Tekton Dashboard release v0.23.1

@AlanGreene AlanGreene released this 07 Apr 16:52

🚨 This release contains a security fix 🚨

Attestation

The Rekor UUID for this release is b748ce5c88942b0c616e202837aa621a69d04187d547c9f95dcd6a7b4ee95dea

Verify that all container images in the release file are in the attestation:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/dashboard/previous/v0.23.1/tekton-dashboard-release.yaml
REKOR_UUID=b748ce5c88942b0c616e202837aa621a69d04187d547c9f95dcd6a7b4ee95dea

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGE=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|select(.name | startswith("gcr.io"))|.name + ":v0.23.1@sha256:" + .digest.sha256')

# Download the release file
curl -s "$RELEASE_FILE" -o release.yaml

# Match the image used in the release file to an image in the attestation
DASHBOARD_IMAGE=$(grep image: release.yaml | awk -F' ' '{print $2}')
echo
# Quote the value and pass it as an argument so it is never treated as a printf format string
printf '%s' "$DASHBOARD_IMAGE"
if [[ "${REKOR_ATTESTATION_IMAGE}" = "${DASHBOARD_IMAGE}" ]]; then
  echo " ===> ok"
else
  echo " ===> no match"
fi

Fixes

  • πŸ› Validate Origin header on websocket connection upgrade to prevent cross-origin websocket hijacking #2333

Thanks

Thanks to these contributors who contributed to v0.23.1!