Releases: tektoncd/chains
Release list
Tekton Chains release v0.28.0
Tekton Chains release v0.28.0 "Release v0.28.0"
-Docs @ v0.28.0
-Examples @ v0.28.0
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.28.0/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677ae629a6c752733033ba688ada1b6546bd966a3e4ce200b8164f66313961206624
Obtain the attestation:
REKOR_UUID=108e9186e8c5677ae629a6c752733033ba688ada1b6546bd966a3e4ce200b8164f66313961206624
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.28.0/release.yaml
REKOR_UUID=108e9186e8c5677ae629a6c752733033ba688ada1b6546bd966a3e4ce200b8164f66313961206624
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.28.0@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
- ✨ feat: embed Rekor bundle in OCI attestation layer annotations (#1610)
Fixes
-
🐛 [cherry-pick: release-v0.28.x] fix(storage): skip docdb watcher reconfiguration on empty file read (#1770)
-
🐛 [cherry-pick: release-v0.28.x] fix(signing): make KMS OIDC fallback test environment-independent (#1767)
-
🐛 Add migration cleanup for SSA finalizers (#1697)
-
🐛 fix: enable Vault JWT auth without Spire for KMS signing (#1616)
Misc
-
🔨 chore: switch base image to ghcr.io/tektoncd/plumbing/static-base (#1702)
-
🔨 Update setup-nightly-infra to latest version (#1741)
-
🔨 chore: update release publish task (#1689)
-
🔨 fix: update plumbing revision (#1688)
-
🔨 fix: pass insecure option to name.NewDigest for OCI storage (#1684)
-
🔨 ci(dependabot): group github-actions bumps across all branches (#1757)
-
🔨 chore(deps): bump ko-build/setup-ko from 0.9 to 0.10 (#1754)
-
🔨 chore(deps): bump actions/setup-go from 6.4.0 to 6.5.0 (#1753)
-
🔨 chore(deps): bump imjasonh/setup-ko from 0.9 to 0.10 (#1752)
-
🔨 chore(deps): bump github.com/sigstore/fulcio from 1.8.5 to 1.8.6 (#1740)
-
🔨 chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.6 to 2.1.0 (#1739)
-
🔨 chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#1711)
-
🔨 chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (#1710)
-
🔨 chore(deps): bump chainguard-dev/actions from 1.6.23 to 1.6.25 (#1709)
-
🔨 chore(deps): bump go.mongodb.org/mongo-driver from 1.17.6 to 1.17.7 (#1708)
-
🔨 chore(deps): bump chainguard-dev/actions from 1.6.22 to 1.6.23 (#1704)
-
🔨 chore(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#1701)
-
🔨 chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (#1700)
-
🔨 chore(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#1695)
-
🔨 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#1694)
-
🔨 chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 (#1693)
Docs
Thanks
Thanks to these contributors who contributed to v0.28.0!
- ❤️ @AlanGreene
- ❤️ @ab-ghosh
- ❤️ @app/dependabot
- ❤️ @enarha
- ❤️ @infernus01
- ❤️ @jkhelil
- ❤️ @ngelman1
- ❤️ @tekton-robot
- ❤️ @vdemeester
Extra shout-out for awesome release notes:
- 😍 @AlanGreene
- 😍 @ab-ghosh
- 😍 @enarha
- 😍 @infernus01
- 😍 @jkhelil
- 😍 @ngelman1
- 😍 @tekton-robot
- 😍 @vdemeester
Tekton Chains release v0.27.3
Tekton Chains release v0.27.3
-Docs @ v0.27.3
-Examples @ v0.27.3
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.3/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a23e40ac00f6210e922a59eff6e12eb4fca63234b1fa30d1cfcb0fb08261b6b79
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a23e40ac00f6210e922a59eff6e12eb4fca63234b1fa30d1cfcb0fb08261b6b79
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.3/release.yaml
REKOR_UUID=108e9186e8c5677a23e40ac00f6210e922a59eff6e12eb4fca63234b1fa30d1cfcb0fb08261b6b79
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.3@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
- 🔨 chore(deps): bump the all group with 3 updates (#1787)
- 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.25 to 1.6.26 in the all group (#1759)
- 🔨 chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (#1751)
- 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.24 to 1.6.25 (#1730)
- 🔨 chore(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.24 (#1721)
Docs
Thanks
Thanks to these contributors who contributed to v0.27.3!
- ❤️ @app/dependabot
- ❤️ @tekton-robot
Extra shout-out for awesome release notes:
Tekton Chains Release v0.26.6
Tekton Chains Release v0.26.6
-Docs @ v0.26.6
-Examples @ v0.26.6
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.6/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a9cc2851aeabc5d55eb1dce87413ca45c2e7196726dd0e84ea1255a41f3d43ca2
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a9cc2851aeabc5d55eb1dce87413ca45c2e7196726dd0e84ea1255a41f3d43ca2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.6/release.yaml
REKOR_UUID=108e9186e8c5677a9cc2851aeabc5d55eb1dce87413ca45c2e7196726dd0e84ea1255a41f3d43ca2
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.6@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
- 🔨 chore(deps): bump github.com/tektoncd/pipeline from 1.9.5 to 1.9.6 in the all group (#1774)
- 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.25 to 1.6.26 in the all group across 1 directory (#1760)
- 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.14 to 1.6.25 (#1750)
- 🔨 chore(deps): bump github/codeql-action/autobuild from 3.30.7 to 3.30.9 (#1749)
- 🔨 chore(deps): bump github/codeql-action/init from 3.30.7 to 3.30.9 (#1748)
- 🔨 chore(deps): bump github/codeql-action/analyze from 3.30.7 to 3.30.9 (#1734)
- 🔨 chore(deps): bump github.com/tektoncd/pipeline from 1.9.4 to 1.9.5 in the all group (#1729)
- 🔨 chore(deps): bump the all group with 14 updates (#1728)
- 🔨 chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.3 (#1725)
- 🔨 chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#1719)
Docs
Thanks
Thanks to these contributors who contributed to v0.26.6!
- ❤️ @app/dependabot
- ❤️ @tekton-robot
Extra shout-out for awesome release notes:
Tekton Chains release v0.27.2
Tekton Chains release v0.27.2 "Release v0.27.2"
-Docs @ v0.27.2
-Examples @ v0.27.2
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.2/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.2/release.yaml
REKOR_UUID=108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.2@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
- 🔨 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#1723)
- 🔨 chore(deps): bump github/codeql-action from 4.36.0 to 4.36.2 (#1720)
Docs
Thanks
Thanks to these contributors who contributed to v0.27.2!
- ❤️ @app/dependabot
Extra shout-out for awesome release notes:
Tekton Chains release v0.26.5
Tekton Chains release v0.26.5 "Release v0.26.5"
-Docs @ v0.26.5
-Examples @ v0.26.5
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.5/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.5/release.yaml
REKOR_UUID=108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.5@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
Docs
Thanks
Thanks to these contributors who contributed to v0.26.5!
- ❤️ @jkhelil
Extra shout-out for awesome release notes:
- 😍 @jkhelil
Tekton Chains release v0.27.1
Tekton Chains release v0.27.1
-Docs @ v0.27.1
-Examples @ v0.27.1
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yaml
REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.1@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
- 🐛 [cherry-pick: release-v0.27.x] Add migration cleanup for SSA finalizers (#1699)
Thanks
Thanks to these contributors who contributed to v0.27.1!
- ❤️ @enarha
Extra shout-out for awesome release notes:
- 😍 @enarha
Tekton Chains release v0.27.0
Tekton Chains release v0.27.0
-Docs @ v0.27.0
-Examples @ v0.27.0
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml
REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.0@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
-
✨ feat(metrics): Migrate from OpenCensus to OpenTelemetry (#1550)
-
✨ feat(oci): support insecure OCI registry (#1374)
Fixes
-
🐛 Fix duplicate .att/.sig OCI layers for same digest type hints (#1601)
-
🐛 Handle signing OCI artifacts in *ARTIFACT_OUTPUTS (#1578)
-
🐛 chore(ci): update cherry-pick workflow to fix multi-commit PRs (#1539)
-
🐛 fix: microshift e2e test failures on merge (#1500)
Misc
- 🔨 includes dependency and doc updates
Thanks
Thanks to these contributors who contributed to v0.27.0!
- ❤️ @AlanGreene
- ❤️ @ab-ghosh
- ❤️ @anithapriyanatarajan
- ❤️ @app/dependabot
- ❤️ @bradbeck
- ❤️ @emmanuel-ferdman
- ❤️ @enarha
- ❤️ @infernus01
- ❤️ @jkhelil
- ❤️ @l-qing
- ❤️ @ngelman1
- ❤️ @socialsister
- ❤️ @vdemeester
Extra shout-out for awesome release notes:
- 😍 @AlanGreene
- 😍 @ab-ghosh
- 😍 @anithapriyanatarajan
- 😍 @app/dependabot
- 😍 @bradbeck
- 😍 @emmanuel-ferdman
- 😍 @enarha
- 😍 @infernus01
- 😍 @jkhelil
- 😍 @l-qing
- 😍 @ngelman1
- 😍 @socialsister
- 😍 @vdemeester
Tekton Chains "Release v0.26.4"
Tekton Chains "Release v0.26.4"
-Docs @ v0.26.4
-Examples @ v0.26.4
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml
REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.4@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
- 🔨 fix(cve): CVE-2026-33814 - Update golang.org/x/net to v0.53.0 (release-v0.26.x) (#1670)
Docs
Thanks
Thanks to these contributors who contributed to v0.26.4!
Extra shout-out for awesome release notes:
Tekton Chains release v0.25.2
-Docs @ v0.25.2
-Examples @ v0.25.2
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
Obtain the attestation:
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.2@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Security Fixes
- 🔨 [Release-v0.25.x] fix: CVE-2026-34986, CVE-2026-33211, CVE-2025-66506, & CVE-2026-33186 (#1631)
Thanks
Thanks to these contributors who contributed to v0.25.2!
Extra shout-out for awesome release notes:
Tekton Chains release v0.26.3
-Docs @ v0.26.3
-Examples @ v0.26.3
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.3@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Security Fixes
- 🔨 [Release-v0.26.x] fix: CVE-2026-34986, CVE-2026-33211, & CVE-2026-33186 (#1630)
Thanks
Thanks to these contributors who contributed to v0.26.3!
Extra shout-out for awesome release notes: