Release history
chains releases
Supply Chain Security in Tekton Pipelines
- CVE-2026-34986
- CVE-2026-33211
- CVE-2026-33186
- Docs @ v0.26.3
- Examples @ v0.26.3
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml
Attestation
The Rekor UUID for this release is 108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.3@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
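# grep -F matches the image reference literally; printf '%s' keeps it out of the format string
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done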
Changes
Security Fixes
- :hammer: [Release-v0.26.x] fix: CVE-2026-34986, CVE-2026-33211, & CVE-2026-33186 (#1630)
Thanks
Thanks to these contributors who contributed to v0.26.3!
- :heart: @anithapriyanatarajan
- :heart: @infernus01
Extra shout-out for awesome release notes:
- :heart_eyes: @anithapriyanatarajan
- :heart_eyes: @infernus01
- CVE-2026-34986
- CVE-2026-33211
- CVE-2025-66506
Tekton Chains release v0.25.2
- Docs @ v0.25.2
- Examples @ v0.25.2
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml
Attestation
The Rekor UUID for this release is 108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
Obtain the attestation:
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.2@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
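# grep -F matches the image reference literally; printf '%s' keeps it out of the format string
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done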
Changes
Features
Fixes
Misc
- :hammer: [release-v0.25.x] fix: ci action for release branch (#1632)
- :hammer: [Release-v0.25.x] fix: CVE-2026-34986, CVE-2026-33211, CVE-2025-66506, & CVE-2026-33186 (#1631)
Docs
Thanks
Thanks to these contributors who contributed to v0.25.2!
- :heart: @anithapriyanatarajan
- :heart: @infernus01
Extra shout-out for awesome release notes:
- :heart_eyes: @anithapriyanatarajan
- :heart_eyes: @infernus01
- Dependency updates address CVE-2026-24137
- cosign upgrade to 2.6.2 addresses CVE-2025-66564 and CVE-2025-66506
- CVE-2025-66506
- CVE-2025-66506