CI Build Image Updates

Updated 1 month ago by Doug Bothwell

Your organization has a one-month window to run security scans or other tests on new CI build images before you deploy them. Every two weeks, Harness publishes new versions of images required to run CI builds. Each image is backwards-compatible with the previous two releases.

Harness CI Image Updates

Harness updates harness/ci-* images such as harness/ci-addon and harness/ci-lite-engine as follows:

  • Harness publishes updates of all CI images on the second and fourth Monday of each month.
  • Version numbers use an x.y.z format: x = major release, y = minor release, z = hotfix or patch release.
  • All images are supported for the latest three releases: latest, latest-1, and latest-2. Each image release is backward-compatible with the previous two releases.
  • You can choose to deploy the latest containers immediately upon release, or download and scan them before deploying.
  • If your builds use containers that are more than two releases old, the UI shows a warning that the image versions are no longer supported. The builds won't fail automatically.
  • If a hotfix or security fix is required for a specific image, Harness will create hotfixes for the latest three images and notify customers when these hotfixes are available.

Drone Plugin Image Updates

Drone images are updated as needed. All Drone image updates are backward-compatible. When you first deploy CI, Harness will scan all plugin images you plan to use and address any vulnerabilities. After your initial deployment, Harness will publish updates to address new vulnerabilities based on our Service Level Agreement with your organization.

Updating the Images Used in your Pipelines

Harness CI includes an execution-config API that enables you to update the images used in your infrastructure. The following steps describe the high-level workflow.

  1. Send a get-default-config request to get a list of the latest Harness CI build images and tags:
    curl --location --request GET 'https://app.harness.io/gateway/ci/execution-config/get-default-config?accountIdentifier=XXXXXX' \
    --header 'Authorization: Bearer XXXXXX'
    The response shows the latest supported images and their tags.

    {
    "addonTag": "releaseBuild-30",
    "liteEngineTag": "harness/ci-lite-engine:1.6.1",
    "gitCloneTag": "harness/drone-git:1.0.6-rootless-linux-amd64",
    "buildAndPushDockerRegistryTag": "plugins/kaniko:1.3.1",
    "buildAndPushECRTag": "plugins/kaniko-ecr:1.3.1",
    "buildAndPushGCRTag": "plugins/kaniko-gcr:1.3.1",
    "gcsUploadTag": "plugins/gcs:1.2.4",
    "s3UploadTag": "bewithaman/s3:latest",
    "artifactoryUploadTag": "plugins/artifactory:1.0.4",
    "cacheGCSTag": "plugins/cache:1.3.7",
    "cacheS3Tag": "plugins/cache:1.3.7",
    "securityTag": "zeronorth/sto_plugin:dev"
    }
  2. Send a get-current-config request to get the build images that your CI pipelines currently use. The following request returns a list of images and tags similar to the previous request:
    curl --location --request GET 'https://app.harness.io/gateway/ci/execution-config/get-current-config?accountIdentifier=XXXXXXXXX' \
    --header 'Authorization: Bearer XXXXXXXXXX'
  3. Send an execution-config (POST) request with the latest supported images in the request body. The payload should be identical to the JSON object returned by get-current-config, except the tags for the images you want to update:

    curl --location --request POST 'https://app.harness.io/gateway/ci/execution-config?accountIdentifier=XXXXXXX' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer XXXXXXXXX' \
    --data-raw '{
    "addonTag": "releaseBuild-30",
    "liteEngineTag": "harness/ci-lite-engine:1.7.1",
    "gitCloneTag": "harness/drone-git:1.0.6-rootless-linux-amd64",
    "buildAndPushDockerRegistryTag": "plugins/kaniko:1.3.1",
    "buildAndPushECRTag": "plugins/kaniko-ecr:1.3.1",
    "buildAndPushGCRTag": "plugins/kaniko-gcr:1.3.1",
    "gcsUploadTag": "plugins/gcs:1.2.4",
    "s3UploadTag": "bewithaman/s3:latest",
    "artifactoryUploadTag": "plugins/artifactory:1.0.4",
    "cacheGCSTag": "plugins/cache:1.3.7",
    "cacheS3Tag": "plugins/cache:1.3.7",
    "securityTag": "zeronorth/sto_plugin:dev"
    }'


Please Provide Feedback