2.5_ \|
Expand DownExpand Up		@@ -100,7 +100,7 @@ The table describes in alphabetical order, the features you can open for Codefre
		\|`logMasking` \|When enabled, secrets in build logs, both online and offline logs, are masked and replaced by asterisks. <br><br>This feature is currently available only for Enterprise customers. \|FALSE\| \|
		\| `modulesConfigurationPage` \| When enabled (the default), enables administrators to customize the modules and menu items displayed in the sidebar. \| TRUE \|_New in v2.6_ \|
		\| `multiSource` \| When enabled, supports displaying information for multi-source applications in the GitOps Apps > Current State tab, and in the Product > Releases tab. \| FALSE\| _New in v2.6_ \|
		\| `newVariablesConfiguration` \| When enabled, displays the new revamped form to add and configure variables in projects, pipelines, and triggers. \|TRUE \|_Newin v2.6_ \|
		\| `newVariablesConfiguration` \| When enabled, displays the new revamped form to add and configure variables in projects, pipelines, and triggers. \|FALSE \|_Default changed to FALSEin v2.7_ \|
		\| `newLogo` \| When enabled (the default), displays the new logo in the Codefresh platform. \| TRUE \| _New in v2.6_ \|
		\|`parallelKubectlOperations` \|When enabled, allows running parallel steps that includes `kubectl`. Especially Helm `install` and `deploy` steps that deploy to multiple clusters with `kubectl` in parallel. \|FALSE\| \|
		\| `pipelineCreditConsumption` \| When enabled (the default), supports credit-consumption analytics for pipelines. \| TRUE \| \|
Expand All		@@ -111,7 +111,7 @@ The table describes in alphabetical order, the features you can open for Codefre
		\| `promotionFlowsManagement` \| When enabled (the default), enables the administrator to add, edit, and delete Promotion Flows. <br>See [Configure Promotion Flows]({{site.baseurl}}/docs/promotions/promotion-flow/).\| TRUE \|_New in v2.6_ \|
		\| `promotionPolicies` \| When enabled (the default), displays Promotion Policies in the sidebar. <br>See [Configure Promotion Policies]({{site.baseurl}}/docs/promotions/promotion-policy/). \| TRUE \| _New in v2.6_ \|
		\| `promotionWorkflows` \| When enabled (the default), allows you create and run workflows when a promotion is triggered.<br>See [Configure Promotion Workflows]({{site.baseurl}}/docs/promotions/promotion-workflow/).\| TRUE \|_Default changed to TRUE in v2.6_ \|
		\| `promotionCommitStatuses` \| When enabled, the promotion mechanism reports the statuses of Git commits to Git providers. \|FALSE \|_Newin v2.6_ \|
		\| `promotionCommitStatuses` \| When enabled, the promotion mechanism reports the statuses of Git commits to Git providers. \|TRUE \|_Default changed to TRUEin v2.7_ \|
		\| `reportBuildStatusPerPipelineTriggerEvent` \| Currently supported for Bitbucket cloud.<br>When enabled, for builds with the same `pipelineId`, reports build statuses separately per `triggerId` and trigger event. \| FALSE \| \|
		\|`restrictedGitSource` \| When enabled, allows you to create a Restricted Git Source in addition to a standard Git Source. <br>See [Managing Git Sources in GitOps Runtimes]({{site.baseurl}}/docs/installation/gitops/git-sources/).\| FALSE \| \|
		\|`supportGerrit` \| When enabled, adds the capability to connect to Gerrit as a Git provider. <br>See [Gerrit as Git provider for pipelines]({{site.baseurl}}/docs/integrations/git-providers/#gerrit). \| FALSE \| \|
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -271,6 +271,9 @@ When adding a user-defined variable, you can create a:
		A standard variable whose value is visible in plain text unless explicitly encrypted. You can create these manually, import them from a file with predefined values, or define empty variables without assigned values.
		* Secret
		A variable whose value is automatically encrypted and masked in logs.

		>NOTE
		Secret variables are currently not supported in on-premises environments.



Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,6 +6,132 @@ toc: true

		Welcome to the release notes for our on-premises releases.


		##On-premises version 2.7

		###Features & enhancements

		####Installing v2.7
		For detailed instructions on installing v2.7, visit[ArtifactHub](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh){:target="\_blank"}.

		####Upgrading to v2.6
		For details, see[Upgrade to 2.7 in ArtifactHub](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh#to-2-7-0){:target="\_blank"}



		####General: Increased limit for audit logs

		Codefresh keeps a log of all actions that happen at all times based on API calls that reach Codefresh. These include UI actions from users, CLI invocations, and any external integration used with Codefresh.
		We have now increased the audit limit_from 15,000 to 50,000_, which means you can access more data on how you use your Codefresh account.

		For details, see[Auditing actions in Codefresh]({{site.baseurl}}/docs/administration/account-user-management/audit/).

		<br><br>


		####GitOps: Promotions with GitOps-the Codefresh advantage
		We’re excited to introducepromotions in Codefresh GitOps !

		In Continuous Delivery (CD), promotions are essential for advancing application versions across environments in a controlled, traceable manner.
		Promotions in Codefresh GitOps enhance this process by providing greater visibility, control, and automation while maintaining Git as the single source of truth. Additionally, they integrate with and extendArgo CD, enabling structured promotion flows, policy enforcement, and enhanced deployment tracking beyond standard application syncs.

		{% include
		image.html
		lightbox="true"
		file="/images/gitops-promotions/overview/promos-gitops.png"
		url="/images/gitops-promotions/overview/promos-gitops.png"
		alt="GitOps promotions in Codefresh"
		caption="GitOps promotions in Codefresh"
		max-width="60%"
		%}

		>NOTE
		GitOps promotions require Runtime version 0.13.4 or higher. Ensure your runtime is updated to access promotion features.

		#####Why use GitOps promotions in Codefresh?
		Codefresh builds on Argo CD’s deployment model by introducing structured promotion flows with additional context and automation:

		*Declarative and version-controlled
		Promotions are fully tracked in Git, tied to commits, ensuring traceability. Teams can see who triggered a promotion and why.

		*Enhanced context and visibility
		While Argo CD manages application deployments, Codefresh GitOps provides additional structure with:
		*Environments, defining stages in the software lifecyle, allowing you to track application progress.
		*Products, grouping related applications for unified promotion management.
		*Releases, providing end-to-end visibility into deployments across environments.


		#####Promotion entities
		Codefresh GitOps streamlines and automates promotions, eliminating the need for custom scripts.
		*Promotion properties to control which application properties are promoted and prevent unnecessary changes.
		*Promotion Workflows to enforce environment-specific checks such as validations, compliance, and performance checks at different stages of promotions.
		*Promotion Policies to govern advanced promotion behavior for environments.
		*Promotion Flows to automate complex promotions across multiple environments.

		For details, see[About promotions]({{site.baseurl}}/docs/promotions/promotions-overview/).

		<!--- ## GitOps: Simplified Runtime installation with the installation wizard

		Our new installation wizard, designed for ease of use and maximum visibility into every step, makes installing a GitOps Runtime simple, intuitive, and quick.


		##### Key features
		* Installation and configuration steps clearly defined, allowing you to complete the entire setup from the same location.
		* Guided experience that walks you through each step.
		* Inline parameter descriptions so you always know what to define.
		* Automatic progress saving so you can stop anytime and resume exactly where you left off.

		##### Installation
		Install a Runtime in three simple steps:
		* Define the Shared Configuration Repo and Git provider—a one-time action for the first Runtime in your account.
		* Review and define installation parameters, which are automatically populated in the install command.
		* Run the install command in your terminal.

		##### Configuration
		Configuration steps are clearly defined, allowing you to complete setup correctly.
		* Define Git credentials, with the option to use the same token for both the Runtime and user authentication. Required scopes are detailed to ensure the correct permissions.
		* Configure as an Argo CD Application to take full advantage of GitOps.
		* Add a Git source to the Runtime so you are ready to create applications.

		-->





		###Feature Flags
		Feature Flags are divided into new Feature Flags released in the current version, and changes to existing Feature Flags which are now enabled by default.

		<br>

		####New Feature Flags in v2.7
		There are no new feature flags in this release.



		####Updated Feature Flags in v2.7
		The table below lists existing Feature Flags which have been updated by default to be either enabled (set to_TRUE_), or disabled (set to_FALSE_).

		{: .table .table-bordered .table-hover}
		\| Feature Flag\| Description\| Default Value\|
		\| -----------\| ---------------------------------------------------------\| -------------------------\|
		\|`abacAndRule`\| When enabled, supports creating ABAC rules for entities in Codefresh pipelines using "AND".\|_FALSE_\|


		###Bug fixes

		#####Pipelines
		* Builds frozen at the initialization phase when connecting to Vault secret store.
		* Build fails with`manifest unknown` error when referencing or including v1.0.12 of`jira-issue-manager` step.
		*`build` step fails to build ECR images when base image (`FROM`) is from a different AWS account.


		<br>

		#####GitOps
		* Broken hyperlink to Shared Configuration Repository in the Upgrade Runtime panel.
		* Typo in the parameter name in the`values.yaml` file of the`gitops-runtime` chart.

		##On-premises version 2.6

		###Features & enhancements
Expand DownExpand Up		@@ -2102,4 +2228,3 @@ The table below describes the Feature Flags in the Codefresh On-Premises release