Tekton Chains release v0.16.2 "v0.16.2"

-Docs @ v0.16.2
-Examples @ v0.16.2

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.2/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77ad276f944cf9798a9954b710976f8f2c9cfb9df8f568b340e3258ce6bfbf05a87

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77ad276f944cf9798a9954b710976f8f2c9cfb9df8f568b340e3258ce6bfbf05a87
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.2/release.yaml
REKOR_UUID=24296fb24b8ad77ad276f944cf9798a9954b710976f8f2c9cfb9df8f568b340e3258ce6bfbf05a87

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.16.2@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

✨ Expose new performance parameters to control controller's execution. See docs at https://tekton.dev/docs/chains/performance for details.

Thanks

Thanks to these contributors who contributed to v0.16.2!

• ❤️ @lcarva

Extra shout-out for awesome release notes:

• 😍 @lcarva

Tekton Chains release v0.20.0 "v0.20.0"

-Docs @ v0.20.0
-Examples @ v0.20.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.20.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a79f6dabf3b9add9b797b33976d32f36f15c8316405a84f1dcd2c509a86d9cc0c

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a79f6dabf3b9add9b797b33976d32f36f15c8316405a84f1dcd2c509a86d9cc0c
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.20.0/release.yaml
REKOR_UUID=24296fb24b8ad77a79f6dabf3b9add9b797b33976d32f36f15c8316405a84f1dcd2c509a86d9cc0c

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.20.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Change Leader Election Config Map for Chains Controller (#1025)
• ✨ Add PipelineRun support to storage/gcs (#971)
• ✨ Add v2alpha3 format (#1031)

Fixes

• 🐛 Fix value for storage.oci.repository (#974)

Misc

• 🔨 feat: update chain's controllers to use v1 Tekton APIs natively while converting to v1beta1 to keep formats backwards compatible (#1016)

Docs

Thanks

Thanks to these contributors who contributed to v0.20.0!

• ❤️ @PuneetPunamiya
• ❤️ @SergK
• ❤️ @aaron-prindle
• ❤️ @dependabot[bot]
• ❤️ @khrm
• ❤️ @sudhishmk
• ❤️ @wlynch

Extra shout-out for awesome release notes:

• 😍 @PuneetPunamiya
• 😍 @SergK
• 😍 @aaron-prindle
• 😍 @dependabot[bot]
• 😍 @khrm
• 😍 @sudhishmk
• 😍 @wlynch

Tekton Chains release v0.19.0 "v0.19.0"

-Docs @ v0.19.0
-Examples @ v0.19.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.19.0/release.yaml

Attestation

Verify that all container images in the attestation are in the release file:

Note

Due to a bug in Pipelines, this release's signatures were not uploaded to the Rekor transparency log.
To verify the release images without Rekor, run:

cosign verify --key=tekton.pub --insecure-ignore-tlog=true gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.19.0@sha256:a94236f0cb474d018b3a1a65e1e59e75fd03d7aaecf8c6a8d7df51ab7f04e5d3

Build attestation can be found here: https://search.sigstore.dev/?logIndex=45626858

Changes

Features

Fixes

• 🐛 Handle duplicates in subjects and materials consistently (#926)

Misc

• Removes unused context from the wrap function (#960)

Thanks

Thanks to these contributors who contributed to v0.19.0!

• ❤️ @PuneetPunamiya
• ❤️ @cguest97
• ❤️ @chuangw6
• ❤️ @dependabot[bot]
• ❤️ @joejstuart
• ❤️ @lcarva
• ❤️ @wlynch

Extra shout-out for awesome release notes:

• 😍 @PuneetPunamiya
• 😍 @cguest97
• 😍 @chuangw6
• 😍 @dependabot[bot]
• 😍 @joejstuart
• 😍 @lcarva
• 😍 @wlynch

Tekton Chains release v0.13.2 "v0.13.2"

-Docs @ v0.13.2
-Examples @ v0.13.2

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.2/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.13.2/release.yaml
REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.13.2@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛Bump golang.org/x/net from 0.14.0 to 0.17.0 (#955)

Misc

Docs

Thanks

Thanks to these contributors who contributed to v0.13.2!

• ❤️ @lcarva

Extra shout-out for awesome release notes:

• 😍 @lcarva

Tekton Chains release v0.18.1 "v0.18.1"

-Docs @ v0.18.1
-Examples @ v0.18.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.18.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.18.1/release.yaml
REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.18.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

🐛Bump golang.org/x/net from 0.14.0 to 0.17.0 (#958)

Misc

Docs

Thanks

Thanks to these contributors who contributed to v0.18.1!

• ❤️ @lcarva

Extra shout-out for awesome release notes:

• 😍 @lcarva

Tekton Chains release v0.17.1 "v0.17.1"

-Docs @ v0.17.1
-Examples @ v0.17.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.17.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.17.1/release.yaml
REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.17.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛Bump golang.org/x/net from 0.14.0 to 0.17.0 (#957)

Misc

Docs

Thanks

Thanks to these contributors who contributed to v0.17.1!

• ❤️ @lcarva

Extra shout-out for awesome release notes:

• 😍 @lcarva

Tekton Chains release v0.16.1 "v0.16.1"

-Docs @ v0.16.1
-Examples @ v0.16.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.1/release.yaml
REKOR_UUID=24296fb24b8ad77a87c2b34f4a9c02154b324b6f655a83ee4534a9c1cdbd28fab5b957f560c1b840

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.16.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 Bump golang.org/x/net from 0.14.0 to 0.17.0 (#956)

Misc

Docs

Thanks

Thanks to these contributors who contributed to v0.16.1!

• ❤️ @lcarva

Extra shout-out for awesome release notes:

• 😍 @lcarva

Tekton Chains release v0.18.0 "v0.18.0"

-Docs @ v0.18.0
-Examples @ v0.18.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.18.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a87f3cdb6d4078507d9d3b943968f2cf3af530b417d79a7da05cbfddd3c447a95

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a87f3cdb6d4078507d9d3b943968f2cf3af530b417d79a7da05cbfddd3c447a95
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.18.0/release.yaml
REKOR_UUID=24296fb24b8ad77a87f3cdb6d4078507d9d3b943968f2cf3af530b417d79a7da05cbfddd3c447a95

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.18.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Deep inspection for materials (#903)

• ✨ Smarter Chains: check taskrun level results for Subjects (#866)

Fixes

• 🐛 Fix SPDX format function (#904)

Misc

• 🔨 Make e2e tests faster (#911)

• 🔨 Increase direct usage of Tekton Object Interface (#896)

• 🔨 Clean up Subjects compare (#891)

• 🔨 Add slsa compare options (#887)

• 🔨 Add k8s 1.26 + 1.27 to e2e test matrix. (#848)

Docs

Thanks

Thanks to these contributors who contributed to v0.18.0!

• ❤️ @PuneetPunamiya
• ❤️ @SergK
• ❤️ @chitrangpatel
• ❤️ @chuangw6
• ❤️ @dependabot[bot]
• ❤️ @joejstuart
• ❤️ @lcarva
• ❤️ @wlynch

Extra shout-out for awesome release notes:

• 😍 @PuneetPunamiya
• 😍 @SergK
• 😍 @chitrangpatel
• 😍 @chuangw6
• 😍 @dependabot[bot]
• 😍 @joejstuart
• 😍 @lcarva
• 😍 @wlynch

Tekton Chains release v0.17.0 "v0.17.0"

-Docs @ v0.17.0
-Examples @ v0.17.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.17.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a8f418b4ea48826b2469c46cd8208f150592cdf78d1277e7c29b847fa5517c375

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a8f418b4ea48826b2469c46cd8208f150592cdf78d1277e7c29b847fa5517c375
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.17.0/release.yaml
REKOR_UUID=24296fb24b8ad77a8f418b4ea48826b2469c46cd8208f150592cdf78d1277e7c29b847fa5517c375

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.17.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Add top-level build config to External Parameters (#863)

• ✨ SLSAv1.0 predicate format wire-up (#823)

• ✨ Slsa1.0 params, builderID, buildType, subjects, metadata, byProducts (#800)

• ✨ Introduce Resolved dependencies for SLSA v1.0 predicate (#798)

Fixes

Misc

• 🔨 Cleanup Materials usage (#857)
• 🔨 Update e2e tests to Pipelines v0.49. (#847)

Docs

Thanks

Thanks to these contributors who contributed to v0.17.0!

• ❤️ @Juneezee
• ❤️ @avinal
• ❤️ @bradbeck
• ❤️ @chitrangpatel
• ❤️ @chuangw6
• ❤️ @dependabot[bot]
• ❤️ @lcarva
• ❤️ @wlynch
• ❤️ @zregvart

Extra shout-out for awesome release notes:

• 😍 @Juneezee
• 😍 @avinal
• 😍 @bradbeck
• 😍 @chitrangpatel
• 😍 @chuangw6
• 😍 @dependabot[bot]
• 😍 @lcarva
• 😍 @wlynch
• 😍 @zregvart

Tekton Chains release v0.16.0 "v0.16.0"

-Docs @ v0.16.0
-Examples @ v0.16.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a3c42d79eba887ff35f251406199a42b1707976f80eaab969211e6db424640a52

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a3c42d79eba887ff35f251406199a42b1707976f80eaab969211e6db424640a52
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.16.0/release.yaml
REKOR_UUID=24296fb24b8ad77a3c42d79eba887ff35f251406199a42b1707976f80eaab969211e6db424640a52

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.16.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Re-add support for full task status for backward compatibility (#790)

• ✨ Set metadata completeness for parameters as true for slsav2/alpha1 (#763)

• ✨ [TEP0122] Add feature flags field to Invocation.Environment (#720)

• ✨ TEP 0122 - Adding taskspec to buildConfig and taskrunspec to parameters (#663)

Fixes

• 🐛 Bump tektoncd/pipelines dependency to v0.45 (#712)

Misc

• 🔨 Replace deprecated type/function (#779)

• 🔨 Cleanup: generics replace deprecated sets.String. (#776)

• 🔨 Hygiene: enable additional linters. (#735)

• 🔨 Hygiene: enable additional linters. (#731)

• 🔨 Add Pipelines v0.46.0 and v0.47.0 to e2e tests. (#785)

• 🔨 Bump sigstore to v1.6.3 (#784)

Docs

• 📖 Update docs for cosign v2 (#725)

• 📖 [TEP0122]: Add example showing provenance in README (#724)

Thanks

Thanks to these contributors who contributed to v0.16.0!

• ❤️ @PuneetPunamiya
• ❤️ @bendory
• ❤️ @bradbeck
• ❤️ @chitrangpatel
• ❤️ @chuangw6
• ❤️ @dependabot[bot]
• ❤️ @lcarva
• ❤️ @pratap0007
• ❤️ @sallyom
• ❤️ @vdemeester
• ❤️ @wlynch

Extra shout-out for awesome release notes:

• 😍 @PuneetPunamiya
• 😍 @bendory
• 😍 @bradbeck
• 😍 @chitrangpatel
• 😍 @chuangw6
• 😍 @dependabot[bot]
• 😍 @lcarva
• 😍 @pratap0007
• 😍 @sallyom
• 😍 @vdemeester
• 😍 @wlynch