Release notes for Codecov v4.6.3

New Features

Encryption Key Rotation

🚧

Encryption Key Rotation is an Advanced Feature

While encryption key rotation is easily configurable via the codecov.yml, please be aware of the following caveats:

  1. If an encryption key is removed from the codecov.yml before all values in the database using that key rotate out of the database, those remaining keys will become invalid.
  2. Once an encryption key is in use, it should not be removed from the codecov.yml without first ensuring values created with that key no longer appear in the database.

Historically, the encryption key for Codecov Self-Hosted was specified in the install level codecov.yml as follows:

setup: 
   encryption_secret: <user_supplied_secret_string>

The encryption_secret was used to encrypt session cookies and to encrypt various values in the database. From a functional perspective, this approach worked fine, but provided no mechanism for proper rotation of the encryption secret to accommodate an organization's existing security practices, or to recover from an erroneous exposure of this secret.

With v4.6.3, Codecov is introducing an encryption secret rotation mechanism that allows for the downtime-free progressive rolling of those values generated by the encryption secret. To leverage this feature, a new section of the install codecov.yml, titled encryption has been created and works as follows:

setup:
  encryption_secret: <user_supplied_secret_string>
  encryption:
    keys:
    - code: abc
      value: "[email protected]#[email protected]#ds"
    - code: jkl
      value: "bqwbdwagydics_49s"
    - code: plo
      value: "uhsfsaigaernjchu3987$565*w"
    write_key: jkl #used to indicate which secret should be used, e.g, "abc", "plo"

Each key contains a code and a value. The code portion is concactenated with an internal string (e.g., v1), separated with a :: and appended to the value to generate the full encryption secret. For example, using the following key code and value:

    - code: abc
      value: "[email protected]#[email protected]#ds"

The following encryption key would be generated:

v1_abc::<encrypted key value using [email protected]#[email protected]#ds>

With v1_abd prepended, it's possible to later know which encryptor was used to generate which secrets in the database. This allows Codecov to pick the appropriate decryptor at runtime, effectively supporting seamless key rotation. As prior codes fully leave the database (e.g., as users logout and log back in to Codecov), these codes can be removed from the codecov.yml. Encryption codes and values should not be removed from the codecov.yml until it is certain that all encrypted values which used that code/value pair are no longer in the database.

Use Case: Rotating an encryption secret

To rotate an existing encryption secret, one would update the codecov.yml as follows:

setup:
  encryption_secret: <original-secret>
  encryption:
    keys:
    - code: abc
      value: "<new-secret>"
    write_key: abc

Once Codecov is restarted, all encryption routines will use the "<new-secret>" as opposed to <original-secret>. However, encryption_secret should not be immediately removed, since secrets will exist in the database that require the original encryption_secret. Over time, however, these secrets will eventually be overwritten with secrets generated using the new encryption string, thus rendering the original encryption_secret irrelevant.

v4.6.3 Full Changelog

New

  • (On-Premises) Encryption Key Rotation

Fixes

  • (On-Premises) Fixed an edge-case issue where registered users were sometimes counted incorrectly on application startup.
  • Fixed an issue that could lead to team syncing with the repository provider failing.
  • Fixed an issue where coverage on code diffs in newly added files could be considered an unexpected coverage change.
  • Fixed a Bitbucket issue where coverage for diffs with only added or only deleted lines were occasionally not calculated correctly.
  • Fixed an issue where the EOF used for a file's HEAD and BASE were sometimes swapped.

Minor

  • Improved the mechanism by which statuses are reported to make it more efficient, particularly for those use cases that include report hundreds of statuses.
  • Improved how large files are processed by the worker such that there is less chance of a large file timing out during processing and causing downstream reporting issues.
  • Improved the mechanism by which commit comparison data is generated and stored such that overall performance is improved when comparing commits.
  • Refactored how the repository codecov.yml is fetched and stored, reducing the number of API calls needed to the upstream repository provider.
  • (On-Premises) /graph and /graphs endpoints have been migrated to api from web.
  • Increased the timeout for organization syncing with the repository provider, as this task could sometimes time out for very large organizations.

Docker Image Information

The following Docker digests comprise the v4.6.2 release:

  • codecov/enterprise-web:v4.6.3 - sha256:24797ccd7e31d73bfcc899a3e85bdc8a5774851eae1cb1b291ce52decb7d011c
  • codecov/enterprise-worker:v4.6.3 - sha256:9f530be2ee011e564f0418a2372c7709c9cd518a40130a9cc56b8f0beae9bcc7
  • codecov/enterprise-api:v4.6.3 -
    sha256:fd3a30885d773f23cfcab8c42f56b04eff9b34cd1226153ac2ab9829bffccc57
    These are also the digests referenced by the latest-stable tag.

Note: due to a user impacting bug in enterprise-api, a point release was issued pushed over the existing v4.6.3 tag. The new digest is indicated above, the previous digests are as follows:

  • codecov/enterprise-api:v4.6.3 - sha256:4e1162eb8ebe1393eef82ef8c9c6e934c1a7dbc83be3dbc6821bdd5e7b566276