
Releases

ugallu uses Semantic Versioning for every public surface. The first public release will be tagged v0.1.0-alpha.1. Pre-v1.0.0 minor versions can break compatibility - you’ll find the breaking changes called out at the top of every CHANGELOG.md entry.

Every release ships:

  • a tag on ninsun-labs/ugallu (this monorepo).
  • one OCI image per operator + the BFF, plus a single multi-binary “runtime” image used for ad-hoc deployments: ghcr.io/ninsun-labs/ugallu/<binary>:<version> and ghcr.io/ninsun-labs/ugallu/runtime:<version>.
  • a Helm chart at version <chartVersion> (matches the release tag), published to:
    • the classic helm repo add index at https://ugallu.io/charts/
    • the OCI mirror at oci://ghcr.io/ninsun-labs/ugallu/charts/ugallu
  • a cosign-keyless signature on every image, with the SBOM attached as a separate cosign attestation.

Every image is signed via GitHub OIDC -> Fulcio -> Rekor. No long-lived keys. To verify:

cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github.com/ninsun-labs/ugallu/.+' \
ghcr.io/ninsun-labs/ugallu/audit-detection:v0.1.0-alpha.1

The certificate identity regex matches any workflow under ninsun-labs/ugallu. To pin to the release workflow specifically:

cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity 'https://github.com/ninsun-labs/ugallu/.github/workflows/release.yml@refs/tags/v0.1.0-alpha.1' \
ghcr.io/ninsun-labs/ugallu/audit-detection:v0.1.0-alpha.1

A successful verification confirms:

  1. The image was produced by a GitHub Actions workflow in this repo at this tag.
  2. The signature is logged in Rekor (the inclusion proof is verified inline).

The SBOM is an SPDX 2.3 document attached as a cosign attestation:

cosign verify-attestation --type spdxjson \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github.com/ninsun-labs/ugallu/.+' \
ghcr.io/ninsun-labs/ugallu/audit-detection:v0.1.0-alpha.1 \
| jq -r .payload | base64 -d | jq .predicate

The predicate is a full SPDX document - feed it to your favourite SCA tool (Grype, Dependency-Track) for vulnerability tracking.
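The jq pipeline above trusts whatever it decodes. As an added example (not part of ugallu or cosign), this Python helper parses the DSSE envelope that cosign verify-attestation prints, checks that it is an in-toto statement with the SPDX predicate type, checks that the attestation's subject digest is the digest of the image you actually pulled, and only then returns the SPDX predicate for your SCA tool. The envelope, digest and package list are constructed placeholders, and cosign's signature and Rekor checks are assumed to have already passed.

```python
"""Extract the SPDX predicate from a cosign DSSE attestation envelope,
binding it to the pulled image digest before handing it to SCA tooling."""
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # what `--type spdxjson` emits

# Constructed sample: a DSSE envelope wrapping a minimal in-toto statement,
# shaped like cosign's output. Digest, signature and packages are placeholders.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [{"name": "ghcr.io/ninsun-labs/ugallu/audit-detection",
                 "digest": {"sha256": SAMPLE_DIGEST.split(":")[1]}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "name": "audit-detection-sbom",
                  "packages": [{"name": "golang.org/x/net", "versionInfo": "v0.23.0"}]},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<placeholder, already verified by cosign>"}],
})


def extract_spdx_predicate(envelope_json: str, expected_digest: str) -> dict:
    """Return the SPDX predicate, or raise ValueError if the envelope is not
    an SPDX attestation for the image with `expected_digest` (algo:hex)."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"not an SPDX attestation: {stmt.get('predicateType')!r}")
    algo, _, hexdigest = expected_digest.partition(":")
    # The attestation is only meaningful for the artifact it names: refuse to
    # use an SBOM whose subject digest is not the image we pulled.
    if not any(s.get("digest", {}).get(algo) == hexdigest for s in stmt.get("subject", [])):
        raise ValueError("attestation subject does not match the pulled image digest")
    return stmt["predicate"]


def package_names(predicate: dict) -> list[str]:
    """Flatten the SPDX package list to name@version, a quick feed for SCA triage."""
    return [f"{p['name']}@{p.get('versionInfo', '?')}" for p in predicate.get("packages", [])]
```

Feed the full predicate (not just the flattened names) to Grype or Dependency-Track; the digest from `docker inspect` or `crane digest` is what you pass as `expected_digest`.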

The OCI-published chart is signed with the same keyless flow:

cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github.com/ninsun-labs/ugallu/.+' \
ghcr.io/ninsun-labs/ugallu/charts/ugallu:v0.1.0-alpha.1

The classic helm repo add index at https://ugallu.io/charts/ serves a provenance file alongside each chart tarball, signed with the same identity. helm install --verify honours it.

Pre-v1.0.0 we don’t commit to a calendar - quality gates the release, not the date. Each public release rolls a stable batch of feature work plus a CHANGELOG / docs sweep.

The CHANGELOG lives at the top of the repo. Each release entry calls out:

  • new operators and CRD kinds
  • behavioural changes on existing CRDs (status fields added / reshaped, condition types added)
  • breaking changes (these get a clear BREAKING: prefix)
  • a link to the upgrade guide when one is needed