Releases: tektoncd/chains
Release list
Tekton Chains release v0.27.2
Tekton Chains release v0.27.2 "Release v0.27.2"
-Docs @ v0.27.2
-Examples @ v0.27.2
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.2/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.2/release.yaml
REKOR_UUID=108e9186e8c5677a0ff10e5cf17374dc985416b7f8fb979e5fc6a2a065e6e8b92f0444b07ab866f2
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.2@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
- 🔨 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#1723)
- 🔨 chore(deps): bump github/codeql-action from 4.36.0 to 4.36.2 (#1720)
Docs
Thanks
Thanks to these contributors who contributed to v0.27.2!
- ❤️ @app/dependabot
Extra shout-out for awesome release notes:
Tekton Chains release v0.26.5
Tekton Chains release v0.26.5 "Release v0.26.5"
-Docs @ v0.26.5
-Examples @ v0.26.5
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.5/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.5/release.yaml
REKOR_UUID=108e9186e8c5677a349f2deb2e5f38833800ef9c33b284db5d2c2b4df8641b7b6fe629503b43089a
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.5@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
Docs
Thanks
Thanks to these contributors who contributed to v0.26.5!
- ❤️ @jkhelil
Extra shout-out for awesome release notes:
- 😍 @jkhelil
Tekton Chains release v0.27.1
Tekton Chains release v0.27.1
-Docs @ v0.27.1
-Examples @ v0.27.1
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.1/release.yaml
REKOR_UUID=108e9186e8c5677a9c93c24b59fba7b3e2de163a740faeba34300825ad23565eb69a3d11ab071694
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.1@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
- 🐛 [cherry-pick: release-v0.27.x] Add migration cleanup for SSA finalizers (#1699)
Thanks
Thanks to these contributors who contributed to v0.27.1!
- ❤️ @enarha
Extra shout-out for awesome release notes:
- 😍 @enarha
Tekton Chains release v0.27.0
Tekton Chains release v0.27.0
-Docs @ v0.27.0
-Examples @ v0.27.0
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml
REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.0@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
-
✨ feat(metrics): Migrate from OpenCensus to OpenTelemetry (#1550)
-
✨ feat(oci): support insecure OCI registry (#1374)
Fixes
-
🐛 Fix duplicate .att/.sig OCI layers for same digest type hints (#1601)
-
🐛 Handle signing OCI artifacts in *ARTIFACT_OUTPUTS (#1578)
-
🐛 chore(ci): update cherry-pick workflow to fix multi-commit PRs (#1539)
-
🐛 fix: microshift e2e test failures on merge (#1500)
Misc
- 🔨 includes dependency and doc updates
Thanks
Thanks to these contributors who contributed to v0.27.0!
- ❤️ @AlanGreene
- ❤️ @ab-ghosh
- ❤️ @anithapriyanatarajan
- ❤️ @app/dependabot
- ❤️ @bradbeck
- ❤️ @emmanuel-ferdman
- ❤️ @enarha
- ❤️ @infernus01
- ❤️ @jkhelil
- ❤️ @l-qing
- ❤️ @ngelman1
- ❤️ @socialsister
- ❤️ @vdemeester
Extra shout-out for awesome release notes:
- 😍 @AlanGreene
- 😍 @ab-ghosh
- 😍 @anithapriyanatarajan
- 😍 @app/dependabot
- 😍 @bradbeck
- 😍 @emmanuel-ferdman
- 😍 @enarha
- 😍 @infernus01
- 😍 @jkhelil
- 😍 @l-qing
- 😍 @ngelman1
- 😍 @socialsister
- 😍 @vdemeester
Tekton Chains "Release v0.26.4"
Tekton Chains "Release v0.26.4"
-Docs @ v0.26.4
-Examples @ v0.26.4
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml
REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.4@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Fixes
Misc
- 🔨 fix(cve): CVE-2026-33814 - Update golang.org/x/net to v0.53.0 (release-v0.26.x) (#1670)
Docs
Thanks
Thanks to these contributors who contributed to v0.26.4!
Extra shout-out for awesome release notes:
Tekton Chains release v0.25.2
-Docs @ v0.25.2
-Examples @ v0.25.2
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
Obtain the attestation:
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.2@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
Security Fixes
- 🔨 [Release-v0.25.x] fix: CVE-2026-34986, CVE-2026-33211, CVE-2025-66506, & CVE-2026-33186 (#1631)
Thanks
Thanks to these contributors who contributed to v0.25.2!
Extra shout-out for awesome release notes:
Tekton Chains release v0.26.3
-Docs @ v0.26.3
-Examples @ v0.26.3
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.3@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Security Fixes
- 🔨 [Release-v0.26.x] fix: CVE-2026-34986, CVE-2026-33211, & CVE-2026-33186 (#1630)
Thanks
Thanks to these contributors who contributed to v0.26.3!
Extra shout-out for awesome release notes:
Tekton Chains release v0.26.2
-Docs @ v0.26.2
-Examples @ v0.26.2
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.2/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.2/release.yaml
REKOR_UUID=108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.2@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Fixes
- 🔨 chore(deps): fix stale deps (#1547) & CVE-2026-24137
Thanks
Thanks to all the contributors who contributed to v0.26.2!
Tekton Chains release v0.26.1
-Docs @ v0.26.1
-Examples @ v0.26.1
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.1/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670
Obtain the attestation:
REKOR_UUID=108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.1/release.yaml
REKOR_UUID=108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.1@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Fixes
- 🐛 fix: upgrade cosign 2.6.0 to 2.6.2 (#1537) to address CVE's CVE-2025-66564, CVE-2025-66506
Tekton Chains release v0.26.0 "v0.26.0"
-Docs @ v0.26.0
-Examples @ v0.26.0
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yamlAttestation
The Rekor UUID for this release is 108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yaml
REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.0@sha256:" + .digest.sha256')
# Download the release file
curl -LO "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
doneChanges
Features
- Allows users to disable image signing while still enabling provenance generation and attestation signing(#1419)
- Keyless Signing Change (Cosign v2.6.0). Chains now uses Cosign v2.6.0, which no longer accepts HS256 JWT tokens(#1441)
Affected: Private OIDC providers using HS256
Not affected: Public Sigstore (Fulcio) , Key-based signing , Private OIDC using RS256
Action Required: - If your OIDC provider uses HS256, switch to RS256 before upgrading. All other users can upgrade safely.
Fixes
Misc
-
🔨 Pin actions by commit SHA (#1453)
-
🔨 Add GitHub Actions workflow for go coverage job (#1447)
-
🔨 Remove ttl.sh dependency for microshift gh action (#1396)
-
🔨 Add path to taskrun finalizer name (#1391)
-
🔨 Run e2e tests on microshift (#1383)
-
🔨 Fix subpath capitalisation (#1358)
-
🔨 Bump the all group across 1 directory with 23 updates (#1424)
-
🔨 Bump chainguard-dev/actions from e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 to 3998adea1311c21a09c05d5749b154d2206e902b (#1360)
-
🔨 Bump the all group across 1 directory with 16 updates (#1359)
-
🔨 Bump chainguard-dev/actions from f3c4f016161c129594cb6a27d9339fc04b8aba54 to e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 (#1356)
-
🔨 Bump chainguard-dev/actions from 9c0be1ee0103db886d1887d114ec97f8766b7ef8 to f3c4f016161c129594cb6a27d9339fc04b8aba54 (#1352)
Docs
- 📖 Fix link to keyless signing doc (#1400)
Thanks
Thanks to these contributors who contributed to v0.26.0!
- ❤️ @AlanGreene
- ❤️ @PuneetPunamiya
- ❤️ @aThorp96
- ❤️ @anithapriyanatarajan
- ❤️ @arewm
- ❤️ @dependabot[bot]
- ❤️ @enarha
- ❤️ @jinjingroad
- ❤️ @jkhelil
- ❤️ @khrm
- ❤️ @l-qing
- ❤️ @lcarva
- ❤️ @mathur07
- ❤️ @overallteach
- ❤️ @st3penta
- ❤️ @tylerauerbeck
- ❤️ @waveywaves
Extra shout-out for awesome release notes:
- 😍 @AlanGreene
- 😍 @PuneetPunamiya
- 😍 @aThorp96
- 😍 @anithapriyanatarajan
- 😍 @arewm
- 😍 @enarha
- 😍 @jinjingroad
- 😍 @jkhelil
- 😍 @khrm
- 😍 @l-qing
- 😍 @lcarva
- 😍 @mathur07
- 😍 @overallteach
- 😍 @st3penta
- 😍 @tylerauerbeck
- 😍 @waveywaves