github mattrobinsonsre/terrapod v0.49.2

4 hours ago

Patch release correcting how the SBOM attestation is published so it is discoverable and verifiable alongside the image signatures and SLSA provenance shipped in v0.49.0.

Bug Fixes

  • SBOM attestation now published as an OCI 1.1 referrer — the per-image SPDX SBOM was previously attached via cosign attest, which writes the legacy .att tag that neither cosign verify-attestation nor gh attestation verify reads as a referrer. It is now attached with actions/attest-sbom (push-to-registry), the same discovery path as the SLSA provenance, so gh attestation verify oci://<image> --repo mattrobinsonsre/terrapod --predicate-type https://spdx.dev/Document succeeds. Image + Helm-chart signatures and SLSA provenance were already verifiable and are unchanged. (#626)
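The discovery difference behind this fix, as an added example that is not terrapod's own code: a legacy `cosign attest` tag names the subject digest only, while an OCI 1.1 referrers index lets a verifier select the SBOM attestation by its in-toto `predicateType`. All digests, the registry lookup and the `artifactType` value are constructed stand-ins, and the DSSE envelopes are unsigned (signature checking is outside the scope of this snippet).

```python
import base64
import json

SPDX_PREDICATE = "https://spdx.dev/Document"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"
IMAGE_DIGEST = "sha256:" + "ab" * 32  # constructed placeholder, not a real terrapod digest


def legacy_att_tag(image_digest: str) -> str:
    """Tag the legacy `cosign attest` path writes next to the image:
    ':' becomes '-' and '.att' is appended. The tag identifies the subject
    only; nothing in it says which predicate type the attestation carries."""
    algo, hexdigest = image_digest.split(":", 1)
    return f"{algo}-{hexdigest}.att"


def dsse_envelope(predicate_type: str, subject_digest: str) -> dict:
    """Constructed, unsigned DSSE envelope wrapping an in-toto v1 statement."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "<image>", "digest": {"sha256": subject_digest.split(":", 1)[1]}}],
        "predicateType": predicate_type,
        "predicate": {},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}


def select_by_predicate(index: dict, subject_digest: str, predicate_type: str, fetch_envelope) -> list:
    """Walk an OCI 1.1 referrers index and keep referrers whose DSSE statement
    names both the expected subject digest and the wanted predicateType.
    `fetch_envelope(digest)` stands in for pulling the referrer's blob."""
    want_hex = subject_digest.split(":", 1)[1]
    matches = []
    for manifest in index["manifests"]:
        stmt = json.loads(base64.b64decode(fetch_envelope(manifest["digest"])["payload"]))
        subjects = {s["digest"].get("sha256") for s in stmt["subject"]}
        if want_hex in subjects and stmt["predicateType"] == predicate_type:
            matches.append(manifest["digest"])
    return matches


def demo() -> list:
    """SBOM and SLSA referrers attached to the same image; select only the SBOM."""
    blobs = {"sha256:" + "01" * 32: dsse_envelope(SPDX_PREDICATE, IMAGE_DIGEST),
             "sha256:" + "02" * 32: dsse_envelope(SLSA_PREDICATE, IMAGE_DIGEST)}
    index = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
             "manifests": [{"mediaType": "application/vnd.oci.image.manifest.v1+json",
                            "digest": d, "size": 0,
                            "artifactType": "application/vnd.example.attestation+json"}  # assumed value
                           for d in blobs]}
    return select_by_predicate(index, IMAGE_DIGEST, SPDX_PREDICATE, blobs.__getitem__)
```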

Verifying

See Supply-chain verification. All artifacts in this release were verified end-to-end: image signature, chart signature, SBOM (referrer), and SLSA build provenance.

Status

Beta — production-capable; APIs stabilising.

Full Changelog: v0.49.1...v0.49.2
