🎉 Enforce resource verification, GA policy documented and Custom Task Beta 🎉

-Docs @ v0.42.0
-Examples @ v0.42.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.42.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a92f523df8531edb5cb063ec9ef24a9e652e0643ff0f7ac9ce89edc8aa9395ffd

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a92f523df8531edb5cb063ec9ef24a9e652e0643ff0f7ac9ce89edc8aa9395ffd
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.42.0/release.yaml
REKOR_UUID=24296fb24b8ad77a92f523df8531edb5cb063ec9ef24a9e652e0643ff0f7ac9ce89edc8aa9395ffd

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.42.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Make the webhook port number configurable (#5696)

The port on which the webhook server listens may be configured via the WEBHOOK_PORT environment variable.

• ✨ Set ConfigSource in clusterresolver (#5687)

Set source value for cluster resource to link back its origin i.e. url and checksum.

• ✨ Set ConfigSource in bundleresolver (#5684)

ociresolver captures correct source information about where remote image came from.

• ✨ Feature flag for provenance field in status (#5670)

Added a new boolean feature flag named "enable-provenance-in-status" in feature-flags configmap to enable the provenance field in status to be populated. This field in status aims to record authenticated metadata about how a software artifact was built i.e. the source where remote resource came from.

• ✨ Set ConfigSource in gitresolver (#5664)

Set ConfigSource value for gitresolver to record the source where the remote resource came from.

• ✨ TEP-0114: Reconciler, event, config, webhook support for CustomRuns (#5662)

Reconciler, event, config, and webhook support for CustomRuns

• ✨ [TEP-0091] Add Verification at reconciler (#5581)

Trusted Resource feature enable tekton pipeline to verify the resources resolved from resolver. With trusted resource feature, users can configure public keys in configmap and choose to turn on/off this feature via feature flag resource-verification-mode. This commit enables mount public key files as secrets into Pipeline and used for verification. Taskrun/Pipelinerun that fail the verification will be marked as failed and be stopped from execution if resource-verification-mode is set to enforce

• ✨ Populate the field (#5397)

Populate the TaskRun/PipelineRun's Status.Provenance.ConfigSource field with the value from the remote ResolutionRequest Status.

Note: the feature flag enable-provenance-in-status needs to be set to "true" to enable this provenance field to be populated & available in *Run.Status.

• ✨ Bring Retries and RetriesStatus back (#5765)

Fixes

• 🐛 Add conversion config to ResolutionRequest CRD (#5742)

Properly configures conversion from v1alpha1.ResolutionRequest to v1beta1.ResolutionRequest

• 🐛 fix: the pipelinerun never done due to repeated workspace (#5724)

Check for duplicate workspaces of pipeline task.

• 🐛 Remove logging.request-log-template from resolvers config-observability CM (#5717)

Clean up example configuration in config-observability configmap for tekton-pipelines-resolvers namespace

• 🐛 Fixes default value for enabling resolvers (#5725)
• 🐛 Fix TaskRef and PipelineRef name with Resolver Conversion (#5702)

Misc

• 🔨 TEP-0114 Serve Custom Task Beta (#5780)

Custom Task Beta is available.

• 🔨 Use SchemeGroupVersion for tekton objects in cluster resolver (#5705)

Use v1beta1.SchemeGroupVersion.String() for the APIVersion field in the tekton object retrieved by cluster resolver.

• 🔨 fix cloud event flaky unit tests by adding waitgroup to fakeclient (#5690)

Fix cloud event flacky unit tests by adding EventSender

• 🔨 Add unit tests for bundle resolver (#5704)

Add unit test for bundle resolver

• 🔨 Add GA API policy and describe feature gates (#5634)

Updates API compatibility policy for the V1 api version

• 🔨 main branch's codegen is out of sync. (#5764)
• 🔨 fix knative downstream tests (#5763)
• 🔨 TEP-0114: Stop serving v1beta1.CustomRun until we align on Retries (#5736)
• 🔨 Order methods to appear next to their receiving types (#5733)
• 🔨 [upgrade test] Change to Kind cluster and Unfixed upgrade test release version (#5726)
• 🔨 Remove retriesStatus from CustomRunStatus (#5719)
• 🔨 Add RunReason and CustomRunReason (#5718)
• 🔨 Stop using copy-paste of old git-clone catalog task in examples/tests (#5712)
• 🔨 Bump k8s.io/code-generator from 0.25.2 to 0.25.4 (#5762)
• 🔨 Bump k8s.io/client-go from 0.25.3 to 0.25.4 (#5761)
• 🔨 Bump k8s.io/api from 0.25.3 to 0.25.4 (#5759)
• 🔨 Bump github.com/containerd/containerd from 1.6.9 to 1.6.10 (#5758)
• 🔨 Bump k8s.io/apimachinery from 0.25.3 to 0.25.4 (#5745)
• 🔨 Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 (#5743)
• 🔨 Bump golang.org/x/oauth2 from 0.1.0 to 0.2.0 (#5739)
• 🔨 Bump golang.org/x/crypto from 0.1.0 to 0.2.0 (#5738)
• 🔨 Bump go.opencensus.io from 0.23.0 to 0.24.0 (#5731)
• 🔨 Rename v1beta1 clients for test (#5701)
• 🔨 Bump github.com/jenkins-x/go-scm from 1.11.29 to 1.11.35 (#5642)

Docs

• 📖 Update Roadmap with link to project board (#5735)
• 📖 Add finallystarttime to PipelineRun status docs (#5729)
• 📖 Update README and releases for v0.41.0 (#5698)
• 📖 TEP-0114: Custom Task Beta - User Guide (#5677)

Thanks

Thanks to these contributors who contributed to v0.42.0!

• ❤️ @JeromeJu
• ❤️ @ScrapCodes
• ❤️ @XinruZhang
• ❤️ @Yongxuanzhang
• ❤️ @abayer
• ❤️ @afrittoli
• ❤️ @chuangw6
• ❤️ @cugykw
• ❤️ @dependabot[bot]
• ❤️ @dibyom
• ❤️ @imjasonh
• ❤️ @jerop
• ❤️ @lbernick
• ❤️ @sel
• ❤️ @sm43
• ❤️ @urbanikb

Extra shout-out for awesome release notes:

• 😍 @XinruZhang
• 😍 @Yongxuanzhang
• 😍 @abayer
• 😍 @chuangw6
• 😍 @cugykw
• 😍 @dibyom
• 😍 @sel