Pin Deployment Engine image to 0.56 for v0.57.1 patch release (#11866)

brooke-hamilton · Copilot · sk593 · web-flow · commit 2dd62c265626 · 2026-05-12T19:21:49.000-04:00
# Description This pull request implements a patch release (v0.57.1) for the Radius Helm chart that addresses an issue with the Deployment Engine by pinning its image to version 0.56. The patch ensures stability for users on the v0.57 channel and updates related documentation and configuration files accordingly. Release and version updates: * Added release notes for v0.57.1, explaining the reason for pinning the Deployment Engine image and providing changelog details. (`docs/release-notes/v0.57.1.md`) * Updated the supported version in `versions.yaml` from v0.57.0 to v0.57.1. (`versions.yaml`) Deployment Engine image pinning: * Changed the default Deployment Engine image tag from the latest to `0.56` in `values.yaml` to work around a bug in v0.57.0. (`deploy/Chart/values.yaml`) * Modified the Helm test helper to clear the `de.tag` value, ensuring the global imageTag fallback is exercised in tests. (`deploy/Chart/tests/helpers_test.yaml`) ## Type of change - This pull request is a patch release. ## Contributor checklist Please verify that the PR meets the following requirements, where applicable: - An overview of proposed schema changes is included in a linked GitHub issue. - [ ] Yes  - [x] Not applicable  - A design document PR is created in the [design-notes repository](https://github.com/radius-project/design-notes/), if new APIs are being introduced. - [ ] Yes  - [x] Not applicable  - The design document has been reviewed and approved by Radius maintainers/approvers. - [ ] Yes  - [x] Not applicable  - A PR for the [samples repository](https://github.com/radius-project/samples) is created, if existing samples are affected by the changes in this PR. - [ ] Yes  - [x] Not applicable  - A PR for the [documentation repository](https://github.com/radius-project/docs) is created, if the changes in this PR affect the documentation or any user facing updates are made. - [ ] Yes  - [x] Not applicable  - A PR for the [recipes repository](https://github.com/radius-project/recipes) is created, if existing recipes are affected by the changes in this PR. - [ ] Yes  - [x] Not applicable  --------- Signed-off-by: Brooke Hamilton <45323234+brooke-hamilton@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: sk593 <42750942+sk593@users.noreply.github.com> Co-authored-by: Shruthi Kumar <shruthikumar2401@gmail.com> Co-authored-by: Nithya Subramanian <98416062+nithyatsu@users.noreply.github.com> Co-authored-by: Copilot <copilot@github.com>
diff --git a/.github/workflows/functional-test-noncloud.yaml b/.github/workflows/functional-test-noncloud.yaml
@@ -87,6 +87,9 @@ env:
   GIT_HTTP_PASSWORD: not-a-secret-password
   # Kubernetes client QPS and Burst settings for high-concurrency CI environments
   RADIUS_QPS_AND_BURST: "800"
+  # Bicep CLI pinned: v0.40+ rejects br:localhost:5000/... (ThrowIfRegistryNotTrusted).
+  # Bump only after verifying localhost support or adding allowedUntrustedRegistries to bicepconfig.json.
+  BICEP_VER: v0.42.1
 
 jobs:
   changes:
@@ -248,6 +251,13 @@ jobs:
           registry-server: ${{ env.LOCAL_REGISTRY_SERVER }}
           registry-port: ${{ env.LOCAL_REGISTRY_PORT }}
 
+      - name: Setup and verify bicep CLI
+        run: |
+          curl -Lo bicep "https://github.com/Azure/bicep/releases/download/${{ env.BICEP_VER }}/bicep-linux-x64"
+          chmod +x ./bicep
+          sudo mv ./bicep /usr/local/bin/bicep
+          bicep --version
+
       - name: Publish bicep types
         run: |
           bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.LOCAL_REGISTRY_SERVER }}:${{ env.LOCAL_REGISTRY_PORT }}/radius:${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }} --force
@@ -428,13 +438,6 @@ jobs:
         run: |
           make publish-test-terraform-recipes
 
-      - name: Setup and verify bicep CLI
-        run: |
-          curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
-          chmod +x ./bicep
-          sudo mv ./bicep /usr/local/bin/bicep
-          bicep --version
-
       - name: Publish bicep types
         run: |
           bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.LOCAL_REGISTRY_SERVER }}:${{ env.LOCAL_REGISTRY_PORT }}/radius:${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }} --force
diff --git a/.github/workflows/validate-bicep.yaml b/.github/workflows/validate-bicep.yaml
@@ -33,6 +33,9 @@ env:
   LOCAL_REGISTRY_SERVER: localhost
   # Local Docker registry port
   LOCAL_REGISTRY_PORT: "5000"
+  # Bicep CLI pinned: v0.43+ rejects br:localhost:5000/... (ThrowIfRegistryNotTrusted).
+  # Bump only after verifying localhost support or adding allowedUntrustedRegistries to bicepconfig.json.
+  BICEP_VER: v0.42.1
 
 concurrency:
   # Cancel the previously triggered build for only PR build.
@@ -72,7 +75,7 @@ jobs:
       - name: Setup and verify bicep CLI
         run: |
           # Download bicep CLI
-          curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
+          curl -Lo bicep "https://github.com/Azure/bicep/releases/download/${{ env.BICEP_VER }}/bicep-linux-x64"
           chmod +x ./bicep
 
           # Install in both locations for maximum compatibility
diff --git a/.terraform-version b/.terraform-version
@@ -0,0 +1 @@
+1.14.9
diff --git a/build/build.mk b/build/build.mk
@@ -53,7 +53,8 @@ else
 endif
 
 # Linker flags: https://cmake.org/cmake/help/latest/envvar/LDFLAGS.html.
-LDFLAGS := "-s -w -X $(BASE_PACKAGE_NAME)/pkg/version.channel=$(REL_CHANNEL) -X $(BASE_PACKAGE_NAME)/pkg/version.release=$(REL_VERSION) -X $(BASE_PACKAGE_NAME)/pkg/version.commit=$(GIT_COMMIT) -X $(BASE_PACKAGE_NAME)/pkg/version.version=$(GIT_VERSION) -X $(BASE_PACKAGE_NAME)/pkg/version.chartVersion=$(CHART_VERSION)"
+TERRAFORM_VERSION := $(shell cat .terraform-version)
+LDFLAGS := "-s -w -X $(BASE_PACKAGE_NAME)/pkg/version.channel=$(REL_CHANNEL) -X $(BASE_PACKAGE_NAME)/pkg/version.release=$(REL_VERSION) -X $(BASE_PACKAGE_NAME)/pkg/version.commit=$(GIT_COMMIT) -X $(BASE_PACKAGE_NAME)/pkg/version.version=$(GIT_VERSION) -X $(BASE_PACKAGE_NAME)/pkg/version.chartVersion=$(CHART_VERSION) -X $(BASE_PACKAGE_NAME)/pkg/recipes/terraform.terraformVersion=$(TERRAFORM_VERSION)"
 
 # Combination of flags into GOARGS.
 GOARGS := -v -gcflags $(GCFLAGS) -ldflags $(LDFLAGS)
diff --git a/build/install-bicep.sh b/build/install-bicep.sh
@@ -59,12 +59,17 @@ if [ "$ARCH" = "arm64" ]; then
   BICEP_ARCH="arm64"
 fi
 
+# Bicep CLI version. Pinned because Bicep v0.43+ tightened
+# ContainerRegistryClientFactory.ThrowIfRegistryNotTrusted to reject br:localhost:5000/... targets,
+# breaking publish-extension to local registries used by our CI and local dev workflows.
+BICEP_VER="v0.42.1"
+
 # Check if bicep binary already exists in the target location
 if [ -f "$OUTPUT_DIR/bicep" ]; then
   echo "Bicep CLI already exists at $OUTPUT_DIR/bicep, skipping download."
 else
-  echo "Downloading Bicep CLI..."
-  if ! curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-$BICEP_ARCH; then
+  echo "Downloading Bicep CLI ${BICEP_VER}..."
+  if ! curl -Lo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VER}/bicep-linux-${BICEP_ARCH}"; then
     echo "Failed to download Bicep CLI. Please check your internet connection or the URL."
     exit 1
   fi
diff --git a/deploy/Chart/tests/helpers_test.yaml b/deploy/Chart/tests/helpers_test.yaml
@@ -398,6 +398,9 @@ tests:
       rp.image: applications-rp
       dynamicrp.image: dynamic-rp
       de.image: deployment-engine
+      # Clear the values.yaml pin so this test exercises the
+      # global.imageTag fallthrough for the DE image.
+      de.tag: ""
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
diff --git a/deploy/Chart/values.yaml b/deploy/Chart/values.yaml
@@ -83,8 +83,8 @@ controller:
 
 de:
   image: deployment-engine
-  # Default tag uses Chart AppVersion.
-  # tag: latest
+  # Pin Deployment Engine to the v0.56.0 image for the v0.57.1 patch release.
+  tag: 0.56
   resources:
     requests:
       # request memory is the average memory usage + 10% buffer.
diff --git a/docs/release-notes/v0.57.1.md b/docs/release-notes/v0.57.1.md
@@ -0,0 +1,11 @@
+## Radius v0.57.1
+
+This patch release pins the Deployment Engine image installed by the Radius Helm chart to the `0.56` tag to work around a bug in Deployment Engine `0.57.0`, pins the Bicep CLI used by the `rad` CLI and CI workflows to `v0.42.1` to work around a breaking change in Bicep `v0.43+` that rejects local registry targets (e.g. `br:localhost:5000/...`), and pins the Terraform version to avoid surprise breaking changes. Check out the [changelog](#changelog) for more details of what was addressed in this patch.
+
+## Changelog
+
+* Pin Deployment Engine image to 0.56 for v0.57.1 patch release by @brooke-hamilton in https://github.com/radius-project/radius/pull/11855
+* Pin Bicep CLI to v0.42.1 in workflows and rad CLI by @sk593 in https://github.com/radius-project/radius/pull/11812
+* Pin tf version to avoid surprise breaking changes by @nithyatsu in https://github.com/radius-project/radius/pull/11779
+
+**Full Changelog**: https://github.com/radius-project/radius/compare/v0.57.0...v0.57.1
diff --git a/pkg/cli/bicep/tools/download_tools.go b/pkg/cli/bicep/tools/download_tools.go
@@ -28,8 +28,14 @@ import (
 )
 
 const (
+	// bicepVersion is the pinned version of the Bicep CLI to download.
+	// Pinned because Bicep v0.43+ tightened ContainerRegistryClientFactory.ThrowIfRegistryNotTrusted
+	// to reject br:localhost:5000/... targets, breaking publish-extension to local registries used
+	// by our CI and local dev workflows.
+	bicepVersion = "v0.42.1"
+
 	// binaryRepo is the name of the remote bicep binary repository
-	binaryRepo = "https://github.com/Azure/bicep/releases/latest/download/"
+	binaryRepo = "https://github.com/Azure/bicep/releases/download/" + bicepVersion + "/"
 )
 
 // validPlatforms is a map of valid platforms to download for. The key is the combination of GOOS and GOARCH.
diff --git a/pkg/recipes/terraform/install.go b/pkg/recipes/terraform/install.go
@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
+	"github.com/hashicorp/go-version"
 	install "github.com/hashicorp/hc-install"
 	"github.com/hashicorp/hc-install/product"
 	"github.com/hashicorp/hc-install/releases"
@@ -174,10 +175,7 @@ func downloadAndInstallTerraform(ctx context.Context, installer *install.Install
 
 	installStartTime := time.Now()
 	execPath, err := installer.Ensure(ctx, []src.Source{
-		&releases.LatestVersion{
-			Product:    product.Terraform,
-			InstallDir: globalDir,
-		},
+		&releases.ExactVersion{Product: product.Terraform, Version: version.Must(version.NewVersion(terraformVersion))},
 	})
 	if err != nil {
 		metrics.DefaultRecipeEngineMetrics.RecordTerraformInstallationDuration(ctx, installStartTime,
diff --git a/pkg/recipes/terraform/version.go b/pkg/recipes/terraform/version.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2026 The Radius Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package terraform
+
+// terraformVersion is the version of Terraform that Radius downloads and
+// uses to execute Terraform recipes.
+//
+// The canonical source of truth is the .terraform-version file at the
+// repository root (matching the .node-version / .python-version
+// convention used by tfenv, tfswitch, asdf, and mise). The Makefile reads
+// that file and overrides this value at build time via the
+// -X linker flag. The hard-coded default below is used by `go test`,
+// `go run`, and other invocations that do not go through the Makefile;
+// the TestTerraformVersionMatchesFile test guarantees it stays in sync
+// with the file.
+var terraformVersion = "1.14.9"
+
+// TerraformVersion returns the Terraform version Radius will install.
+func TerraformVersion() string {
+	return terraformVersion
+}
diff --git a/pkg/recipes/terraform/version_test.go b/pkg/recipes/terraform/version_test.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2026 The Radius Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package terraform
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestTerraformVersionMatchesFile guarantees that the hard-coded
+// terraformVersion default in version.go stays in sync with the
+// .terraform-version file at the repository root.
+func TestTerraformVersionMatchesFile(t *testing.T) {
+	_, thisFile, _, ok := runtime.Caller(0)
+	require.True(t, ok, "unable to determine test file location")
+
+	// Walk up from this file to the repo root (which contains go.mod).
+	dir := filepath.Dir(thisFile)
+	for {
+		if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
+			break
+		}
+		parent := filepath.Dir(dir)
+		require.NotEqual(t, parent, dir, "could not locate repository root (go.mod)")
+		dir = parent
+	}
+
+	contents, err := os.ReadFile(filepath.Join(dir, ".terraform-version"))
+	require.NoError(t, err, "failed to read .terraform-version at repo root")
+
+	require.Equal(t,
+		strings.TrimSpace(string(contents)),
+		terraformVersion,
+		"terraformVersion default in version.go must match .terraform-version at repo root",
+	)
+}
diff --git a/versions.yaml b/versions.yaml
@@ -1,6 +1,6 @@
 supported:
   - channel: '0.57'
-    version: 'v0.57.0'
+    version: 'v0.57.1'
   - channel: '0.56'
     version: 'v0.56.1'
 deprecated:

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,14 @@ import (`
`28`	`28`	`)`
`29`	`29`
`30`	`30`	`const (`
	`31`	`+ // bicepVersion is the pinned version of the Bicep CLI to download.`
	`32`	`+ // Pinned because Bicep v0.43+ tightened ContainerRegistryClientFactory.ThrowIfRegistryNotTrusted`
	`33`	`+ // to reject br:localhost:5000/... targets, breaking publish-extension to local registries used`
	`34`	`+ // by our CI and local dev workflows.`
	`35`	`+ bicepVersion = "v0.42.1"`
	`36`	`+`
`31`	`37`	`// binaryRepo is the name of the remote bicep binary repository`
`32`		`- binaryRepo = "https://github.com/Azure/bicep/releases/latest/download/"`
	`38`	`+ binaryRepo = "https://github.com/Azure/bicep/releases/download/" + bicepVersion + "/"`
`33`	`39`	`)`
`34`	`40`
`35`	`41`	`// validPlatforms is a map of valid platforms to download for. The key is the combination of GOOS and GOARCH.`