
Releases

ugallu uses Semantic Versioning for every public surface. The latest release is v0.1.0-alpha.2. Pre-v1.0.0 minor versions can break compatibility - you’ll find the breaking changes called out at the top of every CHANGELOG.md entry.

Every release ships:

  • a tag on ninsun-labs/ugallu (this monorepo).
  • one OCI image per binary: ghcr.io/ninsun-labs/ugallu/<binary>:<version>.
  • the umbrella Helm chart published as an OCI artifact at oci://ghcr.io/ninsun-labs/charts/ugallu (Helm 3.8+ pulls it directly; no classic helm repo add index).
  • a cosign-keyless signature on every image and on the chart, with the SBOM attached as a separate cosign attestation.

Every image is signed via GitHub OIDC -> Fulcio -> Rekor. No long-lived keys. To verify:

```bash
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp 'https://github.com/ninsun-labs/ugallu/.+' \
  ghcr.io/ninsun-labs/ugallu/audit-detection:v0.1.0-alpha.2
```

The certificate identity regex matches any workflow under ninsun-labs/ugallu. To pin to the release workflow specifically:

```bash
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity 'https://github.com/ninsun-labs/ugallu/.github/workflows/release.yml@refs/tags/v0.1.0-alpha.2' \
  ghcr.io/ninsun-labs/ugallu/audit-detection:v0.1.0-alpha.2
```

A successful verification confirms:

  1. The image was produced by a GitHub Actions workflow in this repo (with the regexp form, any workflow in the repo; with the exact identity, the release workflow at this tag).
  2. The signature is logged in Rekor (the inclusion proof is verified inline).

The SBOM is an SPDX 2.3 document attached as a cosign attestation:

```bash
cosign verify-attestation --type spdxjson \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp 'https://github.com/ninsun-labs/ugallu/.+' \
  ghcr.io/ninsun-labs/ugallu/audit-detection:v0.1.0-alpha.2 \
  | jq -r .payload | base64 -d | jq .predicate
```

The predicate is a full SPDX document - feed it to your favourite SCA tool (Grype, Dependency-Track) for vulnerability tracking.
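The jq pipeline above does the decoding by hand. The following Python script is an added example (not part of the ugallu project) that does the same job with a few checks a pipeline usually wants before handing the SBOM to a scanner: it reads cosign's stdout (one DSSE envelope per line), rejects envelopes whose payload type is not in-toto, rejects statements whose predicate type is not SPDX or whose subject does not name the image that was queried, and returns a package-to-version map. The embedded envelope, digest and package names are constructed stand-ins; cosign's real output also carries signature material that this decoder ignores because `cosign verify-attestation` has already checked it.

```python
"""Decode the SPDX attestation printed by `cosign verify-attestation --type spdxjson`.

Added example: reads cosign's stdout offline and extracts the SPDX predicate.
"""
import base64
import json
from typing import Dict, List, Optional

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"   # predicateType cosign uses for --type spdxjson
IMAGE = "ghcr.io/ninsun-labs/ugallu/audit-detection"

# Constructed stand-in for cosign's stdout. Real envelopes carry a real signature and
# the subject digest of the image; the values below are fake and only shape-correct.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [{"name": IMAGE, "digest": {"sha256": "00" * 32}}],  # constructed digest
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "audit-detection",
        "packages": [  # constructed package entries
            {"SPDXID": "SPDXRef-Package-1", "name": "example.org/libfoo", "versionInfo": "v1.2.3"},
            {"SPDXID": "SPDXRef-Package-2", "name": "example.org/libbar", "versionInfo": "v0.9.0"},
        ],
    },
}
SAMPLE_COSIGN_OUTPUT = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "Y29uc3RydWN0ZWQ="}],  # constructed, not a real signature
}) + "\n"


def decode_envelopes(cosign_stdout: str) -> List[dict]:
    """Return the in-toto Statement carried by each DSSE envelope line (this is `jq -r .payload | base64 -d`)."""
    statements = []
    for line in cosign_stdout.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def spdx_predicate(statement: dict, expect_subject: Optional[str] = None) -> dict:
    """Return the SPDX document (`jq .predicate`), refusing non-SPDX or mis-addressed statements."""
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    if expect_subject is not None:
        names = {s.get("name") for s in statement.get("subject", [])}
        if expect_subject not in names:
            raise ValueError(f"attestation subject {names} does not name {expect_subject}")
    return statement["predicate"]


def package_versions(spdx: dict) -> Dict[str, str]:
    """Map SPDX package name -> versionInfo; SPDX allows the version to be absent."""
    return {p["name"]: p.get("versionInfo", "NOASSERTION") for p in spdx.get("packages", [])}


def sbom_packages(cosign_stdout: str, image: str) -> Dict[str, str]:
    """End-to-end: cosign stdout -> package/version map for the attestation about `image`."""
    merged: Dict[str, str] = {}
    for statement in decode_envelopes(cosign_stdout):
        merged.update(package_versions(spdx_predicate(statement, expect_subject=image)))
    return merged


if __name__ == "__main__":
    # In practice: cosign verify-attestation ... | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COSIGN_OUTPUT
    for name, version in sorted(sbom_packages(data, IMAGE).items()):
        print(f"{name}\t{version}")
```

Pipe the real `cosign verify-attestation` output into the script instead of the sample to get the package list for the image you verified; the subject check is what stops a valid-but-unrelated attestation from being mistaken for this image's SBOM.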

The OCI-published chart is signed with the same keyless flow:

```bash
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp 'https://github.com/ninsun-labs/ugallu/.+' \
  ghcr.io/ninsun-labs/charts/ugallu:0.1.0-alpha.2
```

Note the chart version drops the leading v (Helm strips it per SemVer). The signature is over the OCI artifact digest, so helm pull oci://... followed by cosign verify against the same digest closes the loop.
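Closing the loop means comparing two digests: the one `helm pull` reports for the artifact it fetched and the one cosign reports as covered by the signature. The script below is an added example, not ugallu's own tooling. It wraps the two commands, pins the cosign reference to `repo@sha256:...` (a tag can move between the pull and the verify; a digest cannot), and only accepts the chart when the pulled digest appears in cosign's JSON output. The parsing functions are pure and run offline on constructed sample output; the assumption that `helm pull` prints a `Digest: sha256:...` line on stdout and that cosign prints its simple-signing JSON on stdout is marked in the code.

```python
"""Verify the OCI-published chart by digest: helm pull -> digest -> cosign verify @digest.

Added example with constructed sample outputs; the real `main()` shells out to helm and cosign.
"""
import json
import re
import subprocess
import sys
from typing import List, Set

CHART = "ghcr.io/ninsun-labs/charts/ugallu"
ISSUER = "https://token.actions.githubusercontent.com"
IDENTITY_RE = r"https://github.com/ninsun-labs/ugallu/.+"

# Assumption: `helm pull oci://...` prints "Pulled: <ref>" and "Digest: sha256:<hex>" on stdout.
DIGEST_RE = re.compile(r"^Digest:\s*(sha256:[0-9a-f]{64})\s*$", re.MULTILINE)

# Constructed sample outputs (fake digest) so the pure functions can be exercised offline.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_HELM_OUTPUT = f"Pulled: {CHART}:0.1.0-alpha.2\nDigest: {SAMPLE_DIGEST}\n"
SAMPLE_COSIGN_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": CHART},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {},
}])


def parse_helm_pull_digest(helm_output: str) -> str:
    """Digest of the artifact helm actually fetched; fail closed if the line is missing."""
    match = DIGEST_RE.search(helm_output)
    if match is None:
        raise ValueError("helm pull output contains no 'Digest: sha256:...' line")
    return match.group(1)


def pinned_ref(repo: str, digest: str) -> str:
    """Digest reference for cosign, so the verify cannot resolve a different manifest than the pull."""
    return f"{repo}@{digest}"


def cosign_verify_argv(ref: str) -> List[str]:
    """argv for the same keyless verify the page shows, against a pinned reference."""
    return ["cosign", "verify",
            "--certificate-oidc-issuer", ISSUER,
            "--certificate-identity-regexp", IDENTITY_RE,
            ref]


def verified_digests(cosign_stdout: str) -> Set[str]:
    """Manifest digests cosign reports as signed (assumption: simple-signing JSON array on stdout)."""
    return {entry["critical"]["image"]["docker-manifest-digest"]
            for entry in json.loads(cosign_stdout)}


def chart_is_trusted(helm_output: str, cosign_stdout: str) -> bool:
    """True only when the digest helm pulled is among the digests cosign verified."""
    return parse_helm_pull_digest(helm_output) in verified_digests(cosign_stdout)


def main(version: str = "0.1.0-alpha.2") -> int:
    pull = subprocess.run(["helm", "pull", f"oci://{CHART}", "--version", version],
                          capture_output=True, text=True, check=True)
    digest = parse_helm_pull_digest(pull.stdout)
    verify = subprocess.run(cosign_verify_argv(pinned_ref(CHART, digest)),
                            capture_output=True, text=True)
    if verify.returncode != 0 or not chart_is_trusted(pull.stdout, verify.stdout):
        print(f"REJECT: {digest} is not covered by a valid signature", file=sys.stderr)
        return 1
    print(f"OK: chart {CHART}@{digest} is signed by a ninsun-labs/ugallu workflow")
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it with the chart version as the only argument; a non-zero exit means either cosign rejected the signature or the signed digest differs from what helm fetched, and in both cases the pulled `.tgz` should not be installed.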

Pre-v1.0.0 we don’t commit to a calendar - quality gates the release, not the date. Each public release rolls a stable batch of feature work plus a CHANGELOG / docs sweep.

The CHANGELOG lives at the top of the repo. Each release entry calls out:

  • new operators and CRD kinds
  • behavioural changes on existing CRDs (status fields added / reshaped, condition types added)
  • breaking changes (these get a clear BREAKING: prefix)
  • a link to the upgrade guide when one is needed