Bump the backend group across 1 directory with 13 updates

[dependabot]

Bumps the backend group with 7 updates in the / directory:

Package	From	To
github.com/aquasecurity/trivy	0.58.1	0.59.1
github.com/coreos/go-oidc	2.2.1+incompatible	2.3.0+incompatible
github.com/go-chi/chi/v5	5.2.0	5.2.1
github.com/operator-framework/api	0.27.0	0.29.0
github.com/tektoncd/pipeline	0.66.0	0.68.0
golang.org/x/crypto	0.32.0	0.33.0
golang.org/x/oauth2	0.25.0	0.26.0

Updates github.com/aquasecurity/trivy from 0.58.1 to 0.59.1

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.59.1

Changelog

• 9aabfd2a91e7278384bce7ccc6841a1d2851feb0 release: v0.59.1 [release/v0.59] (#8334)
• 412c690924d4414ef6d8a5f37b293969bc245d32 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
• 98f9ba295a55da34914b849c73b2d003d57d238a chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#8343)
• 1741fddbe07d166dffbfb9b6f768940e52d08487 fix(python): add poetry v2 support [backport: release/v0.59] (#8335)
• 3fd8e2785b2b838327a80cdc8b489583c3664944 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)

v0.59.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#8312

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0590-2025-01-30

v0.58.2

Changelog

• 936f06a57864d073aa77b38f77fe76c4fcb1f7c1 release: v0.58.2 [release/v0.58] (#8216)
• f72d2bce8d3418dbcb670434bc15bb857b421f98 fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
• 289636758eccf990f36ea2be34f6db2c02cfab6b fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
• b733ecc7bc752d61837d08f2650bd480b645bb1d fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.59.1 (2025-02-04)

Bug Fixes

• misconf: do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349) (412c690)
• python: add poetry v2 support [backport: release/v0.59] (#8335) (1741fdd)
• sbom: preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333) (3fd8e27)

0.59.0 (2025-01-30)

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#8070) (da17dc7)
• add a examples field to check metadata (#8068) (6d84e0c)
• add support for registry mirrors (#8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#8278) (b5062f3)
• image: prevent scanning oversized container images (#8178) (509e030)
• image: return error early if total size of layers exceeds limit (#8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#7989) (7389961)
• python: add support for poetry dev dependencies (#8152) (774e04d)
• python: add support for uv (#8080) (c4a4a5f)
• python: add support for uv dev and optional dependencies (#8134) (49c54b4)

Bug Fixes

• CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088) (d7ac286)
• CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207) (670fbf2)
• de-duplicate same dpkg packages with different filePaths from different layers (#8298) (846498d)
• enable err-error and errorf rules from perfsprint linter (#7859) (156a2aa)
• flag: skip hidden flags for --generate-default-config command (#8046) (5e68bdc)
• fs: fix cache key generation to use UUID (#8275) (eafd810)
• handle BLOW_UNKNOWN error to download DBs (#8060) (51f2123)
• improve conversion of image config to Dockerfile (#8308) (2e8e38a)
• java: correctly overwrite version from depManagement if dependency uses project.* props (#8050) (9d9f80d)
• license: always trim leading and trailing spaces for licenses (#8095) (f5e4291)
• misconf: allow null values only for tf variables (#8112) (23dc3a6)
• misconf: correctly handle all YAML tags in K8S templates (#8259) (f12054e)
• misconf: disable git terminal prompt on tf module load (#8026) (bbc5a85)
• misconf: handle heredocs in dockerfile instructions (#8284) (0a3887c)
• misconf: use log instead of fmt for logging (#8033) (07b2d7f)
• oracle: add architectures support for advisories (#4809) (90f1d8d)
• python: skip dev group's deps for poetry (#8106) (a034d26)
• redhat: check usr/share/buildinfo/ dir to detect content sets (#8222) (f352f6b)

... (truncated)

Commits

• 9aabfd2 release: v0.59.1 [release/v0.59] (#8334)
• 412c690 fix(misconf): do not log scanners when misconfig scanning is disabled [backpo...
• 98f9ba2 chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#8343)
• 1741fdd fix(python): add poetry v2 support [backport: release/v0.59] (#8335)
• 3fd8e27 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59]...
• a58d685 release: v0.59.0 [main] (#8041)
• 73bd20d feat(image): return error early if total size of layers exceeds limit (#8294)
• 0031a38 chore(deps): Bump trivy-checks (#8310)
• 87f3751 chore(terraform): add accessors to underlying raw hcl values (#8306)
• 2e8e38a fix: improve conversion of image config to Dockerfile (#8308)
• Additional commits viewable in compare view

Updates github.com/coreos/go-oidc from 2.2.1+incompatible to 2.3.0+incompatible

Release notes

Sourced from github.com/coreos/go-oidc's releases.

v2.3.0

What's Changed

• Support signed jwt userinfo response by @​holowinski in coreos/go-oidc#254
• *: s/Json/JSON/g to appease lint by @​ericchiang in coreos/go-oidc#255
• userinfo - handling charset in Content-Type header by @​ericchiang in coreos/go-oidc#261
• Change Go Version Used in .travis.yml to v1.14 by @​dickynovanto1103 in coreos/go-oidc#268
• IDTokenVerifier: fix typo word in Verify function's comment by @​dickynovanto1103 in coreos/go-oidc#266
• also run travis tests under 1.15 by @​mikedanese in coreos/go-oidc#275
• support AWS Cognito, which is not completely OIDC compliant by @​DallanQ in coreos/go-oidc#257
• Added power support by @​dthadi3 in coreos/go-oidc#277
• fix up v2 CI by @​ericchiang in coreos/go-oidc#448
• Switch to maintained go-jose library by @​liggitt in coreos/go-oidc#447

New Contributors

• @​holowinski made their first contribution in coreos/go-oidc#254
• @​dickynovanto1103 made their first contribution in coreos/go-oidc#268
• @​mikedanese made their first contribution in coreos/go-oidc#275
• @​DallanQ made their first contribution in coreos/go-oidc#257
• @​dthadi3 made their first contribution in coreos/go-oidc#277
• @​liggitt made their first contribution in coreos/go-oidc#447

Full Changelog: coreos/go-oidc@v2.2.1...v2.3.0

Commits

• b7e896c Switch to maintained gopkg.in/go-jose/go-jose.v2 library
• a571417 fix up v2 CI
• e05c4c7 Added power support (#277)
• 0a5cd33 Merge pull request #257 from OurRootsOrg/v2
• 8e61fd8 Merge pull request #275 from mikedanese/bump
• a4badd1 also run travis tests under 1.15
• 50700f9 Merge pull request #266 from dickynovanto1103/fix-typo
• 86d950a IDTokenVerifier: fix typo word: preforms to performs
• 638d1d6 Merge pull request #268 from dickynovanto1103/fix-ci
• 2b28d0c add support for AWS Cognito, which returns email_verified as a string instead...
• Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.2.0 to 5.2.1

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.2.1

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See go-chi/chi#963 for related discussion.

What's Changed

• Support the four most recent major versions of Go by @​VojtechVitek in go-chi/chi#969

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

Commits

• 71307f9 Support the four most recent major versions of Go (#969)
• See full diff in compare view

Updates github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.13.2

What's Changed

• plumbing: use the correct user agent string. Fixes #883 by @​uragirii in go-git/go-git#1364
• build: bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-org group by @​dependabot in go-git/go-git#1365
• build: bump the golang-org group with 2 updates by @​dependabot in go-git/go-git#1367
• build: bump github.com/ProtonMail/go-crypto from 1.1.3 to 1.1.4 by @​dependabot in go-git/go-git#1368
• build: bump github.com/go-git/go-billy/v5 from 5.6.1 to 5.6.2 by @​dependabot in go-git/go-git#1378
• build: bump github/codeql-action from 3.28.0 to 3.28.1 by @​dependabot in go-git/go-git#1376
• build: bump github.com/elazarl/goproxy from 1.2.3 to 1.4.0 by @​dependabot in go-git/go-git#1377
• git: worktree, fix restoring dot slash files (backported to v5). Fixes #1176 by @​BeChris in go-git/go-git#1361
• build: bump github.com/pjbgf/sha1cd from 0.3.0 to 0.3.2 by @​dependabot in go-git/go-git#1392
• git: worktree_status, fix adding dot slash files to working tree (backported to v5). Fixes #1150 by @​BeChris in go-git/go-git#1359
• build: bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5 by @​dependabot in go-git/go-git#1383

Full Changelog: go-git/go-git@v5.13.1...v5.13.2

Commits

• 2c68247 Merge pull request #1383 from go-git/dependabot/go_modules/github.com/ProtonM...
• d462c2e Merge pull request #1359 from BeChris/issue1150-v5
• 32ac23a Merge pull request #1392 from go-git/dependabot/go_modules/github.com/pjbgf/s...
• 93e635a build: bump github.com/pjbgf/sha1cd from 0.3.0 to 0.3.2
• b2bb975 git: worktree_status, took into account code review remarks
• 518ac88 git: worktree_status, fix adding dot slash files to working tree (backported ...
• 21b3150 build: bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5
• 189e7e4 Merge pull request #1361 from BeChris/issue1176-v5
• 654815a Merge pull request #1377 from go-git/dependabot/go_modules/github.com/elazarl...
• 91dbdb9 Merge pull request #1376 from go-git/dependabot/github_actions/github/codeql-...
• Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.20.2 to 0.20.3

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.3

What's Changed

• remote/transport: Make bearer transport go-routine-safe by @​2opremio in google/go-containerregistry#1806
• Expose compare package by @​jonjohnsonjr in google/go-containerregistry#2001
• fix: redact.URL uses (*URL).Redacted to omit basic-auth password by @​bmoylan in google/go-containerregistry#1947
• bump actions to latest by @​ajayk in google/go-containerregistry#2011
• don't pin chainguard-dev/actions by @​imjasonh in google/go-containerregistry#2025
• Check for 406 status code when handling referrers API endpoint response by @​malancas in google/go-containerregistry#2026
• mutate: Create a defensive annotations copy by @​jonjohnsonjr in google/go-containerregistry#2030
• Detect zstd in crane append by @​jonjohnsonjr in google/go-containerregistry#2023
• bump deps using hack/bump-deps.sh by @​imjasonh in google/go-containerregistry#2042

New Contributors

• @​bmoylan made their first contribution in google/go-containerregistry#1947
• @​ajayk made their first contribution in google/go-containerregistry#2011
• @​malancas made their first contribution in google/go-containerregistry#2026

Full Changelog: google/go-containerregistry@v0.20.2...v0.20.3

Commits

• c4dd792 bump deps using hack/bump-deps.sh (#2042)
• 6bce25e Detect zstd in crane append (#2023)
• 06dcd85 mutate: Create a defensive annotations copy (#2030)
• a9a53a8 check for 406 status code when handling referrers endpoint response (#2026)
• 4630c40 don't pin chainguard-dev/actions (#2025)
• 808e354 bump actions to latest (#2011)
• a07d1ca fix: redact.URL uses (*URL).Redacted to omit basic-auth password (#1947)
• 00f182b Expose compare package (#2001)
• b8e87ed remote/transport: Make bearer transport go-routine-safe (#1806)
• See full diff in compare view

Updates github.com/open-policy-agent/opa from 0.70.0 to 1.1.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.1.0

This release contains a mix of features, performance improvements, and bugfixes.

Performance Improvements

• ast: Remove jsonOptions from AST nodes and terms (#7281) authored by @​anderseknert
• ast+plugins: Optimize activation of bundles with no inter-bundle path overlap (#7144) authored and reported by @​sqyang94
• bundle: Optimizing rego-version management in bundle activation (#7296) authored by @​johanfylling
• cmd: Don't generate JSON from result in opa bench (#7291) authored by @​anderseknert
• topdown: Adding configurable token cache to io.jwt token verification built-ins (#7274) authored by @​johanfylling
• topdown: Reduce allocations in hot path (#7288) authored by @​anderseknert
• perf: Improvements to terms and built-in functions (#7284) authored by @​anderseknert
• perf: add Regorus ACI benchmark tests (#7298) authored by @​anderseknert
• plugins: Don't use reflect.DeepEqual for errors (#7238) authored by @​anderseknert
• testing: replace reflect.DeepEqual where possible (#7286) authored by @​anderseknert

Topdown and Rego

• topdown: Fix out of range error in numbers.range built-in (#7269) authored by @​anderseknert
• topdown+rego+server: Allow opt-in for evaluating non-det builtins in PE (#6496) authored by @​srenatus

Runtime, Tooling, SDK

• bundle: Add info about the correct rego version to parse modules on the store (#7278) co-authored by @​ashutosh-narkar and @​johanfylling
• bundle+plugins: Fixing issue where bundle plugin could panic on reconfiguration (SDK use) (#7297) authored by @​johanfylling reported by @​carabasdaniel
• cmd: Fix printed representation of ref head rules in opa repl (#7301) authored by @​anderseknert reported by @​tsandall
• cmd: Respect --v0-compatible for opa eval partial eval support modules (#7251) authored by @​johanfylling
• golangci: fix invalid linter-settings configuration name (#7244) authored by @​Juneezee
• plugins/logs: Add support for masking with array keys (#6883) authored by @​charlieegan3
• tester: code nitpicks (#7252) authored by @​srenatus
• util: Add util.Keys and util.KeysSorted (#7285) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Update docker compose file in HTTP API tutorial and use addr for binding (#7264) authored and reported by @​zanliffick
• docs: Make 'ancient' warnings closable (#7253) authored by @​srenatus reported by @​konradzagozda
• docs: Redirect opa-1 to v0-upgrade (#7259) authored by @​charlieegan3
• docs: Use preformatted strings in fmt help (#7263) authored by @​charlieegan3
• docs: Fix typo in k8s primer (#7242) authored by @​vicentinileonardo
• docs: Formatting and wording fixes (#7268) authored by @​kamilturek
• docs: Update output document of Envoy plugin. (#7241) authored by @​regeda

Miscellaneous

• ci(nightly): Remove vendor w/o modproxy check (#7292) authored by @​srenatus
• Dependency updates; notably:
  • build(go): bump to 1.23.5 (7279) authored by @​srenatus
  • build(deps): upgrade github.com/dgraph-io/badger to v4 (4.5.1) (#7239) authored by @​Juneezee
  • build(deps): bump github.com/containerd/containerd from 1.7.24 to 1.7.25
  • build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.1.0

This release contains a mix of features, performance improvements, and bugfixes.

Performance Improvements

• ast: Remove jsonOptions from AST nodes and terms (#7281) authored by @​anderseknert
• ast+plugins: Optimize activation of bundles with no inter-bundle path overlap (#7144) authored and reported by @​sqyang94
• bundle: Optimizing rego-version management in bundle activation (#7296) authored by @​johanfylling
• cmd: Don't generate JSON from result in opa bench (#7291) authored by @​anderseknert
• topdown: Adding configurable token cache to io.jwt token verification built-ins (#7274) authored by @​johanfylling
• topdown: Reduce allocations in hot path (#7288) authored by @​anderseknert
• perf: Improvements to terms and built-in functions (#7284) authored by @​anderseknert
• perf: add Regorus ACI benchmark tests (#7298) authored by @​anderseknert
• plugins: Don't use reflect.DeepEqual for errors (#7238) authored by @​anderseknert
• testing: replace reflect.DeepEqual where possible (#7286) authored by @​anderseknert

Topdown and Rego

• topdown: Fix out of range error in numbers.range built-in (#7269) authored by @​anderseknert
• topdown+rego+server: Allow opt-in for evaluating non-det builtins in PE (#6496) authored by @​srenatus

Runtime, Tooling, SDK

• bundle: Add info about the correct rego version to parse modules on the store (#7278) co-authored by @​ashutosh-narkar and @​johanfylling
• bundle+plugins: Fixing issue where bundle plugin could panic on reconfiguration (SDK use) (#7297) authored by @​johanfylling reported by @​carabasdaniel
• cmd: Fix printed representation of ref head rules in opa repl (#7301) authored by @​anderseknert reported by @​tsandall
• cmd: Respect --v0-compatible for opa eval partial eval support modules (#7251) authored by @​johanfylling
• golangci: fix invalid linter-settings configuration name (#7244) authored by @​Juneezee
• plugins/logs: Add support for masking with array keys (#6883) authored by @​charlieegan3
• tester: code nitpicks (#7252) authored by @​srenatus
• util: Add util.Keys and util.KeysSorted (#7285) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Update docker compose file in HTTP API tutorial and use addr for binding (#7264) authored and reported by @​zanliffick
• docs: Make 'ancient' warnings closable (#7253) authored by @​srenatus reported by @​konradzagozda
• docs: Redirect opa-1 to v0-upgrade (#7259) authored by @​charlieegan3
• docs: Use preformatted strings in fmt help (#7263) authored by @​charlieegan3
• docs: Fix typo in k8s primer (#7242) authored by @​vicentinileonardo
• docs: Formatting and wording fixes (#7268) authored by @​kamilturek
• docs: Update output document of Envoy plugin. (#7241) authored by @​regeda

Miscellaneous

• ci(nightly): Remove vendor w/o modproxy check (#7292) authored by @​srenatus
• Dependency updates; notably:
  • build(go): bump to 1.23.5 (7279) authored by @​srenatus
  • build(deps): upgrade github.com/dgraph-io/badger to v4 (4.5.1) (#7239) authored by @​Juneezee
  • build(deps): bump github.com/containerd/containerd from 1.7.24 to 1.7.25

... (truncated)

Commits

• de28510 Prepare v1.1.0 release
• 2d47dd8 docs: Update generated CLI docs
• 4b8a138 topdown+rego+server: allow opt-in for evaluating non-det builtins in PE (#7313)
• 50a8c96 rego: Fixing broken BenchmarkCustomFunctionInHotPath (#7312)
• 6e83f2a topdown: jwt cache (#7274)
• 211e95d build(deps): bump github/codeql-action from 3.28.3 to 3.28.4
• e682a67 Don't use reflect.DeepEqual for errors (#7311)
• d20dd18 build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 (#7309)
• b032e3b Fixing issue where bundle plugin could panic on reconfiguration (SDK use) (#...
• e47bd4f bundle: Optimizing rego-version management in bundle activation (#7296)
• Additional commits viewable in compare view

Updates github.com/operator-framework/api from 0.27.0 to 0.29.0

Release notes

Sourced from github.com/operator-framework/api's releases.

v0.29.0

What's Changed

• Bump k8s.io/client-go from 0.31.3 to 0.32.0 by @​dependabot in operator-framework/api#384
• Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 by @​dependabot in operator-framework/api#381
• bump golang.org/x/net to 0.34.0 by @​perdasilva in operator-framework/api#387
• Bump to go1.23 by @​perdasilva in operator-framework/api#386
• revert go bump by @​perdasilva in operator-framework/api#389
• Fix go1.33 bump adding toolchain by @​perdasilva in operator-framework/api#390
• bump controller-runtime by @​perdasilva in operator-framework/api#388
• Upgrade indirect dependencies by @​camilamacedo86 in operator-framework/api#391
• Upgrade controller-gen v0.16.1 to v0.17.0 by @​camilamacedo86 in operator-framework/api#392

Full Changelog: operator-framework/api@v0.28.0...v0.29.0

v0.28.0

What's Changed

• Bump k8s.io/client-go from 0.31.0 to 0.31.1 by @​dependabot in operator-framework/api#362
• Bump k8s.io/apiextensions-apiserver from 0.31.0 to 0.31.1 by @​dependabot in operator-framework/api#360
• fix: add missing comment tags for Conditions by @​manusa in operator-framework/api#365
• Bump k8s.io/api from 0.31.1 to 0.31.2 by @​dependabot in operator-framework/api#366
• Bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 by @​dependabot in operator-framework/api#367
• Bump k8s.io/apiextensions-apiserver from 0.31.1 to 0.31.2 by @​dependabot in operator-framework/api#369
• Bump github.com/google/cel-go from 0.20.1 to 0.22.0 by @​dependabot in operator-framework/api#371
• Bump codecov/codecov-action from 4 to 5 by @​dependabot in operator-framework/api#372
• Bump github.com/google/cel-go from 0.22.0 to 0.22.1 by @​dependabot in operator-framework/api#374
• Bump k8s.io/apiextensions-apiserver from 0.31.2 to 0.31.3 by @​dependabot in operator-framework/api#376
• Bump sigs.k8s.io/controller-runtime from 0.19.1 to 0.19.3 by @​dependabot in operator-framework/api#379
• 🌱 Bump go to v1.23.0 by @​perdasilva in operator-framework/api#358

New Contributors

• @​manusa made their first contribution in operator-framework/api#365

Full Changelog: operator-framework/api@v0.27.0...v0.28.0

Commits

• bd94d97 Upgrade controller-gen v0.16.1 to v0.17.0 (#392)
• 61b03f0 Upgrade indirect dependencies (#391)
• e1ecd3a bump controller-runtime (#388)
• 131d38a Fix go1.33 bump adding toolchain
• e8b7796 Revert "Bump to go1.23"
• dd6836d Bump to go1.23
• cbc5604 bump golang.org/x/net to 0.34.0 (#387)
• 4920dbd Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#381)
• 8fae9f5 Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#384)
• 70df85f 🌱 Bump go to v1.23.0 (#358)
• Additional commits viewable in compare view

Updates github.com/tektoncd/pipeline from 0.66.0 to 0.68.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v0.68.0 "LaPerm Giskard Reventlov" LTS

-Docs @ v0.68.0 -Examples @ v0.68.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a666d35f8508100e4c8e112033d805978d152a05eef3872377816f3756a588089

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a666d35f8508100e4c8e112033d805978d152a05eef3872377816f3756a588089
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.0/release.yaml
REKOR_UUID=108e9186e8c5677a666d35f8508100e4c8e112033d805978d152a05eef3872377816f3756a588089
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.68.0@sha256:" + .digest.sha256')
Download the release file
curl "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat: improve step.Script variables references validation message (#8312)

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

• Versions are numbered according to semantic versioning: vX.Y.Z
• A new release is produced on a monthly basis
• Four releases a year are chosen for long term support (LTS). All remaining rele...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.