Skip to content

Releases: tektoncd/chains

Tekton Chains release v0.27.1

08 Jun 11:22
@tekton-robot tekton-robot
v0.27.1
020a29a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.27.1 Latest
Latest

Tekton Chains release v0.27.1

-Docs @ v0.27.1
-Examples @ v0.27.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yaml
REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

  • 🐛 [cherry-pick: release-v0.27.x] Add migration cleanup for SSA finalizers (#1699)

Thanks

Thanks to these contributors who contributed to v0.27.1!

Extra shout-out for awesome release notes:

Contributors

enarha
Assets 4
Loading

Tekton Chains release v0.27.0

28 May 08:17
@tekton-robot tekton-robot
v0.27.0
3fbaa94
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.27.0

Tekton Chains release v0.27.0

-Docs @ v0.27.0
-Examples @ v0.27.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml
REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat(metrics): Migrate from OpenCensus to OpenTelemetry (#1550)

  • ✨ feat(oci): support insecure OCI registry (#1374)

Fixes

  • 🐛 Fix duplicate .att/.sig OCI layers for same digest type hints (#1601)

  • 🐛 Handle signing OCI artifacts in *ARTIFACT_OUTPUTS (#1578)

  • 🐛 chore(ci): update cherry-pick workflow to fix multi-commit PRs (#1539)

  • 🐛 Fix- Update Docdb storage logic (issue #1178) (#1505)

  • 🐛 fix: microshift e2e test failures on merge (#1500)

Misc

  • 🔨 includes dependency and doc updates

Thanks

Thanks to these contributors who contributed to v0.27.0!

Extra shout-out for awesome release notes:

Contributors

vdemeester, bradbeck, and 10 other contributors
Loading

Tekton Chains "Release v0.26.4"

28 May 16:08
@tekton-robot tekton-robot
v0.26.4
dbad7be
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains "Release v0.26.4"

Tekton Chains "Release v0.26.4"

-Docs @ v0.26.4
-Examples @ v0.26.4

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml
REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.4@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

  • 🔨 fix(cve): CVE-2026-33814 - Update golang.org/x/net to v0.53.0 (release-v0.26.x) (#1670)

Docs

Thanks

Thanks to these contributors who contributed to v0.26.4!

Extra shout-out for awesome release notes:

Contributors

jkhelil and anithapriyanatarajan
Loading

Tekton Chains release v0.25.2

22 Apr 15:44
@tekton-robot tekton-robot
v0.25.2
d45ad41
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.25.2

-Docs @ v0.25.2
-Examples @ v0.25.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Security Fixes

Thanks

Thanks to these contributors who contributed to v0.25.2!

Extra shout-out for awesome release notes:

Contributors

anithapriyanatarajan and infernus01
Loading

Tekton Chains release v0.26.3

22 Apr 17:59
@tekton-robot tekton-robot
v0.26.3
868c359
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.26.3

-Docs @ v0.26.3
-Examples @ v0.26.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Security Fixes

Thanks

Thanks to these contributors who contributed to v0.26.3!

Extra shout-out for awesome release notes:

Contributors

anithapriyanatarajan and infernus01
Loading

Tekton Chains release v0.26.2

06 Feb 11:15
@tekton-robot tekton-robot
v0.26.2
bee7519
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.26.2

-Docs @ v0.26.2
-Examples @ v0.26.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.2/release.yaml
REKOR_UUID=108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

Thanks

Thanks to all the contributors who contributed to v0.26.2!

Loading

Tekton Chains release v0.26.1

06 Feb 09:33
@tekton-robot tekton-robot
v0.26.1
6cad4e5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.26.1

-Docs @ v0.26.1
-Examples @ v0.26.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.1/release.yaml
REKOR_UUID=108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

Loading

Tekton Chains release v0.26.0 "v0.26.0"

05 Nov 11:40
@tekton-robot tekton-robot
v0.26.0
0c9284f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.26.0 "v0.26.0"

-Docs @ v0.26.0
-Examples @ v0.26.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yaml
REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.0@sha256:" + .digest.sha256')

# Download the release file
curl -LO "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Allows users to disable image signing while still enabling provenance generation and attestation signing(#1419)
  • Keyless Signing Change (Cosign v2.6.0). Chains now uses Cosign v2.6.0, which no longer accepts HS256 JWT tokens(#1441)
    Affected: Private OIDC providers using HS256
    Not affected: Public Sigstore (Fulcio) , Key-based signing , Private OIDC using RS256
    Action Required: - If your OIDC provider uses HS256, switch to RS256 before upgrading. All other users can upgrade safely.

Fixes

  • 🐛 Remove old taskrun finalizer (#1394)

  • 🐛 Fix the build error in e2e test (#1384)

Misc

  • 🔨 Pin actions by commit SHA (#1453)

  • 🔨 Add GitHub Actions workflow for go coverage job (#1447)

  • 🔨 Remove ttl.sh dependency for microshift gh action (#1396)

  • 🔨 Add path to taskrun finalizer name (#1391)

  • 🔨 Run e2e tests on microshift (#1383)

  • 🔨 Fix subpath capitalisation (#1358)

  • 🔨 Bump the all group across 1 directory with 23 updates (#1424)

  • 🔨 Bump chainguard-dev/actions from e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 to 3998adea1311c21a09c05d5749b154d2206e902b (#1360)

  • 🔨 Bump the all group across 1 directory with 16 updates (#1359)

  • 🔨 Bump chainguard-dev/actions from f3c4f016161c129594cb6a27d9339fc04b8aba54 to e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 (#1356)

  • 🔨 Bump chainguard-dev/actions from 9c0be1ee0103db886d1887d114ec97f8766b7ef8 to f3c4f016161c129594cb6a27d9339fc04b8aba54 (#1352)

Docs

  • 📖 Fix link to keyless signing doc (#1400)

Thanks

Thanks to these contributors who contributed to v0.26.0!

Extra shout-out for awesome release notes:

Contributors

khrm, AlanGreene, and 15 other contributors
Loading

Tekton Chains release v0.25.1 "v0.25.1"

19 May 19:14
@tekton-robot tekton-robot
v0.25.1
ab93ad4
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Tekton Chains release v0.25.1 "v0.25.1"

-Docs @ v0.25.1
-Examples @ v0.25.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677aa8cbf847acc4ce0aed8e3b794dcb0f8e20e495c9a994ca636d04b6d2680d0227

Obtain the attestation:

REKOR_UUID=108e9186e8c5677aa8cbf847acc4ce0aed8e3b794dcb0f8e20e495c9a994ca636d04b6d2680d0227
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.1/release.yaml
REKOR_UUID=108e9186e8c5677aa8cbf847acc4ce0aed8e3b794dcb0f8e20e495c9a994ca636d04b6d2680d0227

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Thanks

Thanks to these contributors who contributed to v0.25.1!

Extra shout-out for awesome release notes:

Contributors

savitaashture
Loading

Tekton Chains release v0.25.0 "v0.25.0"

13 May 15:11
@tekton-robot tekton-robot
v0.25.0
1682a36

Choose a tag to compare

View all tags
Tekton Chains release v0.25.0 "v0.25.0"

-Docs @ v0.25.0
-Examples @ v0.25.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a76acbea0b7deeb21ada0fccb6951454f25f003ffd4e70762f5c602492e43749f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a76acbea0b7deeb21ada0fccb6951454f25f003ffd4e70762f5c602492e43749f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.0/release.yaml
REKOR_UUID=108e9186e8c5677a76acbea0b7deeb21ada0fccb6951454f25f003ffd4e70762f5c602492e43749f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Misc

  • 🔨 Consume release pipeline images and task bundles from GHCR (#1330)

  • 🔨 Bump chainguard-dev/actions from 9ba949ac63357c725a9438f3e05a1e33d313498e to 9c0be1ee0103db886d1887d114ec97f8766b7ef8 (#1349)

  • 🔨 Bump the all group across 1 directory with 26 updates (#1347)

  • 🔨 Bump ko-build/setup-ko from 0.8 to 0.9 (#1339)

  • 🔨 Bump imjasonh/setup-ko from 0.8 to 0.9 (#1338)

  • 🔨 Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#1328)

Docs

  • 📖 Add ghcr.io migration banner to README.md. (#1335)

Thanks

Thanks to these contributors who contributed to v0.25.0!

Extra shout-out for awesome release notes:

Contributors

twoGiants, AlanGreene, and 7 other contributors
Loading