v0.49.2

github-actions released this 29 Jun 16:25 · 1 commit to main since this release · ef8dffb

Patch release correcting how the SBOM attestation is published so it is discoverable and verifiable alongside the image signatures and SLSA provenance shipped in v0.49.0.

Bug Fixes

  • SBOM attestation now published as an OCI 1.1 referrer — the per-image SPDX SBOM was previously attached via cosign attest, which writes the legacy .att tag that neither cosign verify-attestation nor gh attestation verify reads as a referrer. It is now attached with actions/attest-sbom (push-to-registry), the same discovery path as the SLSA provenance, so gh attestation verify oci://<image> --repo mattrobinsonsre/terrapod --predicate-type https://spdx.dev/Document succeeds. Image and Helm-chart signatures and SLSA provenance were already verifiable and are unchanged. (#626)
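To make the discovery difference concrete, the following is an added example, not terrapod's, cosign's or gh's code. It models a registry as plain dicts (a tag table plus an OCI 1.1 referrers table keyed by subject digest) and shows why a referrer-only verifier finds the SBOM in the new layout but not in the old one, where it hung off cosign's legacy `sha256-<hex>.att` tag. The sigstore bundle media type, the predicate-type annotation key, and every digest are assumed or constructed values, not taken from the release.

```python
"""Referrer discovery vs. legacy cosign tags (constructed example)."""
from typing import Optional

SPDX_PREDICATE = "https://spdx.dev/Document"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"

# Assumed artifactType and annotation key used for sigstore bundles stored as
# OCI referrers; confirm the exact strings against your tooling's docs.
SIGSTORE_BUNDLE = "application/vnd.dev.sigstore.bundle.v0.3+json"
PREDICATE_ANNOTATION = "dev.sigstore.bundle.predicateType"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"

IMAGE_DIGEST = "sha256:" + "ab" * 32  # constructed image digest


def legacy_cosign_tag(digest: str, suffix: str = "att") -> str:
    """Tag name in cosign's legacy layout: sha256-<hex>.att / .sig / .sbom."""
    algo, hexdigest = digest.split(":", 1)
    return f"{algo}-{hexdigest}.{suffix}"


def bundle_descriptor(digest: str, predicate_type: str) -> dict:
    """OCI descriptor for an attestation manifest as the referrers API lists it."""
    return {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": digest,
        "size": 1024,  # constructed
        "artifactType": SIGSTORE_BUNDLE,
        "annotations": {PREDICATE_ANNOTATION: predicate_type},
    }


def referrers(registry: dict, subject_digest: str, predicate_type: str) -> list:
    """Emulate GET /v2/<name>/referrers/<digest> plus client-side filtering
    on artifactType and predicate type, which is all a referrer-aware
    verifier consults."""
    index = registry["referrers"].get(subject_digest, {"manifests": []})
    return [
        m for m in index["manifests"]
        if m.get("artifactType") == SIGSTORE_BUNDLE
        and m.get("annotations", {}).get(PREDICATE_ANNOTATION) == predicate_type
    ]


def discover_sbom(registry: dict) -> Optional[dict]:
    """Return the SPDX attestation descriptor a referrer-only verifier would
    find for IMAGE_DIGEST, or None. Note: no tag lookups happen here."""
    found = referrers(registry, IMAGE_DIGEST, SPDX_PREDICATE)
    return found[0] if found else None


# Old layout: provenance is a referrer, but the SBOM is reachable only through
# the legacy .att tag that referrer-aware verifiers never look at.
BEFORE = {
    "tags": {legacy_cosign_tag(IMAGE_DIGEST): "sha256:" + "cd" * 32},
    "referrers": {
        IMAGE_DIGEST: {
            "schemaVersion": 2,
            "mediaType": OCI_INDEX,
            "manifests": [bundle_descriptor("sha256:" + "ef" * 32, SLSA_PREDICATE)],
        }
    },
}

# New layout: the SBOM attestation is pushed as a referrer of the image, so it
# sits beside the provenance on the same discovery path.
AFTER = {
    "tags": {},
    "referrers": {
        IMAGE_DIGEST: {
            "schemaVersion": 2,
            "mediaType": OCI_INDEX,
            "manifests": [
                bundle_descriptor("sha256:" + "ef" * 32, SLSA_PREDICATE),
                bundle_descriptor("sha256:" + "12" * 32, SPDX_PREDICATE),
            ],
        }
    },
}

if __name__ == "__main__":
    print("before:", discover_sbom(BEFORE))
    print("after: ", discover_sbom(AFTER)["digest"])
```

The point of the model is the asymmetry: the legacy tag exists in `BEFORE["tags"]`, yet `discover_sbom(BEFORE)` returns nothing because the verifier only walks referrers; once the SBOM is a referrer, the same filter that already finds the SLSA provenance finds the SBOM too.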

Verifying

See Supply-chain verification. All artifacts in this release were verified end-to-end: image signature, chart signature, SBOM (referrer), and SLSA build provenance.

Status

Beta — production-capable; APIs stabilising.

Full Changelog: v0.49.1...v0.49.2