Releases: tektoncd/chains
Tekton Chains release v0.15.0
- Docs @ v0.15.0
- Examples @ v0.15.0
Highlights
- Sigstore keyless mode promoted out of experimental
- The in-toto provenance format is now rebranded as slsa/v1 (in-toto remains as an alias).
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.15.0/release.yaml
Attestation
The Rekor UUID for this release is 24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0
Obtain the attestation:
REKOR_UUID=24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.15.0/release.yaml
REKOR_UUID=24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.15.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match it to the release file as a fixed string (the dots in the reference are not regex metacharacters)
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
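The shell check above (and the same check repeated for every release below) only asks whether each attested subject appears in the release file; it does not report a manifest image whose digest differs from the attested one, nor an image in the release file that no subject covers at all. The following Python script is an added example, not part of the Tekton Chains release notes or the project's code: it performs the same matching offline, in both directions, on a constructed in-toto statement and a constructed release.yaml fragment. The subject shape (name plus digest.sha256) is the one the jq filter above reads; the image names mirror the release pipeline's naming, and every digest is a made-up placeholder.

```python
import json
import re

# Constructed sample in-toto statement, shaped like the .Attestation payload that the
# rekor-cli | jq pipeline extracts. The digests are made-up placeholders, not real values.
SAMPLE_ATTESTATION = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller",
         "digest": {"sha256": "a" * 64}},
        {"name": "gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/helper",
         "digest": {"sha256": "b" * 64}},
    ],
    "predicate": {},
})

# Constructed release manifest fragment: the controller image matches the attested digest,
# the helper image ships with a different digest, and a third image is not attested at all.
SAMPLE_RELEASE_YAML = """
        image: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.15.0@sha256:{a}
        image: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/helper:v0.15.0@sha256:{c}
        image: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/sidecar:v0.15.0@sha256:{d}
""".format(a="a" * 64, c="c" * 64, d="d" * 64)

# Matches a digest-pinned image reference: name[:tag]@sha256:<64 hex>. The name group stops at
# the first ':' so a tag is separated off; a registry host with a port would need a wider pattern.
IMAGE_REF = re.compile(r"image:\s*(?P<name>[^\s:@]+)(?::[^\s@]+)?@sha256:(?P<digest>[0-9a-f]{64})")


def attested_subjects(statement_json):
    """Return {image name: sha256 digest} from an in-toto statement's subject list."""
    statement = json.loads(statement_json)
    subjects = {}
    for subject in statement.get("subject", []):
        digest = subject.get("digest", {}).get("sha256")
        if not digest:
            raise ValueError(f"subject {subject.get('name')!r} has no sha256 digest")
        subjects[subject["name"]] = digest
    return subjects


def manifest_images(release_yaml):
    """Return {image name: sha256 digest} for every digest-pinned image reference in the manifest."""
    return {m.group("name"): m.group("digest") for m in IMAGE_REF.finditer(release_yaml)}


def compare(statement_json, release_yaml):
    """Compare attestation subjects against manifest images in both directions.

    An entry under digest_mismatch or unattested_in_release means the release file
    carries an image that the provenance does not vouch for.
    """
    attested = attested_subjects(statement_json)
    shipped = manifest_images(release_yaml)
    return {
        "ok": sorted(n for n in attested if shipped.get(n) == attested[n]),
        "digest_mismatch": sorted(n for n in attested if n in shipped and shipped[n] != attested[n]),
        "missing_from_release": sorted(n for n in attested if n not in shipped),
        "unattested_in_release": sorted(n for n in shipped if n not in attested),
    }


if __name__ == "__main__":
    for status, names in compare(SAMPLE_ATTESTATION, SAMPLE_RELEASE_YAML).items():
        for name in names:
            print(f"{name} ===> {status}")
```

To run it against a real release, feed compare() the JSON printed by the rekor-cli pipeline (after base64 decoding for the older releases below) and the downloaded release.yaml; the reverse check is what catches an image that was added to the manifest without going through the attested build.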
Changes
Backwards incompatible changes
- 5fab3e2 Remove tekton as a provenance format (#685) - This was deprecated as of v0.9.0. This completes its removal.
- 1b47418 Unexport intoto/taskrun funcs. (#668) - This should have no impact unless you were calling chains libraries directly.
Features
- 82c213c Add labels and annotations to attestation (#692)
- 05232aa Slsa Branding of Chains Provenance Format (#687)
- 759d570 Updating provenance branding from intotoite to slsa (#684)
- b4e5b53 Allow passing in of sha1 digests through StructuredResults (#676)
- 28a6c69 Issue 642: predicate.materials needs to record more information in PipelineRun (#658)
- af6c5b4 Promote Sigstore features out of experimental. (#652)
- 1d48332 Issue 642: predicate.materials needs to record more information (#649)
Fixes
- 3d0e739 Do not initialize Rekor client if transparency is not enabled (#693)
- 1b142b5 Fix to prevent adding empty structs into materials. (#678)
Misc
- 8dc461d Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#701)
- 08ba781 Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#702)
- 0a06881 Bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.0 (#696)
- 49eaca0 Bump google.golang.org/grpc from 1.52.1 to 1.52.3 (#691)
- b43d824 Bump gocloud.dev/pubsub/kafkapubsub from 0.27.0 to 0.28.0 (#674)
- d339ef2 Bump google.golang.org/grpc from 1.52.0 to 1.52.1 (#690)
- f3022d0 Bump github.com/tektoncd/pipeline from 0.43.2 to 0.44.0 (#689)
- 5cc2a87 Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 (#688)
- 3ab8dfa Bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 (#686)
- e075201 Bump github.com/hashicorp/vault/sdk from 0.6.2 to 0.7.0 (#679)
- a497bbe Run GHA workflows on release branches. (#651)
- 6a00ef9 Bump github.com/spiffe/go-spiffe/v2 from 2.1.1 to 2.1.2 (#672)
- 6a167b6 Bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1 (#682)
- 13f37a2 Bump github.com/google/addlicense from 1.1.0 to 1.1.1 (#681)
- 6e0f82b Bump gocloud.dev/docstore/mongodocstore from 0.27.0 to 0.28.0 (#673)
- aecd3d9 Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#670)
- 61e7faa Bump github.com/tektoncd/pipeline from 0.43.1 to 0.43.2 (#669)
- bf183c0 Bump github.com/tektoncd/pipeline from 0.43.0 to 0.43.1 (#667)
- 19a50fb Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#666)
- 8bbbe55 Cleanup golangci-lint and added additional linters. (#661)
- 5028b17 Cleanup: use idiomatic Go. (#662)
- 26fdcbf Cleanup: replaced deprecated ioutil package use. (#660)
- 7015e14 Update tektoncd/pipeline to 0.43.0 (#659)
- 9843497 Bump github.com/hashicorp/vault/sdk from 0.6.1 to 0.6.2 (#656)
- b5efd58 Bump cloud.google.com/go/compute/metadata from 0.2.2 to 0.2.3 (#647)
- 19b5339 Bump github.com/hashicorp/go-plugin from 1.4.7 to 1.4.8 (#641)
Docs
- 0eb541d add transparency log search ui provided by chainguard team (#632)
- 09c36ba Update releases for v0.14.0 (#653) (#654)
- 46f2948 Update releases for v0.14.0 (#653)
Thanks
Thanks to these contributors who contributed to v0.15.0!
- ❤️ @bendory
- ❤️ @chitrangpatel
- ❤️ @developer-guy
- ❤️ @EmmaMunley
- ❤️ @jagathprakash
- ❤️ @lcarva
- ❤️ @wlynch
Tekton Chains release v0.13.1
- Docs @ v0.13.1
- Examples @ v0.13.1
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.1/release.yaml
Attestation
The Rekor UUID for this release is 24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c
Obtain the attestation:
REKOR_UUID=24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.1/release.yaml
REKOR_UUID=24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.13.1@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match it to the release file as a fixed string
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Misc
- Update go.mod (#650)
Thanks
Thanks to these contributors who contributed to v0.13.1!
- ❤️ @wlynch
Extra shout-out for awesome release notes:
- @wlynch
Tekton Chains release v0.14.0
- Docs @ v0.14.0
- Examples @ v0.14.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
Attestation
The Rekor UUID for this release is 24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe
Obtain the attestation:
REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.14.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match it to the release file as a fixed string
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Misc
- Add lcarva, chuangw6 to global approvers. (#619)
- Added GHA to run go vet and go fmt checks. (#644)
- Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#643)
- Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#639)
- Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 (#638)
- Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.7 (#637)
- Bump cloud.google.com/go/storage from 1.28.0 to 1.28.1 (#635)
- Bump cloud.google.com/go/compute/metadata from 0.2.1 to 0.2.2 (#634)
- Bump go.uber.org/zap from 1.23.0 to 1.24.0 (#633)
- Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 (#628)
- Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 (#627)
- Bump github.com/tektoncd/pipeline from 0.41.0 to 0.42.0 (#626)
- Bump github.com/google/addlicense from 1.0.0 to 1.1.0 (#624)
- Bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 (#623)
- Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#622)
- Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 (#621)
- Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#620)
- Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 (#618)
- Bump github.com/sigstore/cosign from 1.12.1 to 1.13.1 (#617)
- Bump github.com/hashicorp/vault/sdk from 0.6.0 to 0.6.1 (#616)
- Bump scaffolding release, use newer pipelines. (#614)
- Bump github.com/tektoncd/pipeline from 0.40.1 to 0.41.0 (#606)
- Bump gocloud.dev, knative.dev/pkg, k8s.io dependencies. (#605)
- Bump gocloud.dev/docstore/mongodocstore from 0.26.0 to 0.27.0 (#584)
- Bump gocloud.dev/pubsub/kafkapubsub from 0.26.0 to 0.27.0 (#583)
Thanks
Thanks to these contributors who contributed to v0.14.0!
- ❤️ @bendory
- ❤️ @chuangw6
- ❤️ @dependabot[bot]
- ❤️ @developer-guy
- ❤️ @mtcolman
- ❤️ @vaikas
- ❤️ @wlynch
- ❤️ @zregvart
Extra shout-out for awesome release notes:
- @bendory
- @chuangw6
- @dependabot[bot]
- @developer-guy
- @mtcolman
- @vaikas
- @wlynch
- @zregvart
Tekton Chains release v0.13.0
- Docs @ v0.13.0
- Examples @ v0.13.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml
Attestation
The Rekor UUID for this release is 24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc
Obtain the attestation:
REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml
REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# Verify images in manifest (tekton.pub can be found in the chains repo)
cosign manifest verify release.yaml --key=tekton.pub
Changes
Features
- Added support for PipelineRun attestations (#436, #568, #573, #564, #598, #599, #601)
- Allow reading the pull secret from the podTemplate (#579)
- Add feature to extract structured signable targets and store them in subjects and materials in intoto provenance (#491)
Fixes
- Stop reconciliation on unrecoverable error (#607)
Misc
- 🧹 Removed usage of Tekton Pipelines v1alpha for everything but PipelineResources (#538)
- 🧹 Removed tekton-provenance storage option (#590) (This was already partially deprecated in v0.8.0; this removes the lagging config options.)
Docs
- getting rid of 'pipelien' (#526)
- Add the OpenSSF badge to the main README (#580)
- fix: pubusub to pubsub in storage backend support of experimental features (#582)
Thanks
Thanks to these contributors who contributed to v0.13.0!
- ❤️ @ChaosInTheCRD
- ❤️ @afrittoli
- ❤️ @bcaton85
- ❤️ @chuangw6
- ❤️ @dependabot[bot]
- ❤️ @developer-guy
- ❤️ @joejstuart
- ❤️ @lcarva
- ❤️ @piyush-garg
- ❤️ @vaikas
- ❤️ @wlynch
- ❤️ @ywluogg
Extra shout-out for awesome release notes:
- @ChaosInTheCRD
- @afrittoli
- @bcaton85
- @chuangw6
- @dependabot[bot]
- @developer-guy
- @joejstuart
- @lcarva
- @piyush-garg
- @vaikas
- @wlynch
- @ywluogg
v0.12.0
- Docs @ v0.12.0
- Examples @ v0.12.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml
Attestation
The Rekor UUID for this release is 362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf
Obtain the attestation:
REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml
REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.12.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match it to the release file as a fixed string
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Features
- ✨ Grafeas storage for non-image artifacts (#531): supports other artifact types (e.g. Maven) in the Grafeas storage backend.
- ✨ Make the Grafeas note hint configurable and change the BuildType field (#495): adds a storage.grafeas.notehint field to the configmap so that the note hint field in the Grafeas attestation note can be customized.
Fixes
- Fix param value ordering in materials (#527)
- Fix for issue #515: ensure that only the signers specified for an artifact are initialized. (#519)
- Fix the default value for builder.id in the config doc (#498)
Misc
- Bump to use scaffolding v0.4.3. (#518)
- Pin to scaffolding v0.4.2, test with k8s 1.22, 1.23, and 1.24. (#513)
- Pinning sigstore/scaffolding/actions/setup version (#512)
- Use industry standard names for payloadType field (#509)
- Fix typo in v0.3.0-build-chains-taskrun.yaml. (#505)
Docs
- Add pull_request_template.md. (#511)
- Clarify documentation for (#510)
- Add more supported GCP KMS key ref formats in config doc (#506)
Thanks
Thanks to these contributors who contributed to v0.12.0!
- ❤️ @bcaton85
- ❤️ @bendory
- ❤️ @chuangw6
- ❤️ @dependabot[bot]
- ❤️ @jagathprakash
- ❤️ @vaikas
v0.11.0
- Docs @ v0.11.0
- Examples @ v0.11.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml
Attestation
The Rekor UUID for this release is 362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9
Obtain the attestation:
REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml
REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.11.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match it to the release file as a fixed string
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Features
- Add Intoto Signable Target support in Chains using strings in results. (#465)
Misc
- Switch to Grafeas v1 API in grafeas storage (#453)
Thanks
Thanks to these contributors who contributed to v0.11.0!
- ❤️ @chuangw6
- ❤️ @dependabot[bot]
- ❤️ @maurycupitt
- ❤️ @priyawadhwa
- ❤️ @ywluogg
Extra shout-out for awesome release notes:
- @chuangw6
- @dependabot[bot]
- @maurycupitt
- @priyawadhwa
- @ywluogg
v0.10.0
- Docs @ v0.10.0
- Examples @ v0.10.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml
Attestation
The Rekor UUID for this release is 362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7
Obtain the attestation:
REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml
REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.10.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match it to the release file as a fixed string
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Features
- Add s390x arch support to chains (#463)
- Add ppc64le arch support to chains (#461)
- Allow TaskRun payloads other than IMAGE_URL (#444)
- add mongodb service support (#390)
Fixes
- Fix error msg in case no image produced (#464)
- Fix default params in attestation invocation (#449)
- Change SCC from anyuid to nonroot (#432)
Misc
- Disable unit test for grafeas backend creation (#446)
Thanks
Thanks to these contributors who contributed to v0.10.0!
- ❤️ @06kellyjac
- ❤️ @chuangw6
- ❤️ @concaf
- ❤️ @dependabot[bot]
- ❤️ @haf-tech
- ❤️ @lcarva
- ❤️ @manojbison
- ❤️ @priyawadhwa
- ❤️ @robnester-rh
- ❤️ @snehakpersistent
- ❤️ @wlynch
Extra shout-out for awesome release notes:
- @06kellyjac
- @chuangw6
- @concaf
- @dependabot[bot]
- @haf-tech
- @lcarva
- @manojbison
- @priyawadhwa
- @robnester-rh
- @snehakpersistent
- @wlynch
v0.9.0
- Docs @ v0.9.0
- Examples @ v0.9.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml
Attestation
The Rekor UUID for this release is b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
Obtain the attestation:
REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml
REKOR_UUID=b634b3a883c0cb37805651f342b1778108fbed4cd7b02260180de83cb7994f89
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.9.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match it to the release file as a fixed string
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Features
- Specify provider and oidc issuer when requesting fulcio cert (#440)
- Add support for Grafeas storage backend (#389)
- Add support for PubSub storage backend (#386)
- Adding Spire OIDC for Vault authentication (#369)
Deprecation Notices
The tekton-provenance format has officially been removed in this release. Please switch to the in-toto format by running:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
- Remove tekton-provenance format (#439)
Fixes
- Fix flaky grafeas unit test (#427)
Misc
- Fix nightly builds (#422)
- Use sigstore/scaffolding github actions now that it's out there. (#409)
- Revert default fulcio URL to fulcio.sigstore.dev (#388)
Docs
- Add docs for secrets based on existing credentials (#430)
- Add godoc documentation (#414)
- Add community tutorial subsection (#379)
- Fix default fulcio addr in docs (#365)
Thanks
Thanks to these contributors who contributed to v0.9.0!
- ❤️ @Yongxuanzhang
- ❤️ @chuangw6
- ❤️ @concaf
- ❤️ @dependabot[bot]
- ❤️ @imjasonh
- ❤️ @lcarva
- ❤️ @loosebazooka
- ❤️ @piyush-garg
- ❤️ @priyawadhwa
- ❤️ @rgreinho
- ❤️ @sudo-bmitch
- ❤️ @tcnghia
- ❤️ @vaikas
- ❤️ @wlynch
Extra shout-out for awesome release notes:
- @Yongxuanzhang
- @chuangw6
- @concaf
- @dependabot[bot]
- @imjasonh
- @lcarva
- @loosebazooka
- @piyush-garg
- @priyawadhwa
- @rgreinho
- @sudo-bmitch
- @tcnghia
- @vaikas
- @wlynch
v0.8.0
- Docs @ v0.8.0
- Examples @ v0.8.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml
Verify the Release
The Rekor UUID for this release is 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735
Obtain the attestation:
rekor-cli get --uuid 03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735 --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.8.0/release.yaml
REKOR_UUID=03e4be44d69a2697dc770c5aa3decd8fa945dcd8a4e6901bb109ccf1f4acb735
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.8.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match its digest (the part after '@') to the release file as a fixed string
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match";
cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done
Features
- Add chains-info ConfigMap with version info (#338)
Deprecation Notices
- This release marks a new default value for signers.x509.fulcio.address. The default value was previously https://fulcio.sigstore.dev, and it is now https://v1.fulcio.sigstore.dev to match the default in cosign. The old value can still be set by running:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"signers.x509.fulcio.address": "https://fulcio.sigstore.dev"}}'
Fixes
- Bump go-containerregistry and k8schain to pick up new cred helpers (#364)
- Pass in authentication when getting remote image (#361)
- Change default Fulcio URL to match cosign's (#360)
- Add securityContext to controller pod (#346)
Misc
- Remove un-used options from artifacts.oci.format and artifacts.oci.storage (#334)
Docs
- Fix namespace typo (#357)
Thanks
Thanks to these contributors who contributed to v0.8.0!
- ❤️ @concaf
- ❤️ @dependabot[bot]
- ❤️ @imjasonh
- ❤️ @priyawadhwa
- ❤️ @pxp928
- ❤️ @rgreinho
- ❤️ @tcnghia
Extra shout-out for awesome release notes:
- @concaf
- @dependabot[bot]
- @imjasonh
- @priyawadhwa
- @pxp928
- @rgreinho
- @tcnghia
v0.7.0
- Docs @ v0.7.0
- Examples @ v0.7.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml
Verify the Release
The Rekor UUID for this release is 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef
Obtain the attestation:
rekor-cli get --uuid 95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef --format json | jq -r .Attestation | base64 --decode | jq
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.7.0/release.yaml
REKOR_UUID=95eee9e2e5fd7b4200895544edf3e411e6592c61454883d3f38db47fa285f1ef
# Obtain the list of images with digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.7.0@sha256:" + .digest.sha256')
# Download the release file; -f makes curl fail on an HTTP error instead of saving the error page as release.yaml
curl -fsSL "$RELEASE_FILE" -o release.yaml
# For each image in the attestation, match its digest (the part after '@') to the release file as a fixed string
# Verify that the image was signed with [cosign](github.com/sigstore/cosign)
# Verify that the attestation was signed with cosign
for image in $REKOR_ATTESTATION_IMAGES; do
printf '%s' "$image"; grep -qF -- "${image##*@}" release.yaml && echo " ===> ok" || echo " ===> no match";
cosign verify --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
cosign verify-attestation --key https://raw.githubusercontent.com/tektoncd/chains/main/tekton.pub "$image"
done
Features
- Add support for all of cosign's ambient credentials. (#319)
- Allow IMAGES result to be separated by newlines (#315)
- added multi-backend support (#302)
- Implement missing features to OCI backend (#284)
Deprecation Notices
- 🚨 Deprecate the tekton-provenance predicate format (#292)
This feature will be removed in v0.8.0. To switch to the in-toto format, which is now the preferred format, please run:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
Fixes
- Make builder id for SLSA provenance valid URI (#331)
- Make SLSA provenance v0.2 invocation.parameters compliant with spec (#307)
- Fix bugs in provenance implementation for materials.digest (#310)
- Fix bug in uploading signatures to OCI (#298)
Docs
- Fix in-toto chains docs typos (#337)
- Add installation instructions for OpenShift (#335)
- Use cosign flags with 2 hyphens (#327)
Thanks
Thanks to these contributors who contributed to v0.7.0!
- ❤️ @concaf
- ❤️ @loosebazooka
- ❤️ @mattmoor
- ❤️ @mlieberman85
- ❤️ @priyawadhwa
- ❤️ @pxp928
- ❤️ @rgreinho
- ❤️ @sublimino
Extra shout-out for awesome release notes:
- @concaf
- @loosebazooka
- @mattmoor
- @mlieberman85
- @priyawadhwa
- @pxp928
- @rgreinho
- @sublimino