Skip to content

Tekton Chains release v0.26.0 "v0.26.0"

Latest
Latest

Choose a tag to compare

View all tags
@tekton-robot tekton-robot released this 05 Nov 11:40
v0.26.0
0c9284f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

-Docs @ v0.26.0
-Examples @ v0.26.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yaml
REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.0@sha256:" + .digest.sha256')

# Download the release file
curl -LO "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Allows users to disable image signing while still enabling provenance generation and attestation signing(#1419)
  • Keyless Signing Change (Cosign v2.6.0). Chains now uses Cosign v2.6.0, which no longer accepts HS256 JWT tokens(#1441)
    Affected: Private OIDC providers using HS256
    Not affected: Public Sigstore (Fulcio) , Key-based signing , Private OIDC using RS256
    Action Required: - If your OIDC provider uses HS256, switch to RS256 before upgrading. All other users can upgrade safely.

Fixes

  • 🐛 Remove old taskrun finalizer (#1394)

  • 🐛 Fix the build error in e2e test (#1384)

Misc

  • 🔨 Pin actions by commit SHA (#1453)

  • 🔨 Add GitHub Actions workflow for go coverage job (#1447)

  • 🔨 Remove ttl.sh dependency for microshift gh action (#1396)

  • 🔨 Add path to taskrun finalizer name (#1391)

  • 🔨 Run e2e tests on microshift (#1383)

  • 🔨 Fix subpath capitalisation (#1358)

  • 🔨 Bump the all group across 1 directory with 23 updates (#1424)

  • 🔨 Bump chainguard-dev/actions from e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 to 3998adea1311c21a09c05d5749b154d2206e902b (#1360)

  • 🔨 Bump the all group across 1 directory with 16 updates (#1359)

  • 🔨 Bump chainguard-dev/actions from f3c4f016161c129594cb6a27d9339fc04b8aba54 to e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 (#1356)

  • 🔨 Bump chainguard-dev/actions from 9c0be1ee0103db886d1887d114ec97f8766b7ef8 to f3c4f016161c129594cb6a27d9339fc04b8aba54 (#1352)

Docs

  • 📖 Fix link to keyless signing doc (#1400)

Thanks

Thanks to these contributors who contributed to v0.26.0!

Extra shout-out for awesome release notes:

Contributors

khrm, AlanGreene, and 15 other contributors
Assets 4
Loading