Commit 0fad5f9

Merge branch 'master' into update-xenial
2 parents 9c176cc + 859062b commit 0fad5f9

12 files changed

+522
-14
lines changed

_data/snippets.yml

Lines changed: 17 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,20 @@ concurrent_jobs: |
7272
7373
- if your build depends on an external resource and might run into a race
7474
condition with concurrent jobs.
75+
enabling_access_jobs_logs: |
76+
This setting allows you to increase security by preventing access to old job logs older than 360 days. Or, in the case of a necessity, users can explicitly enable access to public and private old job log repositories.
77+
78+
The following are the available configurations:
79+
* If this setting is ON, it enables access to build job logs older than 365 days.
80+
* If this setting is OFF, access to build job logs older than 365 days is unavailable via UI or API calls.
81+
limiting_access_jobs_logs: |
82+
Similarly, this setting allows you to restrict access to build job logs for any user without write/push access rights to the repository. Limit job log visibility to only those that needed it. Enable this setting and ensure job logs are only available to users with respective read or write access to the individual repository.
83+
84+
The following are the available configurations:
85+
* If this setting is ON, it allows access to build job logs only for users with write/push permissions to this repository. Limits access to build job logs via UI and API.
86+
* If this setting is OFF, users with read access to the repository can access the build job logs.
87+
88+
Please note that the '*Limiting access to build job logs*' repository setting applies only to users with ‘write/push’ permissions.
7589
auto_cancellation: |
7690
If you are only interested in building the most recent commit on each branch you can use this new feature to automatically cancel older builds that are in the **queued** state and are not yet running.
7791
cron_jobs: |
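Review bot: the `enabling_access_jobs_logs` snippet contradicts itself on the retention cut-off: the intro sentence says "older than 360 days" while both bullets say "older than 365 days"; pick one value and use it throughout. The closing note of `limiting_access_jobs_logs`, "applies only to users with 'write/push' permissions", reads as the opposite of what its bullets describe (the setting restricts users *without* write/push access); rephrase to something like "when this setting is ON, only users with write/push permissions retain access to the job logs". Minor grammar in the same block: "Limit job log visibility to only those that needed it" should be "those who need it", and the sentence mixes straight quotes around '*Limiting access to build job logs*' with curly quotes around ‘write/push’.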
@@ -162,9 +176,9 @@ git_repository_settings_forks_general: |
162176
163177
For Git repositories, you may manage per repository how the [environment variables](/user/environment-variables/) and the [custom SSH keys](/user/private-dependencies/#user-key) will be handled in Travis CI when a build triggered as an effect of filing a Pull Request from a forked repository. Two settings are available specifically for this purpose, allowing you to customize your security vs. collaboration setup.
164178
165-
**base repository** - a Git repository, which is forked by someone else
166-
**fork** or **forked repository** - any Git repository forked from the **base repository**
167-
**PR** - Pull Request (e.g. in GitHub, BitBucket, GitLab) or Merge Request (in Assembla).
179+
* **base repository** - a Git repository, which is forked by someone else
180+
* **fork** or **forked repository** - any Git repository forked from the **base repository**
181+
* **PR** - Pull Request (e.g. in GitHub, BitBucket, GitLab) or Merge Request (in Assembla)
168182
169183
> Please note: Repositories activated in [Travis CI](https://app.travis-ci.com ) before **March 1st, 2022** will have the `Share encrypted environment variables with forks (PRs) ` setting set to OFF. Please verify your collaboration model if necessary (especially for public repositories). The `Share SSH keys with forks (PRs)` will be set to ON for private repositories not to break too many collaboration setups.
170184
Repository settings will be set by default to OFF for any repository activated in [Travis CI](https://app.travis-ci.com) after **March 1st, 2022**. For repositories activated in Travis CI after **March 1st, 2022**, you may want to consider changing the default settings depending on your collaboration model.
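Review bot: style only; turning the three definitions into a bulleted list is the right fix, but "BitBucket" in the PR bullet should be "Bitbucket", matching the spelling used elsewhere in this commit (the sidebar link text "Bitbucket Permissions used by Travis CI"). While here, the unchanged "Please note" paragraph below has a stray space inside the backticks of `Share encrypted environment variables with forks (PRs) `, which renders as part of the setting name; worth trimming in the same pass.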

_data/xcodes.yml

Lines changed: 104 additions & 2 deletions
@@ -1,10 +1,112 @@
11
osx_images:
2+
- image: xcode14.2
3+
xcode: "14.2"
4+
osx_version: "12.6"
5+
xcode_full_version: "14.2"
6+
xcode_build_version: "14C18"
7+
image_publish_date: 2023-01-06
8+
sdks:
9+
- iphoneos16.2
10+
- iphonesimulator16.2
11+
- macosx13.1
12+
- appletvos16.1
13+
- appletvsimulator16.1
14+
- watchos9.1
15+
- watchsimulator9.1
16+
simulators:
17+
- iOS 15.0
18+
- iOS 15.2
19+
- iOS 15.4
20+
- iOS 15.5
21+
- iOS 16.0
22+
- iOS 16.2
23+
- tvOS 14.5
24+
- tvOS 15.0
25+
- tvOS 15.2
26+
- tvOS 15.4
27+
- tvOS 16.0
28+
- tvOS 16.1
29+
- watchOS 7.4
30+
- watchOS 8.0
31+
- watchOS 8.3
32+
- watchOS 8.5
33+
- watchOS 9.0
34+
- watchOS 9.1
35+
jdk: "19.0.1"
36+
- image: xcode14.1
37+
xcode: "14.1"
38+
osx_version: "12.6"
39+
xcode_full_version: "14.1"
40+
xcode_build_version: "14B47b"
41+
image_publish_date: 2022-11-11
42+
sdks:
43+
- iphoneos16.0
44+
- iphonesimulator16.0
45+
- macosx12.3
46+
- appletvos16.0
47+
- appletvsimulator16.0
48+
- watchos9.0
49+
- watchsimulator9.0
50+
simulators:
51+
- iOS 15.0
52+
- iOS 15.2
53+
- iOS 15.4
54+
- iOS 15.5
55+
- iOS 16.0
56+
- iOS 16.1
57+
- tvOS 14.5
58+
- tvOS 15.0
59+
- tvOS 15.2
60+
- tvOS 15.4
61+
- tvOS 16.0
62+
- tvOS 16.1
63+
- watchOS 7.4
64+
- watchOS 8.0
65+
- watchOS 8.3
66+
- watchOS 8.5
67+
- watchOS 9.0
68+
- watchOS 9.1
69+
jdk: "19.0.1"
70+
- image: xcode14
71+
xcode: "14"
72+
osx_version: "12.6"
73+
xcode_full_version: "14.0.1"
74+
xcode_build_version: "14A400"
75+
image_publish_date: 2022-10-27
76+
sdks:
77+
- iphoneos16.0
78+
- iphonesimulator16.0
79+
- macosx12.3
80+
- appletvos16.0
81+
- appletvsimulator16.0
82+
- watchos9.0
83+
- watchsimulator9.0
84+
simulators:
85+
- iOS 14.5
86+
- iOS 15.0
87+
- iOS 15.2
88+
- iOS 15.4
89+
- iOS 15.5
90+
- iOS 16.0
91+
- tvOS 14.4
92+
- tvOS 14.5
93+
- tvOS 15.0
94+
- tvOS 15.2
95+
- tvOS 15.4
96+
- tvOS 16.0
97+
- watchOS 7.2
98+
- watchOS 7.4
99+
- watchOS 8.0
100+
- watchOS 8.3
101+
- watchOS 8.5
102+
- watchOS 9.0
103+
jdk: "19"
2104
- image: xcode13.4
3105
xcode: "13.4"
4106
osx_version: "12.4"
5107
xcode_full_version: "13.4.1"
6108
xcode_build_version: "13F100"
7-
image_publish_date: 2021-06-08
109+
image_publish_date: 2022-06-08
8110
sdks:
9111
- iphoneos15.5
10112
- iphonesimulator15.5
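Review bot: the new `xcode14` entry sets `jdk: "19"` while the `xcode14.2` and `xcode14.1` entries use `jdk: "19.0.1"`; if the image ships the same JDK build, use the full version string so anything that renders or compares this data sees consistent values. The `image_publish_date` change for `xcode13.4` (2021-06-08 to 2022-06-08) is a clear typo fix, since the entry carries Xcode 13.4.1 with iOS 15.5 SDKs. The rest of the hunk is data, so the remaining check is that each `sdks` list agrees with the `simulators` list beside it, which holds for all three new images (e.g. iphoneos16.2 alongside iOS 16.2 for xcode14.2).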
@@ -37,7 +139,7 @@ osx_images:
37139
osx_version: "12.3"
38140
xcode_full_version: "13.2.1"
39141
xcode_build_version: "13E113"
40-
image_publish_date: 2021-03-23
142+
image_publish_date: 2022-03-23
41143
sdks:
42144
- iphoneos15.4
43145
- iphonesimulator15.4
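Review bot: same one-year typo fix as for `xcode13.4` above (2021-03-23 to 2022-03-23); since two listed images had the 2021/2022 mix-up, a quick sweep of the unchanged entries in this file for the same error is worthwhile. In the context lines of this entry, `xcode_full_version: "13.2.1"` sits next to `xcode_build_version: "13E113"` and iOS 15.4 SDKs, whereas the hunk above pairs Xcode 13.4.1 with iOS 15.5 SDKs; the full version here looks like it may belong to a different Xcode release than the build number and SDKs do, so it is worth double-checking while this file is being touched.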

_includes/sidebar.html

Lines changed: 3 additions & 0 deletions
@@ -108,7 +108,9 @@ <h3>Encrypting Files and Data</h3>
108108
<li><a href="/user/bb-oauth-scopes/">Bitbucket Permissions used by Travis CI</a></li>
109109
<li><a href="/user/assembla-oauth-scopes/">Assembla Permissions used by Travis CI</a></li>
110110
<li><a href="/user/gl-oauth-scopes/">GitLab Permissions used by Travis CI</a></li>
111+
<li><a href="/user/disable-job-logs/">Disable Job Logs Availability</a></li>
111112
<li><a href="/user/best-practices-security/">Best Practices in Securing Your Data</a></li>
113+
<li><a href="/user/securely-signing-software">Securely Signing Software</a></li>
112114
</ul>
113115

114116
<h3>Integrations and Notifications</h3>
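Review bot: the new "Securely Signing Software" link uses `/user/securely-signing-software` without a trailing slash, whereas every other entry in this list (including the `/user/disable-job-logs/` link added in the same hunk) uses the `/user/<page>/` form; add the slash so the link resolves like its neighbours rather than relying on a redirect. Also, neither `user/disable-job-logs.md` nor `user/securely-signing-software.md` appears among the files shown for this merge commit, so confirm both pages exist on the target branch before merging to avoid dead sidebar links.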
@@ -126,6 +128,7 @@ <h3>Integrations and Notifications</h3>
126128
<li><a href="/user/build-feeds/">Atom Feeds</a></li>
127129
<li><a href="/user/cc-menu/">CCMenu / CCTray Feeds</a></li>
128130
<li><a href="/user/integration/platformio/">Embedded Builds with PlatformIO</a></li>
131+
<li><a href="/user/hashicorp-vault-integration">Hashicorp Vault</a></li>
129132
<li><a href="/user/apps/">3rd Party Apps, Clients and Tools</a></li>
130133
</ul>
131134

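Review bot: `/user/hashicorp-vault-integration` also lacks the trailing slash used by the other links in this list. In the link text, "Hashicorp" should be "HashiCorp" (the vendor's spelling); if that is fixed here, the heading "Use the Hashicorp Vault KMS integration" added in `user/best-practices-security.md` in this same commit should be changed to match.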
user/best-practices-security.md

Lines changed: 40 additions & 0 deletions
@@ -13,6 +13,22 @@ Please make sure your secret is never related to the repository or branch name,
1313

1414
> The beta Windows support does not obfuscate secure environment variables leaked into the build log. Please keep reading the next section, [on how to avoid leaking secrets to build logs](https://docs.travis-ci.com/user/best-practices-security/#recommendations-on-how-to-avoid-leaking-secrets-to-build-logs)
1515
16+
### Log Scans
17+
18+
Travis CI has also enabled a mandatory post-job log scan in an attempt to find any other potential leakage of secrets. These scans are carried out on the the raw job log files shortly after the build job is completed. Scans are executed using [Trivy](https://github.com/aquasecurity/trivy) and [detect-secrets](https://github.com/Yelp/detect-secrets), Open Source scanners made available by their maintainers via means of a permissive OSS license. If the scanning process finds an unmasked secret-like entry in the job log, Travis CI, as a precautionary action, will mask the full line in the job log with asterisks (`*`) and produce a log scan report, available to the repository administrators for 7 days.
19+
20+
The job log scan report contains details on found potential secrets, referring to the line numbers in the **raw** job log file, and is meant to help review and find the source of the possible leak and if this proves to be an actual exposition of the secret, the scan fixes that.
21+
22+
When the additional post-job scanning process finds a potential leak in the build-job log, a graphical status in the Travis CI Web UI will present the log scan results. The *log scan: failing* is displayed over the repository page and in the dashboard for the next 7 days or until at least one of the repository administrators visits the job log scan report page, whichever condition is satisfied first.
23+
24+
Since the job log scan is executed by the tools looking for secret-like entries, the notifications must be treated as a warning about the **potential** issue and verified by the repository administrator. Therefore, we recommend the following verification steps:
25+
26+
* Reviewing the exact build instructions in the repository `.travis.yml` file (particularly if any unencrypted secrets are used) and build scripts called from within the `.travis.yml` recipe.
27+
* Re-running suspicious jobs and reviewing the build job log on the go. Particularly around the preemptively censored area (please mind it will re-trigger the job log scan and any potential notifications in the process).
28+
29+
> Please note: The scan results may produce false positives and/or miss some items due to the nature of the scanners (searching for secret-like patterns). This is continuous work, and we expect it to improve over time based on findings and feedback. Also, we closely monitor the number of warnings raised by the job log scan process and decide later on to enable respective email notifications on top of existing visual indicators.
30+
31+
1632
## Recommendations on how to avoid leaking secrets to build logs
1733
Despite our best efforts, there are however many ways in which secure information can accidentally be exposed. These vary according to what tools you are using and what settings you have enabled. Some things to look out for are:
1834

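Review bot: the sentence ending "and if this proves to be an actual exposition of the secret, the scan fixes that" overstates what the scan does: as the preceding paragraph says, it masks the affected line and produces a report, it does not revoke or rotate the leaked value, so a reader could conclude no further action is needed. Suggest: "...and if this proves to be an actual exposure of the secret, rotate it as described in the section below." Smaller items in the same hunk: "the the raw job log files" (doubled word); "exposition" should be "exposure"; "reviewing the build job log on the go" is unclear, "while it runs" reads better; and "decide later on to enable respective email notifications" should be "may later enable email notifications" or similar.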
@@ -31,6 +47,30 @@ Preventing commands from displaying any output is one way to avoid accidentally
3147
git push url-with-secret >/dev/null 2>&1
3248
```
3349

50+
While using Travis CI, you may want to consider the additional means to decrease the risk of exposing secrets in the build job logs:
51+
52+
### Always use encrypted secrets
53+
Travis CI offers the ability to either [encrypt your secret](/user/encryption-keys/) with the Travis-CLI (command line interface tool) or define the secret in the [Travis CI Repository Settings](/user/environment-variables/#defining-variables-in-repository-settings).
54+
55+
Shall the secret be stored in an encrypted file within your source code repository, you may instead [encrypt a file with a secret](/user/encrypting-files/) and use it during the build job. Decrypt your file for the shortest time needed and remove any temporary environment variables from the build job environment as soon as these are not necessary.
56+
57+
Please mind that at some point, the secret, in order to be used, must be decrypted for the build job environment. Thus debug outputs to the standard outputs may still result in secret exposure. The additional post-job log scanning process is meant to find these as much as possible.
58+
59+
### Use the Hashicorp Vault KMS integration
60+
If you manage your secrets using the Hashicorp Vault KMS (Key Management System), then you may use the existing [Travis CI - Hashicorp integration](/user/hashicorp-vault-integration) to obtain secrets directly to the build job.
61+
62+
Again, please be wary of any possible debug outputs to the standard outputs in the build job environment. The additional post-job log scanning process is meant to find these as much as possible. The advantage of pulling the secret from a KMS managed by you is the ability to rotate it from a single secret repository in case of any incident. We strongly recommend using Hashicorp Vault credentials limited to a specific set of CI/CD-related secrets to limit the threat scope for the KMS.
63+
64+
### Limit access to the job logs
65+
Review who and why should have access to the build job logs and set the appropriate options in the [Travis CI Repository Settings](/user/disable-job-logs/).
66+
67+
### Review the settings for builds triggered from forked Git repositories
68+
Review the [Travis CI Repository Settings](/user/pull-requests#pull-requests-and-security-restrictions) and adjust what should be shared with forks. This is meant for a collaboration pattern when a forked repository can file a Pull Request to the base repository, thus triggering a CI/CD build job with automated build and tests as a part of the Pull Request validation and approval process. Assess the risks and adjust settings to your scenario.
69+
70+
### Run builds requiring secrets in private repositories
71+
If this is a viable option, consider running builds requiring the usage of secrets as a CI/CD for private repositories with a carefully reviewed collaborator list. Combined with the above options, it should decrease the risk of secret exposition in the build job log.
72+
73+
3474
## If you think that you might have exposed secure information
3575

3676
As an initial step, it’s possible to delete logs containing any secure information by clicking the *Remove log* button on the build log page of Travis CI.
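Review bot: "Shall the secret be stored in an encrypted file" should be "Should the secret be stored..." (or "If the secret is stored..."); "Shall" reads as a requirement rather than a condition. Likewise "secret exposition" at the end of the hunk should be "secret exposure", and "Review who and why should have access" should be "Review who should have access to the build job logs, and why". In the Vault section, "Hashicorp Vault KMS (Key Management System)" is not how Vault describes itself and the sidebar link added in this same commit just says "Hashicorp Vault"; consider dropping "KMS" to avoid confusion with cloud KMS products. The recommendation to use Vault credentials scoped to the CI/CD-related secrets is the key security point of that section and is worth keeping as the closing sentence.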

user/build-config-imports.md

Lines changed: 33 additions & 1 deletion
@@ -218,6 +218,23 @@ import:
218218
```
219219
{: data-file=".travis.yml"}
220220

221+
This mode first merges your `.travis.yml` contents into the `one.yml` file (i.e., items in the .travis.yml file “win”, if the merge mode deep_merge would be used and will overwrite keys on respective levels in `one.yml`).
222+
223+
Respectively:
224+
225+
```yaml
226+
import:
227+
- source: one.yml
228+
mode: deep_merge # deep merge
229+
- source: two.yml
230+
mode: deep_merge # deep merge
231+
```
232+
{: data-file=".travis.yml"}
233+
234+
This mode first merges your `.travis.yml` contents into the `one.yml` file (overwriting, if required, sections in `one.yml` with content from `.travis.yml`). The results are merged into the `two.yml` file (again, items in the result of the previous merge win over what’s in this one, as the `deep_merge` mode is specified here).
235+
236+
The reasoning behind this is that in many cases when you import something to your `.travis.yml’ file, you want to be able to overwrite or customize that imported configuration with config in your `.travis.yml` file.
237+
221238
### Merge
222239

223240
The merge mode `merge` performs a shallow merge.
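Review bot: the closing delimiter in "`.travis.yml’ file" in the last added paragraph is a curly apostrophe rather than a backtick, so the inline code span never closes and the rest of the sentence will render as code; replace it with a backtick. The first added paragraph also duplicates, less clearly, what the paragraph after the new `deep_merge` example says (it explains a `deep_merge` outcome while sitting under the preceding example, and its parenthetical "if the merge mode deep_merge would be used" is hard to parse), so either drop it or move the explanation below the example it describes. "Respectively:" is an odd lead-in for a second example; "With `deep_merge` instead:" would read better.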
@@ -239,4 +256,19 @@ When triggering a build through the Travis API or the web UI, the order of ascen
239256
- Config from the API build request payload, if given
240257
- Imported configs from the API build request payload, if given, in the order listed (following a depth-first search pattern in case those imported configs import other configs)
241258
- Config from `.travis.yml`
242-
- Imported configs from `.travis.yml`, in the order listed (following a depth-first search pattern in case those imported configs import other configs)
259+
- Imported configs from `.travis.yml`, in the order listed (following a depth-first search pattern in case those imported configs import other configs).
260+
261+
## FAQ
262+
263+
### Can I import a shared build config at a specific job level?
264+
265+
No. The parsed YAML trees must be merged. Thus, the `import` keyword is accepted only at the root level. If it suits your scenario, you can specify your job template in, e.g., `job.yml` and import it into your `.travis.yml` with the `mode: deep_merge`, adding in the `.travis,yml` specifics to be overridden in the imported template.
266+
267+
### Is it possible to create and use anchors via the shared configs mechanism?
268+
269+
Unfortunately, it’s not supported.
270+
As much as we encourage [using YAML as a build configuration language](/user/build-config-yaml), anchors and aliases, referring to these anchors must be defined and used within a single `.yml` file and will be expanded before any *import* action (merging parse trees) occurs. For the same reason, attempts to assign an anchor within `.travis.yml` to an *imported* key will not work — both `.travis.yml` and `imported.yml` must be parsed before the merge action can occur.
271+
272+
See also *native-api* concise [explanation in the Community Forum](https://travis-ci.community/t/imported-anchors-not-working/10035/2)
273+
274+

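Review bot: `.travis,yml` in the first FAQ answer has a comma where a dot belongs. The last line, "See also *native-api* concise explanation in the Community Forum", is missing its period and reads awkwardly; if *native-api* is the forum user's name, "See also the concise explanation by *native-api* in the Community Forum." Also, this hunk changes the final list item to end with a period while the preceding three items in the same list do not; either terminate all items or none.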
user/conditional-builds-stages-jobs.md

Lines changed: 2 additions & 0 deletions
@@ -11,6 +11,8 @@ You can find more information on the build config format in our [Travis CI Build
1111

1212
You can configure Travis CI to only run builds when certain conditions are met. Any builds that do not meet these conditions are listed in the *Requests* tab of your repository, even though the actual build is not generated.
1313

14+
> Travis CI’s system fetches and processes the .travis.yml config file from the repository and the branch explicitly specified in the build request
15+
1416
For example, this allows builds only to run on the `master` branch:
1517

1618
```yaml
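Review bot: the added blockquote is missing its terminating period, and `.travis.yml` is left unformatted while the rest of this page and commit wrap file names in backticks. More importantly for a page about build conditions, the sentence should also say which `.travis.yml` is evaluated when the build request does not name a branch explicitly, since that is exactly the case a reader would come here to resolve.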
