Skip to content

Releases: tektoncd/chains

Tekton Chains release v0.18.0 "v0.18.0"

Choose a tag to compare

@tekton-robot tekton-robot released this 20 Sep 13:47
52b918e

-Docs @ v0.18.0
-Examples @ v0.18.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.18.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a87f3cdb6d4078507d9d3b943968f2cf3af530b417d79a7da05cbfddd3c447a95

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a87f3cdb6d4078507d9d3b943968f2cf3af530b417d79a7da05cbfddd3c447a95
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.18.0/release.yaml
REKOR_UUID=24296fb24b8ad77a87f3cdb6d4078507d9d3b943968f2cf3af530b417d79a7da05cbfddd3c447a95

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.18.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Deep inspection for materials (#903)

  • ✨ Smarter Chains: check taskrun level results for Subjects (#866)

Fixes

  • 🐛 Fix SPDX format function (#904)

Misc

  • 🔨 Make e2e tests faster (#911)

  • 🔨 Increase direct usage of Tekton Object Interface (#896)

  • 🔨 Clean up Subjects compare (#891)

  • 🔨 Add slsa compare options (#887)

  • 🔨 Add k8s 1.26 + 1.27 to e2e test matrix. (#848)

Docs

Thanks

Thanks to these contributors who contributed to v0.18.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.17.0 "v0.17.0"

Choose a tag to compare

@tekton-robot tekton-robot released this 26 Jul 17:01
fb905ce

-Docs @ v0.17.0
-Examples @ v0.17.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.17.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a8f418b4ea48826b2469c46cd8208f150592cdf78d1277e7c29b847fa5517c375

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a8f418b4ea48826b2469c46cd8208f150592cdf78d1277e7c29b847fa5517c375
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.17.0/release.yaml
REKOR_UUID=24296fb24b8ad77a8f418b4ea48826b2469c46cd8208f150592cdf78d1277e7c29b847fa5517c375

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.17.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Add top-level build config to External Parameters (#863)

  • ✨ SLSAv1.0 predicate format wire-up (#823)

  • ✨ Slsa1.0 params, builderID, buildType, subjects, metadata, byProducts (#800)

  • ✨ Introduce Resolved dependencies for SLSA v1.0 predicate (#798)

Fixes

Misc

  • 🔨 Cleanup Materials usage (#857)
  • 🔨 Update e2e tests to Pipelines v0.49. (#847)

Docs

Thanks

Thanks to these contributors who contributed to v0.17.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.16.0 "v0.16.0"

Choose a tag to compare

@tekton-robot tekton-robot released this 05 May 16:49
5ca4264

-Docs @ v0.16.0
-Examples @ v0.16.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a3c42d79eba887ff35f251406199a42b1707976f80eaab969211e6db424640a52

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a3c42d79eba887ff35f251406199a42b1707976f80eaab969211e6db424640a52
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.0/release.yaml
REKOR_UUID=24296fb24b8ad77a3c42d79eba887ff35f251406199a42b1707976f80eaab969211e6db424640a52

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.16.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Re-add support for full task status for backward compatibility (#790)

  • ✨ Set metadata completeness for parameters as true for slsav2/alpha1 (#763)

  • ✨ [TEP0122] Add feature flags field to Invocation.Environment (#720)

  • ✨ TEP 0122 - Adding taskspec to buildConfig and taskrunspec to parameters (#663)

Fixes

  • 🐛 Bump tektoncd/pipelines dependency to v0.45 (#712)

Misc

  • 🔨 Replace deprecated type/function (#779)

  • 🔨 Cleanup: generics replace deprecated sets.String. (#776)

  • 🔨 Hygiene: enable additional linters. (#735)

  • 🔨 Hygiene: enable additional linters. (#731)

  • 🔨 Add Pipelines v0.46.0 and v0.47.0 to e2e tests. (#785)

  • 🔨 Bump sigstore to v1.6.3 (#784)

Docs

  • 📖 Update docs for cosign v2 (#725)

  • 📖 [TEP0122]: Add example showing provenance in README (#724)

Thanks

Thanks to these contributors who contributed to v0.16.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.15.0

Choose a tag to compare

@wlynch wlynch released this 21 Feb 15:25
9950cb5

-Docs @ v0.15.0
-Examples @ v0.15.

Highlights

  • 🎉 Sigstore keyless mode promoted out of experimental
  • 🎉 in-toto provenance format now rebranded to slsa/v1 (in-toto remains as an alias).

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.15.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.15.0/release.yaml
REKOR_UUID=24296fb24b8ad77a9a10cc2c864ff3b62961e990c5e6ebc3374f9e6bcb0a5f52375ef3177c0ca8f0

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.15.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Backwards incompatible changes

  • 5fab3e2 Remove tekton as a provenance format (#685) - This was deprecated as of v0.9.0. This completes its removal.
  • 1b47418 Unexport intoto/taskrun funcs. (#668) - This should have no impact unless you were calling chains libraries directly.

Features

  • 82c213c Add labels and annotations to attestation (#692)
  • 05232aa Slsa Branding of Chains Provenance Format (#687)
  • 759d570 Updating provenance branding from intotoite to slsa (#684)
  • b4e5b53 Allow passing in of sha1 digests through StructuredResults (#676)
  • 28a6c69 Issue 642: predicate.materials needs to record more information in PipelineRun (#658)
  • af6c5b4 Promote Sigstore features out of experimental. (#652)
  • 1d48332 Issue 642: predicate.materials needs to record more information (#649)

Fixes

  • 3d0e739 Do not initialize Rekor client if transparency is not enabled (#693)
  • 1b142b5 Fix to prevent adding empty structs into materials. (#678)

Misc

  • 8dc461d Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#701)
  • 08ba781 Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#702)
  • 0a06881 Bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.0 (#696)
  • 49eaca0 Bump google.golang.org/grpc from 1.52.1 to 1.52.3 (#691)
  • b43d824 Bump gocloud.dev/pubsub/kafkapubsub from 0.27.0 to 0.28.0 (#674)
  • d339ef2 Bump google.golang.org/grpc from 1.52.0 to 1.52.1 (#690)
  • f3022d0 Bump github.com/tektoncd/pipeline from 0.43.2 to 0.44.0 (#689)
  • 5cc2a87 Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 (#688)
  • 3ab8dfa Bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 (#686)
  • e075201 Bump github.com/hashicorp/vault/sdk from 0.6.2 to 0.7.0 (#679)
  • a497bbe Run GHA workflows on release branches. (#651)
  • 6a00ef9 Bump github.com/spiffe/go-spiffe/v2 from 2.1.1 to 2.1.2 (#672)
  • 6a167b6 Bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1 (#682)
  • 13f37a2 Bump github.com/google/addlicense from 1.1.0 to 1.1.1 (#681)
  • 6e0f82b Bump gocloud.dev/docstore/mongodocstore from 0.27.0 to 0.28.0 (#673)
  • aecd3d9 Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#670)
  • 61e7faa Bump github.com/tektoncd/pipeline from 0.43.1 to 0.43.2 (#669)
  • bf183c0 Bump github.com/tektoncd/pipeline from 0.43.0 to 0.43.1 (#667)
  • 19a50fb Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#666)
  • 8bbbe55 Cleanup golangci-lint and added additional linters. (#661)
  • 5028b17 Cleanup: use idiomatic Go. (#662)
  • 26fdcbf Cleanup: replaced deprecated ioutil package use. (#660)
  • 7015e14 Update tektoncd/pipeline to 0.43.0 (#659)
  • 9843497 Bump github.com/hashicorp/vault/sdk from 0.6.1 to 0.6.2 (#656)
  • b5efd58 Bump cloud.google.com/go/compute/metadata from 0.2.2 to 0.2.3 (#647)
  • 19b5339 Bump github.com/hashicorp/go-plugin from 1.4.7 to 1.4.8 (#641)

Docs

Thanks

Thanks to these contributors who contributed to v0.15.0!

Tekton Chains release v0.13.1

Choose a tag to compare

@tekton-robot tekton-robot released this 20 Dec 18:55
de8ce91

-Docs @ v0.13.1
-Examples @ v0.13.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.1/release.yaml
REKOR_UUID=24296fb24b8ad77abd485cfcc75db8663ec582ee399b341b525bc6f55d3cf0188ef075d4ce955b1c

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.13.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

  • Update go.mod (#650)

Docs

Thanks

Thanks to these contributors who contributed to v0.13.1!

Extra shout-out for awesome release notes:

Tekton Chains release v0.14.0

Choose a tag to compare

@tekton-robot tekton-robot released this 20 Dec 16:46
7897fa4

-Docs @ v0.14.0
-Examples @ v0.14.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.14.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Generalize format loading. (#603)
  • Record invocation.configSource section in slsa provenance (#554)

Fixes

  • Convert times to UTC (#631)
  • test/test_utils: Use kind instead of full GVK for tkn commands. (#648)

Misc

  • Add lcarva, chuangw6 to global approvers. (#619)
  • Added GHA to run go vet and go fmt checks. (#644)
  • Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#643)
  • Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#639)
  • Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 (#638)
  • Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.7 (#637)
  • Bump cloud.google.com/go/storage from 1.28.0 to 1.28.1 (#635)
  • Bump cloud.google.com/go/compute/metadata from 0.2.1 to 0.2.2 (#634)
  • Bump go.uber.org/zap from 1.23.0 to 1.24.0 (#633)
  • Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 (#628)
  • Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 (#627)
  • Bump github.com/tektoncd/pipeline from 0.41.0 to 0.42.0 (#626)
  • Bump github.com/google/addlicense from 1.0.0 to 1.1.0 (#624)
  • Bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 (#623)
  • Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#622)
  • Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 (#621)
  • Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#620)
  • Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 (#618)
  • Bump github.com/sigstore/cosign from 1.12.1 to 1.13.1 (#617)
  • Bump github.com/hashicorp/vault/sdk from 0.6.0 to 0.6.1 (#616)
  • Bump scaffolding release, use newer pipelines. (#614)
  • Bump github.com/tektoncd/pipeline from 0.40.1 to 0.41.0 (#606)
  • Bump gocloud.dev, knative.dev/pkg, k8s.io dependencies. (#605)
  • Bump gocloud.dev/docstore/mongodocstore from 0.26.0 to 0.27.0 (#584)
  • Bump gocloud.dev/pubsub/kafkapubsub from 0.26.0 to 0.27.0 (#583)

Docs

  • Add spiffe-csi driver support to authentication part (#604)
  • Update README.md (#611)

Thanks

Thanks to these contributors who contributed to v0.14.0!

Extra shout-out for awesome release notes:

Tekton Chains release v0.13.0

Choose a tag to compare

@tekton-robot tekton-robot released this 08 Nov 15:56
516e492

-Docs @ v0.13.0
-Examples @ v0.13.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.0/release.yaml
REKOR_UUID=24296fb24b8ad77a71f63b3241ed6951f0f2d29cda204b818e0ac6cc80598d11aacf301aa1f139bc

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# Verify images in manifest (tekton.pub can be found in the chains repo)
cosign manifest verify release.yaml --key=tekton.pub

Changes

Features

  • 🎁 Added support for PipelineRun attestations (#436, #568, #573, #564, #598, #599, #601) 🎉 🎉 🎉
  • 🎁 Allow reading the pull secret from the podTemplate (#579)
  • 🎁 Add feature to extract structured signable targets and store them in subjects and materials in intoto provenance (#491)

Fixes

  • 🐛 Stop reconciliation on unrecoverable error (#607)

Misc

  • 🧹 Removed usage of Tekton Pipelines v1alpha for everything but PipelineResources (#538)
  • 🧹 Removed tekton-provenance storage option (#590) (This was already partially deprecated in v0.8.0, this removed lagging config options).

Docs

  • 📖 getting rid of 'pipelien' (#526)
  • 📖 Add the OpenSSF badge to the main README (#580)
  • 📖 fix: pubusub to pubsub in storage backend support of experimental features (#582)

Thanks

Thanks to these contributors who contributed to v0.13.0!

Extra shout-out for awesome release notes:

v0.12.0

Choose a tag to compare

@tekton-robot tekton-robot released this 31 Aug 19:33

🎉 v0.12.0 🎉

-Docs @ v0.12.0
-Examples @ v0.12.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf

Obtain the attestation:

REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.12.0/release.yaml
REKOR_UUID=362f8ecba72f4326ceb2cb602c68d5e85ed349ab95d68611cfc3b2dacf654cc326b6582bbfed00cf

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.12.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Grafeas storage for non-image artifacts (#531)
    Support other artifact types for grafeas backend storage i.e. maven
  • ✨ Make grafeas notehint configurable and change the BuildType field #495
    Add storage.grafeas.notehint field in configmap that allows the note hint field in the grafeas attestation note to be customizable.

Fixes

  • Fix param value ordering in materials #527
  • Fix for issue #515, This PR ensures only those signers which are specified as signers for any artifact are initialized. #519
  • Fix the default value for builder.id in the config doc (#498)

Misc

  • Bump to use scaffolding v0.4.3. (#518)
  • Pin to scaffolding v0.4.2, test with k8s 1.22, 1.23, and 1.24. (#513)
  • Pinning sigstore/scaffolding/actions/setup version (#512)
  • Use industry standard names for payloadType field (#509)
  • Fix typo in v0.3.0-build-chains-taskrun.yaml. (#505)

Docs

  • 📖 Add pull_request_template.md. (#511)
  • 📖 Clarify documentation for (#510)
  • Add more supported GCP KMS key ref formats in config doc (#506)

Thanks

Thanks to these contributors who contributed to v0.12.0!

v0.11.0

Choose a tag to compare

@tekton-robot tekton-robot released this 26 Jul 18:25

🎉 v0.11.0 🎉

-Docs @ v0.11.0
-Examples @ v0.11.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9

Obtain the attestation:

REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.11.0/release.yaml
REKOR_UUID=362f8ecba72f43269e5f6575dce248d044d0ac28e849fed13e7bcf58955aa6d13a9b40a4211c56c9

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.11.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Add Intoto Signable Target support in Chains using strings in results. (#465)

Misc

  • Switch to Grafeas v1 API in grafeas storage (#453)

Thanks

Thanks to these contributors who contributed to v0.11.0!

Extra shout-out for awesome release notes:

v0.10.0

Choose a tag to compare

@tekton-robot tekton-robot released this 28 Jun 22:19
7894a22

🎉 v0.10.0🎉

-Docs @ v0.10.0
-Examples @ v0.10.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml

Attestation

The Rekor UUID for this release is 362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7

Obtain the attestation:

REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | base64 --decode | jq

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.10.0/release.yaml
REKOR_UUID=362f8ecba72f43267da925cfee5ee315f14e826bd13d4ca0d20721c14d110bb155d7e8045d19b2b7

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|.name + ":v0.10.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Add s390x arch support to chains (#463)
  • Add ppc64le arch support to chains (#461)
  • Allow TaskRun payloads other than IMAGE_URL (#444)
  • add mongodb service support (#390)

Fixes

  • Fix error msg in case no image produced (#464)
  • Fix default params in attestation invocation (#449)
  • Change SCC from anyuid to nonroot (#432)

Misc

  • Disable unit test for grafeas backend creation (#446)

Docs

Thanks

Thanks to these contributors who contributed to v0.10.0!

Extra shout-out for awesome release notes: