Skip to content

Releases: actions-gateway/github-actions-gateway

v1.0.0

16 Jun 09:42
@karlkfi karlkfi
v1.0.0
f105b22
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.0.0 Latest
Latest

GitHub Actions Gateway v1.0.0 — General Availability

First GA release. The actions-gateway Helm chart and all four first-party images
are published to GHCR, multi-arch (linux/amd64 + linux/arm64), keyless
cosign-signed (recursive: index + per-arch manifests) with per-arch SPDX-JSON SBOM
and SLSA build-provenance attestations. The chart is published as a final release
(artifacthub.io/prerelease: "false").

Install

helm install gag oci://ghcr.io/actions-gateway/charts/actions-gateway \
  --version 1.0.0 \
  --namespace gmc-system --create-namespace \
  --set gmc.image.digest=sha256:41cda3cfb697468b98e620b558daf089be615df680d43244132554d41aa01d48 \
  --set agc.image.digest=sha256:d4387ea238da5564a2ab44881776fecdf2c3d83ceea60c00b6a9d2d2287d9c6f \
  --set proxy.image.digest=sha256:2fb5a42e07ef3ee9827cc0c0921eda435049c6b966c2f5eae8012e1dd14eee44

See docs/operations/install.md
for prerequisites, the cert-manager toggle, and healthy-install verification.

Published image digests (multi-arch index digests — pin these)

Image Digest
ghcr.io/actions-gateway/gmc sha256:41cda3cfb697468b98e620b558daf089be615df680d43244132554d41aa01d48
ghcr.io/actions-gateway/agc sha256:d4387ea238da5564a2ab44881776fecdf2c3d83ceea60c00b6a9d2d2287d9c6f
ghcr.io/actions-gateway/proxy sha256:2fb5a42e07ef3ee9827cc0c0921eda435049c6b966c2f5eae8012e1dd14eee44
ghcr.io/actions-gateway/worker sha256:8c8420b3dd4de12437fbe16fac19196c944cb2a2a257ccdf5785dd46698ec802

Chart artifact digest: sha256:cb69390db396f2e681b43add7df62a2e7e1caa32709b1edfe25c1038428cb41e
(oci://ghcr.io/actions-gateway/charts/actions-gateway:1.0.0).

Verify provenance

One-command verification (downloads the pinned cosign and checks all four image
signatures plus the chart against the publish workflow's keyless identity):

make verify-release VERSION=v1.0.0

Equivalent explicit check for any single artifact:

cosign verify \
  --certificate-identity-regexp '^https://github.com/actions-gateway/github-actions-gateway/\.github/workflows/publish\.yml@refs/tags/v.*$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/actions-gateway/gmc:v1.0.0

What v1.0.0 means

An operator can helm install the chart, onboard isolated multi-tenant gateways
that each run real GitHub jobs through a per-tenant egress proxy, and trust the
documented security controls. Capacity (thousands of sessions per AGC) and
sandboxed runtimes (gVisor/Kata) remain documented design targets not yet
validated at scale — see the validation-status notes in the design appendices.
NetworkPolicy egress enforcement requires a CNI that enforces it (Calico/Cilium).

Assets 2
Loading