Skip to content

Tekton Chains release v0.14.0
Compare
Choose a tag to compare
@tekton-robot tekton-robot released this 20 Dec 16:46
v0.14.0
7897fa4
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

-Docs @ v0.14.0
-Examples @ v0.14.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
REKOR_UUID=24296fb24b8ad77a0effca53af23b8160b8953a500bda03abdf13c89d41b0e1822630e03bd7dc5fe

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.14.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Generalize format loading. (#603)
  • Record invocation.configSource section in slsa provenance (#554)

Fixes

  • Convert times to UTC (#631)
  • test/test_utils: Use kind instead of full GVK for tkn commands. (#648)

Misc

  • Add lcarva, chuangw6 to global approvers. (#619)
  • Added GHA to run go vet and go fmt checks. (#644)
  • Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#643)
  • Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#639)
  • Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 (#638)
  • Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.7 (#637)
  • Bump cloud.google.com/go/storage from 1.28.0 to 1.28.1 (#635)
  • Bump cloud.google.com/go/compute/metadata from 0.2.1 to 0.2.2 (#634)
  • Bump go.uber.org/zap from 1.23.0 to 1.24.0 (#633)
  • Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 (#628)
  • Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 (#627)
  • Bump github.com/tektoncd/pipeline from 0.41.0 to 0.42.0 (#626)
  • Bump github.com/google/addlicense from 1.0.0 to 1.1.0 (#624)
  • Bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 (#623)
  • Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#622)
  • Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 (#621)
  • Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#620)
  • Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 (#618)
  • Bump github.com/sigstore/cosign from 1.12.1 to 1.13.1 (#617)
  • Bump github.com/hashicorp/vault/sdk from 0.6.0 to 0.6.1 (#616)
  • Bump scaffolding release, use newer pipelines. (#614)
  • Bump github.com/tektoncd/pipeline from 0.40.1 to 0.41.0 (#606)
  • Bump gocloud.dev, knative.dev/pkg, k8s.io dependencies. (#605)
  • Bump gocloud.dev/docstore/mongodocstore from 0.26.0 to 0.27.0 (#584)
  • Bump gocloud.dev/pubsub/kafkapubsub from 0.26.0 to 0.27.0 (#583)

Docs

  • Add spiffe-csi driver support to authentication part (#604)
  • Update README.md (#611)

Thanks

Thanks to these contributors who contributed to v0.14.0!

Extra shout-out for awesome release notes:

Contributors

zregvart, wlynch, and 6 other contributors
Assets 4
Loading