Releases: PlatformRelay/Kollect
Release list
kollect 0.9.0
0.9.0 - 2026-07-14
Bug Fixes
- docs: Correct OpenSSF Scorecard badge repo-name casing 4984cc7
Features
-
branding: Add favicon and social preview assets (#74)930a82b
-
pipeline: Sink credentials from env vars via ${env:VAR} secret placeholders 53b3d48
-
api: Per-sink-binding maxExportBytes override (merge feat/export-partitioning, AR-01/EC-P0-01 Option B) 37596e9
-
api: Per-sink-binding maxExportBytes override (AR-01/EC-P0-01 Phase C, Option B) 1d26bfc
Refactoring
- sink: Extract event-sink secret->auth helper into secretkv 4f14450
Container image (operator)
ghcr.io/platformrelay/kollect:0.9.0
Multi-arch (linux/amd64, linux/arm64), Debian bookworm-slim nonroot base (includes git and openssh-client for spec.git.engine: cli).
OCI attestations (SBOM + SLSA provenance) are attached in GHCR and on the repository
Attestations page. Verify the signature:
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/PlatformRelay/Kollect/.+' \
ghcr.io/platformrelay/kollect@sha256:99f33015dede4e6be4e4d8b122021e204d5181ac4c282f8f6a6e0e28b26845c5Container image (kollect-ui)
Optional read-only UI SPA — enable with Helm ui.enabled=true.
ghcr.io/platformrelay/kollect-ui:0.9.0
Multi-arch (linux/amd64, linux/arm64), nginx alpine static server.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/PlatformRelay/Kollect/.+' \
ghcr.io/platformrelay/kollect-ui@sha256:56b2cfa81bd3667c8dbb657f3f592504f855fc14d2b46763efb47cb859f9ad68Container image (kollect-pipeline)
One-shot CI/CD collection CLI (ADR-0801) — collect inventory from a kubeconfig without installing
the operator. See the pipeline CLI guide.
ghcr.io/platformrelay/kollect-pipeline:0.9.0
Multi-arch (linux/amd64, linux/arm64), distroless static nonroot base. The git snapshot sink
uses the pure-Go go-git engine over HTTPS; git.engine: cli and file:// remotes are not supported
in this minimal image.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/PlatformRelay/Kollect/.+' \
ghcr.io/platformrelay/kollect-pipeline@sha256:fe7799600540ca849b68d67fe5b7e0acb19823d55f83cfc6e61842488ffc4825Install (Kustomize)
kubectl apply -f install-crds.yaml
kubectl apply -f install.yamlInstall (Helm — OCI)
helm upgrade --install kollect oci://ghcr.io/platformrelay/kollect \
--version 0.9.0 \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/platformrelay/kollect \
--set image.tag=0.9.0 \
--set ui.image.tag=0.9.0Install (Helm — GitHub Release tarball)
helm upgrade --install kollect kollect-0.9.0.tgz \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/platformrelay/kollect \
--set image.tag=0.9.0 \
--set ui.image.tag=0.9.0Verify checksums with sha256sum -c checksums.txt. Each release asset includes a
<file>.sigstore.json Sigstore bundle; release-provenance.intoto.jsonl attests all assets.
See docs/RELEASE.md.
kollect 0.8.0
0.8.0 - 2026-07-10
Bug Fixes
-
pipeline: Drop computed make() capacity flagged by CodeQL overflow 11b9ee3
-
cli: Context selection, skip-to-exitcode, and dead --namespace flag ba53f06
-
controller: Requeue on family-sink status conflict instead of dropping it 7cb5cbe
-
collect: Block on dispatch backpressure instead of inline sync fallback c570338
-
controller: Degrade scope not whole target on RBAC-forbidden namespace (#28) 7cdc108
-
release: Tolerate Rekor 409 on asset re-sign 0a8f61a
-
sink/nats: Reconnect when cached connection is closed 05323e7
-
sink/bigquery: Snapshot emulator mode in Config 7ab6387
-
test: Drop duplicate family sink condition tests b6bfdb7
-
build: Fix go-arch-lint exclude paths for local dirs 95850bb
-
validation: Block private sink endpoint targets 6c1ed5b
-
sink: Retry BigQuery emulator readiness in L3 tests 5106a32
-
controller: Enforce namespace intersections in rollups c4439c3
-
sink: Re-enable backend pool after layout integration test bea1372
-
sink: Infer resource manifest layout e83c30f
-
build: Compile full cmd package after pprof fold 796e744
-
controller: Panic-guard family-sink, connection-test, cluster-target reconcilers b333ce0
-
controller: Aggregate per-sink export errors af341f8
-
controller: Stop requeue on terminal finalizer cleanup b3ae025
-
api: [breaking] Reject stub sink types at admission 5eee44d
-
sink: Remove stub backends, make unknown sink type terminal eaf5a15
-
sink/git: Redact credentials from git CLI errors 7a8e6d0
-
collect: Stabilize export fingerprints for debounce 038cbec
-
docs: Purge stale hub/spoke from operator manual 367b6bf
-
docs: Repair broken links and stale ADR references be7c448
-
chart: Sync family-sink CRDs with ADR-0416 fields 7baaa66
-
build: Upgrade alpine packages in UI image for Trivy 3cdce54
-
ci: Stop perf-report writing agent-context in CI 5efafd6
-
ui: Disambiguate Playwright inventory row locator 878dff2
-
ci: Stabilize nightly Playwright and perf-report fcb0533
-
build: Upgrade debian packages for Trivy gate 5c8f07f
-
controller: Recover panics and suspend status 3bb8c55
-
git: Resolve lint issues in sink hardening 1cd7ef7
-
docs: Remove extra blank line in git-sink-attribution 152cb40
-
e2e: Guard multitenant port-forward cleanup trap fde54d4
-
e2e: Use object form for snapshotSinkRefs c434c9e
-
e2e: Validate git-export and multitenant via HTTP b934eb2
-
e2e: Drop legacy sinkRefs from multitenant scope 7efd330
-
e2e: Drop removed inventory sinkRefs field f7de7af
-
e2e: Validate collection via inventory HTTP 67404df
-
e2e,test: Stabilize smoke bootstrap and debounce IT 2b7b31d
-
samples: Drop legacy sinkRefs from team-a scope 4598ce5
-
e2e: Wait on family sink CRDs in kind smoke fac0a82
-
gitlab: Basic auth for Forgejo Gitea MR API 92e2ce0
-
collect,controller: Resolve race detector findings 2fc1aff
-
api: Keep KollectRemoteCluster status optional in codegen 578af5e
-
api: Drop required status on KollectRemoteCluster create 88e7bc5
-
ops: P2 hardening and chart connectionTest default 4a07ab6
-
git: Terminal auth errors and per-repo export lock 2b596ba
-
lint: Gofmt webhooks and phase A envtest cleanup f132bf9
-
sink: Isolate circuit breaker test from parallel pollution d5ec865
-
e2e: Revert multitenant namespaceSelector 4ba734c
-
controller: Continue multi-sink export on partial failure 6b1fa36
-
e2e: Apply tenant-scope after multitenant asserts 475f3f9
-
e2e: Stabilize multitenant matrix job waits 9ed2c7a
-
sink: Validate git export paths for CodeQL 4855b3d
-
ci: Sync CHANGELOG and UI Docker npm ci 0eef82c
-
e2e: Bootstrap samples for matrix git-export 7957b7b
-
sink: Gitlab HTTP client timeout 2c1377c
-
sink: Postgres connect uses request context 3590d22
-
collect: Degrade target on SAR API error 9ada555
-
hub: Rollback merge when export fails 6065122
-
controller: Requeue conflicts and log map errors a9cd353
-
sink: Close backends and log close errors a52d779
-
transport: Commit Kafka offset on handler success e15ef5b
-
spoke: Retain delta until publish succeeds 42fe240
-
sink: Valida...
kollect 0.7.0
0.7.0 - 2026-06-17
Container image (operator)
ghcr.io/konih/kollect:0.7.0
Multi-arch (linux/amd64, linux/arm64), Debian bookworm-slim nonroot base (includes git and openssh-client for spec.git.engine: cli).
OCI attestations (SBOM + SLSA provenance) are attached in GHCR and on the repository
Attestations page. Verify the signature:
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect@sha256:bd50c251502495931669703a7bfea6d13c4c44f45f4c5972acf3b97f8f734543Container image (kollect-ui)
Optional read-only UI SPA — enable with Helm ui.enabled=true.
ghcr.io/konih/kollect-ui:0.7.0
Multi-arch (linux/amd64, linux/arm64), nginx alpine static server.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect-ui@sha256:3bd72b73493018bf8cccfff536e97013e92cca4262624a5990e8ab9fd55b4291Install (Kustomize)
kubectl apply -f install-crds.yaml
kubectl apply -f install.yamlInstall (Helm — OCI)
helm upgrade --install kollect oci://ghcr.io/konih/kollect \
--version 0.7.0 \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.7.0 \
--set ui.image.tag=0.7.0Install (Helm — GitHub Release tarball)
helm upgrade --install kollect kollect-0.7.0.tgz \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.7.0 \
--set ui.image.tag=0.7.0Verify checksums with sha256sum -c checksums.txt. Each release asset includes a
<file>.sigstore.json Sigstore bundle; release-provenance.intoto.jsonl attests all assets.
See docs/RELEASE.md.
kollect 0.7.0-rc.1
0.7.0-rc.1 - 2026-06-13
Bug Fixes
-
release: Tolerate Rekor 409 on asset re-sign 94de025
-
sink/nats: Reconnect when cached connection is closed 319a2bf
-
sink/bigquery: Snapshot emulator mode in Config 4c58988
Features
-
webhook: Reject cluster kinds in tenantMode 3dbfd6b
-
controller: Classify forbidden static refs for cluster kinds ae3057d
-
api: [breaking] Reference namespaced static config from cluster kinds 9753744
Container image (operator)
ghcr.io/konih/kollect:0.7.0-rc.1
Multi-arch (linux/amd64, linux/arm64), Debian bookworm-slim nonroot base (includes git and openssh-client for spec.git.engine: cli).
OCI attestations (SBOM + SLSA provenance) are attached in GHCR and on the repository
Attestations page. Verify the signature:
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect@sha256:05fe500edf271489def67e61dc7f456f54983e83471f56ff4f5d226b806dcf7eContainer image (kollect-ui)
Optional read-only UI SPA — enable with Helm ui.enabled=true.
ghcr.io/konih/kollect-ui:0.7.0-rc.1
Multi-arch (linux/amd64, linux/arm64), nginx alpine static server.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect-ui@sha256:b3c4169f0c72475e0abdfbcc1e0788e0eedd47d5c321dcbe830db1ca37977178Install (Kustomize)
kubectl apply -f install-crds.yaml
kubectl apply -f install.yamlInstall (Helm — OCI)
helm upgrade --install kollect oci://ghcr.io/konih/kollect \
--version 0.7.0-rc.1 \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.7.0-rc.1 \
--set ui.image.tag=0.7.0-rc.1Install (Helm — GitHub Release tarball)
helm upgrade --install kollect kollect-0.7.0-rc.1.tgz \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.7.0-rc.1 \
--set ui.image.tag=0.7.0-rc.1Verify checksums with sha256sum -c checksums.txt. Each release asset includes a
<file>.sigstore.json Sigstore bundle; release-provenance.intoto.jsonl attests all assets.
See docs/RELEASE.md.
kollect 0.6.0-rc.2
0.6.0-rc.2 - 2026-06-10
Bug Fixes
-
test: Drop duplicate family sink condition tests f0bfb36
-
build: Fix go-arch-lint exclude paths for local dirs 4e443f6
-
validation: Block private sink endpoint targets f1c0d79
Features
- controller: Shard snapshot exports by max bytes d6ee50a
Refactoring
-
bigquery: Inject query execution adapter 0d2208d
-
s3: Isolate head-bucket check helper 12a47ea
-
postgres: Narrow upsert tx interfaces 82e7bb1
-
export: Extract envelope partition helpers 391bbb8
-
mongodb: Isolate export scope planning 51154e7
-
postgres: Extract export planning helpers 1e0248f
Container image (operator)
ghcr.io/konih/kollect:0.6.0-rc.2
Multi-arch (linux/amd64, linux/arm64), Debian bookworm-slim nonroot base (includes git and openssh-client for spec.git.engine: cli).
OCI attestations (SBOM + SLSA provenance) are attached in GHCR and on the repository
Attestations page. Verify the signature:
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect@sha256:6fda5bd7b4ae43775687a5d8f5dad69522baee7822b76c56830b6cd5bfbecb42Container image (kollect-ui)
Optional read-only UI SPA — enable with Helm ui.enabled=true.
ghcr.io/konih/kollect-ui:0.6.0-rc.2
Multi-arch (linux/amd64, linux/arm64), nginx alpine static server.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect-ui@sha256:43c9fdce6219dadd2f7885f9095d4796b24e090bf6af4564dec03c7eb7f5aa36Install (Kustomize)
kubectl apply -f install-crds.yaml
kubectl apply -f install.yamlInstall (Helm — OCI)
helm upgrade --install kollect oci://ghcr.io/konih/kollect \
--version 0.6.0-rc.2 \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.6.0-rc.2 \
--set ui.image.tag=0.6.0-rc.2Install (Helm — GitHub Release tarball)
helm upgrade --install kollect kollect-0.6.0-rc.2.tgz \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.6.0-rc.2 \
--set ui.image.tag=0.6.0-rc.2Verify checksums with sha256sum -c checksums.txt. Each release asset includes a
<file>.sigstore.json Sigstore bundle; release-provenance.intoto.jsonl attests all assets.
See docs/RELEASE.md.
kollect 0.6.0-rc.1
0.6.0-rc.1 - 2026-06-09
Bug Fixes
-
sink: Retry BigQuery emulator readiness in L3 tests b5a6b85
-
controller: Enforce namespace intersections in rollups 8e11ab6
-
sink: Re-enable backend pool after layout integration test 95a417c
-
sink: Infer resource manifest layout 90725d6
-
build: Compile full cmd package after pprof fold 5045839
-
controller: Panic-guard family-sink, connection-test, cluster-target reconcilers 95f2cae
-
controller: Aggregate per-sink export errors 61d28d4
-
controller: Stop requeue on terminal finalizer cleanup 439e5dd
-
api: [breaking] Reject stub sink types at admission 2ebc8df
-
sink: Remove stub backends, make unknown sink type terminal f39d19c
-
sink/git: Redact credentials from git CLI errors f25cafb
-
collect: Stabilize export fingerprints for debounce 76813eb
-
docs: Purge stale hub/spoke from operator manual 5135c41
-
docs: Repair broken links and stale ADR references d8b37cb
-
chart: Sync family-sink CRDs with ADR-0416 fields 067c5c7
Features
-
api: Add cluster rollup shard status 4809cfd
-
api: Add cluster inventory namespaces list 3959ba2
-
helm: Add minimal RBAC team install profile 907487e
-
sink: Add BigQuery database backend 83fb2f3
-
sink/nats: Version event envelope schema 48fd7dd
-
demo: Add hero harness with in-kind Forgejo c64c14c
-
sink: Wire ADR-0419 git layout into export pipeline 12d7f80
-
export: Full-resource pruning and Git layout 3df4027
-
sink: Render status.preview surface (ADR-0416) 5c9c80f
-
sink: MongoDB database sink (ADR-0417) f49bf3e
Refactoring
-
controller: Compose cluster rollups by namespace b1af6b1
-
inventory: Fold internal/httpauth into inventory f89e2cd
-
cmd: Fold internal/pprof into cmd 8a3004f
-
validation: Decouple layout path checks from sink package a558394
Container image (operator)
ghcr.io/konih/kollect:0.6.0-rc.1
Multi-arch (linux/amd64, linux/arm64), Debian bookworm-slim nonroot base (includes git and openssh-client for spec.git.engine: cli).
OCI attestations (SBOM + SLSA provenance) are attached in GHCR and on the repository
Attestations page. Verify the signature:
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect@sha256:89c310a5f3a960366b71f987cf9f75c53662964834a8ab58d0639a8f8920743dContainer image (kollect-ui)
Optional read-only UI SPA — enable with Helm ui.enabled=true.
ghcr.io/konih/kollect-ui:0.6.0-rc.1
Multi-arch (linux/amd64, linux/arm64), nginx alpine static server.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect-ui@sha256:8e69a4b8a2ec55294c68801493ed85be7fd6a2513b6dc643c77ce8bbba14f8faInstall (Kustomize)
kubectl apply -f install-crds.yaml
kubectl apply -f install.yamlInstall (Helm — OCI)
helm upgrade --install kollect oci://ghcr.io/konih/kollect \
--version 0.6.0-rc.1 \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.6.0-rc.1 \
--set ui.image.tag=0.6.0-rc.1Install (Helm — GitHub Release tarball)
helm upgrade --install kollect kollect-0.6.0-rc.1.tgz \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.6.0-rc.1 \
--set ui.image.tag=0.6.0-rc.1Verify checksums with sha256sum -c checksums.txt. Each release asset includes a
<file>.sigstore.json Sigstore bundle; release-provenance.intoto.jsonl attests all assets.
See docs/RELEASE.md.
kollect 0.5.0-rc.1
0.5.0-rc.1 - 2026-06-07
Bug Fixes
-
build: Upgrade alpine packages in UI image for Trivy 45d08ce
-
ci: Stop perf-report writing agent-context in CI 5ee2088
-
ui: Disambiguate Playwright inventory row locator f422a78
-
ci: Stabilize nightly Playwright and perf-report b6ea35f
Features
- api: ADR-0416 sink config layering dcc5fa9
Container image (operator)
ghcr.io/konih/kollect:0.5.0-rc.1
Multi-arch (linux/amd64, linux/arm64), Debian bookworm-slim nonroot base (includes git and openssh-client for spec.git.engine: cli).
OCI attestations (SBOM + SLSA provenance) are attached in GHCR and on the repository
Attestations page. Verify the signature:
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect@sha256:a06464989768c266713824390e2fd4497b0cf28ab30ed88a68d97ec0858dfe85Container image (kollect-ui)
Optional read-only UI SPA — enable with Helm ui.enabled=true.
ghcr.io/konih/kollect-ui:0.5.0-rc.1
Multi-arch (linux/amd64, linux/arm64), nginx alpine static server.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect-ui@sha256:22fa74946e4211577fb7030d2d185368bd4366b1f86e712d3b3c68c902ed18a6Install (Kustomize)
kubectl apply -f install-crds.yaml
kubectl apply -f install.yamlInstall (Helm — OCI)
helm upgrade --install kollect oci://ghcr.io/konih/kollect \
--version 0.5.0-rc.1 \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.5.0-rc.1 \
--set ui.image.tag=0.5.0-rc.1Install (Helm — GitHub Release tarball)
helm upgrade --install kollect kollect-0.5.0-rc.1.tgz \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.5.0-rc.1 \
--set ui.image.tag=0.5.0-rc.1Verify checksums with sha256sum -c checksums.txt. Each release asset includes a
<file>.sigstore.json Sigstore bundle; release-provenance.intoto.jsonl attests all assets.
See docs/RELEASE.md.
kollect 0.5.0
0.5.0 - 2026-06-07
Container image (operator)
ghcr.io/konih/kollect:0.5.0
Multi-arch (linux/amd64, linux/arm64), Debian bookworm-slim nonroot base (includes git and openssh-client for spec.git.engine: cli).
OCI attestations (SBOM + SLSA provenance) are attached in GHCR and on the repository
Attestations page. Verify the signature:
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect@sha256:04c8d5515ae81e63c4386e2afc2da14b0e7c81a3acffafda2511edd867ade23fContainer image (kollect-ui)
Optional read-only UI SPA — enable with Helm ui.enabled=true.
ghcr.io/konih/kollect-ui:0.5.0
Multi-arch (linux/amd64, linux/arm64), nginx alpine static server.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/konih/kollect/.+' \
ghcr.io/konih/kollect-ui@sha256:152ece79facc46c82d9f92d82a3e77aae99906c555c660bc9c61e80b21e2f6ffInstall (Kustomize)
kubectl apply -f install-crds.yaml
kubectl apply -f install.yamlInstall (Helm — OCI)
helm upgrade --install kollect oci://ghcr.io/konih/kollect \
--version 0.5.0 \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.5.0 \
--set ui.image.tag=0.5.0Install (Helm — GitHub Release tarball)
helm upgrade --install kollect kollect-0.5.0.tgz \
--namespace kollect-system \
--create-namespace \
--set image.repository=ghcr.io/konih/kollect \
--set image.tag=0.5.0 \
--set ui.image.tag=0.5.0Verify checksums with sha256sum -c checksums.txt. Each release asset includes a
<file>.sigstore.json Sigstore bundle; release-provenance.intoto.jsonl attests all assets.
See docs/RELEASE.md.