Release Notes: September 2024
Release Notes for Codefresh Pipelines and GitOps
Features & enhancements
Pipelines: Sigstore for signing container images
We are excited to announce that Codefresh is at the forefront of the latest developments in container image authenticity and verification! By integrating with modern security standards like Sigstore, a trusted authority for signing container images, we provide you with a secure and streamlined solution for signing and verifying container images.
Sigstore offers two signing methods to secure container images: key-based signing, the traditional method, and keyless signing, which leverages the OpenID Connect (OIDC) protocol. Codefresh fully supports both approaches for images generated by Codefresh pipelines.
What’s unique about our implementation?
Codefresh removes the complexity by integrating both key-based and keyless signing directly into your pipeline’s build step. This means you can sign container images with minimal configuration, making the entire process seamless and automated.
To initiate the signing process, add this attribute in your pipeline’s build step:
cosign:
  sign: true
Key-based signing
Our key-based signing mechanism includes an option for password-based signing, adding an extra layer of security by unlocking the private key with a passphrase.
Keyless signing
Keyless signing eliminates the need for long-term private key management by utilizing the OIDC protocol. Read all about it in our blog.
Codefresh is an official OIDC provider, and using Codefresh for keyless signing offers significant benefits:
- Secure authentication: Codefresh securely authenticates the pipeline at runtime, ensuring that only authorized pipelines can sign artifacts.
- Unique build identification: The Codefresh OIDC provider generates claims that uniquely identify both the pipeline and the build in the issued token, ensuring that each image’s signature is tied to a specific pipeline and build.
- Robust verification: External systems can use these embedded claims to confirm the origin and authenticity of the artifact, ensuring the image was signed by a trusted pipeline.
For details, see Signing container images with Sigstore.
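The "robust verification" point above is what a deploying system has to implement on the consumer side: a Sigstore signature is only as useful as the identity policy applied to it. The following is an added example (not Codefresh or Sigstore code) that checks the JSON `cosign verify` prints for a keyless signature against an expected issuer and pipeline identity and the exact image digest; the issuer URL, the subject claim format and the sample output are placeholders constructed for the example.

```python
"""Policy check over the JSON that `cosign verify --output json` prints.

Added example, not Codefresh or Sigstore code. Assumes cosign's verify output
shape (a list of objects with "critical" and "optional" members, where
optional.Issuer and optional.Subject carry the certificate's OIDC claims).
The issuer URL and identity pattern below are placeholders, not real values.
"""
import json
import re

# Placeholder issuer and identity pattern for the trusted pipeline; the real
# values come from your Codefresh account's OIDC configuration.
EXPECTED_ISSUER = "https://oidc.codefresh-placeholder.invalid"
EXPECTED_SUBJECT_RE = re.compile(r"^pipeline:prod-build-.*$")  # assumed claim format

# Constructed sample of `cosign verify --output json` for one signature.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "registry.example/app"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": EXPECTED_ISSUER,
        "Subject": "pipeline:prod-build-42",
    },
}])


def signature_allowed(verify_json: str, image_digest: str) -> tuple[bool, str]:
    """Return (ok, reason). Every returned signature must bind the expected
    issuer and subject to the exact digest being deployed; a cryptographically
    valid Sigstore signature from an unexpected identity is still rejected."""
    try:
        entries = json.loads(verify_json)
    except json.JSONDecodeError as exc:
        return False, f"unparseable verify output: {exc}"
    if not entries:
        return False, "no signatures returned"
    for entry in entries:
        digest = entry.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        if digest != image_digest:
            return False, f"signature is for {digest}, not {image_digest}"
        opt = entry.get("optional") or {}
        if opt.get("Issuer") != EXPECTED_ISSUER:
            return False, f"untrusted issuer {opt.get('Issuer')!r}"
        if not EXPECTED_SUBJECT_RE.fullmatch(opt.get("Subject") or ""):
            return False, f"identity {opt.get('Subject')!r} is not an allowed pipeline"
    return True, "all signatures bound to a trusted pipeline identity"
```

Pin the digest from the image you are about to deploy, not from the signature, so a signature copied from another build cannot satisfy the check.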
Pipelines: Enhancements for step-member variables & Boolean properties
We just rolled out two key updates to give you more control and flexibility in your pipelines.
Seamless access to step-member variables across parallel steps
You can now reference step member variables between steps in the same parallel block. No extra work needed to pass information between steps. This update makes it easier to manage complex workflows and share context between parallel steps.
Here’s an example:
main_step:
  type: parallel
  steps:
    first:
      image: alpine
      commands:
        - echo steps.second.name=$
    second:
      image: alpine
      commands:
        - echo steps.first.name=$
Boolean properties as variables
We also updated properties with Boolean values to fully support variables. This means you can dynamically change the behavior of your pipeline using variables, with properties like fail_fast, for example.
Here’s how it works:
fail_fast: $VAR
GitOps: Argo CD v2.12
We have upgraded the Argo CD version in our platform to v2.12. For detailed information, see the official docs.
GitOps Runtime version
You need GitOps Runtime v0.12.0, which includes the latest version of the Argo CD Helm chart, v7.x.x.
Breaking change for cluster credentials value type
Version 7.x.x of the chart includes a breaking change in the value type for cluster credentials.
Previously, the clusterCredentials value type was list. In the latest version, the type has been changed to map (object).
As GitOps Runtimes do not use these values directly, runtimes with the default configuration are not affected.
Bug fixes
Pipelines
- For Bitbucket, build fails as CF_PULL_REQUEST_ACTION variable is not populated with correct value.
- Error: Failed to run Pipeline for Azure DevOps SSO (Single Sign-On) provider.
- Permission and missing scope error when running codefresh validate yaml command.
- Conditions with workflow.result incorrectly evaluated in terminated builds.
- Some repositories not displayed in Repository list when creating trigger for Bitbucket server.
- CF_COMMIT_MESSAGE and CF_COMMIT_MESSAGE_ESCAPED variables show text in Pull Request titles instead of commit messages.
- Variables not supported as values for Boolean properties in pipelines.
GitOps
- Unable to connect to a Git provider using the Hosted GitOps Runtime.
- Command failure for argo-platform-analytics-reporter.
- GitOps permissions do not function correctly when attributes are applied.