v1.1.0-rc.3

Pre-release v1.1.0-rc.3 — bundles the live-dogfood fixes that landed after v1.1.0-rc.2, so the GKE dogfood (Q224/Q231) can run against a released image.

What's in this RC (since v1.1.0-rc.2)

• Q227 — GMC system-cluster-critical pods permitted on GKE via a scoped ResourceQuota (#428)
• Q228 — v2 controllers start only when the v2alpha1 CRDs are installed (#429)
• Q229 — egress NetworkPolicy DNS rule allows the node-local-dns peer (GKE Dataplane V2 + NodeLocal DNSCache) (#430)

Published images (multi-arch linux/amd64 + linux/arm64)

Pin the index digest — it serves both architectures:

ghcr.io/actions-gateway/gmc@sha256:e650d216b0cf08f1077d3c1781ad5e3abae2dc340c6cd7b88bc20619f0afbd2b
ghcr.io/actions-gateway/agc@sha256:f0810eddc4d5403f213841931470adcfb276b530437796baf48dc241fb2f093b
ghcr.io/actions-gateway/proxy@sha256:7825869c74af0e4a7ba12742ae24cf04a266ba7d877ae34d0af5e38ba2fee999
ghcr.io/actions-gateway/worker@sha256:50257add62f0d8b639e6692e1cc6f93695ab74c58908cffdb34ceaf6e3a66eb1

Verify provenance

Each image and chart carries a keyless cosign signature, an SPDX SBOM attestation, and a SLSA build-provenance attestation from the publish workflow. Verify any image with:

cosign verify \
  --certificate-identity-regexp '^https://github.com/actions-gateway/github-actions-gateway/\.github/workflows/publish\.yml@refs/tags/v.*$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/actions-gateway/gmc:v1.1.0-rc.3

Install

helm install gag oci://ghcr.io/actions-gateway/charts/actions-gateway --version 1.1.0-rc.3 \
  --set gmc.image.digest=sha256:e650d216b0cf08f1077d3c1781ad5e3abae2dc340c6cd7b88bc20619f0afbd2b \
  --set agc.image.digest=sha256:f0810eddc4d5403f213841931470adcfb276b530437796baf48dc241fb2f093b \
  --set proxy.image.digest=sha256:7825869c74af0e4a7ba12742ae24cf04a266ba7d877ae34d0af5e38ba2fee999

The opt-in v2 CRD chart is published alongside at oci://ghcr.io/actions-gateway/charts/actions-gateway-crds-v2 (version 1.1.0-rc.3).