Tekton Chains release v0.26.2

-Docs @ v0.26.2
-Examples @ v0.26.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.2/release.yaml
REKOR_UUID=108e9186e8c5677a7e46855402bd228281747a3ed323026c284c56ac1b8a546aaf0ce6f32e6714bd

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

• 🔨 chore(deps): fix stale deps (#1547) & CVE-2026-24137

Thanks

Thanks to all the contributors who contributed to v0.26.2!

Tekton Chains release v0.26.1

-Docs @ v0.26.1
-Examples @ v0.26.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.1/release.yaml
REKOR_UUID=108e9186e8c5677ae62945dea4e9789dbebdfee12e3cc85ee1f12ee9e6cb367731fa4e446af03670

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

• 🐛 fix: upgrade cosign 2.6.0 to 2.6.2 (#1537) to address CVE's CVE-2025-66564, CVE-2025-66506

Tekton Chains release v0.26.0 "v0.26.0"

-Docs @ v0.26.0
-Examples @ v0.26.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.0/release.yaml
REKOR_UUID=108e9186e8c5677a3a5e8bb8eccd3483eb9d0f120eed8ee76c47fef28d1d49f3a738d7999b241fdc

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.0@sha256:" + .digest.sha256')

# Download the release file
curl -LO "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• Allows users to disable image signing while still enabling provenance generation and attestation signing(#1419)
• Keyless Signing Change (Cosign v2.6.0). Chains now uses Cosign v2.6.0, which no longer accepts HS256 JWT tokens(#1441)
  Affected: Private OIDC providers using HS256
  Not affected: Public Sigstore (Fulcio) , Key-based signing , Private OIDC using RS256
  Action Required: - If your OIDC provider uses HS256, switch to RS256 before upgrading. All other users can upgrade safely.

Fixes

• 🐛 Remove old taskrun finalizer (#1394)

• 🐛 Fix the build error in e2e test (#1384)

Misc

• 🔨 Pin actions by commit SHA (#1453)

• 🔨 Add GitHub Actions workflow for go coverage job (#1447)

• 🔨 Remove ttl.sh dependency for microshift gh action (#1396)

• 🔨 Add path to taskrun finalizer name (#1391)

• 🔨 Run e2e tests on microshift (#1383)

• 🔨 Fix subpath capitalisation (#1358)

• 🔨 Bump the all group across 1 directory with 23 updates (#1424)

• 🔨 Bump chainguard-dev/actions from e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 to 3998adea1311c21a09c05d5749b154d2206e902b (#1360)

• 🔨 Bump the all group across 1 directory with 16 updates (#1359)

• 🔨 Bump chainguard-dev/actions from f3c4f016161c129594cb6a27d9339fc04b8aba54 to e0505cd917df3f8bd6fbf5a78c075de1ba4fcc63 (#1356)

• 🔨 Bump chainguard-dev/actions from 9c0be1ee0103db886d1887d114ec97f8766b7ef8 to f3c4f016161c129594cb6a27d9339fc04b8aba54 (#1352)

Docs

• 📖 Fix link to keyless signing doc (#1400)

Thanks

Thanks to these contributors who contributed to v0.26.0!

• ❤️ @AlanGreene
• ❤️ @PuneetPunamiya
• ❤️ @aThorp96
• ❤️ @anithapriyanatarajan
• ❤️ @arewm
• ❤️ @dependabot[bot]
• ❤️ @enarha
• ❤️ @jinjingroad
• ❤️ @jkhelil
• ❤️ @khrm
• ❤️ @l-qing
• ❤️ @lcarva
• ❤️ @mathur07
• ❤️ @overallteach
• ❤️ @st3penta
• ❤️ @tylerauerbeck
• ❤️ @waveywaves

Extra shout-out for awesome release notes:

• 😍 @AlanGreene
• 😍 @PuneetPunamiya
• 😍 @aThorp96
• 😍 @anithapriyanatarajan
• 😍 @arewm
• 😍 @enarha
• 😍 @jinjingroad
• 😍 @jkhelil
• 😍 @khrm
• 😍 @l-qing
• 😍 @lcarva
• 😍 @mathur07
• 😍 @overallteach
• 😍 @st3penta
• 😍 @tylerauerbeck
• 😍 @waveywaves

Tekton Chains release v0.25.1 "v0.25.1"

-Docs @ v0.25.1
-Examples @ v0.25.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677aa8cbf847acc4ce0aed8e3b794dcb0f8e20e495c9a994ca636d04b6d2680d0227

Obtain the attestation:

REKOR_UUID=108e9186e8c5677aa8cbf847acc4ce0aed8e3b794dcb0f8e20e495c9a994ca636d04b6d2680d0227
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.1/release.yaml
REKOR_UUID=108e9186e8c5677aa8cbf847acc4ce0aed8e3b794dcb0f8e20e495c9a994ca636d04b6d2680d0227

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Thanks

Thanks to these contributors who contributed to v0.25.1!

• ❤️ @savitaashture

Extra shout-out for awesome release notes:

• 😍 @savitaashture

Tekton Chains release v0.25.0 "v0.25.0"

-Docs @ v0.25.0
-Examples @ v0.25.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a76acbea0b7deeb21ada0fccb6951454f25f003ffd4e70762f5c602492e43749f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a76acbea0b7deeb21ada0fccb6951454f25f003ffd4e70762f5c602492e43749f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.25.0/release.yaml
REKOR_UUID=108e9186e8c5677a76acbea0b7deeb21ada0fccb6951454f25f003ffd4e70762f5c602492e43749f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Misc

• 🔨 Consume release pipeline images and task bundles from GHCR (#1330)

• 🔨 Bump chainguard-dev/actions from 9ba949ac63357c725a9438f3e05a1e33d313498e to 9c0be1ee0103db886d1887d114ec97f8766b7ef8 (#1349)

• 🔨 Bump the all group across 1 directory with 26 updates (#1347)

• 🔨 Bump ko-build/setup-ko from 0.8 to 0.9 (#1339)

• 🔨 Bump imjasonh/setup-ko from 0.8 to 0.9 (#1338)

• 🔨 Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#1328)

Docs

• 📖 Add ghcr.io migration banner to README.md. (#1335)

Thanks

Thanks to these contributors who contributed to v0.25.0!

• ❤️ @AlanGreene
• ❤️ @PuneetPunamiya
• ❤️ @abhishek-ghosh-codes
• ❤️ @anithapriyanatarajan
• ❤️ @dependabot[bot]
• ❤️ @mikhailswift
• ❤️ @riskrose
• ❤️ @teslaedison
• ❤️ @twoGiants

Extra shout-out for awesome release notes:

• 😍 @AlanGreene
• 😍 @PuneetPunamiya
• 😍 @abhishek-ghosh-codes
• 😍 @anithapriyanatarajan
• 😍 @mikhailswift
• 😍 @riskrose
• 😍 @teslaedison
• 😍 @twoGiants

Tekton Chains release v0.24.0 "v0.24.0"

-Docs @ v0.24.0
-Examples @ v0.24.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.24.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a78ff0273140a120730eca2b803dfc0fc1a07dfd419735c6f3a0119881c505a95

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a78ff0273140a120730eca2b803dfc0fc1a07dfd419735c6f3a0119881c505a95
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.24.0/release.yaml
REKOR_UUID=108e9186e8c5677a78ff0273140a120730eca2b803dfc0fc1a07dfd419735c6f3a0119881c505a95

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.24.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Misc

• 🔨 Update go to 1.23 and plumbing vendoring (#1284)

• 🔨 Bump the all group across 1 directory with 9 updates (#1302)

• 🔨 Bump golangci/golangci-lint-action from 6.1.0 to 6.2.0 (#1290)

• 🔨 Bump ko-build/setup-ko from 0.7 to 0.8 (#1289)

• 🔨 Bump imjasonh/setup-ko from 0.7 to 0.8 (#1288)

• 🔨 Bump the all group across 1 directory with 16 updates (#1287)

• 🔨 Bump the all group across 1 directory with 9 updates (#1271)

• 🔨 Bump the all group across 1 directory with 7 updates (#1263)

• 🔨 Bump the all group across 1 directory with 13 updates (#1257)

• 🔨 Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#1240)

Docs

• 📖 Add buildType for Chains format slsa/v2alpha2 (SLSAv1.0 predicate). (#906)

Thanks

Thanks to these contributors who contributed to v0.24.0!

• ❤️ @PuneetPunamiya
• ❤️ @afrittoli
• ❤️ @chitrangpatel
• ❤️ @dependabot[bot]
• ❤️ @jkhelil
• ❤️ @lcarva
• ❤️ @morri-son

Extra shout-out for awesome release notes:

• 😍 @PuneetPunamiya
• 😍 @afrittoli
• 😍 @chitrangpatel
• 😍 @jkhelil
• 😍 @lcarva
• 😍 @morri-son

Tekton Chains release v0.23.1 "v0.23.1"

-Docs @ v0.23.1
-Examples @ v0.23.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.23.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677abb59fa4c082fc973d07d8056d1ef35e04aa8a6f1b25c41ff1401dfc6b7614b74

Obtain the attestation:

REKOR_UUID=108e9186e8c5677abb59fa4c082fc973d07d8056d1ef35e04aa8a6f1b25c41ff1401dfc6b7614b74
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.23.1/release.yaml
REKOR_UUID=108e9186e8c5677abb59fa4c082fc973d07d8056d1ef35e04aa8a6f1b25c41ff1401dfc6b7614b74

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.23.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

• 🐛 [release-v0.23.x] fix nil pointer (#1249)

Thanks

Thanks to these contributors who contributed to v0.23.1!

• ❤️ @lcarva
• ❤️ @savitaashture
• ❤️ @tekton-robot

Extra shout-out for awesome release notes:

• 😍 @lcarva
• 😍 @savitaashture
• 😍 @tekton-robot

Tekton Chains release v0.22.3 "v0.22.3"

-Docs @ v0.22.3
-Examples @ v0.22.3

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.22.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677abc5f8010a0a21be4daa53325a217f4df92955848f73f226c6ed054c429fb9f82

Obtain the attestation:

REKOR_UUID=108e9186e8c5677abc5f8010a0a21be4daa53325a217f4df92955848f73f226c6ed054c429fb9f82
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.22.3/release.yaml
REKOR_UUID=108e9186e8c5677abc5f8010a0a21be4daa53325a217f4df92955848f73f226c6ed054c429fb9f82

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.22.3@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

• 🐛 Fix nil-pointer references (#1286 and #1246)

Misc

• 🔨 Upgrade golang.org/x/crypto to 0.31.0 (#1269)

Thanks

Thanks to these contributors who contributed to v0.22.3!

• ❤️ @jkhelil
• ❤️ @lcarva
• ❤️ @savitaashture
• ❤️ @tekton-robot

Extra shout-out for awesome release notes:

• 😍 @jkhelil
• 😍 @lcarva
• 😍 @savitaashture
• 😍 @tekton-robot

Tekton Chains release v0.23.0 "v0.23.0"

-Docs @ v0.23.0
-Examples @ v0.23.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.23.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ab986b84dbd84e8bcaeb653ee623796517fd53400ea437f6eb4623849befd0dfb

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ab986b84dbd84e8bcaeb653ee623796517fd53400ea437f6eb4623849befd0dfb
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.23.0/release.yaml
REKOR_UUID=108e9186e8c5677ab986b84dbd84e8bcaeb653ee623796517fd53400ea437f6eb4623849befd0dfb

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.23.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Support mongo server url path (#1213)

Fixes

• 🐛 Fix nil pointer dereference when taksrun is canceled (#1237)
• 🐛 Fix mapping between Status.Steps and Status.TaskSpec.Steps (#1188)

Misc

• 🔨 Controller image is now available at ghcr.io/tektoncd/chains/controller-92006fd957c0afd31de6a40b3e33b39f

Docs

• 📖 Added visual guide representing chains config options (#1183)

Thanks

Thanks to these contributors who contributed to v0.23.0!

• ❤️ @AlanGreene
• ❤️ @PuneetPunamiya
• ❤️ @afrittoli
• ❤️ @anithapriyanatarajan
• ❤️ @dependabot[bot]
• ❤️ @jkhelil
• ❤️ @lcarva
• ❤️ @vdemeester

Extra shout-out for awesome release notes:

• 😍 @AlanGreene
• 😍 @PuneetPunamiya
• 😍 @afrittoli
• 😍 @anithapriyanatarajan
• 😍 @jkhelil
• 😍 @lcarva
• 😍 @vdemeester

Tekton Chains release v0.22.2 "v0.22.2"

-Docs @ v0.22.2
-Examples @ v0.22.2

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/v0.22.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a49be2ef4baa7ddffeee2ddd856775f64215023ef1e11a91ef48873740f2d8c6c

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a49be2ef4baa7ddffeee2ddd856775f64215023ef1e11a91ef48873740f2d8c6c
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/chains/previous/v0.22.2/release.yaml
REKOR_UUID=108e9186e8c5677a49be2ef4baa7ddffeee2ddd856775f64215023ef1e11a91ef48873740f2d8c6c

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.22.2@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 Fix missing platforms in controller image 1212

Thanks

Thanks to these contributors who contributed to v0.22.2!

• ❤️ @lcarva

Extra shout-out for awesome release notes:

• 😍 @lcarva