Skip to content

stable-20260607: Stable

Choose a tag to compare

View all tags
@castrojo castrojo released this 07 Jun 16:28
· 58 commits to main since this release
stable-20260607
58f1780
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Bluefin stable-20260607

Image: ghcr.io/projectbluefin/bluefin@sha256:5ba5d03c844a7bb18814b8cbc54e2d0f8d641cb1fe19c36a57ed0d4d2bbea70d

Changes since stable-20260602

  • fix(ci): use sigstore/cosign-installer in promotion (fixes cosign v2/v3 bundle format mismatch blocking stable releases for a week)
  • ci: fix cosign cert identity regexp — use repository_owner pattern (#417)
  • docs: add cosign regexp rule, production-down protocol
  • fix(ci): allow auto/promote-testing-to-main through base-branch check
  • feat: add weekly gated stable release on Tuesday (#371)
  • feat(build): add extension-builder stage to avoid build deps in final image (#333)
  • fix(security): require cosign v3+ in verify-container for Bundle v0.3 support
  • fix(deps): update common image digest to signed sha256:40128dda
  • feat(quality): add bats unit tests for package-lib.sh

Verification

cosign verify \
  --certificate-identity-regexp 'https://github.com/projectbluefin/(bluefin|actions)/.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:5ba5d03c844a7bb18814b8cbc54e2d0f8d641cb1fe19c36a57ed0d4d2bbea70d

SBOM artifact not attached — see #418 for tracking.

Promoted from tested main HEAD 58f178066616175d8cbf770d27b94be2b346101f

Assets 2
Loading