v0.10.0-beta.3
Pre-release
fheikens
Frank Heikens
Re-cut after release-pipeline fix. v0.10.0-beta.2's container
image and GitHub Release were published successfully, but the
publish-chart job failed to sign the Helm chart with cosign — the
job authenticated GHCR via helm registry login (helm's own config),
not the docker keychain cosign reads. The fix
(docker/login-action before Sign chart) is now on main. Same
data-collection layer as beta.2; this artifact's chart is signed.
Also fixes the prerelease flag on the GitHub Release page that beta.2
was missing (action-gh-release@v3 no longer auto-detects from the
semver suffix). (#50)
Supply chain
- Images (same manifest digest in both registries):
- GHCR:
ghcr.io/elevarq/arq-signals:0.10.0-beta.3 - Docker Hub:
elevarq/arq-signals:0.10.0-beta.3(when configured)
- GHCR:
- Digest:
sha256:17440ab583728621203d9aa191e188d5868b0232aa7d8b63329d4a8fffc47f31 - Architectures:
linux/amd64,linux/arm64 - Cosign-signed in both registries (keyless, GitHub OIDC)
- SBOM attached as OCI attestation and as
sbom.spdx.jsonrelease asset - SLSA build provenance attestation (
mode=max)
Quick signature verification (GHCR):
cosign verify ghcr.io/elevarq/arq-signals:0.10.0-beta.3 --certificate-identity-regexp='github.com/Elevarq/Arq-Signals/.github/workflows/release.yml@' --certificate-oidc-issuer='https://token.actions.githubusercontent.com'Same command works against elevarq/arq-signals:0.10.0-beta.3 — the certificate identity is bound to the workflow, not the registry.
Full verification checklist (manifest, SBOM, provenance, Trivy):
docs/release-verification.md