v1.1.1

@miki725 miki725 released this 22 Jun 20:55
· 1 commit to main since this release
cfd43fc

Download binaries at https://chalkproject.io/download/


June 22, 2026

Breaking Changes

  • FAILED_KEYS and _OP_FAILED_KEYS now store a list of error objects per key instead of a single object. The value for each key changes from {code, error, description} to [{code, error, description}, ...]. This allows multiple distinct failures for the same key to be recorded (e.g. a context that is both too large and fails to upload) without the later error silently overwriting the earlier one. Consumers reading these keys must handle the new list format.
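A report consumer that has to accept both shapes during a rollout can normalize them before use. The following is an added example, not code from the Chalk project; the function names, the key name `_REPO_BUILD_CONTEXTS` used as the failing key, and the code `UPLOAD_FAILED_EXAMPLE` are assumptions made for the constructed sample data.

```python
import json

# Constructed sample reports (not real chalk output). The key name
# _REPO_BUILD_CONTEXTS and the code UPLOAD_FAILED_EXAMPLE are assumptions.
OLD_REPORT = json.loads("""{"_OP_FAILED_KEYS": {"_REPO_BUILD_CONTEXTS":
  {"code": "CONTEXT_TOO_LARGE", "error": "constructed", "description": "constructed"}}}""")
NEW_REPORT = json.loads("""{"_OP_FAILED_KEYS": {"_REPO_BUILD_CONTEXTS": [
  {"code": "CONTEXT_TOO_LARGE", "error": "constructed", "description": "constructed"},
  {"code": "UPLOAD_FAILED_EXAMPLE", "error": "constructed", "description": "constructed"}]}}""")

ERROR_FIELDS = ("code", "error", "description")


def failures_by_key(report, field="_OP_FAILED_KEYS"):
    """Return {key: [error_object, ...]} for both the old and the new shape."""
    raw = report.get(field) or {}
    if not isinstance(raw, dict):
        raise TypeError(f"{field} must be an object, got {type(raw).__name__}")
    normalized = {}
    for key, value in raw.items():
        if isinstance(value, dict):      # pre-1.1.1: one error object per key
            errors = [value]
        elif isinstance(value, list):    # 1.1.1 and later: list of error objects
            errors = value
        else:
            raise TypeError(f"{field}[{key!r}] has unexpected type {type(value).__name__}")
        if not all(isinstance(e, dict) for e in errors):
            raise TypeError(f"{field}[{key!r}] contains a non-object entry")
        # Keep only the documented fields so downstream code sees one schema.
        normalized[key] = [{f: e.get(f) for f in ERROR_FIELDS} for e in errors]
    return normalized


def failure_codes(report, field="_OP_FAILED_KEYS"):
    """Flatten to {key: [code, ...]}, preserving the order errors were recorded."""
    return {k: [e["code"] for e in v] for k, v in failures_by_key(report, field).items()}
```

Pass `field="FAILED_KEYS"` to apply the same normalization to the chalk-time key.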

New Features

  • Build context upload as OCI attestation. When docker_context_upload is configured inside a docker_push section, Chalk uploads the build context as a .tar.gz layer attached to an OCI attestation manifest, enabling downstream tools such as Ocular to inspect the exact sources used to produce an image.

    New configuration section nested under docker_push:

    • docker.docker_registry.<name>.docker_push.<name>.docker_context_upload
      • enabled - set to true to activate (default: false)
      • strategy - registry, local, disk, or auto
      • size_threshold - skip upload when tarball exceeds this size (default: 100mb); failure reported in _OP_FAILED_KEYS with code CONTEXT_TOO_LARGE; set to 0 to disable
      • max_file_size - skip individual files that exceed this size (default: 0 = no limit); skipped files are recorded in _REPO_BUILD_CONTEXT_SKIPPED_FILES with their path, size, and SHA-256 digest for audit purposes
      • additional_dockerignore - extra glob patterns appended after .dockerignore (last-match-wins; default: [".git"])
      • honor_dockerignore - apply .dockerignore patterns (default: true)

    Example:

        docker_context_upload {
          enabled:  true
          strategy: "auto"
        }
    

    Upload strategies:

    • registry - uploads the blob at build time; only the manifest is created at push time (recommended for CI)
    • local - saves the tarball at build time and uploads at push time; tarball is retained for multi-registry pushes and cleaned up by TTL (default for non-CI environments)
    • disk - records the context path at build time and reads from disk at push time (single-machine workflows only)
    • auto - selects registry when a CI environment is detected, otherwise local

    Git URL contexts are intentionally skipped - their content is already captured in git state. Both the main context and any extra contexts added via --build-context name=path are supported for local directory contexts.

    New chalk keys:

    • DOCKER_BUILD_CONTEXT_SNAPSHOTS (chalk-time) - intermediate upload state embedded in the chalk mark, consumed at push time
    • _REPO_BUILD_CONTEXTS (runtime) - map of context manifest digests keyed by registry -> repo -> context name
    • _REPO_BUILD_CONTEXT_TAR_SIZES (runtime) - tarball sizes in bytes keyed by registry -> repo -> context name
    • _REPO_BUILD_CONTEXT_SKIPPED_FILES (runtime) - files skipped due to max_file_size, keyed by registry -> repo -> context name -> file path -> {hash, size}

    New configuration fields on docker:

    • build_context_cache_max_age - maximum age of cached tarballs under /tmp/chalk-build-contexts/ (default: 1 hour); cleanup runs at both chalk docker build and chalk docker push
    • registry_layer_chunk_size - chunk size for registry layer uploads (default: 5mb)
    • registry_layer_upload_timeout - timeout for a single chunk upload (default: 30 sec)

    See docs/design-docker-registry.md for full details.

    (#669)

  • OCI Referrers API support for attestations. When the target registry supports GET /v2/{name}/referrers/{digest}, Chalk attaches attestations as referrer manifests (using the subject field) instead of relying solely on the legacy sha256-<digest> tag. The referrers path is detected automatically via the OCI-Subject response header.

    New configuration field on docker:

    • attestation_use_oci_tag - when the referrers API is available, also maintain the legacy attestation tag for clients that do not support the referrers API (default: true)

    (#674)

  • All outgoing HTTP requests now include a User-Agent header identifying the chalk version, e.g. chalk/1.1.1 Nim-httpclient/2.2.6. (#678)

  • DOCKER_CHALK_ADDED_LABELS is now populated with the labels chalk injects during docker build, keyed by the original (pre-prefix) key name. (#679)
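For the OCI Referrers API item above, this added example (not Chalk's own code) builds a referrer manifest with a `subject` field and decides which legacy tags to maintain from the `OCI-Subject` response header, following the OCI image and distribution specifications. The function names and the `application/vnd.example.*` media types are hypothetical, and the mapping of `attestation_use_oci_tag` onto the tag decision is an assumption drawn from the description above.

```python
import hashlib

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_EMPTY = "application/vnd.oci.empty.v1+json"   # empty config blob is "{}"


def descriptor(media_type, blob):
    """OCI content descriptor for a blob held in memory."""
    digest = "sha256:" + hashlib.sha256(blob).hexdigest()
    return {"mediaType": media_type, "digest": digest, "size": len(blob)}


def referrer_manifest(subject, artifact_type, layer_type, payload):
    """Manifest that a registry lists under /v2/{name}/referrers/{subject digest}."""
    return {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "artifactType": artifact_type,
        "config": descriptor(OCI_EMPTY, b"{}"),
        "layers": [descriptor(layer_type, payload)],
        "subject": subject,   # descriptor of the image the attestation describes
    }


def legacy_tag(subject_digest):
    """sha256:<hex> -> sha256-<hex>, rejecting anything that is not a sha256 digest."""
    alg, _, hexpart = subject_digest.partition(":")
    if alg != "sha256" or len(hexpart) != 64 or set(hexpart) - set("0123456789abcdef"):
        raise ValueError(f"not a sha256 digest: {subject_digest!r}")
    return f"{alg}-{hexpart}"


def referrers_supported(put_response_headers, subject_digest):
    """True when the manifest PUT response echoes the subject in OCI-Subject."""
    for name, value in put_response_headers.items():
        if name.lower() == "oci-subject":          # header names are case-insensitive
            return value.strip() == subject_digest
    return False


def tags_to_maintain(put_response_headers, subject_digest, attestation_use_oci_tag=True):
    """Legacy tags to write after pushing the referrer manifest."""
    if referrers_supported(put_response_headers, subject_digest):
        return [legacy_tag(subject_digest)] if attestation_use_oci_tag else []
    return [legacy_tag(subject_digest)]            # no referrers API: tag is the only path
```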

Bug Fixes

  • _OP_PUBLIC_IPV4_ADDR was defined but never set; it is now populated in every chalk operation report. (#679)

  • Three docker image keys were silently absent due to name mismatches between the keyspec and the collector:

    • _IMAGE_HOSTNAME
    • _IMAGE_EXPOSED_PORTS
    • _INSTANCE_IP

    (#679)

  • FROM --platform=<var> instructions with multiple spaces between FROM and --platform were incorrectly parsed: the flag was not recognized and the platform flag string was used as the image name instead. (#681)

  • File sinks and the report cache no longer emit continuous errors when chalk runs in a container with a read-only root filesystem. A file sink whose destination directory is not writable is now disabled at startup with a single warning. Similarly, if the report cache location is on a read-only filesystem, the cache is disabled with a single warning rather than repeatedly failing on every publish attempt. (#676)


Commits since the previous tag: v1.1.0...v1.1.1