App passwords are here in Bitbucket Cloud

By on June 6, 2016

Keeping your code secure is crucial. That’s why last year we added support for 2-factor authentication. However, only having native 2FA support limits you from accessing Bitbucket repositories via 3rd party applications. Today, we’re excited to announce application-specific passwords (a.k.a. app passwords), which will allow you to just do that. App passwords let applications access Bitbucket’s API via HTTPS when 2-factor authentication is enabled on your Bitbucket account.

app password list retina

For example, you can use an app password in SourceTree to get full desktop access to your repositories when you have 2FA enabled. From the command line, you can make API calls with the app password instead of the account password, like:

curl --user bitbucket_user:app_password

Granular scopes
You can set the scope of app passwords when you create them and give each application exactly the access it needs. We show you the last time each app password was used to access Bitbucket, and if you want, you can easily revoke an app password if something changes.

app password create retina

You can create and manage app passwords in the Access Management section of your account settings, or check out the docs to learn more.

Happy (and secure) coding!

Bitbucket Pipelines Beta: continuous delivery inside Bitbucket

By on May 24, 2016


Software has changed the world faster than almost any other industrial innovation and it’s only picking up speed. Companies are moving from infrequent, large code deployments to frequent, small and agile deployments. This trend is having a huge impact on the current software development processes. For example, in one of our most recent customer surveys, more than 65% of software teams noted that they are practicing some form of continuous delivery. It’s becoming the norm for software teams.

But implementing continuous delivery is not easy. Setting up build agents is complicated. Developers have to constantly juggle between different tools. And most of the time, the build is sitting in a queue, or you’re burying yourself in log files digging for information about failures.

Bitbucket Pipelines
That is until now. Bitbucket Cloud is introducing Pipelines to let your team build, test, and deploy from Bitbucket. It is built right within Bitbucket, giving you end-to-end visibility from coding to deployment. With Bitbucket Pipelines there’s no CI server to setup, user management to configure, or repositories to synchronize. Just enable it in one click and you’re ready to go.

Pipelines is also a great fit for branching workflows like git-flow. Anyone on your team can adapt the build configuration to map the structure of your branches. Here is a quick look at some of the salient features of Bitbucket Pipelines:

Bring your own services to Bitbucket Pipelines
We worked very closely with some of the leaders in the industry so you can bring your own services to Bitbucket Pipelines, right out of the box. Whether you want to deploy, test, monitor code quality, or store artifacts, complete any workflow with the tool of your choice: Amazon Web Services, Ansible, bitHound, BrowserStack, buddybuild, Code Climate, JFrog, Microsoft Azure, npm, SauceLabs, Sentry, Sonatype, and TestFairy.

Pipelines provided us with the perfect opportunity to bring the power of automated code quality analysis to Bitbucket users. We’re excited about the awesome potential of Pipelines and they’re only just getting started!” –Michael Bernstein, VP of Community, Code Climate.

Check out our integrations page for more details.

Continuous Delivery options from Atlassian
We believe that the best way to provide our customers with a top-notch cloud CD solution is to build the service natively within Bitbucket Cloud. That’s why we built Bitbucket Pipelines and also why today, we’re announcing the end-of-life for Bamboo Cloud, which will be discontinued starting Jan 31, 2017. While Bamboo Cloud has helped many customers to adopt CD, we realized that we would not be able to deliver the experience and the quality of service that our customers need. If you’re a Bamboo Cloud customer, click here to learn more about the migration options.

If you want to build and ship behind the firewall, we’re still heavily investing in Bamboo Server as an on-prem CD solution.

Get early access to Bitbucket Pipelines
With Bitbucket Pipelines we want to empower every team to accelerate their releases. No more time wasted on setup and maintenance, just focus on the work you love. You can sign up for the Bitbucket Pipelines beta program today and request early access.

Sign up for the beta program

Pin a comment in issues for Bitbucket Cloud

By on May 11, 2016

Every few weeks, we set aside a week for what we like to call “Innovation Week”. During that time, our developers can work on whatever they like – feature enhancements, new features, bug fixes, performance improvements, etc. Today, we’re releasing one of the projects from our most recent Innovation Week: the ability to pin a comment in issues as an “Official response“:

Screen Shot 2016-05-10 at 3.31.37 PM

Repository administrators can now pin their comment to the top of an issue’s comments section. It will be highlighted as an “Official response” right below the issue’s description and can be used for communicating a resolution status, highlighting open questions, or providing additional context and clarification. It will be particularly useful for large open-source repositories or repositories owned by organizations with large user bases.

This feature is available now for all users. Happy pinning!

Build webhook integrations faster with new troubleshooting tools

By on May 5, 2016

Last year, we released a set of new webhooks to make integration with Bitbucket Cloud easier and more powerful. The response has been overwhelming. We recently added new troubleshooting tools to better support all of you developing integrations using Bitbucket webhooks.

Request details page
We’ve added a “View details” link next to each webhook request on the log table. The new “Request details” page includes a lot of useful information about the webhook request and response, including headers, bodies, and other specifics that will help you debug.

USE 1 webhook log table

Resend request button
While developing or testing an integration, sometimes you need to trigger the same webhook multiple times while you make code changes between each request. This can be very time-consuming, slowing down your development speed. To alleviate this, we’ve included a “Resend request” button on the “Request details” page. Now you can just click once to resend the original request manually – no need to go through the steps to trigger the hook again. And if a request has been resent several times, each try will split into its own tab for easy reference.

USE 2 multiple requests

Also, the request list view now displays an icon to indicate when a request has been attempted multiple times:

USE 1 webhook log table 2

We hope these improvements will enhance your webhook development experience! If you’re new to Bitbucket webhooks, you can configure them in your repository settings. Are you inspired to build new, exciting integrations? Clone our webhook-listener demo project to quickly get started with Bitbucket webhooks.

Renewing our certificate

By on May 4, 2016

It’s almost time to replace our main certificate, so we’re planning to do that at 00:00 UTC on May 6 2016.

Most users shouldn’t notice any difference. However, if you’re using Mercurial over HTTPS, then you might see this error message after the new certificate is installed:

abort: certificate for has unexpected fingerprint
(check hostfingerprint configuration)

If you do see that error, you’ll need to update the host fingerprint for in your ~/.hgrc or Mercurial.ini configuration file:

[hostfingerprints] = 3f:d3:c5:17:23:3c:cd:f5:2d:17:76:06:93:7e:ee:97:42:21:14:aa

Happy branching!

Got questions? We’ve got answers. Git, agile and JIRA/Bitbucket answers to be exact.

By on May 3, 2016

Are you a JIRA Software or Bitbucket user? How about an Agile fan or Git enthusiast? We’re looking at you. To honor one of Atlassian’s core values, Don’t *%# the customer, we want you to use us as a resource. Today, Atlassian’s Product managers and developer advocates will unite to give your team the leg up on any JIRA Software/Bitbucket, Git or agile questions you may have.

How you ask?

Here’s the deal. Today we’ll be answering questions on Twitter from 12-7pm PST and will get to as many questions as we can, as fast as we can, until signing off at 7pm PST. Here’s how to join in the fun:

  1. Ask a question on twitter using the hashtag #AskJIRABB
  2. Be sure to follow both @JIRA and @Bitbucket to see your answer, and follow along with the conversation
  3. It’s as simple as that

To get the conversation started, here are some examples questions we can help you with:

Get the idea? Awesome. Gather your questions, your dev team, and join the conversation.

Protect our Git repos: stop foxtrot merges now!

By on April 28, 2016

This guest post is written by Sylvie Davies, the author of the Bit-Booster Commit Graph and More add-on for Bitbucket Server. Sylvie is a mother, poet, painter, pianist, and software developer with over 5 years experience in Java and JavaScript, and 2 years with Git. 


First, what is a foxtrot merge?

A foxtrot merge is a specific sequence of git commits. A particularly nefarious sequence. Out in the open, in lush open grasslands, the sequence looks like this:


But foxtrots are rarely seen in the open. They hide up in the canopy, in between the branches. I call them foxtrots because, when caught mid-pounce, they look like the foot sequence for the eponymous ballroom dance:



Others have blogged about foxtrot merges, but they never name them directly. For example, Junio C. Hamano blogs about having Fun With –First-Parent, as well as Fun With Non-Fast-Forward. David Lowe of talks about Maintaining Consistent Linear History.  And then there’s a whole pack of people telling you to avoid “git pull” and to always use “git pull –rebase” instead. Why?  Mostly to avoid merge commits in general, but also to avoid them darn foxtrot vermin.

But are foxtrot merges really bad? Yes.


They are clearly not as bad as the Portuguese Man o’ War. But foxtrot merges are bad, and you do not want them creeping into your git repositories.

Why are foxtrot merges bad?

Foxtrot merges are bad because they change origin/master’s first-parent history.

The parents of a merge commit are ordered. The 1st parent is HEAD. The 2nd parent is the commit you reference with the “git merge” command.

You can think of it like this:

git checkout 1st-parent
git merge 2nd-parent

And if you are of the octopus persuasion:

git merge 2nd-parent 3rd-parent 4th-parent ... 8th-parent etc...

This means first-parent history is exactly like it sounds.  It’s the history you get when you omit all parents except the first one for each commit. For regular commits (non-merges) the first parent is the only parent, and for merges it was the commit you were on when you typed “git merge.” This notion of first-parent is built right into Git, and appears in many of the commands, e.g., “git log –first-parent.”

The problem with foxtrot merges is they cause origin/master to merge as a 2nd parent.

Which would be fine except that Git doesn’t care about parent-order when it evaluates whether a commit is eligible for fast-forward. And you really don’t want that. You don’t want foxtrot merges updating origin/master via fast-forward. It makes the first-parent history unstable.

Look what happens when a foxtrot merge is pushed:


You can calculate the first-parent history yourself by tracing the graph with your finger starting from origin/master and always going left at every fork.

The problem is that initially the first-parent sequence of commits (starting from origin/master) is this:

B, A

But after the foxtrot merge is pushed, the first-parent sequence becomes this:

D, C, A

Commit B has vanished from the origin-master‘s first-parent history. No work is lost, and commit B is still part of origin/master of course.

But first-parent turns out to have all sorts of implications. Did you know that the tilda notation (e.g., <commit>~N) specifies the Nth-commit down the first-parent path from the given commit?

Have you ever wanted to see each commit on your branch as a diff, but “git log -p” is clearly missing diffs, and “git log -p -m” has way too many diffs?

Try “git log -p -m –first-parent” instead.

Have you ever wanted to revert a merge?  You need to supply the “-m parent-number” option to “git revert” to do that, and you really don’t want to provide the wrong parent-number.

Most people I work with treat the first-parent sequence as the real “master” branch. Either consciously or subconsciously, people see “git log –first-parent origin/master” as the sequence of the important things. As for any side branches merging in? Well, you know what they say:


But foxtrot merges mess with this. Consider the example below, where a sequence of critical commits hits origin/master in parallel to your own slightly less important work:



At this point you’re finally ready to bring your work into master. You type “git pull,” or maybe you’re on a topic branch and you type “git merge master”. What happens? A foxtrot merge happens.



This wouldn’t really be of any concern. Except when you type “git push” and your remote repo accepts it. Because now your history looks like this:




What should I do about the pre-existing foxtrot merges that have infected my git repo?

Nothing. Leave them. Unless you’re one of those antisocial people that rewrites master. Then go nuts.

Actually, please don’t.

How can I prevent future foxtrot merges from creeping into my git repo?

There are a few ways.  My favorite approach involves 4 steps:

1. Setup Atlassian Bitbucket Server for your team.

2. Install the add-on I wrote for Bitbucket Server called “Bit Booster Commit Graph and More.”  You can find it here:

3. Click the “Enable” button on the “Protect First Parent Hook” in all your repos:


4. Call in sick to work for 31 days to make the trial license expire.

This is my preferred approach because it keeps the foxtrots away, and it prints a cow whenever a foxtrot is blocked:

$ git commit -m 'my commit'
$ git pull
$ git push

remote:  _____________________________________________
remote: /                                             \
remote: | Moo! Your bit-booster license has expired!  |
remote: \                                             /
remote:  ---------------------------------------------
remote:         \   ^__^
remote:          \  (oo)\_______
remote:             (__)\       )\/\
remote:                 ||----w |
remote:                 ||     ||
remote: *** PUSH REJECTED BY Protect-First-Parent HOOK ***
remote: Merge [da75830d94f5] is not allowed. *Current* master
remote: must appear in the 'first-parent' position of the
remote: subsequent commit.


There are other ways. You could disable direct pushes to master, and hope that pull-requests never merge with fast-forward. Or train your staff to always do “git pull –rebase” and to never type “git merge master” and once all your staff are trained, never hire anyone else.

If you have direct access to the remote repository, you could setup a pre-receive hook. The following bash script should help you get started:


# Copyright (c) 2016 G. Sylvie Davies.
# Copyright (c) 2016 torek.
# License: MIT license.
while read oldrev newrev refname
if [ "$refname" = "refs/heads/master" ]; then
   MATCH=`git log --first-parent --pretty='%H %P' $oldrev..$newrev |
     grep $oldrev |
     awk '{ print \$2 }'`

   if [ "$oldrev" = "$MATCH" ]; then
     exit 0
     exit 1


I accidentally created a foxtrot merge, but I haven’t pushed it. How can I fix it?

Suppose you install the pre-receive hook, and it blocks your foxtrot. What do you do next? You have three possible remedies:

1. Simple rebase:


2. Reverse your earlier merge to make origin/master the first-parent:


3. Create a 2nd merge commit after the foxtrot merge to preserve origin/master’s –first-parent relation.


But please don’t do #3, because the final result is called a “Portuguese man o’ war merge,” and those guys are even worse than foxtrot merges.


At the end of the day a foxtrot merge is just like any other merge. Two (or more) commits come together to reconcile separate development histories.  As far as your codebase is concerned, it makes no difference. Whether commit merges into commit B or vice versa, the end result from a code perspective is identical.

But when it comes to your repository’s history, as well as using the git toolset effectively, foxtrot merges create havoc.  By setting up policy to prevent them, you make your history easier to understand, and you reduce the range of git command options you need to memorize.

Did you like the git graphs in this blog post?   You can make similar git graphs for your own blog posts using the git-graph-drawing-tool:  You can also install the Bit-Booster Commit Graph add-on for Bitbucket Server to block foxtrots AND see nice git graphs.

Updated diff view for moved or renamed files in Bitbucket Cloud

By on April 14, 2016

On the heels of other improvements to code review that we recently released, today we’re updating the diff view to better represent moved or renamed files in Git repositories. This will speed up your code review by collapsing files whose contents have not changed—enabling you to jump right into the code that actually requires review. No more wading through large blocks of code for moved or renamed files!


Try out the new view for renamed/moved files today by visiting the “Labs” page (“Bitbucket settings” → “Labs”) and turning on “Show renamed/moved files in diffs“:


While you’re there, check out the “improved pull request list” if you haven’t already. We’ve updated the pull request list to make it easier for you to quickly find the pull requests you need to review and show the state of a review at a glance. We’ll be rolling out both these features to everyone over the next few weeks. Happy code reviewing!

Get to master faster with pull requests in Bitbucket Server

By on April 7, 2016

Pull requests provide a lightweight way to do peer code reviews and merges as part of a branch-based development workflow. Sure beats having to huddle around a monitor with 3 other developers! Today I’d like to share with you some improvements we’ve made to pull requests in Bitbucket Server that will help you get to master faster.

Pull request reviewer status

Professional teams benefit from having an explicit set of reviewers on pull requests, making it clear who is expected to pitch in and review. And we built that into Bitbucket long ago. As powerful as that has been, we’ve heard feedback that it wasn’t obvious who had reviewed the latest changes – even to the reviewers themselves. Some reviewers were also appearing a little too judgmental and reaching for the decline button when they really just wanted to say that the code needed a little improvement.

Pull requests need a way to help reviewers and authors keep track of what was going on around all the feedback flying around. So we added reviewer status to make reviewers’ intention clear to everyone. As a result, both the author and reviewers can see which pull requests need their attention. We shipped this last month with Bitbucket Server 4.4 and have seen strong uptake amongst our customers.

Another useful improvement we made to pull requests is the ability for users to quickly add or remove themselves as a reviewer. If you’re on a team that adds lots of reviewers, it’s now easy for a reviewer to opt out whilst make it clear who’s still on the hook. Conversely, if your teammates prefer to “self-select” by opting in as a reviewer, that’s easy too.

Even better branch permissions

Awesome pull requests are awesome and everything… but only if people use them. We’ve long had branch permissions that let teams choose who can write to a branch without a pull request. That’s pretty much an expected feature these days. Recently, we made it possible to protect certain branches by requiring pull requests for changes.

Organizations that wanted stricter pull request based workflows found this quite useful, though as some pointed out, there are times when bypassing this restriction is necessary. For example, when applying merges of already approved changes between release branches.

With Bitbucket Server 4.5, it’s now possible to nominate exceptions to any of the available restrictions – be it force pushes, branch deletions, or requiring pull requests. This means you can ensure developers’ changes always go through pull requests, while the release manager can propagate previously reviewed changes with regular merges.

Overdue for a Bitbucket upgrade?

If you’ve been holding off upgrading to the latest release or want to try Bitbucket Server for the first time, there’s never been a better time. Get these goodies into developers’ hands and they’ll thank you for helping them fly! Download Bitbucket 4.5 here.

Code review just got even better in Bitbucket Cloud

By on April 6, 2016

High performing teams use code reviews. A lot. And most of the time code reviews are done using pull requests.

Improved pull request list
We’ve updated Bitbucket’s pull request list to make it even easier for you to quickly find the pull requests you need to review, and to show you the state of a review at a glance:

We’ve improved the filter bar to let you jump right to the pull request you need to approve and filter by author, target branch or pull request state. You can search for the pull request too. The updated display shows who’s reviewing each pull request, who has already approved it, and which branch it’s targeting, so it’s easy to see how your team’s code reviews are progressing.

Manage features
Try out the new pull request list today by visiting the Labs page and turning on the improved pull request list:

Please provide feedback straight from the Labs page by clicking “Give feedback”. Your feedback will help us get it right. We’ll be rolling out the improved pull request list to everyone over the new few weeks.

We will use the Labs functionality in Bitbucket Cloud to gradually roll-out new features to our users. This will let you provide extensive feedback to our engineering teams and help make the feature better before we roll it out to everyone.

Ignore whitespace
Remember when you had to add ?w=1 to your page URL to ignore whitespace? That did the trick, but it wasn’t very intuitive. Now it is.

Now, every time you’re reviewing some code and want to ignore whitespace on that diff, click the “More Actions” menu (i.e., the ellipses “…”) and select “Ignore whitespace”. Selecting this option will ignore whitespace across all changed files. This option is available for everyone today.

We hope these new features we introduced recently improve your code reviewing experience in Bitbucket Cloud. Happy coding!


Did you find this post useful? Share it on your social network of choice so your fellow Bitbucketeers can learn about these new goodies, too!