chains

v0.27.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 6d Pipelines
✓ No known CVEs patched

Summary

AI summary

Migrate metrics to OpenTelemetry, add insecure OCI registry support, and fix CI cherry‑pick workflow.

Changes in this release

Feature Medium

Migrate from OpenCensus to OpenTelemetry for metrics.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Low

Support insecure OCI registry access.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fix duplicate .att/.sig OCI layers for same digest type hints.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Handle signing OCI artifacts in *ARTIFACT_OUTPUTS.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Low

Update DocDB storage logic to resolve issue #1178.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Low

Fix microshift e2e test failures on merge.

Source: llm_adapter@2026-05-28

Confidence: high

Refactor Low

Update cherry-pick CI workflow to fix multi-commit PR handling.

Source: llm_adapter@2026-05-28

Confidence: high

Full changelog

Tekton Chains release v0.27.0

- Docs @ v0.27.0
- Examples @ v0.27.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.27.0/release.yaml
REKOR_UUID=108e9186e8c5677a71df6799eebef48b36c3a91fcb47d8a0bd0d6ed9943b2cbc07271e8cf521366d

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.27.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
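
The loop above prints a result per image but always exits 0 and only checks one direction. The following added example (not part of the Tekton release notes) is a fail-closed variant for use in automation; it goes beyond the page by also flagging digest-pinned images in the release file that the attestation does not cover. The function names, the `registry.example` sample and the premise that every digest-pinned reference in `release.yaml` should be an attested subject are assumptions.

```bash
# Added example, not from the Tekton release notes. The function names and the
# sample data are assumptions made for illustration.

# verify_release_images REFS_FILE RELEASE_YAML
#   REFS_FILE holds one "name:tag@sha256:digest" per line, i.e. the values the
#   jq expression above places in REKOR_ATTESTATION_IMAGES.
# Returns 0 only when both directions match, 1 otherwise.
verify_release_images() {
  local refs_file release_file status ref pinned
  refs_file=$1; release_file=$2; status=0
  # An empty attestation list must fail instead of passing vacuously.
  if ! grep -q . "$refs_file"; then
    echo "no attested images to check" >&2
    return 1
  fi
  # Direction 1 (the page's check): every attested image is in the release file.
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    if ! grep -qF -- "$ref" "$release_file"; then
      echo "attested but not in release file: $ref" >&2
      status=1
    fi
  done < "$refs_file"
  # Direction 2 (added): every digest-pinned image in the release file is attested.
  pinned=$(grep -oE '[^[:space:]"]+@sha256:[0-9a-f]{64}' "$release_file" | sort -u)
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    if ! grep -qxF -- "$ref" "$refs_file"; then
      echo "in release file but not attested: $ref" >&2
      status=1
    fi
  done <<EOF
$pinned
EOF
  return "$status"
}

# Writes a constructed, matching pair of input files into directory $1.
make_constructed_sample() {
  local ref
  # Placeholder digest (63 zeros and a 1), not a real image digest.
  ref="registry.example/chains/controller:v0.27.0@sha256:$(printf '%064d' 1)"
  printf '%s\n' "$ref" > "$1/attested.txt"
  printf '          image: %s\n' "$ref" > "$1/release.yaml"
}
```

To use it with the steps above, write `$REKOR_ATTESTATION_IMAGES` to a file with `printf '%s\n' $REKOR_ATTESTATION_IMAGES > attested.txt` and call `verify_release_images attested.txt release.yaml`.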

Changes

Features

  • :sparkles: feat(metrics): Migrate from OpenCensus to OpenTelemetry (#1550)

  • :sparkles: feat(oci): support insecure OCI registry (#1374)

Fixes

  • :bug: Fix duplicate .att/.sig OCI layers for same digest type hints (#1601)

  • :bug: Handle signing OCI artifacts in *ARTIFACT_OUTPUTS (#1578)

  • :bug: chore(ci): update cherry-pick workflow to fix multi-commit PRs (#1539)

  • :bug: Fix- Update Docdb storage logic (issue #1178) (#1505)

  • :bug: fix: microshift e2e test failures on merge (#1500)

Misc

  • :hammer: includes dependency and doc updates

Thanks

Thanks to these contributors who contributed to v0.27.0!

  • :heart: @AlanGreene
  • :heart: @ab-ghosh
  • :heart: @anithapriyanatarajan
  • :heart: @app/dependabot
  • :heart: @bradbeck
  • :heart: @emmanuel-ferdman
  • :heart: @enarha
  • :heart: @infernus01
  • :heart: @jkhelil
  • :heart: @l-qing
  • :heart: @ngelman1
  • :heart: @socialsister
  • :heart: @vdemeester

Extra shout-out for awesome release notes:

  • :heart_eyes: @AlanGreene
  • :heart_eyes: @ab-ghosh
  • :heart_eyes: @anithapriyanatarajan
  • :heart_eyes: @app/dependabot
  • :heart_eyes: @bradbeck
  • :heart_eyes: @emmanuel-ferdman
  • :heart_eyes: @enarha
  • :heart_eyes: @infernus01
  • :heart_eyes: @jkhelil
  • :heart_eyes: @l-qing
  • :heart_eyes: @ngelman1
  • :heart_eyes: @socialsister
  • :heart_eyes: @vdemeester

About chains

Supply Chain Security in Tekton Pipelines
