1.0 — first stable release. Promotes `0.10.0-rc.1` to GA with no
functional changes — the same bits, validated across a wide range of AWS
tests, re-tagged `1.0.0`.

Highlights since the beta line. AWS passwordless onboarding validated
end-to-end across all four credential methods — `password`,
`secret_store` (AWS Secrets Manager), `secret_store` (AWS SSM Parameter
Store), and `aws_rds_iam`; runnable AWS / Azure / GCP onboarding templates;
least-privilege owner-only collector degradation (`pg_statistic_ext_data`
collectors skip rather than fail under a `pg_monitor` role); CI-validated
Terraform modules; and a live-validated AWS `aws_rds_iam` deploy path
(operator-gated smoke).

Scope. GA support is the AWS deploy paths. The Azure (`azure_entra`)
and GCP (`gcp_cloudsql_iam`) templates are runnable and
unit/integration-tested; end-to-end live validation is in progress and
tracked for 1.1.

Upgrade. No config or behavior changes from `0.10.0-rc.1`. Pin the
`1.0.0` image / chart.

Supply chain
- Images (same manifest digest in both registries):
  - GHCR: `ghcr.io/elevarq/signals:1.0.0`
  - Docker Hub: `elevarq/signals:1.0.0` (when configured)
- Digest: `sha256:a918ff8fa4ca24828d6807659fdf62ead3b077deb2cb1d5efcce5598082f5e5d`
- Architectures: `linux/amd64`, `linux/arm64`
- Cosign-signed in both registries (keyless, GitHub OIDC)
- SBOM attached as OCI attestation and as `sbom.spdx.json` release asset
- SLSA build provenance attestation (`mode=max`)

Quick signature verification (GHCR):

```shell
cosign verify ghcr.io/elevarq/signals:1.0.0 \
  --certificate-identity-regexp='github.com/Elevarq/(Signals|signals)/.github/workflows/release.yml@' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
```

Same command works against `elevarq/signals:1.0.0` — the certificate identity is bound to the workflow, not the registry.

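What the identity pattern in the command above accepts, next to a stricter variant, as an added example that is not part of the release notes or the project's code. The certificate identities are constructed samples in the GitHub Actions form, and `strictPattern`, the tag naming scheme and the unanchored-match behaviour are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern copied from the cosign command above.
const pagePattern = `github.com/Elevarq/(Signals|signals)/.github/workflows/release.yml@`

// Hypothetical stricter variant: anchored at both ends, dots escaped,
// and limited to tag refs. The tag naming scheme is an assumption.
const strictPattern = `^https://github\.com/Elevarq/(Signals|signals)/\.github/workflows/release\.yml@refs/tags/v?[0-9]+\.[0-9]+\.[0-9]+$`

// Constructed certificate identities in the GitHub Actions form
// https://github.com/OWNER/REPO/.github/workflows/FILE@REF.
var samples = []string{
	"https://github.com/Elevarq/Signals/.github/workflows/release.yml@refs/tags/v1.0.0",
	"https://github.com/Elevarq/signals/.github/workflows/release.yml@refs/tags/v1.0.0",
	"https://github.com/Elevarq/Signals/.github/workflows/release.yml@refs/heads/feature-x",
	"https://github.com/Elevarq/Signals/.github/workflows/ci.yml@refs/tags/v1.0.0",
	"https://github.com/Elevarq/other-repo/.github/workflows/release.yml@refs/tags/v1.0.0",
}

// accepts reports whether identity satisfies pattern using an unanchored
// search (regexp.MatchString), assumed here to be how the flag matches.
func accepts(pattern, identity string) bool {
	return regexp.MustCompile(pattern).MatchString(identity)
}

// acceptedBy returns the samples that pattern accepts, in order.
func acceptedBy(pattern string) []string {
	var out []string
	for _, s := range samples {
		if accepts(pattern, s) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	for _, s := range samples {
		fmt.Printf("page=%-5v strict=%-5v %s\n",
			accepts(pagePattern, s), accepts(strictPattern, s), s)
	}
}
```

The page's pattern ends at `@`, so it pins the workflow file but not the ref it ran from; the stricter variant accepts only tag refs.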
Full verification checklist (manifest, SBOM, provenance, Trivy):
docs/release-verification.md