Skip to content

v0.10.0-beta.5

Pre-release
Pre-release

Choose a tag to compare

View all tags
@github-actions github-actions released this 11 Jun 19:28
· 71 commits to main since this release
v0.10.0-beta.5
This tag was signed with the committer’s verified signature.
fheikens Frank Heikens
SSH Key Fingerprint: joKs3uOwuc1bCYgiABcVQqXU/OVfWYWN0yScIoSBXlo
Verified
Learn about vigilant mode.
088f4bc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Re-cut of v0.10.0-beta.4: that tag's publish job died at the Docker
Hub login (expired mirror token) before the GHCR image, chart, and
GitHub Release published (#82). Same data-collection layer as
beta.4 - only the release pipeline changed (Docker Hub login is now
non-fatal; GHCR-only on mirror-credential failure). beta.4 preserved
below for history.

Supply chain

  • Images (same manifest digest in both registries):
    • GHCR: ghcr.io/elevarq/arq-signals:0.10.0-beta.5
    • Docker Hub: elevarq/arq-signals:0.10.0-beta.5 (when configured)
  • Digest: sha256:460c0c8eb3acc751c4651cb3310fee588efe5699a268da8de2d636b36eb5800a
  • Architectures: linux/amd64, linux/arm64
  • Cosign-signed in both registries (keyless, GitHub OIDC)
  • SBOM attached as OCI attestation and as sbom.spdx.json release asset
  • SLSA build provenance attestation (mode=max)

Quick signature verification (GHCR):

cosign verify ghcr.io/elevarq/arq-signals:0.10.0-beta.5   --certificate-identity-regexp='github.com/Elevarq/Arq-Signals/.github/workflows/release.yml@'   --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

Same command works against elevarq/arq-signals:0.10.0-beta.5 — the certificate identity is bound to the workflow, not the registry.

Full verification checklist (manifest, SBOM, provenance, Trivy):
docs/release-verification.md

Assets 12
Loading