Buildkite has introduced new rate limits for the GraphQL API.
This update will improve performance, enhance security, and ensure fair usage across the Buildkite platform.
Please read the documentation to learn more about the GraphQL rate limits, specifically how to check your current usage:
On 13 July 2023, there will be some deprecations in the GraphQL API. The following objects from the pipeline will be deprecated: buildRetentionEnabled
, buildRetentionNumber
, and buildRetentionPeriod
.
To get more information about the pipeline schema and its changes, please refer to the documentation.
Effective from 24 July 2023, agent tokens in the Buildkite UI will undergo a significant modification. They will now behave similarly to API tokens, meaning that after creation, they will no longer be visible in the UI.
To ensure you have access to the complete token, it is crucial to save it immediately upon creation. This change aims to enhance the security of agent tokens within the Buildkite platform.
Please make a note of this update and adjust your workflows accordingly. If you have any questions or concerns, feel free to reach out to our support team (support@buildkite.com) for assistance.
Today we’re shipping 30+ new features to Buildkite 🚀
Some of the features I’m most excited about are:
Check out the rest of the release here: https://buildkite.com/releases/2023-06
I'd love to hear your feedback on the release, send me an email any time: keith@buildkite.com
Security is job zero, it’s important for organizations to harden their defenses against lost or leaked credentials. Buildkite’s token expiry policy will automatically revoke tokens that are no longer in use from accessing your organizational information
Set your token expiry policy to either 30, 60, 90, 180, or 365 days. After which if a token has not been used for that period of time it will expire and no longer have access to your organization.
Buildkite has implemented additional security notifications to keep your data safer.
Security notifications empower customers to promptly address any token changes made to their accounts, ensuring data security and preventing unauthorised access.
Users will now receive an email when they create or update an access token associated with their account.
We're removing support for Import
of agent tokens in the Terraform provider. This change coincides with the announcement in this changelog. From 4 July 2023 onwards, any resources or data-sources which are dependent on an agent token being present will likely fail to apply
.
We recommend that you update your provider version
to >=0.19.0
. Any version below this will run a state refresh on the next Terraform operation and cause agent tokens in state
to be set to nil, "". If these changes are then deployed, there is a risk that all agents in your organisation will have their tokens removed and no longer be able to connect to Buildkite.
At Buildkite we take your security seriously, because of that starting 22 June 2023 you will not be able to retrieve agent tokens for clustered and unclustered agents through the token attribute after it has been created through GraphQL APIs.
Read more about how to create Agent Tokens
Read more about how to create Cluster Agent Tokens
Update: The date for deprecation will be delayed to 4 July 2023 due to the breaking change introduced to Buildkite terraform provider. If you are a customer using the Terraform provider, please make sure to upgrade to version 0.19.0 beforehand.
We've introduced a new 🔒 Security section under Settings for all security related features.
Moving all security related controls into the same space will make them easier to find and manage.
You'll find:
consolidated in this new page: https://buildkite.com/organizations/~/security
We’ve added a guide in the docs to help you migrate from Jenkins to Buildkite.
The new page:
We hope it makes the migration process more straightforward and transparent.
See Migrate from Jenkins to check it out. ✨
The v5.19.0 version of the Elastic CI Stack is now avaliable. This includes a fix for an error encountered when creating a new stack from its cloudformation template due to an attempt to create an ACL for object ownership when they are now disabled by default.
For further details of the fix and what else is included in the release, see the Elastic CI Stack's release notes.
We've redesigned the documentation home page to make getting to the content you want easier.
Notice:
See Buildkite docs to check it out! ✨
We've restructured the documentation for the Elastic CI Stack for AWS to create clearer and more focused pages that are easier to navigate.
See the Overview to check out the changes. ✨
We've just shipped new features that'll help uplevel your build and test workflows with Buildkite, including some key announcements:
We've released a new way to run your Buildkite jobs in Kubernetes natively. The Agent Stack for Kubernetes will allow your Kubernetes cluster to orchestrate your Buildkite Pipeline steps as Kubernetes jobs.
Prompt your users to re-authorize when their origin changes.
With session IP address pinning enabled, authorized sessions can only come from the IP address that created the session. If another IP address attempts to access the organization, the session will be immediately revoked. By pairing IP pinning with SSO session durations, we're taking a proactive approach to combating stolen session cookies.
We're committed to keeping our customers' data secure and are constantly exploring new ways to enhance our security measures.
Clusters allow you to organize agents into groups. These groups, or clusters, will enable the management of pipelines and queues within that cluster.
Clusters can be turned on by an admin by accessing pipeline settings
in the organization settings
tab. Note that once clusters is enabled, you will be unable to disable it.
You can now request an OpenID Connect (OIDC) token from the Buildkite Agent 🔑
OIDC tokens are JWTs signed by Buildkite and decode into JSON which includes many attributes like the pipeline slug and the build branch. buildkite-agent oidc request-token
will return a token representing the current job that can be exchanged with federated systems to authorize actions like deployments or allow access to context-sensitive information like secrets based on these attributes.
Learn more about OpenID Connect support from the Buildkite Agent
Explore organization change events in your existing AWS monitoring suite.
Enterprise customers can now route Buildkite Audit Log events via the AWS Event Bridge event bus.
Restrict API access to IP addresses and CIDR block ranges you trust.
You can now easily create and manage a list of IP addresses and CIDR blocks that are authorized to access your organization via the Buildkite API, improving security and reducing the risk of unauthorized access.
Learn more about configuring IP/CIDR allowlist via the UI, API, or Terraform
Create an account to get started with a 30-day free trial. No credit card required.