Monthly release of Bitrise CLI tools and summary of updates (July)

We ship a new bitrise cli version on the second Tuesday of every month.
The new release will be available on the bitrise.io
virtual machines on the weekend after the CLI release,
unless we discover any serious bug/regression.

Read on to learn more about this month’s Bitrise CLI release and about the changes around Bitrise tools and steps.


New version of Bitrise CLI (1.19.0)

1. Sensitive input validation update

The cli version 1.18.0 introduced a new step input option: is_sensitive.
Step inputs which store secret values, like passwords, api tokens, an SSH key, etc. can be marked as sensitive.
These step input values need to be defined as secret environment variables to make sure they are not visible in the build logs
as Bitrise CLI 1.15.0 introduced the secret filtering feature, which redacts the values defined as secret environment variables from the build log.

As the initial rollout of the sensitive step input feature, the bitrise run and bitrise trigger commands
will print a warning message at the very beginning of the build log if your configuration has a security issue. The warning message looks like this:

Security validation failed: security issue in slack step's webhook_url input: value should be defined as a secret environment variable, but does not starts with '$' mark

or

Security validation failed: security issue in slack step's webhook_url input: value should be defined as a secret environment variable, but is_expand set to: false

While the run and trigger commands are just notifying you about the issue, the bitrise validate command fails in case of a security issue.

bitrise validate --format json command will exit with status 1 and a similar output in case of security issue:

{  
   "data":{  
      "config":{  
         "is_valid":false,
         "error":"security issue in slack step's webhook_url input: value should be defined as a secret environment variable, but is_expand set to: false"
      },
      "secrets":{  
         "is_valid":true
      }
   }
}

As the next phase of the security update, we will go through all of steps maintained by Bitrise
and release a new version with sensitive inputs marked as: is_sensitive.

2. Tools update

  • envman update to version 1.2.0
  • stepman update to version 0.10.0

3. Default plugins update

  • workflow-editor plugin updated to version 1.1.20
  • analytics plugin updated to version 0.9.14

4. Go dependencies update


New version of Stepman (0.10.0)

Go dependencies update.


New version of Envman (1.2.0)

EnvironmentItem model got a new option: is_sensitive. Set it to: true to mark the environment variable as sensitive.


New version of workflow-editor plugin (1.1.20)

  • Step description (short/long) behavior updated on the UI
  • UX revision of Input fields of Android keystore file
  • Disable “Expose for Pull-requests” toggles in case of Public apps
  • Add prominent warnings
  • Fix ProvProfile name overlap
  • Secrets tab fixed alignments and typo
  • Fix secrets reveal button
  • Update gems

New version of analytics plugin (0.9.14)

Go dependencies update.


New steps

  • generate-changelog 0.9.0

Step updates

  • android-lint 0.9.4:
    • added lintFix task skipping
  • certificate-and-profile-installer 1.10.0:
    • Handle TvOS - Xcode managed provisioning profiles
    • Switch summary and description in step.yml
  • create-android-emulator 1.1.6:
    • bitrise yml and dependency manager updated
    • fix typo for emulator - Thanks @jkaan for the fix
  • deploy-to-itunesconnect-application-loader 0.9.2:
    • replace the password with “[REDACTED]” in the output
  • feature-list-for-release-notes 0.0.3:
  • file-downloader 1.0.1:
    • fix for failing if the destination has whitespace
  • git-tag-project-version-and-build-number 1.0.1:
  • github-release 0.9.3:
    • added asset upload option
    • fixed draft input’s value_option fields
    • changed step id for share
  • go-test 1.0.1:
    • step definition update
  • ios-auto-provision 1.1.3:
    • nil check error fix for target_attributes
  • slack 2.7.3:
    • webhook URL set to secret param
  • testfairy-deploy 2.1.1:
    • change is_expand on the API Key to true, as it’s expected to be passed from Secrets
    • step.yml clean
    • release config added
  • trigger-bitrise-workflow 0.0.4:
    • deprecated API domain replaced with new equivalent
  • xcode-archive 2.4.9:
    • auto detect iCloudContainerEnvironment export option value
  • xcode-test 1.18.15:
    • Rename screenshot fix
1 Like