Shipwright v0.14.0 Is Here

We are happy to announce the v0.14.0 release of Shipwright. This is our first release since we have joined the Cloud Native Computing Foundation (CNCF) as a sandbox project.

In this release, we have put together some nice features:

Features

Vulnerability Scanning

Keeping your environments secure is key these days. For container images, scanning them is widely adopted. Shipwright now performs a shift left of those scans by incorporating image scanning into the image build itself. We’ll ensure that a vulnerable image never makes it into your container registry (though, you’d still have to re-scan it regularly to determine when it becomes vulnerable). This is a great safeguard for example against base images you consume in your Dockerfile that suddenly are not updated anymore.

You can read more about it in the separate blog post Building Secure Container images with Shipwright.

Parameters in the CLI

The Shipwright CLI finally received the first support for build parameters. You can use the --param-value argument to provide values for strategy parameters such as the Go version and Go flags in our ko sample build strategy like this: shp build create my-app --param-value go-version=1.23 --param-value go-flags=-mod=vendor.

The smaller but still nice things

Often the small changes are what help you, here are some:

  • If a step in your BuildRun goes out of memory, then it is now easier to determine that as the BuildRun status will have StepOutOfMemory as reason.
  • A new sample build strategy has been added which orchestrates a multi-arch build using Kubernetes Jobs. See our documentation for more information.
  • We started to implement node selection properties on Builds and BuildRuns with node selector support. Tolerations are planned to be added in v0.15.
  • As usual, we have done our due diligence. DependaBot helped us to keep our dependencies secure. We are now building with Go 1.22. Kubernetes and Tekton dependencies have been updated. We are also in the process of establishing automation across our repositories that gives us a GitHub issue once our latest release becomes vulnerable. You’ll probably see more patch releases in the future where we keep our release free of vulnerabilities.

Installing Shipwright

Build

  1. Install Tekton v0.65.1:

    kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.65.1/release.yaml
    
  2. Install v0.14.0 using the release YAML manifest:

    kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.14.0/release.yaml --server-side
    
    curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/v0.14.0/hack/setup-webhook-cert.sh | bash
    
  3. (Optionally) Install the sample build strategies using the YAML manifest:

    kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.14.0/sample-strategies.yaml --server-side
    

If you are a long-standing Shipwright user that started to use us on our Alpha API (before v0.13.0), then we recommend you to run a storage version migration. It will update the stored version of all Shipwright resources in your cluster to the Beta API to unnecessary invocations of our conversion webhook in the future.

curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/v0.14.0/hack/storage-version-migration.sh | bash

CLI

Windows

curl --silent --fail --location https://github.com/shipwright-io/cli/releases/download/v0.14.0/cli_0.14.0_windows_x86_64.tar.gz | tar xzf - shp.exe
shp version
shp help

Mac

curl --silent --fail --location https://github.com/shipwright-io/cli/releases/download/v0.14.0/cli_0.14.0_macOS_$(uname -m).tar.gz | tar -xzf - -C /usr/local/bin shp
shp version
shp help

Linux

curl --silent --fail --location "https://github.com/shipwright-io/cli/releases/download/v0.14.0/cli_0.14.0_linux_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | sudo tar -xzf - -C /usr/bin shp
shp version
shp help