Release Notes

In Development

New Features

• A new Ansible inventory variable zuul.child_jobs which is a list of the first level child jobs to be run after a job has finished successfully.

• The supercedent pipeline manager has been added. It is designed to make post-merge artifact build pipelines more efficient.

• It is now possible to use zuul_return to skip child jobs. You can use the zuul.child_jobs inventory variable to get a list of child jobs configured to run, then use zuul_return to modify the list. Any child job not in zuul_return zuul.child_jobs will be skipped. See Return Values for examples.

Bug Fixes

• Project Templates are now branch-aware and behave more like project stanzas. If a template is defined on a branch, it will only apply to changes to that branch.

• The timer trigger does not enqueue an event for every branch of every project anymore and it now only processes projects actually using the pipeline triggered by a timer.

3.1.0

New Features

• The GitHub driver can determine the required status checks of pull requests which are needed for entering a gate pipeline. This eliminates the need to hard code required status checks in the gate pipeline and makes interoperation with other GitHub apps much more flexible.

• Zuul is now ables to start with an invalid configuration. When reading configuration files from project repositories, if an issue is detected, Zuul will store the issue and skip the broken block of configuration. Issues are then reported in the scheduler log at the end of the configuration phase.

• A <mqtt connection> driver is added to feature build report over MQTT message.

• The GitHub driver now supports the pipeline.require.<github source>.merged requirement.

• The json log now also contains the role name and the uuid similar to the task entry.

Upgrade Notes

• Files (and irrelevant-files) matchers are now overridable. Zuul now uses only branch matchers to collect job variants. Once those variants are collected, they are combined, and the files and irrelevant-files attributes are inherited and overridden as any other job attribute. The final values are used to determine whether the job should ultimately run.

• Zuul now uses Ansible 2.5.

Security Issues

• Tobias Henkel (BMW Car IT GmbH) discovered a vulnerability which is fixed in this release. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets. MITRE has assigned CVE-2018-12557 to this vulnerability.

Bug Fixes

• Untrusted playbooks no longer see ‘Executing local code is prohibited’ when using the zuul_return Ansible task.

3.0.3

New Features

• The project.default-branch option is now documented. It has been supported since version 3.0.0, but was omitted from the documentation.

• Project stanzas now support regex matching of project.name. This can be used to apply project pipelines to many projects at once.

Deprecation Notes

• The merge-mode and default-branch attributes may no longer appear in a Project Template stanza.

Bug Fixes

• Configuration loading for dynamic configuration changes (i.e., changes to zuul.yaml files) is now significantly more CPU and memory efficient, incurring only a slight penalty compared to normal changes.

3.0.2

New Features

• The GitHub trigger status filter status and pipeline requirements pipeline.require.<github source>.status now support regular expression matching.

Upgrade Notes

• The fb-re2 python library is added as a dependency; this may required the installation of the re2 library and header files in order to build.

Bug Fixes

• Story 2001441 is fixed. Failure by one Zuul reporter will not short circuit the reporting of other reporters. This ensures as much information as possible is reported for each change even if some failures occur. Note that the build set status is changed to ‘ERROR’ after the first failed reporter.

• The zuul-changes.py script has been adapted to the new zuul-web api routes.

3.0.1

New Features

• Git repositories will have a origin remote with refs pointing to the previous change in the speculative state.

  This allows jobs to determine the commits that are part of a change, which was not possible before. The remote URL is set to a bogus value which won’t work with git commands that need to talk to the remote repository.

• PostgreSQL is now officially supported as database backend. See <sql connection> on how to configure database connections.

• A new option for the scheduler scheduler.tenant_config_script can be used to tell Zuul to execute a script and read its yaml output as the tenants configuration. The option is exclusive with the scheduler.tenant_config option.

Upgrade Notes

• The alembic version table is fixed to being prefixed too. This is necessary when using <sql connection>.table_prefix. However if you are already using table_prefix you will need to rename the table alembic_version to <prefix>alembic_version before starting Zuul. Otherwise zuul will try to create the tables again and fail. If you’re not using table_prefix you can safely ignore this.

Bug Fixes

• Zuul role repository checkouts now honor job.override-checkout.

  Previously, when a Zuul role was specified for a job, Zuul would usually checkout the master branch, unless that repository appeared in the dependency chain for a patch. It will now follow the usual procedure for determining the branch to check out, including honoring job.override-checkout options.

  This may alter the behavior of currently existing jobs. Depending on circumstances, you may need to set job.override-checkout or copy roles to other branches of projects.