Releases: shipwright-io/build
Shipwright Build release v0.14.0
Release changes since v0.13.0
Features
#1723 by @SaschaSchwarze0: The sample build strategy for BuildKit now uses the latest BuildKit release instead of its nightly build
#1702 by @HeavyWombat: Added flag to bundle-step and git-step command to print a file listing when pull and unpack of the source bundle, or Git clone is complete.
#1683 by @dorzel: Added NodeSelector on Build and BuildRun objects, which enables specifying the scheduling behavior of TaskRuns.
#1646 by @karanibm6: You can now run a post-installation step to migrate the storage version of the custom resources
#1600 by @SaschaSchwarze0: The sample build strategies now use imagePullPolicy=Always for the BuildAh steps to ensure the latest available image version is always used
#1588 by @SaschaSchwarze0: You can now easily determine that your BuildRun failed because a step went out of memory as the reason is now set to StepOutOfMemory
#1489 by @karanibm6: Vulnerability Scanning Implementation
Fixes
#1700 by @SaschaSchwarze0: The image-processing step now retries the vulnerability scan using Trivy if that failed to download the vulnerability database due to rate-limiting
#1699 by @HeavyWombat: Fixed an issue when unpacking a code bundle that contains a non-writable sub-directory.
#1634 by @aleskandro: Add sample build strategy to orchestrate multi-arch container image builds. The service account executing this build strategy must have the ability to manage Jobs and Pods, as well as have the ability to exec into Pods.
#1628 by @HeavyWombat: The bundle prune option now also supports the legacy registry endpoints for both DockerHub and IBM Container Registry in its registry detection routine.
#1623 by @SaschaSchwarze0: The controller now does not panic when no vulnerabilities are found, also severity is correctly parsed
#1569 by @SaschaSchwarze0: An Alpha Build where spec.dockerfile is set to "", is now transformed to a Beta Build without the dockerfile parameter to behave like in Alpha
#1566 by @SaschaSchwarze0: The usage of different secrets or secret keys as values inside one array parameter is now possible
API Changes
#1683 by @dorzel: Added NodeSelector on Build and BuildRun objects, which enables specifying the scheduling behavior of TaskRuns.
#1489 by @karanibm6: Vulnerability Scanning Implementation
Docs
Misc
#1727 by @SaschaSchwarze0: The supported Kubernetes versions are now v1.29 to v1.31
#1710 by @SaschaSchwarze0: The new minimum Tekton version is v0.56
#1704 by @shipwright-ci-bot: Update to the new latest Tekton LTS release v0.65.0
#1697 by @shipwright-ci-bot: Update to the new latest Tekton LTS release v0.62.4
#1671 by @SaschaSchwarze0: We now build Shipwright Build with the latest Tekton LTS version
#1649 by @SaschaSchwarze0: Shipwright Build is now validated on the oldest supported and the newest available Tekton LTS releases
#1629 by @SaschaSchwarze0: The kaniko-trivy sample build strategy is removed as you can now enable a vulnerability scan for the image in the output section of your Build or BuildRun
Shipwright Build release v0.14.0-rc0
Draft Release changes since v0.13.0
Features
#1723 by @SaschaSchwarze0: The sample build strategy for BuildKit now uses the latest BuildKit release instead of its nightly build
#1702 by @HeavyWombat: Added flag to bundle-step and git-step command to print a file listing when pull and unpack of the source bundle, or Git clone is complete.
#1683 by @dorzel: Added NodeSelector on Build and BuildRun objects, which enables specifying the scheduling behavior of TaskRuns.
#1646 by @karanibm6: You can now run a post-installation step to migrate the storage version of the custom resources
#1600 by @SaschaSchwarze0: The sample build strategies now use imagePullPolicy=Always for the BuildAh steps to ensure the latest available image version is always used
#1588 by @SaschaSchwarze0: You can now easily determine that your BuildRun failed because a step went out of memory as the reason is now set to StepOutOfMemory
#1489 by @karanibm6: Vulnerability Scanning Implementation
Fixes
#1700 by @SaschaSchwarze0: The image-processing step now retries the vulnerability scan using Trivy if that failed to download the vulnerability database due to rate-limiting
#1699 by @HeavyWombat: Fixed an issue when unpacking a code bundle that contains a non-writable sub-directory.
#1628 by @HeavyWombat: The bundle prune option now also supports the legacy registry endpoints for both DockerHub and IBM Container Registry in its registry detection routine.
#1623 by @SaschaSchwarze0: The controller now does not panic when no vulnerabilities are found, also severity is correctly parsed
#1569 by @SaschaSchwarze0: An Alpha Build where spec.dockerfile is set to "", is now transformed to a Beta Build without the dockerfile parameter to behave like in Alpha
#1566 by @SaschaSchwarze0: The usage of different secrets or secret keys as values inside one array parameter is now possible
API Changes
#1489 by @karanibm6: Vulnerability Scanning Implementation
Docs
Misc
#1727 by @SaschaSchwarze0: The supported Kubernetes versions are now v1.29 to v1.31
#1710 by @SaschaSchwarze0: The new minimum Tekton version is v0.56
#1704 by @shipwright-ci-bot: Update to the new latest Tekton LTS release v0.65.0
#1697 by @shipwright-ci-bot: Update to the new latest Tekton LTS release v0.62.4
#1671 by @SaschaSchwarze0: We now build Shipwright Build with the latest Tekton LTS version
#1649 by @SaschaSchwarze0: Shipwright Build is now validated on the oldest supported and the newest available Tekton LTS releases
#1634 by @aleskandro: Add sample build strategy to orchestrate multi-arch container image builds. The service account executing this build strategy must have the ability to manage Jobs and Pods, as well as have the ability to exec into Pods.
#1629 by @SaschaSchwarze0: The kaniko-trivy sample build strategy is removed as you can now enable a vulnerability scan for the image in the output section of your Build or BuildRun
Shipwright Build release v0.13.0
Release changes since v0.12.0
Features
#1471 by @HeavyWombat: Git and Bundle sources now produce additional status fields in a BuildRun to return the commit timestamp of the commit being used, or the image/source timestamp of Bundle images respectively.
#1448 by @SaschaSchwarze0: action required: after you upgraded from v0.12 to v0.13, you can run the following two commands to remove unnecessary permissions: kubectl delete crb shipwright-build-webhook && kubectl delete cr shipwright-build-webhook
#1435 by @SaschaSchwarze0: Controllers now use Tekton's V1 API to create and access the TaskRun that backs a BuildRun
Fixes
#1499 by @SaschaSchwarze0: You can now patch a completed BuildRun on the Beta API without removing its status
#1486 by @SaschaSchwarze0: A BuildRun object in v1alpha1 version is now correctly converted to v1beta1 when it has .spec.serviceAccount.generate set to true
#1429 by @SaschaSchwarze0: You can now use files and directories with two subsequent dots in their names when using an OCI artifact as source
API Changes
#1504 by @SaschaSchwarze0: You can now define a Build without any source. This is for example useful when you want to run this build only with local source. Also, some corrections have been made to the Go types.
#1463 by @qu1queee: Set the storage version to v1beta1 and update Shipwright controllers to operate on the same.
#1441 by @SaschaSchwarze0: The Build in the beta API has been corrected so that when defining .spec.source.git, then .spec.source.git.url is mandatory.
Docs
#1461 by @qu1queee: Add ADOPTERS doc
#1460 by @qu1queee: Add ROADMAP doc
Misc
#1593 by @openshift-cherrypick-robot: The usage of different secrets or secret keys as values inside one array parameter is now possible
#1591 by @openshift-cherrypick-robot: An Alpha Build where spec.dockerfile is set to "", is now transformed to a Beta Build without the dockerfile parameter to behave like in Alpha
#1552 by @qu1queee: Improve conversion webhook logging
#1513 by @SaschaSchwarze0: The minimum Kubernetes version is now 1.27. The minimum Tekton version is 0.50.
#1509 by @HeavyWombat: Output image section now supports an optional timestamp field, which can be used to change the image creation timestamp, i.e. use the string "SourceTimestamp" to set the output image creation timestamp to the timestamp of the source.
#1495 by @SaschaSchwarze0: Shipwright Build is now compiled with Go 1.21
Shipwright Build release v0.13.0-rc0
Changes since v0.12.0
Features
#1471 by @HeavyWombat: Git and Bundle sources now produce additional status fields in a BuildRun to return the commit timestamp of the commit being used, or the image/source timestamp of Bundle images respectively.
#1448 by @SaschaSchwarze0: action required: after you upgraded from v0.12 to v0.13, you can run the following two commands to remove unnecessary permissions: kubectl delete crb shipwright-build-webhook && kubectl delete cr shipwright-build-webhook
#1435 by @SaschaSchwarze0: Controllers now use Tekton's V1 API to create and access the TaskRun that backs a BuildRun
Fixes
#1499 by @SaschaSchwarze0: You can now patch a completed BuildRun on the Beta API without removing its status
#1486 by @SaschaSchwarze0: A BuildRun object in v1alpha1 version is now correctly converted to v1beta1 when it has .spec.serviceAccount.generate set to true
#1429 by @SaschaSchwarze0: You can now use files and directories with two subsequent dots in their names when using an OCI artifact as source
API Changes
#1504 by @SaschaSchwarze0: You can now define a Build without any source. This is for example useful when you want to run this build only with local source. Also, some corrections have been made to the Go types.
#1463 by @qu1queee: Set the storage version to v1beta1 and update Shipwright controllers to operate on the same.
#1441 by @SaschaSchwarze0: The Build in the beta API has been corrected so that when defining .spec.source.git, then .spec.source.git.url is mandatory.
Docs
#1461 by @qu1queee: Add ADOPTERS doc
#1460 by @qu1queee: Add ROADMAP doc
Misc
#1552 by @qu1queee: Improve conversion webhook logging
#1513 by @SaschaSchwarze0: The minimum Kubernetes version is now 1.27. The minimum Tekton version is 0.50.
#1509 by @HeavyWombat: Output image section now supports an optional timestamp field, which can be used to change the image creation timestamp, i.e. use the string "SourceTimestamp" to set the output image creation timestamp to the timestamp of the source.
#1495 by @SaschaSchwarze0: Shipwright Build is now compiled with Go 1.21
Shipwright Build release v0.12.0
Release changes since v0.11.0
Features
#1398 by @apoorvajagtap: The Strategy struct does not have an APIVersion field anymore.
#1384 by @SaschaSchwarze0: Installing a nightly release now requires you to run a post-script that sets up the TLS certificate of the conversion webhook
#1370 by @apoorvajagtap: The BuildAh sample build strategies no longer run privileged containers
#1342 by @SaschaSchwarze0: The shipwright-build namespace is now configured to enforce restricted PodSecurity. The shipwright-build-controller deployment was updated to fulfill all requirements.
#1323 by @SaschaSchwarze0: Buildpacks sample build strategies are updated to the latest Heroku version and a newer platform API version
#1302 by @qu1queee: Introduce conversion-webhook to convert SHP Custom Resources from v1beta1 to v1alpha1.
#1268 by @SaschaSchwarze0: Introduce a common base image for all supporting steps
#1266 by @SaschaSchwarze0: You can now define a securityContext on build strategy level to control the runAs user for all steps including the shipwright-managed steps. This allows you to use any runAs user for your build strategy steps while still being able to run without any runAsRoot steps.
#1235 by @qu1queee: API additions: Introduce Shipwright Build v1beta1 API types
#1046 by @SaschaSchwarze0: Shipwright is now capable of pushing the image built by the strategy steps to the container registry
Fixes
#1407 by @qu1queee: Downgrade k8s.io/utils/ptr to k8s.io/utils/pointer due to dependency conflicts with controller-runtime pkg
#1390 by @isibeni: The logic to detect whether a BuildRun failed due to an evicted Pod was improved
#1277 by @SaschaSchwarze0: The platform support for the ko build strategy is functional again
#1239 by @mjgallag: Fix buildkit cluster build strategy's cache import from insecure registry.
#1219 by @SaschaSchwarze0: The ko sample build strategy now makes the source directory a Git safe directory so that Go builds can retrieve version control information
#1176 by @HeavyWombat: The Git source step of a build strategy now returns a more elaborate error in case basic authentication (username and password) is used in combination with an HTTP URI. Instead of a generic error, an error message with an explanation is presented to be more clear and helpful. Also, inline credentials used in the URL will be redacted in the log output.
#1156 by @dalbar: Fixes cancelation of buildruns without a build reference.
API Changes
#1403 by @qu1queee: Add conversion logic for local type of sources. BuildRun CRs now support a .spec.source object that can only be of the type Local. Build CRs now make it explicit on support for the .spec.source of the type Local.
#1266 by @SaschaSchwarze0: You can now define a securityContext on build strategy level to control the runAs user for all steps including the shipwright-managed steps. This allows you to use any runAs user for your build strategy steps while still being able to run without any runAsRoot steps.
#1235 by @qu1queee: API additions: Introduce Shipwright Build v1beta1 API types
#1046 by @SaschaSchwarze0: Shipwright is now capable of pushing the image built by the strategy steps to the container registry
Docs
#1403 by @qu1queee: Add conversion logic for local type of sources. BuildRun CRs now support a .spec.source object that can only be of the type Local. Build CRs now make it explicit on support for the .spec.source of the type Local.
#1388 by @apoorvajagtap: Documentation was updated to describe the beta version of the custom resources
#1196 by @qu1queee: Marks BuildSpec volumes description field as deprecated.
#1117 by @dheerajodha: Deprecated support for passwords. Use Personal Access Tokens instead.
Misc
#1401 by @SaschaSchwarze0: Updates google.golang.org/grpc to address CVE-2023-44487
#1397 by @SaschaSchwarze0: The supported Kubernetes releases are now 1.25 to 1.28. The supported Tekton versions are 0.47 and 0.50
#1371 by @qu1queee: Add action to cleanup nightly assets regularly
#1362 by @SaschaSchwarze0: The BuildKit sample build strategy now does not cause BuildKit to tar the image to then untar it
#1361 by @SaschaSchwarze0: The Kaniko sample build strategy now uses the --snapshot-mode and --tar-path command line flags instead of the deprecated --snapshotMode and --tarPath
#1351 by @SaschaSchwarze0: Golang 1.20 is used to compile
#1202 by @SaschaSchwarze0: Updated the Kubernetes support to v1.24, v1.25, and v1.26, and Tekton to v0.41 and v0.44.
Shipwright Build release v0.11.0
Fixes
#1112 by @SaschaSchwarze0: The ko sample build strategy was fixed to download from the ko-build organization.
#1081 by @SaschaSchwarze0: Secret names which had a dash at the 59th characters could not be used for a bundle source because of an error in the translation of secret into volume names
API Changes
#1008 by @otaviof: Adding the API for Shipwright Triggers, an event-driven approach to instantiate new builds. This is preparation work for the Triggers project
#1111 by @adambkaplan: The following features are deprecated: 1) Multiple sources for builds, 2) HTTP artifact downloads, 3) Status validations for Builds, 4) Providing a builder image in a Build, 5) Providing the path to a Dockerfile in a Build, 6) Generating service accounts in a BuildRun.
Misc
#1108 by @SaschaSchwarze0: Sample build strategies updated to use BuildAh v1.27, Kaniko v1.9, Crane v0.11, Trivy v0.31.3, and UBI9
#1093 by @SaschaSchwarze0: Updated the support statement to the current Kubernetes and Tekton version
#1086 by @SaschaSchwarze0: The base image of our released images are now based on UBI 9
#1077 by @SaschaSchwarze0: The sample build strategies are using the latest v1.26.0 BuildAh version.
Shipwright Build release v0.10.0
Features
#1068 by @SaschaSchwarze0: The ko sample build strategy now supports a gocache volume that you can assign a writable volume in your Build to speed up rebuilds
#1035 by @alicerum: Build Strategies can now define volumes, which can be mounted in build steps, and overridden by Builds and BuildRuns. Build strategies which contain volume mounts in their build steps must also declare the associated volumes in the strategy spec.
Fixes
#1043 by @HeavyWombat: Fixed delete issue for bundle image prune feature when using the IBM Container Registry for the source image
API Changes
#1035 by @alicerum: Build Strategies can now define volumes, which can be mounted in build steps, and overridden by Builds and BuildRuns. Build strategies which contain volume mounts in their build steps must also declare the associated volumes in the strategy spec.
Misc
#1064 by @SaschaSchwarze0: The sample build strategies have been updated to use the most recent BuildAh image, v1.23.3
#1061 by @SaschaSchwarze0: We now build our binaries with Go 1.18
Shipwright Build release v0.9.0
Features
#1027 by @raghavbhatnagar96: Introducing support for automatic cleanup by extending build and buildrun specifications. A new optional retention section has been introduced in both buildrun and build specifications, that consists of 4 optional fields - ttlAfterFailed, ttlAfterSucceeded, failedLimit, succeededLimit in build specifications and 2 optional fields - ttlAfterFailed, ttlAfterSucceeded - in buildrun specifications.
#1025 by @adambkaplan: Add default RBAC controls for "view" and "edit" users.
#1020 by @HeavyWombat: New field for BundleContainer to allow to specify whether the source bundle image is supposed to be deleted after it was successfully pulled from the registry.
#1016 by @HeavyWombat: Introducing support to embed a BuildSpec inside a BuildRun to have one-off builds, where only a BuildRun is required without the need of a Build resource. This includes an API change as the BuildRef in BuildRuns is no longer mandatory. Either BuildRef or BuildSpec can be used.
#1012 by @SaschaSchwarze0: All sample build strategies now use a documented secure approach to access parameter values that does not allow code injection
#1007 by @SaschaSchwarze0: The BuildKit sample build strategy now supports a platforms parameter to enable multi-platform builds
#1001 by @SaschaSchwarze0: action required: The Buildah sample build strategy now supports build-args. The registry related parameters were changed to arrays in favor of comma-separated strings. You need to update your builds accordingly.
Fixes
#1029 by @SaschaSchwarze0: Use BuildAh's --digestfile argument in the sample build strategies
#1026 by @SaschaSchwarze0: The BuildKit and BuildAh sample build strategies were fixed to correctly set the shp-result-image-digest system result.
#990 by @dalbar: The buildpacks strategy now assumes the version "0.4" as its platform api version. The buildpacks strategies are more granular in their build process and chose "web" as a default process.
API Changes
#1027 by @raghavbhatnagar96: Introducing support for automatic cleanup by extending build and buildrun specifications. A new optional retention section has been introduced in both buildrun and build specifications, that consists of 4 optional fields - ttlAfterFailed, ttlAfterSucceeded, failedLimit, succeededLimit in build specifications and 2 optional fields - ttlAfterFailed, ttlAfterSucceeded - in buildrun specifications.
#1020 by @HeavyWombat: New field for BundleContainer to allow to specify whether the source bundle image is supposed to be deleted after it was successfully pulled from the registry.
#1016 by @HeavyWombat: Introducing support to embed a BuildSpec inside a BuildRun to have one-off builds, where only a BuildRun is required without the need of a Build resource. This includes an API change as the BuildRef in BuildRuns is no longer mandatory. Either BuildRef or BuildSpec can be used.
Misc
#1036 by @SaschaSchwarze0: The sample build strategies now use Kaniko v1.8.1 and Trivy v0.25.3
#1022 by @adambkaplan: Released images for shipwright-io/build also include a Software Bills of Materials (SBOM), published as a separate OCI artifact.
#1021 by @karanibm6: action required: Minimum required version for kubernetes is 1.21
#1014 by @SaschaSchwarze0: Update sample build strategy tools: Kaniko to 1.8.0, Trivy to 0.24.4
#1000 by @qu1queee: Enhance waiter timeout processing.
#945 by @shahulsonhal: action required: We have cleaned up our APIs to provide a consistent representation of optional fields in Go. If you consume our Go types, many optional field types have been converted to pointers.
Shipwright Build release v0.8.0
Features
#975 by @SaschaSchwarze0: The parameter support in build strategy now includes arrays. Build users can start to reference parameter values from ConfigMaps and Secrets. Action required: If you previously used the go types with parameters, then you will need to make slight changes to adapt to the changed type structure.
#972 by @dalbar: In case of failures during the Git source step, further error details are now made available in .status.failureDetails.
#934 by @otaviof: Adding support for local sources. Action required: .spec.sources contains a new attribute type, for Remote Artifacts the type is "HTTP". The newly introduced type is LocalCopy.
#930 by @dalbar: Added a new field FailureDetails to BuildRun's Status that has the failure location of a failed build pod and container. Additionally the new field contains a Reason and Message to communicate error information to users and third parties.
Fixes
#982 by @dalbar: Fixes override bug for pkg/config: Setting the environment variable MUTATE_IMAGE_CONTAINER_TEMPLATE now works as intended and does not override config.GitContainerTemplate.
#970 by @shahulsonhal: Fix the Buildpack build strategies failing for python source with a requirements.txt that failed during pip install
API Changes
#930 by @dalbar: Added a new field FailureDetails to BuildRun's Status that has the failure location of a failed build pod and container. Additionally the new field contains a Reason and Message to communicate error information to users and third parties.
Misc
#992 by @SaschaSchwarze0: Update build strategy tool: Trivy to 0.22.0, go-containerregistry/crane to 0.8.0
#959 by @SaschaSchwarze0: Update Buildah to 1.23.1, introduce parameters to setup registry configuration
v0.7.0
Breaking Changes
- The minimum supported Kubernetes version is now v1.20.
Deprecations
- Shipwright's implicit association of an emptyDir volume to any BuildStep that has a volume mount is deprecated, with the intent of replacing it with an implementation of SHIP-0022 in the following release. If your build strategies leverage this behavior, please start planning to employ the alternative approach described in https://github.com/shipwright-io/community/blob/main/ships/0022-build-strategy-volumes.md.
Features
#944 by @sm43: Users can now specify output image labels and annotation in BuildRun which will be merged with Build's before adding to the image.
#941 by @gabemontero: Shipwright's implicit association of an emptydir volume to any BuildStep/Container VolumeSource that needs an associated Volume is marked as deprecated in the upcoming release, with the intent of replacing it with an implementation of SHIP-22 in the following release. If your build strategies (both Clustered and Namespaced) leverage this behavior, please start planning to employ the alternative approach described in https://github.com/shipwright-io/community/blob/main/ships/0022-build-strategy-volumes.md
#938 by @imjasonh: Released images are signed with an ephemeral key using cosign
#937 by @HeavyWombat: Git step now supports setting an optional rewrite rule so that HTTPS URLs are translated into Git+SSH URLs during the Git clone and Git submodule operations.
#933 by @sm43: Adds branchName in buildrun results if revision is not specified in Build
#906 by @shahulsonhal: The Buildpacks sample build strategies now pass environment variables to the Buildpacks allowing users to customize their behavior
Fixes
#953 by @HeavyWombat: Fixed incorrect flag name for Git step in controller code.
#952 by @HeavyWombat: Fixed issue where a HTTPS URL and private SSH key could not be used due to the credentials verification routine not taking the Git URL rewrite flag into account.
API Changes
#933 by @sm43: Adds branchName in buildrun results if revision is not specified in Build
Misc
#958 by @SaschaSchwarze0: action required: We updated our used Tekton and Kubernetes dependencies. The minimum Kubernetes version now is v1.20
#957 by @SaschaSchwarze0: Removing compatibility code that deleted generated service accounts with the naming pattern from before v0.6
#956 by @SaschaSchwarze0: Update Trivy in the sample build strategy to 0.21.2
#950 by @sm43: Shipwright Build is now built with Go v1.17
#917 by @imjasonh: Released images are available on ghcr.io, instead of quay.io
#909 by @SaschaSchwarze0: Updated Kaniko in the sample build strategies to v1.7.0
#905 by @SaschaSchwarze0: Update Trivy in sample build strategy to 0.20.1
#713 by @sbose78: Fix source-to-image strategy's kaniko step to ignore missing AWS credentials