Tekton Dashboard release v0.24.2
🚨 This release contains a security fix 🚨
Attestation
The Rekor UUID for this release is ad80c25971f6cb3a755f250354ce8e2f68ff24c978b4578428f64cebcbfa260a
Verify that all container images in the release file are in the attestation:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/dashboard/previous/v0.24.2/tekton-dashboard-release.yaml
REKOR_UUID=ad80c25971f6cb3a755f250354ce8e2f68ff24c978b4578428f64cebcbfa260a
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGE=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | base64 --decode | jq -r '.subject[]|select(.name | startswith("gcr.io"))|.name + ":v0.24.2@sha256:" + .digest.sha256')
# Download the release file
curl -s "$RELEASE_FILE" -o release.yaml
# Match the image used in the release file to an image in the attestation
DASHBOARD_IMAGE=$(cat release.yaml | grep image: | awk -F' ' '{print $2}')
echo
# Print the image as data, not as a printf format string
printf '%s' "$DASHBOARD_IMAGE"
if [[ "${REKOR_ATTESTATION_IMAGE}" = "${DASHBOARD_IMAGE}" ]]; then
  echo " ===> ok"
else
  echo " ===> no match"
fi
Fixes
- 🐛 Validate Origin header on websocket connection upgrade to prevent cross-origin websocket hijacking #2333
Thanks
Thanks to these contributors who contributed to v0.24.2!
- ❤️ @AlanGreene