What's Changed

🐞 Bug Fixes

• Make container attach idempotent and handle exited processes gracefully by @IvanChalukov in #9345
  • Cherry-picked over by #9355

🛠️ Misc. Changes

• [7.14.x] Bump containerd to v2.1.5 & v1.7.29 by @taylorsilva in #9354

📦 Bundled Resource Types

Full Changelog: v7.14.2...v7.14.3

🛠️ Changes

• Fix SVG styling inheritance on Chrome >= v141 @slang25 #9313

📦 Bundled Resource Types

🛠️ Changes

• Fixed the guardian runtime for users of the concourse/concourse image @taylorsilva #9257
• Fixed the semver resource for users that use the git driver @taylorsilva concourse/semver-resource@13de59c
• docker-image resource updated with latest Docker binaries

📦 Bundled Resource Types

Full Changelog: v7.14.0...v7.14.1

What's Changed

🦾 Official ARM Build

This is the first release that includes an ARM version of concourse and fly (Linux and macOS). The ARM version of concourse only supports the containerd runtime (See garden/#378).

🐙 Wolfi-based Images

The concourse/concourse container image and all base resource-types now use Wolfi as their base image. This was done to support building the ARM version of Concourse.

✈️ Features

• Add Pipeline identity token as a var_source by @dbaumgarten in #9035
  • See the docs for more details: https://concourse-ci.org/idtoken-credential-manager.html
• atc: allow identifiers to start with numbers by @analytically in #9119
• atc: enhance container memory unit parsing with IEC notation support by @analytically in #9130
• atc: Consider image volumes in volume-locality strategy by @analytically in #9188
• Restrict algorithms for host key exchange by @neumayer in #9214
• Bump pgx and concourse/flag to latest patch, this enables sslnegotiation option by @analytically in #9211
• Invalidate access token on Logout by @IvanChalukov in #9218
• containerd: add flag to add additional-hosts by @Kump3r in #9238
• Add /download-fly page for downloading the fly cli by @taylorsilva in #9240

🐞 Bug Fixes

• Skip renewal for non-renewable Vault tokens by @IvanChalukov in #9208
• Improve idtoken credential provider compatibility (with AWS and Azure) by @dbaumgarten in #9224
• runtime/containerd: ensure logs are not dropped when web node re-attaches to running containers by @taylorsilva in #9234
• Re-enable manual token entry when a fly command fails due to auth by @taylorsilva in #9245

🛠️ Misc. Changes

• Update github.com/aws/aws-sdk-go to github.com/aws/aws-sdk-go-v2 by @hoegaarden in #9178
• refactor: More granular locking in WorkerCache by @analytically in #9118
• worker: containerd.go: Fixed typo in error message by @jpds in #9192
• fix(deps): update javasript by @renovate[bot] in #9172
• Fix error handling in processStream.Write method to follow io.Writer contract by @analytically in #9120
• Improve repository lock manager with sync.Map for better concurrency by @analytically in #9131
• Adding the db connection parameter to dev docker-compose by @Kump3r in #9196
• fix: add O_TRUNC flag when writing volume metadata file by @analytically in #9132
• Replace standard gzip with klauspost/compress/gzip by @analytically in #9138
• Migrate from kr/pty to creack/pty by @analytically in #9152
• Migrate from mitchellh/mapstructure to go-viper/mapstructure/v2 by @analytically in #9153
• fix k8s-topgun prometheus integration tests by @taylorsilva in #9206
• Remove use of deprecated package github.com/pkg/errors by @BooleanCat in #9216
• refactor: replace map+RWMutex with sync.Map in artifact repository for better concurrency by @analytically in #9148
• refactor: beingWatchedBuildEventChannelMap to use sync.Map by @analytically in #9161
• refactor: optimize Counter and Gauge with atomic.Int64 by @analytically in #9158
• refactor: simplify hasPermission method in accessor by @analytically in #9166
• Optimize SSE build event streaming by @analytically in #9169
• Increase containerd runner ready state timeout by @jzho987 in #9230
• Bump containerd libraries to v2 by @taylorsilva in #9231
• Remove hardcoded AlwaysSample from OpenTelemetry tracing configuration by @marcus-crane in #9229
• runtime: remove guardian as a runtime option for linux/arm64 by @taylorsilva in #9235
• fix(deps): update module github.com/containerd/containerd/v2 to v2.0.5 [security] by @renovate[bot] in #9233
• go and web dependency updates by @taylorsilva in #9243
• update web dependencies by @taylorsilva in #9247
• remove --time-format flag when using guardian runtime by @taylorsilva in #9252

New Contributors

• @hoegaarden made their first contribution in #9178
• @jpds made their first contribution in #9192
• @Kump3r made their first contribution in #9196
• @neumayer made their first contribution in #9214
• @dbaumgarten made their first contribution in #9035
• @jzho987 made their first contribution in #9230
• @marcus-crane made their first contribution in #9229

📦 Bundled Resource Types

Full Changelog: v7.13.2...v7.14.0

🛠️ Changes

• Upgraded CNI Plugins to v1.7.1 which should resolve #9027
• Upgraded Containerd to v2.1.1
• Bumped registry-image resource to v1.12.0
  • Pushes multi-arch OCI images correctly now
• Bumped S3 resource to v2.2.0
  • Fixed more auth related bugs

📦 Bundled resource types

📦 Bundled resource types

This release only updates the bundled resource-types, specifically the s3 and registry-image resources. Both resources had bugs related to their upgrade to v2 of the AWS Go SDK.

🚨 Breaking Changes

• Remove CONCOURSE_POSTGRES_BINARY_PARAMETERS flag (#9068) @taylorsilva _^🔗
  • BREAKING: Removed the CONCOURSE_POSTGRES_BINARY_PARAMETERS flag. This was a lib/pq specific flag. We are now using Pgx as our Postgresql driver, therefore this flag is no longer relevant. If you are using PgBouncer we recommend being on the latest version (v1.24.0) which now supports prepared statements by default, though any version >1.21.0 may also work. This flag has been removed from both the Helm chart and Bosh release.

✈️ Features

• Building with Go 1.24.0 (#9074) @taylorsilva _^🔗

• go-concourse:connection client prints response body to the end user (#9011) @aliculPix4D _^🔗

• improve the error message given to the end user when setting the pipeline (#9012) @aliculPix4D _^🔗

• Log policy checker error messages (#9013) @aliculPix4D _^🔗

  • Log detailed OPA error messages in web nodes logs and show a friendlier error message to the end user

• Introduce privileged-mode (#9017) @A1kmm _^🔗

  • Added a new --containerd-privileged-mode/CONCOURSE_CONTAINERD_PRIVILEGED_MODE option to the worker, which accepts full (default, original behaviour), fuse-only (privileged: true tasks can use tools like buildah and podman, but can't escape if user namespaces are used to run the worker), ignore (privileged: true tasks have no extra access compared to privileged: false tasks)

• pgx Migration (Removing lib/pq) (#9066) @taylorsilva _^🔗

  • Replace lib/pq with pgx as the Postgresql driver.
    • PgBouncer users: The Pgx driver docs state that its out-of-the-box configuration does not support PgBouncer, but recent discussion indicates that may not be the case if you're using PgBouncer >1.21.0. The recent 1.24.0 release also says prepared statement support is on by default, so this may be a non-issue if you're on the most recent version of PgBouncer.

• atc: exec: ignore task input/output paths that reference parent directories (#9078) @taylorsilva _^🔗

  • Task inputs and outputs can be placed using absolute or relative paths inside task containers now. This was changed back in v7.5.0 (#6597) but never properly announced. Paths that reference parent directories (../) will be treated as relative paths and no parent directory traversal will occur.

• worker runtime: concurrent process killing (#9084) @analytically _^🔗

  • Worker runtime: make process killing concurrent for faster container cleanup

• worker runtime: make container deletion more robust (#9090) @taylorsilva _^🔗

  • Make container deletion more robust by continuing to delete a container even if we get errors related to reading the containers /etc/host file

• Mount /sys/fs/cgroup as cgroup2 type if supported (#9094) @mariash _^🔗

  • Enable cgroupv2 support for the Guardian runtime by mounting /sys/fs/cgroup as cgroup2 type if supported. Requires Garden v1.67.0 or greater

• fly: improve performance of fly watch (#9097) @analytically _^🔗

• Add --team flag to clear-resource-cache command (#9106) @IvanChalukov _^🔗

• Add --team flag to containers command (#9107) @IvanChalukov _^🔗

  • Added --team flag to fly command containers. Use:

    fly -t ci containers --team custom-team

• Support custom pipeline background image styling (#9117) @analytically _^🔗

  • Add background_filter option for pipeline background images which takes in string of CSS filters. Defaults to the current filters opacity(30%) grayscale(100%)

• runtime: Seccomp update (#9173) @taylorsilva _^🔗

  • Update seccomp profile to be in sync with Docker/Containerd's default profiles

• CF API v3 is now supported by our fork of Dex which will ensure CF Auth does not break when the CF v2 API is officially gone. Work done by @Kump3r @IvanChalukov in concourse/dex#148

• Add support for Strict-Transport-Security header (#9076) @taylorsilva _^🔗

  • Add CONCOURSE_STRICT_TRANSPORT_SECURITY to the web command which allows an operator to set the Strict-Transport-Security header

• Add ESC key shortcut to hide keyboard help (#9111) @analytically _^🔗

  • Can use the Escape key to close the Help menu in the Web UI

🐞 Bug Fixes

• make sure to drop item from secret cache after default duration if calculated duration is equal or less than 0 (#9049) @carlo-blohm _^🔗

  • Fix a bug in credential caching where a secret would be cached forever

• 8529/fix chrome login (#9051) @taylorsilva _^🔗

  • Have fly handle preflight requests from Chromium browsers. Users will no longer get a "your token could not be sent to fly" error if they login to fly using a Chormium browser

• Properly close process IO (#9061) @taylorsilva _^🔗

  • Fix a bug where builds could not be aborted because the underlying process had a lock on stdout that Concourse would wait for the process to release. If the underlying process never released it then Concourse would wait forever and the build would never be aborted.

• fix the policy-checker-handler logger session name (#9081) @aliculPix4D _^🔗

• Fix bug in maxValidFromFile using hardcoded path (#9082) @analytically _^🔗

• Use github.com/google/uuid to generate UUIDv4 (#9083) @taylorsilva _^🔗

  • Use github.com/google/uuid to generate UUID's (v4). The previous library incorrectly implemented UUID generation and would sometimes generate the same UUID twice. Therefore it was possible for two containers or volumes to be created with the same UUID. The second container/volume would fail to create due to the UUID collision.

• atc: Various small fixes (#9092) @taylorsilva _^🔗

  • Fix unbounded goroutine creation in resource scanner (lidar)
  • Fix potential race condition in Tracker.IterateInterpolatedCreds
  • Optimize SequenceGenerator using atomic types
  • Fix error message in container placement strategy. Previously an unknown placement strategy would result in an error which showed the successfully parsed part of the chain. Now the error will show the unknown strategy that was passed in.
  • Fix: redirect var source diffs to output writer & improve nil handling

• CI: only run baggageclaimcmd test on linux (#9093) @taylorsilva _^🔗

• Gracefully recover from containerd TaskNotFound errors (#9100) @taylorsilva _^🔗

  • Gracefully recover from task retrieval: no running task found errors

• Fix --team flag in order-pipelines command (#9102) @IvanChalukov _^🔗

  • Fix order-pipelines command with --team Option

• web: avoid duplicate in-memory checks (#9103) @taylorsilva _^🔗

• Fix: Preserve existing browser session during fly login (#9109) @IvanChalukov _^🔗

  • Fix: Corrected CSRF token header format for proper validation.

• Fix fish shell completion generation (#9113) @analytically _^🔗

🤷 Miscellaneous

• fix(deps): update all dependencies (#8985) @renovate _^🔗

• fix(deps): update javasript (#8996) @renovate _^🔗

• Correct policy-checker test suite names (#9009) @aliculPix4D _^🔗

• Split go-concourse client tests (#9010) @aliculPix4D _^🔗

• merging main back into master (#9022) @taylorsilva _^🔗

• Revert "bump go dependencies" (#9024) @taylorsilva _^🔗

• fix: topgun k8s container limits ...

What's Changed

• fix: topgun k8s container limits test supports cgroups v1 and v2 by @Spimtav in #9028
• Split go-concourse client tests by @aliculPix4D in #9010
• go-concourse:connection client prints response body to the end user by @aliculPix4D in #9011
• Rebase master onto release 7.12.x by @drich10 in #9037
• fix(deps): update all dependencies by @drich10 in #9038
• Rebase master 7.12 by @drich10 in #9040
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] by @renovate in #9039
• Update renovate config by @drich10 in #9043
• Disable garden renovate update by @drich10 in #9044
• fix(deps): update all dependencies by @renovate in #8985
• CNI was downgraded to v1.5.1 to resolve an issue with the current versions (v1.6.x) of CNI. See #9027

New Contributors

• @Spimtav made their first contribution in #9028
• @drich10 made their first contribution in #9037

Full Changelog: v7.12.0...v7.12.1

📦 Bundled resource types

✈️ Features

• Add resource type check interval (#8381) @Caprowni

  • This adds an option for a user to configure resource types to be checked every X time at a global level as opposed to setting check_every on each resource type.

• add shared path to SSM parameters (#8687) @konstl000

• Implement support for IPv6 networking in tasks (#8801) @Qjammer

  • Add IPv6 networking support to tasks - There's now a CONCOURSE_CONTAINERD_V6_ENABLE/--containerd-v6-enable config option on the concourse worker command to enable IPv6 support in containerd containers. There are two IPv6 config's you can change. --containerd-v6-pool to specify the IPv6 subnet to use. Default subnet is fd9c:31a6:c759::/64. --containerd-v6-disable-masquerade to disable IPMasq, which is on by default if you use IPv6.

• fly: add background option to execute command (#8856) @KoltesDigital

  • fly execute gets new -b/--background option to create builds without watching them.

• Load vault client token from file (#8899) @jenniferplusplus

  • This allows Concourse to use the client tokens provided by the K8s Vault-Agent sidecar by setting CONCOURSE_VAULT_CLIENT_TOKEN_PATH

• Add --team flag to clear-task-cache command (#8933) @hlreyes

  • Added team flag to fly command clear-task-cache. Use:

    fly -t dev clear-task-cache --job pipeline/job --step some-task-step --team other-team
    

• Add --team flag to rename-pipeline command (#8940) @Priyanshinv

  • Added team flag to fly command rename-pipeline. Usage: fly -t dev rename-pipeline -o some-pipeline -n new-pipeline --team other-team

🐞 Bug Fixes

• Fly excludes Mac metadata when uploading local inputs (#8939) @selzoc

  • fly execute no longer includes MacOS extended file attributes when uploading local inputs

• fix: fix the mistakes in defer statements (#9003) @cuishuang

🤷 Miscellaneous

• Fix incorrect log message (#8865) @hongkuancn

• use stable website for internet test in watsjs (#8869) @xtremerui

• Update renovate.json (#8871) @xtremerui

• fix(deps): update module github.com/containerd/containerd to v1.7.11 [security] (#8872) @renovate

• fix(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (#8873) @renovate

• fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (#8874) @renovate

• fix(deps): update all dependencies (#8875) @renovate

• fix(deps): update all dependencies (#8876) @renovate

• chore(deps): update javasript (#8877) @renovate

• chore(deps): update all dependencies (#8878) @renovate

• Pulling go version other than relying on runner image in CodeQL scan (#8879) @xtremerui

• fix(deps): update all dependencies (#8880) @renovate

• fix(deps): update all dependencies (#8882) @renovate

• fix(deps): update all dependencies (#8884) @renovate

• fix(deps): update all dependencies (#8887) @renovate

• Fix compilation error in topgun/k8s test (#8889) @xtremerui

• fix(deps): update all dependencies (#8890) @renovate

• fix(deps): update all dependencies (#8893) @renovate

• Rebase master 7.11.1 (#8895) @xtremerui

• fix(deps): update module github.com/opencontainers/runc to v1.1.12 [security] (#8900) @renovate

• chore(deps): update javasript (#8901) @renovate

• Rotate dev vault certs (#8904) @xtremerui

• Rebase master 7.11.2 (#8909) @xtremerui

• fix(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] (#8922) @renovate

• Fix elm data-format package hash error (#8928) @xtremerui

• switch from elm package ryannhg/date-format to ryan-haskell/date-format

• chore(deps): update javasript (#8930) @renovate

• Fix integration test failure due to deprecated docker-compose (#8946) @xtremerui

• chore: fix function name in comment (#8948) @fuyangpengqi

• chore(deps): update javasript (#8954) @renovate

• chore(deps): update javasript (#8966) @renovate

• chore: remove repeat words (#8967) @stellrust

• fix(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.7 [security] (#8969) @renovate

• fix(deps): update javasript (#8977) @renovate

• Correctly configure the garden backend in integration tests (#8979) @taylorsilva

• fix(deps): update all dependencies (#8980) @renovate

• fix(deps): update all dependencies (#8981) @renovate

• fix(deps): update all dependencies (#8983) @renovate

• chore(deps): update javasript (#8987) @renovate

📦 Bundled resource types

Note about the Windows Package: The Concourse Windows package had to be re-uploaded after the initial release because the Windows package was not correctly zipped up. We accidentally zipped up an empty folder! This has been fixed in our CI build script.

🚨 Security

• fix(deps): update module github.com/opencontainers/runc to v1.1.12 [security] (#8900) @renovate _^🔗

🤷 Miscellaneous

• Rotate dev vault certs (#8904) @xtremerui _^🔗

• Rebase master 7.11.2 (#8909) @xtremerui _^🔗

📦 Bundled resource types