What's new in chart-v0.2.36
This is a metadata-only chart bump: appVersion advances from 0.7.0 to 0.7.1, the default image.tag now resolves to ghcr.io/robintra/perf-sentinel:0.7.1, and the artifacthub.io/changes annotation refreshes to surface the SLSA build provenance migration on Artifact Hub. No chart-level template diff, no values.yaml schema change, no new RBAC, no new optional ConfigMap or Secret, no .perf-sentinel.toml review needed. The chart-v0.2.35 surface is preserved byte-for-byte.
The 0.7.1 daemon image is a supply-chain maintenance release. It migrates the SLSA build provenance tooling from slsa-framework/slsa-github-generator@v2.1.0 (in de-facto maintenance since 2025-02-24, internal actions stuck on Node.js 20 while GitHub-hosted runners switch to Node 24 default on 2 June 2026) to GitHub-native actions/attest-build-provenance. Attestations now live on the GitHub attestations API instead of the previous release asset multiple.intoto.jsonl, the SLSA level claim moves from L2 to L3 (the new action produces a level-3 attestation by construction), and the verification recipe changes from slsa-verifier verify-artifact to gh attestation verify. Full release notes for the daemon at v0.7.1.
Breaking change for downstream CI pipelines verifying perf-sentinel binaries: a script that did curl ... multiple.intoto.jsonl && slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl ... no longer works on 0.7.1+ binaries. Migration recipe:
gh attestation verify perf-sentinel-linux-amd64 \
--owner robintra \
--repo perf-sentinelRequires gh CLI 2.49+. The chart itself does not exercise gh attestation verify, so a chart-level helm upgrade is metadata-only on every side, but a downstream pipeline that consumes the perf-sentinel binary attestation must update its verification command before pulling the 0.7.1 image.
Changed
appVersionbumped from0.7.0to0.7.1, defaultimage.tagnow resolves toghcr.io/robintra/perf-sentinel:0.7.1.artifacthub.io/changesannotation refreshed to surface the SLSA build provenance migration on Artifact Hub.- No chart-level config change.
values.yaml, every template, theServiceMonitorrendering, theNetworkPolicyrendering, the optional[daemon.ack]and[daemon.cors]plumbing, and theack-toml-baselinemount are byte-for-byte identical to chart-v0.2.35.
Behavior
- Daemon binary side: SLSA build provenance migrated from
slsa-github-generatortoactions/attest-build-provenance. Attestations stored in the GitHub attestations API, verifiable viagh attestation verify <binary> --owner robintra --repo perf-sentinel. The release no longer ships amultiple.intoto.jsonlasset. - Daemon binary side: SLSA level claim bumped from L2 to L3. Reflected in
integrity.binary_attestation.slsa_levelof any disclosure produced by the 0.7.1 binary. - Daemon binary side:
verify-hashhint updated. The PARTIAL skip detail now suggestsgh attestation verifyinstead ofslsa-verifier verify-artifact. PARTIAL exit code (2) triggers onghCLI absent instead ofslsa-verifierabsent. - No HTTP-shape change on the daemon side. Every
/api/*route, every/metricsline, the OTLP HTTP and gRPC routes and every JSON shape are byte-for-byte identical to chart-v0.2.35 for already-clean inputs. - No upgrade hook required, no on-disk migration. The runtime ack store JSONL schema is unchanged. Existing acks survive the upgrade.
Install
helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.36Upgrade an existing release:
helm upgrade perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel --version 0.2.36The bump is metadata-only on the chart side, no .perf-sentinel.toml edit required, but a downstream pipeline that verifies perf-sentinel binaries through SLSA must replace slsa-verifier verify-artifact with gh attestation verify before the upgraded daemon image rolls out.
Full Changelog: chart-v0.2.35...chart-v0.2.36