Shipwright v0.15 Is Here
We are happy to announce the latest release of Shipwright’s main projects - v0.15.z.
You may have noticed the usual “.0” in the version has been replaced with a “.z” - more on this in a minute!
Key Features
Below are the key features in this release:
Build: More Control for Node Scheduling
Builds v0.15 adds additional support for controlling which nodes a build can run on. In addition to specifying a node selector (introduced in v0.14), builds can now tolerate node taints and instruct Kubernetes to use a custom pod scheduler. The latter feature can be used with new projects like Volcano, which optimizes pod scheduling for batch workloads.
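The three scheduling controls described above can be combined to confine build pods, which run code pulled from source repositories, to dedicated nodes. The manifest below is an added example, not part of the release notes: it assumes the Build v1beta1 fields nodeSelector, tolerations and schedulerName, the buildkit sample strategy, and a Volcano install registered as "volcano". The label, taint, build name and registry are constructed values.

```yaml
# Added example, not taken from the Shipwright release notes.
# Constructed values: the "workload=builds" label and taint, the build name
# and the image registry. A cluster admin is assumed to have prepared the
# dedicated nodes beforehand with:
#   kubectl label nodes <node> workload=builds
#   kubectl taint nodes <node> workload=builds:NoSchedule
apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: isolated-build
spec:
  source:
    type: Git
    git:
      url: https://github.com/shipwright-io/sample-go
    contextDir: docker-build
  strategy:
    name: buildkit
    kind: ClusterBuildStrategy
  output:
    image: registry.example.com/team/sample-go:latest
  # Node selector (v0.14): only nodes carrying this label are candidates.
  nodeSelector:
    workload: builds
  # Toleration (v0.15): admits the build pod onto nodes tainted
  # workload=builds; the taint keeps other workloads off those nodes.
  tolerations:
    - key: workload
      operator: Equal
      value: builds
  # Custom scheduler (v0.15): hand pod placement to a non-default scheduler.
  # "volcano" assumes Volcano is installed under that scheduler name.
  schedulerName: volcano
```

The selector alone only steers builds toward the labelled nodes; it is the taint plus the matching toleration that stops unrelated pods from sharing them.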
CLI: Maintenance Update
The CLI was updated to support Build v0.15.0 APIs.
Operator: Builds Upgrade
The operator was updated to deploy Builds v0.15.2.
Installing Shipwright
Build
Install Tekton v0.68.0:
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.0/release.yaml
Install v0.15.2 using the release YAML manifest:
kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.15.2/release.yaml --server-side
curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/v0.15.2/hack/setup-webhook-cert.sh | bash
(Optionally) Install the sample build strategies using the YAML manifest:
kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.15.2/sample-strategies.yaml --server-side
CLI
Windows
curl --silent --fail --location https://github.com/shipwright-io/cli/releases/download/v0.15.0/shp_0.15.0_windows_x86_64.tar.gz | tar xzf - shp.exe
shp version
shp help
Mac
curl --silent --fail --location https://github.com/shipwright-io/cli/releases/download/v0.15.0/shp_0.15.0_macOS_$(uname -m).tar.gz | tar -xzf - -C /usr/local/bin shp
shp version
shp help
Linux
curl --silent --fail --location "https://github.com/shipwright-io/cli/releases/download/v0.15.0/shp_0.15.0_linux_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | sudo tar -xzf - -C /usr/bin shp
shp version
shp help
Operator
To deploy and manage Shipwright Builds in your cluster, first ensure the operator v0.15.2 is installed and running on your cluster. You can follow the instructions on OperatorHub.
Next, create the following:
---
apiVersion: operator.shipwright.io/v1alpha1
kind: ShipwrightBuild
metadata:
  name: shipwright-operator
spec:
  targetNamespace: shipwright-build
What About That .z?
Since v0.14.0 was released, we have done a lot of work behind the scenes to automate Shipwright’s release process and improve its security posture. Part of this includes a set of nightly GitHub Actions that scan our container images for vulnerabilities at the code and operating system level. This process covers our most recent release as well as the nightly builds that come out of the main branch.
Less than a day after Builds v0.15.0 was released, vulnerabilities in the golang.org/x/crypto and golang.org/x/oauth2 packages were disclosed. These were picked up by our nightly automation, which filed a GitHub issue notifying the community of the problem. The maintainers quickly sprang into action, submitting pull requests to patch the vulnerable code. The next night our automation detected these vulnerabilities were fixed, and drafted a security patch release.
Two days later, we patched the Build project all over again.
All this happened as the cli and operator projects were preparing releases of their own.
Special thank you to @SaschaSchwarze0 for not only fixing these vulnerabilities, but also building many of the workflows that automate these security updates. Bravo!