Release Notes: September 2024

Release Notes for Codefresh Pipelines and GitOps

Features & enhancements

Pipelines: Sigstore for signing container images

We are excited to announce that Codefresh is at the forefront of the latest developments in container image authenticity and verification! By integrating with modern security standards like Sigstore, a trusted authority for signing container images, we provide you with a secure and streamlined solution for signing and verifying container images.

Sigstore offers two signing methods to secure container images: key-based signing, the traditional method, and keyless signing, which leverages the OpenID Connect (OIDC) protocol. Codefresh fully supports both approaches for images generated by Codefresh pipelines.

What’s unique about our implementation?

Codefresh removes the complexity by integrating both key-based and keyless signing directly into your pipeline’s build step. This means you can sign container images with minimal configuration, making the entire process seamless and automated.

To initiate the signing process, simply add this attribute in your pipeline’s build step:

cosign:
  sign: true

Key-based signing

Our key-based signing mechanism includes an option for password-based signing, adding an extra layer of security by unlocking the private key with a passphrase.

Keyless signing

Keyless signing eliminates the need for long-term private key management by utilizing the OIDC protocol. Read all about it in our blog.

Codefresh is an official OIDC provider, and using Codefresh for keyless signing offers significant benefits:

  • Secure authentication
    Codefresh securely authenticates the pipeline at runtime, ensuring that only authorized pipelines can sign artifacts.

  • Unique build identification
    The Codefresh OIDC provider generates claims that uniquely identify both the pipeline and the build in the issued token, ensuring that each image’s signature is tied to a specific pipeline and build.

  • Robust verification
    External systems can use these embedded claims to confirm the origin and authenticity of the artifact, ensuring the image was signed by a trusted pipeline.

For details, see Signing container images with Sigstore.
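The consumer side of this feature, verifying an image that a build step signed with `cosign: sign: true`, as an added shell example that is not Codefresh's own code. For keyless signatures the verifier must pin both the OIDC issuer and the signer identity, otherwise any certificate from the public Fulcio CA would pass; the issuer URL and identity pattern below are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example (not Codefresh's own code): wrap `cosign verify` for the two
# signing methods the release notes describe, key-based and keyless.

# Assumed values: the Codefresh OIDC issuer URL and a regexp matching the
# identity your signing pipeline presents. Replace both with your own.
CF_OIDC_ISSUER="${CF_OIDC_ISSUER:-https://oidc.codefresh.io}"
CF_IDENTITY_REGEXP="${CF_IDENTITY_REGEXP:-pipeline:release-build}"

# Command line for keyless verification: issuer AND identity are pinned so a
# signature from another issuer or another pipeline is rejected.
keyless_verify_cmd() {
  printf 'cosign verify --certificate-oidc-issuer %s --certificate-identity-regexp %s %s' \
    "$CF_OIDC_ISSUER" "$CF_IDENTITY_REGEXP" "$1"
}

# Command line for key-based verification against the public half of the key
# the pipeline signed with (the private key stays in the pipeline, passphrase-protected).
keybased_verify_cmd() {
  printf 'cosign verify --key %s %s' "$2" "$1"
}

# Run the verification. Exit codes: 0 verified, 1 signature rejected,
# 2 cosign not installed, 64 bad arguments.
verify_image() {
  mode="$1"; image="$2"; pubkey="$3"
  case "$mode" in
    keyless) [ -n "$image" ] || return 64 ;;
    key)     [ -n "$image" ] && [ -r "$pubkey" ] || return 64 ;;
    *)       return 64 ;;
  esac
  command -v cosign >/dev/null 2>&1 || return 2
  if [ "$mode" = keyless ]; then
    cosign verify --certificate-oidc-issuer "$CF_OIDC_ISSUER" \
      --certificate-identity-regexp "$CF_IDENTITY_REGEXP" "$image" >/dev/null || return 1
  else
    cosign verify --key "$pubkey" "$image" >/dev/null || return 1
  fi
}
```

Run it as `verify_image keyless registry.example.com/app:1.0` or `verify_image key registry.example.com/app:1.0 cosign.pub` and gate deployment on the exit code.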

Pipelines: Enhancements for step-member variables & Boolean properties

We just rolled out two key updates to give you more control and flexibility in your pipelines.

Seamless access to step-member variables across parallel steps

You can now reference step member variables between steps in the same parallel block. No extra work needed to pass information between steps. This update makes it easier to manage complex workflows and share context between parallel steps.

Here’s an example:

main_step:
  type: parallel
  steps:
    first:
      image: alpine
      commands:
        - echo steps.second.name=${{steps.second.name}}
    second:
      image: alpine
      commands:
        - echo steps.first.name=${{steps.first.name}}

Boolean properties as variables

We also updated properties with Boolean values to fully support variables. This means you can dynamically change the behavior of your pipeline using variables, with properties like fail_fast, for example.

Here’s how it works:

fail_fast: ${{VAR}}

GitOps: Argo CD v2.12

We have upgraded the Argo CD version in our platform to v2.12. For detailed information, see the official docs.

GitOps Runtime version

You need GitOps Runtime v0.12.0, which includes the latest version of the Argo CD Helm chart, v7.x.x.

Breaking change for cluster credentials value type

Version 7.x.x of the chart includes a breaking change in the value type for cluster credentials.
Previously, the clusterCredentials value was a list. In the latest version, the type has been changed to a map (object).

As GitOps Runtimes do not use these values directly, runtimes with the default configuration are not affected.

Bug fixes

Pipelines
  • For Bitbucket, build fails as CF_PULL_REQUEST_ACTION variable is not populated with correct value.
  • Error: Failed to run Pipeline for Azure DevOps SSO (Single Sign-On) provider.
  • Permission and missing scope error when running codefresh validate yaml command.
  • Conditions with workflow.result incorrectly evaluated in terminated builds.
  • Some repositories not displayed in Repository list when creating trigger for Bitbucket server.
  • CF_COMMIT_MESSAGE and CF_COMMIT_MESSAGE_ESCAPED variables show text in Pull Request titles instead of commit messages.
  • Variables not supported as values for Boolean properties in pipelines.
GitOps
  • Unable to connect to a Git provider using the Hosted GitOps Runtime.
  • Command failure for argo-platform-analytics-reporter.
  • GitOps permissions do not function correctly when attributes are applied.