Skip to content

Releases: tektoncd/chains

Tekton Chains release v0.28.0

Choose a tag to compare

@tekton-robot tekton-robot released this 10 Jul 12:08
e1630a7

Tekton Chains release v0.28.0 "Release v0.28.0"

-Docs @ v0.28.0
-Examples @ v0.28.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.28.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ae629a6c752733033ba688ada1b6546bd966a3e4ce200b8164f66313961206624

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ae629a6c752733033ba688ada1b6546bd966a3e4ce200b8164f66313961206624
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.28.0/release.yaml
REKOR_UUID=108e9186e8c5677ae629a6c752733033ba688ada1b6546bd966a3e4ce200b8164f66313961206624

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.28.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat: embed Rekor bundle in OCI attestation layer annotations (#1610)

Fixes

  • 🐛 [cherry-pick: release-v0.28.x] fix(storage): skip docdb watcher reconfiguration on empty file read (#1770)

  • 🐛 [cherry-pick: release-v0.28.x] fix(signing): make KMS OIDC fallback test environment-independent (#1767)

  • 🐛 Add migration cleanup for SSA finalizers (#1697)

  • 🐛 fix: enable Vault JWT auth without Spire for KMS signing (#1616)

Misc

  • 🔨 chore: switch base image to ghcr.io/tektoncd/plumbing/static-base (#1702)

  • 🔨 Update setup-nightly-infra to latest version (#1741)

  • 🔨 chore: update release publish task (#1689)

  • 🔨 fix: update plumbing revision (#1688)

  • 🔨 fix: pass insecure option to name.NewDigest for OCI storage (#1684)

  • 🔨 ci(dependabot): group github-actions bumps across all branches (#1757)

  • 🔨 chore(deps): bump ko-build/setup-ko from 0.9 to 0.10 (#1754)

  • 🔨 chore(deps): bump actions/setup-go from 6.4.0 to 6.5.0 (#1753)

  • 🔨 chore(deps): bump imjasonh/setup-ko from 0.9 to 0.10 (#1752)

  • 🔨 chore(deps): bump github.com/sigstore/fulcio from 1.8.5 to 1.8.6 (#1740)

  • 🔨 chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.6 to 2.1.0 (#1739)

  • 🔨 chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#1711)

  • 🔨 chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (#1710)

  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.23 to 1.6.25 (#1709)

  • 🔨 chore(deps): bump go.mongodb.org/mongo-driver from 1.17.6 to 1.17.7 (#1708)

  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.22 to 1.6.23 (#1704)

  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#1701)

  • 🔨 chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (#1700)

  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#1695)

  • 🔨 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#1694)

  • 🔨 chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 (#1693)

Docs

Thanks

Thanks to these contributors who contributed to v0.28.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.27.3

Choose a tag to compare

@tekton-robot tekton-robot released this 10 Jul 03:28
4199635

Tekton Chains release v0.27.3

-Docs @ v0.27.3
-Examples @ v0.27.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a23e40ac00f6210e922a59eff6e12eb4fca63234b1fa30d1cfcb0fb08261b6b79

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a23e40ac00f6210e922a59eff6e12eb4fca63234b1fa30d1cfcb0fb08261b6b79
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.3/release.yaml
REKOR_UUID=108e9186e8c5677a23e40ac00f6210e922a59eff6e12eb4fca63234b1fa30d1cfcb0fb08261b6b79

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

  • 🔨 chore(deps): bump the all group with 3 updates (#1787)
  • 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.25 to 1.6.26 in the all group (#1759)
  • 🔨 chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (#1751)
  • 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.24 to 1.6.25 (#1730)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.24 (#1721)

Docs

Thanks

Thanks to these contributors who contributed to v0.27.3!

Extra shout-out for awesome release notes:

Tekton Chains Release v0.26.6

Choose a tag to compare

@tekton-robot tekton-robot released this 10 Jul 03:27
ef8b3d7

Tekton Chains Release v0.26.6

-Docs @ v0.26.6
-Examples @ v0.26.6

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.6/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9cc2851aeabc5d55eb1dce87413ca45c2e7196726dd0e84ea1255a41f3d43ca2

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9cc2851aeabc5d55eb1dce87413ca45c2e7196726dd0e84ea1255a41f3d43ca2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.6/release.yaml
REKOR_UUID=108e9186e8c5677a9cc2851aeabc5d55eb1dce87413ca45c2e7196726dd0e84ea1255a41f3d43ca2

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.6@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

  • 🔨 chore(deps): bump github.com/tektoncd/pipeline from 1.9.5 to 1.9.6 in the all group (#1774)
  • 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.25 to 1.6.26 in the all group across 1 directory (#1760)
  • 🔨 chore(deps): bump chainguard-dev/actions/kind-diag from 1.6.14 to 1.6.25 (#1750)
  • 🔨 chore(deps): bump github/codeql-action/autobuild from 3.30.7 to 3.30.9 (#1749)
  • 🔨 chore(deps): bump github/codeql-action/init from 3.30.7 to 3.30.9 (#1748)
  • 🔨 chore(deps): bump github/codeql-action/analyze from 3.30.7 to 3.30.9 (#1734)
  • 🔨 chore(deps): bump github.com/tektoncd/pipeline from 1.9.4 to 1.9.5 in the all group (#1729)
  • 🔨 chore(deps): bump the all group with 14 updates (#1728)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.3 (#1725)
  • 🔨 chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#1719)

Docs

Thanks

Thanks to these contributors who contributed to v0.26.6!

Extra shout-out for awesome release notes:

Tekton Chains release v0.27.2

Choose a tag to compare

@tekton-robot tekton-robot released this 02 Jul 09:03
80338e0

Tekton Chains release v0.27.2 "Release v0.27.2"

-Docs @ v0.27.2
-Examples @ v0.27.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.2/release.yaml
REKOR_UUID=108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

  • 🔨 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#1723)
  • 🔨 chore(deps): bump github/codeql-action from 4.36.0 to 4.36.2 (#1720)

Docs

Thanks

Thanks to these contributors who contributed to v0.27.2!

  • ❤️ @app/dependabot

Extra shout-out for awesome release notes:

Tekton Chains release v0.26.5

Choose a tag to compare

@tekton-robot tekton-robot released this 02 Jul 09:03
881f5e9

Tekton Chains release v0.26.5 "Release v0.26.5"

-Docs @ v0.26.5
-Examples @ v0.26.5

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.5/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.5/release.yaml
REKOR_UUID=108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.5@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

Docs

Thanks

Thanks to these contributors who contributed to v0.26.5!

Extra shout-out for awesome release notes:

Tekton Chains release v0.27.1

Choose a tag to compare

@tekton-robot tekton-robot released this 08 Jun 11:22
020a29a

Tekton Chains release v0.27.1

-Docs @ v0.27.1
-Examples @ v0.27.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yaml
REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

  • 🐛 [cherry-pick: release-v0.27.x] Add migration cleanup for SSA finalizers (#1699)

Thanks

Thanks to these contributors who contributed to v0.27.1!

Extra shout-out for awesome release notes:

Tekton Chains release v0.27.0

Choose a tag to compare

@tekton-robot tekton-robot released this 28 May 08:17
3fbaa94

Tekton Chains release v0.27.0

-Docs @ v0.27.0
-Examples @ v0.27.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml
REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat(metrics): Migrate from OpenCensus to OpenTelemetry (#1550)

  • ✨ feat(oci): support insecure OCI registry (#1374)

Fixes

  • 🐛 Fix duplicate .att/.sig OCI layers for same digest type hints (#1601)

  • 🐛 Handle signing OCI artifacts in *ARTIFACT_OUTPUTS (#1578)

  • 🐛 chore(ci): update cherry-pick workflow to fix multi-commit PRs (#1539)

  • 🐛 Fix- Update Docdb storage logic (issue #1178) (#1505)

  • 🐛 fix: microshift e2e test failures on merge (#1500)

Misc

  • 🔨 includes dependency and doc updates

Thanks

Thanks to these contributors who contributed to v0.27.0!

Extra shout-out for awesome release notes:

Tekton Chains "Release v0.26.4"

Choose a tag to compare

@tekton-robot tekton-robot released this 28 May 16:08
dbad7be

Tekton Chains "Release v0.26.4"

-Docs @ v0.26.4
-Examples @ v0.26.4

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml
REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.4@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

  • 🔨 fix(cve): CVE-2026-33814 - Update golang.org/x/net to v0.53.0 (release-v0.26.x) (#1670)

Docs

Thanks

Thanks to these contributors who contributed to v0.26.4!

Extra shout-out for awesome release notes:

Tekton Chains release v0.25.2

Choose a tag to compare

@tekton-robot tekton-robot released this 22 Apr 15:44
d45ad41

-Docs @ v0.25.2
-Examples @ v0.25.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Security Fixes

Thanks

Thanks to these contributors who contributed to v0.25.2!

Extra shout-out for awesome release notes:

Tekton Chains release v0.26.3

Choose a tag to compare

@tekton-robot tekton-robot released this 22 Apr 17:59
868c359

-Docs @ v0.26.3
-Examples @ v0.26.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Security Fixes

Thanks

Thanks to these contributors who contributed to v0.26.3!

Extra shout-out for awesome release notes: