Skip to main content
Version: cicd.4.0 print this page

Release Notes

Note

Compatibility Requirements:

  • Minimum supported Amorphic version is 3.3.
  • Minimum supported Python version is now 3.12.

New Features

  • Broader resource support

    • CICD now supports additional resource types, including KnowledgeBase, CostTag, Datalab, DatalabLifecycleConfiguration, Agent, DataClassification, Dashboard, Project, and MailServer.
    • This helps teams manage a larger part of their platform lifecycle in one consistent release process.

  • Improved access sharing and governance

    • Access sharing has been introduced in CICD in this release. Users can now define and manage resource-level sharing directly through CICD, using clear ownership and collaboration patterns.

    • Teams can assign and update access in a consistent way as resources evolve, while CICD reconciles sharing state during updates to reduce drift between intended and actual permissions. This reduces manual corrections, improves audit readiness, and makes cross-team collaboration safer and faster.

  • Stronger centralized access control

    • Teams can standardize access behavior from a shared baseline while still allowing controlled overrides for specific environments and use cases.
    • This makes access policies more predictable, easier to audit, and simpler to scale.

  • Faster agent delivery workflow

    • Agent artifact handling has been improved so packaging and release flow can start earlier, which helps reduce wait time during deployments.

Enhancements

  • Renamed the CICD driver file from driver.py to cicd.py for clearer and more consistent entrypoint naming.
  • Added dedicated resource_handlers module for resource-specific orchestration (Datalab, Guardrail, Job, Agent).
  • Added resource_access_manager module for share grant/revoke/sync orchestration.
  • Async operation wait window increased to 600 seconds (60 retries x 10 seconds).
  • Improved async error reporting to include backend status and ErrorMessage details.
  • Improved validate_version error handling for unauthorized access and request timeout scenarios.
  • Dependency resolution now uses lexicographical topological sorting while preserving explicit dependency edges.

Breaking Changes

  • Python runtime updated to >=3.12 (from >=3.6)

    • What changed: CICD Utils no longer supports Python 3.6-3.11.
    • Why: This aligns the package with current language support and dependency compatibility, and improves security posture.
    • Impact on existing pipelines: Any build image or runner using Python versions lower than 3.12 will fail before deployment starts.
    • Action required: Update your pipeline runtime to Python 3.12 or later (for example, update your CodeBuild image or GitHub Actions setup).

  • Guardrail resources now require the Services field

    • What changed: A Guardrail definition without Services is now invalid.
    • Why: Guardrails must explicitly declare where they apply so behavior is predictable and auditable.
    • Impact on existing pipelines: Existing templates that omit Services will fail during validation.
    • Action required: Add a non-empty Services list to each Guardrail resource.
      Example: "Services": ["knowledgebases", "agents"]

  • Schedule CostTags schema key names changed

    • What changed: CostTags entries must now use TagKey and TagValue instead of Key and Value.
    • Why: The updated schema standardizes cost-tag structure across resource types.
    • Impact on existing pipelines: Pipelines using old key names will fail schema validation.
    • Action required: Rename keys in all affected Schedule definitions.
      Example migration: { "Key": "Team", "Value": "DataEng" } -> { "TagKey": "Team", "TagValue": "DataEng" }

  • DataPipelineName is now mandatory for DataPipeline resources

    • What changed: DataPipeline definitions must include DataPipelineName.
    • Why: Explicit naming improves pipeline identification and dependency resolution.
    • Impact on existing pipelines: Templates missing DataPipelineName will fail validation.
    • Action required: Add DataPipelineName to every DataPipeline resource definition.

Validations & Schema Changes

Newly added schema validations

  • Agent
    • Required fields: AgentName, Description, Instruction, ModelId, Tools, ResourceAccessMetadata.
    • ResourceAccessMetadata requires GuardRails.
    • GuardRails items require Id and Version.
  • CostTag
    • Required fields: TagKey, TagValues.
  • Dashboard
    • Required field: DashboardName.
  • DataClassification
    • Required fields: DataClassificationName, Description.
  • Datalab
    • Required fields: DatalabName, DatalabType.
    • DatalabType values: sagemaker-notebook, sagemaker-studio.
  • DatalabLifecycleConfiguration
    • Required field: LifecycleName.
  • KnowledgeBase
    • Required fields: KnowledgebaseName, GuardRails.
    • GuardRails items require Id and Version.
  • MailServer
    • Required fields: ServerName, ServerDescription, Port, Enabled, UserName, Password, AccountEmail.
  • Project
    • Required field: ProjectName.

Updated existing schema validations

  • Guardrail
    • Added required field: Services.
    • Services constraints:
      • minItems: 1
      • uniqueItems: true
      • allowed values: knowledgebases, agents, jobs, datalabs, nl2sql, data-pipelines, datasets, chats.
  • Schedule
    • ScheduleType now allows external-trigger.
    • JobType now allows jobs.
    • Added optional fields: ResourceType, SourceArn, Source.
    • ResourceType values: jobs, data-pipelines.
    • CostTag now requires TagKey and TagValue.
  • DataPipeline
    • Added required field: DataPipelineName.
    • Added node-level keys: ResourceIdentifier, Inputs, Outputs, Conditions.

Validation engine behavior updates

  • Validation now runs through JSON Schema Draft7Validator, a standards-based validator that checks your resource JSON against the declared schema rules.
  • Validation errors are now location-aware, meaning failures include the exact path to the problematic field (for example: ResourceName.Properties.field) instead of only a generic schema failure message.
  • This makes debugging faster in CICD logs because developers can go directly to the failing key, fix it, and rerun the pipeline with less trial-and-error.
  • Validation failures now report exact failing path (for example: ResourceName.Properties.field).
  • Added validate_access_management_schema() for centralized access-management files.

Behavior Changes

  • Share path support (SharePath) is added for selected resource types for access operations (for example: datasources, domains, datasets, jobs, tags, guard-rails, knowledgebases, datalabs, agents, dashboards, projects).
  • Tag dependency has been added to multiple resource types in resource configuration dependency graph.
  • Guardrail delete flow now performs service unassignment before delete.
  • Datalab delete flow now attempts stop/wait before delete when needed.

Bug Fixes

  • Improved reliability when artifact/share post-create steps fail by persisting partial state and surfacing original error.
  • Improved Job publish flow after script upload by retrying when transient Forbidden responses occur.
  • Added graceful handling for immediate read-after-create Forbidden responses in create flow.
  • Improved consistency of URL-key handling and read polling behavior for async resources.