v3.64.0

v3.64.0 (2024-02-21)

Full Changelog

Added

• De-experimentify Job API #2646 (@triarius)
• Add explicit queue flag to the agent #2648 (@moskyb)
• Add an info log of which experiments are known and enabled on agent start #2645 (@triarius)
• Add cli command to read from Pipelines Secrets [Not available to customers yet] #2647 (@triarius)

Fixed

• YAML marshaling of wait, block, and input scalar steps (when using tool sign or pipeline upload --format=yaml) #2640 (@DrJosh9000)
• Packaging: Use separate repos for each package type #2636 (@sj26)

Internal

• Various dependency updates: #2643, #2642 #2641, #2638, #2640, #2639, #2637 (@dependabot[bot])

v3.63.1

v3.63.1 (2024-02-16)

Full Changelog

Fixed

• Fix NPE when decoding token response #2634 (@moskyb)

v3.63.0

v3.63.0 (2024-02-14)

Full Changelog

Warning

This release has two potentially breaking changes in the way environment
variables are interpolated.

• Interpolation on Windows should be done in a case-insensitive manner to be
  compatible with Batch scripts and Powershell. This was working correctly up
  until some refactoring in v3.59.0.

  For example, this pipeline:

  env:
    FOO: bar
  steps:
  - command: echo $Foo $FOO

  should now be correctly interpolated on Windows as:

  env:
    FOO: bar
  steps:
  - command: echo bar bar

  Interpolation on other platforms is unchanged.

• Our documented interpolation rules
  implies that variables from the agent environment have higher precedence than
  variables defined by the job environment ("we merge in some of the variables
  from the agent environment").

  Suppose the agent environment contains FOO=runtime_foo. The pipeline

  env:
    BAR: $FOO
    FOO: pipeline_foo
  steps:
  - command: echo hello world

  would in previous releases be interpolated as:

  env:
    BAR: runtime_foo
    FOO: pipeline_foo
  steps:
  - command: echo hello world

  On the other hand, the pipeline

  env:
    FOO: pipeline_foo
    BAR: $FOO
  steps:
  - command: echo hello world

  would be interpolated to become

  env:
    FOO: pipeline_foo
    BAR: pipeline_foo
  steps:
  - command: echo hello world

  We think this is inconsistent with the agent environment taking precedence,
  and if users would like to interpolate $FOO as the value of the pipeline
  level definition of FOO, they should ensure the agent environment does not
  contain FOO.

Added

• BK github app git credentials helper #2599 (@moskyb)

Fixed

• Fix pipeline interpolation case sensitivity on Windows, and runtime environment variable precedence #2624 (@triarius)
• Fix environment variable changes in hooks logged incorrectly #2621 (@triarius)
• Fix Powershell hooks on windows #2613 (@triarius)
• Fix bug where unauthorised register was retrying erroneously #2614 (@moskyb)
• Fix docs for --allowed-environment-variables #2598 (@tessereth)

Upgraded

• The agent is now built with Go 1.22 #2631 (@moskyb)

Internal

• Add a PR template #2601 (@triarius)
• Move check from upload-release-steps.sh to pipeline.yml #2617 (@DrJosh9000)
• build-github-release.sh tidyups #2619 (@DrJosh9000)
• Various dependency updates #2625, #2630, #2627, #2626, #2622, #2605, #2609, #2603, #2602, #2604, #2606, #2616, #2610, #2611 (@dependabot[bot])

v3.62.0

v3.62.0 (2024-01-23)

Full Changelog

Added

• Add more fields to job logger #2578 (@ChrisBr)
• Environment Variable allowlisting #2539 (@moskyb, originally @CheeseStick)

Fixed

• When the server returns a 401, stop retrying and bail out #2569 (@SorchaAbel)
• Retry for 24 hours instead of forever #2588 (@tessereth)
• Documentation updates #2590 (@moskyb), #2591 (@moskyb), #2589 (@moskyb)

Internal

• Various @dependabot[bot] updates #2587, #2594, #2596, #2595, #2593, #2592, #2585, #2584, #2583, #2573, #2582, #2572, #2571, #2575, #2580, #2567, #2566, #2563, #2562, #2564, #2565

v3.61.0

v3.61.0 (2023-12-14)

Full Changelog

Added

• Add more debug logging and error wrapping for running processes #2543 (@triarius)
• Enable overriding buildkite-agent url in install.ps1 #1805 (@staticfloat)

Fixed

• Buildkite build script is broken due to missing version default value #2559 (@amir-khatibzadeh)
• Update go-pipeline to v0.3.2 (fixes parsing pipelines that contain YAML aliases used as mapping keys) #2560 (@DrJosh9000)

Changed

• Alpine image updated from 3.18.5 to 3.19.0 #2545, #2549, #2550, #2551 (@dependabot[bot])

Internal

• Make it clear these are not leaked credentials #2554 (@sj26)
• Various other @dependabot[bot] updates #2553, #2544, #2548, #2552, #2547

v3.60.1

v3.60.1 (2023-12-06)

Full Changelog

Security

• Bump docker/library/golang from 1.21.4 to 1.21.5 in /.buildkite #2542 (@dependabot[bot])

Fixed

• Fix typo in environment variable name for allowed-plugins #2526 (@moskyb)
• Fix environment variable interpolation into command step labels #2540 (@triarius)

Internal

• Refactor hook wrapper writing #2505 (@triarius)
• Use os.RemoveAll in cleanup #2538 (@DrJosh9000)
• Dependencies #2537 #2536 #2500 #2528 #2529 #2533 #2532 #2534 #2535 (@dependabot[bot])

v3.60.0

v3.60.0 (2023-11-29)

Full Changelog

Signed pipelines is now GA! Check out the docs here if you want a little more zero-trust mixed into your pipelines.

Added

• Signed Pipelines goes GA! 🎉 #2492 #2521 #2522 (@moskyb + @triarius)

Changed

• Insert extra timestamps after a timeout #2447 (@DrJosh9000)
• Log the max size warning once #2497 (@DrJosh9000)
• MetaDataSetCommand: retry longer (exponential backoff) #2514 (@pda)
• Humanize bytes to IEC (1024 → KiB etc) not SI (1000 → KB etc) #2513 (@pda)

Internal

• More log streamer cleanups #2498 (@DrJosh9000)
• Add a helpful note to security researchers #2520 (@DrJosh9000)
• Update Go to 1.21 #2284 (@triarius + @moskyb)
• Dependabot's making us all look bad at our jobs: #2501 #2499 #2515 #2509 #2502 #2516 #2517 #2496 #2493 #2495 #2494 #2504

v3.59.0

v3.59.0 (2023-11-09)

Full Changelog

Security

• This release is built with Go 1.20.11, which includes fixes for two vulnerabilities in file path handling on Windows (CVE-2023-45283, CVE-2023-45284). #2486 (@dependabot[bot])

Changed

• Experimental: Signed Pipelines
  • Allow omitting the key ID when signing pipelines #2481 (@triarius)
  • Remove Org and Pipeline slugs from pipeline invariants and update the signing tool to use the GraphQL API #2479 (@triarius)
  • Add key.Validate call #2488 (@DrJosh9000)
• Use zzglob.MultiGlob to process multiple globs simultaneously, and stop sending GlobPath with artifact upload #2472 (@DrJosh9000)

Internal

• Migrate usage of internal/{pipeline,ordered,jwkutil} to go-pipeline #2489 (@moskyb)
• Update bintest to v3.2.0 to resolve ETXTBSY race condition in tests #2480 (@DrJosh9000)
• Fix race in header times streamer #2485, #2487 (@DrJosh9000)
• Various dependency updates #2484, #2482 (@dependabot[bot])

v3.58.0

v3.58.0 (2023-11-02)

Full Changelog

Added

• Add allowed-plugin param to enable plugins allow-list #2471 (@jakubm-canva)
• New experiment: pty-raw avoids LF→CRLF mapping by setting PTY to raw mode #2453 (@pda)
• Experimental: Signed Pipelines
  • Add some pipeline invariants to the signature and create a cli subcommand to sign a pipeline #2457 (@triarius)
  • Add log group headers and timestamps to job verification success and failure logs #2461 (@triarius)

Fixed

• Fix checkout of short commit hashes #2465 (@triarius)
• Parallelise artifact collection #2456 (@DrJosh9000), #2477 (@DrJosh9000)
• Log warning about short vars once #2454 (@DrJosh9000)

Internal

• Reduce header regexps #2135 (@DrJosh9000)
• Various dependency updates: #2469, #2468, #2467, #2463, #2450, #2460, #2459, #2458 (@dependabot[bot])

v3.57.0

v3.57.0 (2023-10-19)

Full Changelog

Added

• Experimental: Signed Pipelines
  • Signing build matrices #2440 #2429 #2426 #2425 #2391 #2395 (@DrJosh9000)
  • Add debug logs for job verification #2439 (@DrJosh9000)
  • Reduce information in verification errors #2431 (@DrJosh9000)
  • Separate step/pipeline env vars for job validation #2428 (@DrJosh9000)
  • Signing config cleanup #2420 #2427 (@moskyb)
  • Fix verifying jobs with no plugins #2419 (@DrJosh9000)
  • Use canonicalised JSON as signature payload #2416 (@DrJosh9000)
  • Add utility for generating signing and verification keys #2415 #2422 (@moskyb)

Changed

• Revert "Upgrade pre-installed packages in docker images" and Pin docker images by digest #2430 (@triarius)

Internal

• Use docker image bases from ECR public gallery #2423 #2424 (@triarius + @moskyb)
• Add CODEOWNERS file #2444 (@moskyb)
• Push agent packages to Packagecloud #2438 #2441 #2443 #2442 (@sj26)
• Test clicommand config completeness #2414 (@moskyb)
• As always, the cosmic background radiation of dependabot updates. Thanks dependabot! #2435 #2434 #2433 #2432 #2421 #2418 #2417 (@dependabot[bot])