v1.27.0 Release 2026-03-05

Update Notice

In this Release we activated two feature-flags:

• FF_KANIKO_RUN_MOUNT_SECRET
• FF_KANIKO_OCI_STAGES

This will allow you to use the type=secret mount option in your dockerfile RUN steps.

RUN --mount=type=secret,id=netrc,target=/root/.netrc \
  uv pip install -r requirements.txt

Note: The secret is not stored securely during the build and may be recoverable by other RUN steps even without explicitly mounting it. It should therefore not be considered confidential within the context of the build. The secret is never added to the image and never pushed.

Note: The mediatype of your output image might change from dockerv2 to ociv1, if it's a multistage build and the base image is ociv1, as we no longer enforce dockerv2 during stage transitions.

You can roll-back those changes by overriding them in the environment ie.

job:
  variables:
    FF_KANIKO_RUN_MOUNT_SECRET: "0"
    FF_KANIKO_OCI_STAGES: "0"

Please also notify us by filing a new issue.

We further deprecated these feature-flags and cli-options:

• FF_KANIKO_RUN_MOUNT_CACHE
• FF_KANIKO_NEW_CACHE_LAYOUT
• --skip-unused-stages

They have no effect and can be removed.

If you rely on --skip-unused-stages to build multiple stages, you can now explicitly target multiple stages in a single build instead:

--target final --target test

Note: The order is important to avoid accidentally pushing the wrong image. The convention introduced here is that the first target listed denotes the image that will be pushed, if a push is desired. There is currently no option to push multiple targets.

Community Update

Many thanks to @sentoz for reporting an issue fixed in this release.

What's Changed

Security

• go.opentelemetry.io/otel/sdk 1.39.0: CVE-2026-24051
• github.com/cloudflare/circl 1.6.1: CVE-2026-1229

Bugfixes

• FF_KANIKO_CLEAN_KANIKO_DIR=true --cleanup causes push to fail: #532

Performance

• allow squashing pure copydependencies again: #488

Usability

• multitarget builds - part 1: #485
• activate featureflags for v1.27.0 release: #554

Maintenance

• chore(deps): bump github.com/google/go-containerregistry from 0.20.7 to 0.21.2: #519 #525 #544
• chore(deps): bump google.golang.org/api from 0.267.0 to 0.269.0: #522 #528
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.1 to 1.41.3: #521 #547
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.9 to 1.32.11: #521 #547
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager from 0.1.4 to 0.1.7: #521 #538 #547
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.0 to 1.96.3: #521 #538 #547
• chore(deps): bump github.com/go-git/go-billy/v5 from 5.7.0 to 5.8.0: #526
• chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0: #527
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.0: #530
• chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3: #531
• chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0: #534
• chore(deps): bump docker/setup-docker-action from 4.7.0 to 5.0.0: #543
• chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.0: #548
• chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0: #546
• chore(deps): bump docker/login-action from 3 to 4: #545
• chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login from 0.11.0 to 0.12.0: #541
• chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0: #540
• chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0: #558
• chore(deps): bump github.com/moby/moby/api from 1.53.0 to 1.54.0: #557
• chore(deps): bump dominikh/staticcheck-action from 1.4.0 to 1.4.1: #556
• chore(deps): bump github.com/docker/cli from 29.2.1+incompatible to 29.3.0+incompatible: #555

Fork Related

• docs: #517 #536

Refactorings

• cache-lookahead refactoring - part 2: #518
• drop redundant saveStage function: #520
• minor fixes: #537