We ship a new Bitrise CLI version on the second Tuesday of every month.
The new release will be available on the bitrise.io virtual machines on the weekend after the CLI release, unless we discover any serious bug/regression.
Read on to learn more about this month’s Bitrise CLI release and about the changes around Bitrise tools and steps.
New version of Bitrise CLI (1.19.0)
1. Sensitive input validation update
The CLI version 1.18.0 introduced a new step input option: is_sensitive.
Step inputs which store secret values, like passwords, API tokens, an SSH key, etc. can be marked as sensitive.
These step input values need to be defined as secret environment variables to make sure they are not visible in the build logs: Bitrise CLI 1.15.0 introduced the secret filtering feature, which redacts the values defined as secret environment variables from the build log.
As the initial rollout of the sensitive step input feature, the bitrise run and bitrise trigger commands will print a warning message at the very beginning of the build log if your configuration has a security issue. The warning message looks like this:
Security validation failed: security issue in slack step's webhook_url input: value should be defined as a secret environment variable, but does not starts with '$' mark
or
Security validation failed: security issue in slack step's webhook_url input: value should be defined as a secret environment variable, but is_expand set to: false
While the run and trigger commands are just notifying you about the issue, the bitrise validate command fails in case of a security issue.
The bitrise validate --format json command will exit with status 1 and a similar output in case of a security issue:
{
  "data":{
    "config":{
      "is_valid":false,
      "error":"security issue in slack step's webhook_url input: value should be defined as a secret environment variable, but is_expand set to: false"
    },
    "secrets":{
      "is_valid":true
    }
  }
}
As the next phase of the security update, we will go through all of the steps maintained by Bitrise and release a new version with sensitive inputs marked as: is_sensitive.
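The two checks behind the warning messages above can be written as a small Go function. This is an added example, not the Bitrise CLI's own code: the Input type, the helper names and the sample values are assumptions made for illustration, as is treating an unset is_expand as true and skipping empty values.

```go
package main

import (
	"fmt"
	"strings"
)

// Input is a simplified, hypothetical model of one step input (not the CLI's own type).
type Input struct {
	Step, Key, Value string
	IsSensitive      bool
	IsExpand         *bool // nil = not set; assumed here to behave like true
}

func ptr(b bool) *bool { return &b }

// checkInput applies the two rules named in the warning messages to one input:
// a sensitive input must be expanded, and its value must reference a variable.
func checkInput(in Input) error {
	if !in.IsSensitive || in.Value == "" { // assumption: an empty value is unset and skipped
		return nil
	}
	const msg = "security issue in %s step's %s input: value should be defined as a secret environment variable, but %s"
	if in.IsExpand != nil && !*in.IsExpand {
		// Without expansion, "$NAME" is passed literally and the secret is never read.
		return fmt.Errorf(msg, in.Step, in.Key, "is_expand set to: false")
	}
	if !strings.HasPrefix(in.Value, "$") {
		// A literal value lives in the config and is not covered by secret filtering.
		return fmt.Errorf(msg, in.Step, in.Key, "does not starts with '$' mark")
	}
	return nil
}

func main() {
	// Constructed sample inputs; the URL and variable name are placeholders.
	inputs := []Input{
		{"slack", "webhook_url", "https://hooks.example.invalid/T000/B000", true, nil},
		{"slack", "webhook_url", "$SLACK_WEBHOOK_URL", true, ptr(false)},
		{"slack", "webhook_url", "$SLACK_WEBHOOK_URL", true, nil},
		{"slack", "channel", "#builds", false, nil},
	}
	for _, in := range inputs {
		if err := checkInput(in); err != nil {
			fmt.Println("Security validation failed:", err)
		}
	}
}
```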
2. Tools update
3. Default plugins update
4. Go dependencies update
New version of Stepman (0.10.0)
Go dependencies update.
New version of Envman (1.2.0)
EnvironmentItem model got a new option: is_sensitive. Set it to: true to mark the environment variable as sensitive.
New version of workflow-editor plugin (1.1.20)
- Step description (short/long) behavior updated on the UI
- UX revision of Input fields of Android keystore file
- Disable “Expose for Pull-requests” toggles in case of Public apps
- Add prominent warnings
- Fix ProvProfile name overlap
- Secrets tab fixed alignments and typo
- Fix secrets reveal button
- Update gems
New version of analytics plugin (0.9.14)
Go dependencies update.
New steps
- generate-changelog 0.9.0
Step updates
- android-lint 0.9.4:
  - added lintFix task skipping
- certificate-and-profile-installer 1.10.0:
  - Handle tvOS - Xcode managed provisioning profiles
  - Switch summary and description in step.yml
- create-android-emulator 1.1.6:
  - bitrise yml and dependency manager updated
  - fix typo for emulator - Thanks @jkaan for the fix
- deploy-to-itunesconnect-application-loader 0.9.2:
  - replace the password with “[REDACTED]” in the output
- feature-list-for-release-notes 0.0.3:
- file-downloader 1.0.1:
  - fix for failing if the destination has whitespace
- git-tag-project-version-and-build-number 1.0.1:
- github-release 0.9.3:
  - added asset upload option
  - fixed draft input’s value_option fields
  - changed step id for share
- go-test 1.0.1:
  - step definition update
- ios-auto-provision 1.1.3:
  - nil check error fix for target_attributes
- slack 2.7.3:
  - webhook URL set to secret param
- testfairy-deploy 2.1.1:
  - change is_expand on the API Key to true, as it’s expected to be passed from Secrets
  - step.yml clean
  - release config added
- trigger-bitrise-workflow 0.0.4:
  - deprecated API domain replaced with new equivalent
- xcode-archive 2.4.9:
  - auto detect iCloudContainerEnvironment export option value
- xcode-test 1.18.15:
  - Rename screenshot fix