Releases: awbx/cronix

v0.12.0

22 May 18:37

Changelog

Verify this release

Every release artifact is signed two ways: a cosign keyless signature
over checksums.txt (Sigstore Fulcio cert + transparency log) and a
SLSA Build Level 3 provenance attestation generated by
slsa-framework/slsa-github-generator. Both bind the artifacts to this
repository's GitHub Actions release workflow; both are verifiable with
no public key to track.

Cosign — verify the checksum file and your binary:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt

sha256sum -c --ignore-missing checksums.txt
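
With --ignore-missing, sha256sum -c skips listed files that are not present, so a passing run does not by itself show that the file you are about to install was among those checked. The following is an added example, not part of the cronix release notes: check_artifact is a hypothetical helper, and the file contents and the unlisted-download.tar.gz name are constructed. It checks one named artifact against an already cosign-verified checksums.txt and refuses it unless it is listed exactly once.

```shell
#!/bin/sh
# Added example. check_artifact is a hypothetical helper, not a cronix or
# cosign command. Run it only after cosign verify-blob has accepted checksums.txt.
#
# Usage: check_artifact <checksums-file> <artifact-path>
# Exit 0: artifact is listed exactly once and its SHA-256 matches.
# Exit 1: listed, but the digest differs.
# Exit 2: missing input, not listed, or listed more than once.
check_artifact() {
  sums=$1
  artifact=$2
  [ -f "$sums" ] && [ -f "$artifact" ] || return 2
  name=$(basename "$artifact")

  # sha256sum lines are "<hex>  <name>" (text) or "<hex> *<name>" (binary).
  expected=$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1) }' "$sums")

  # No entry means --ignore-missing never looked at this file; several
  # entries are ambiguous. Refuse both instead of guessing.
  [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 2

  actual=$(sha256sum "$artifact" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Constructed demo data: file contents are placeholders, not real releases.
demo_dir=$(mktemp -d)
printf 'constructed payload A\n' > "$demo_dir/cronix_0.12.0_linux_amd64.tar.gz"
printf 'constructed payload B\n' > "$demo_dir/unlisted-download.tar.gz"
( cd "$demo_dir" && sha256sum cronix_0.12.0_linux_amd64.tar.gz > checksums.txt )

# The page's command passes here although unlisted-download.tar.gz was
# never checked: it only reports on files that checksums.txt names.
( cd "$demo_dir" && sha256sum -c --ignore-missing checksums.txt >/dev/null ) \
  && echo "sha256sum -c --ignore-missing: OK"

check_artifact "$demo_dir/checksums.txt" \
  "$demo_dir/cronix_0.12.0_linux_amd64.tar.gz" && echo "amd64 archive: verified"
check_artifact "$demo_dir/checksums.txt" \
  "$demo_dir/unlisted-download.tar.gz" || echo "unlisted file: rejected (exit $?)"
```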

SLSA — verify any binary directly against the provenance file:

slsa-verifier verify-artifact cronix_0.12.0_linux_amd64.tar.gz \
  --provenance-path cronix-v0.12.0.intoto.jsonl \
  --source-uri github.com/awbx/cronix \
  --source-tag v0.12.0

Cosign — verify a container image (image tags omit the v, since
GoReleaser's .Version is the bare semver):

cosign verify \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.12.0-amd64

SBOM — inspect the SPDX JSON for a binary:

# Every archive ships with an .sbom.spdx.json file containing the
# full software bill of materials (packages, licenses, suppliers).
jq '.packages[] | {name, versionInfo, licenseConcluded}' \
  cronix_0.12.0_linux_amd64.tar.gz.sbom.spdx.json

SBOM — verify the SBOM attestation on a container image:

cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.12.0-amd64

npm — every @awbx/cronix-* package has its own SLSA-shaped provenance,
visible on the package's npm page; tooling like npm audit signatures
validates it automatically.

See README §Verify a release for the full verification reference.

v0.11.0

20 May 21:19

Changelog

  • d69b043 feat(helm): PSS-restricted, NetworkPolicy, RBAC trim (#9) (#36)
  • f0fa501 feat(trigger): --otel flag emits D-037 trace shape (#37) (#39)
  • e44ca3c spec: OpenTelemetry trace shape for cronix trigger (D-037, #7) (#38)
  • 4ee55c1 v0.11.0

Verify this release

Every release artifact is signed two ways: a cosign keyless signature
over checksums.txt (Sigstore Fulcio cert + transparency log) and a
SLSA Build Level 3 provenance attestation generated by
slsa-framework/slsa-github-generator. Both bind the artifacts to this
repository's GitHub Actions release workflow; both are verifiable with
no public key to track.

Cosign — verify the checksum file and your binary:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt

sha256sum -c --ignore-missing checksums.txt

SLSA — verify any binary directly against the provenance file:

slsa-verifier verify-artifact cronix_0.11.0_linux_amd64.tar.gz \
  --provenance-path cronix-v0.11.0.intoto.jsonl \
  --source-uri github.com/awbx/cronix \
  --source-tag v0.11.0

Cosign — verify a container image (image tags omit the v, since
GoReleaser's .Version is the bare semver):

cosign verify \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.11.0-amd64

SBOM — inspect the SPDX JSON for a binary:

# Every archive ships with an .sbom.spdx.json file containing the
# full software bill of materials (packages, licenses, suppliers).
jq '.packages[] | {name, versionInfo, licenseConcluded}' \
  cronix_0.11.0_linux_amd64.tar.gz.sbom.spdx.json

SBOM — verify the SBOM attestation on a container image:

cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.11.0-amd64

npm — every @awbx/cronix-* package has its own SLSA-shaped provenance,
visible on the package's npm page; tooling like npm audit signatures
validates it automatically.

See README §Verify a release for the full verification reference.

v0.10.3

19 May 18:08

Changelog

  • 0cf5293 feat(supply-chain): verify multi-arch image manifests post-release (#5) (#33)
  • 1ef9cef v0.10.3

Verify this release

Every release artifact is signed two ways: a cosign keyless signature
over checksums.txt (Sigstore Fulcio cert + transparency log) and a
SLSA Build Level 3 provenance attestation generated by
slsa-framework/slsa-github-generator. Both bind the artifacts to this
repository's GitHub Actions release workflow; both are verifiable with
no public key to track.

Cosign — verify the checksum file and your binary:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt

sha256sum -c --ignore-missing checksums.txt

SLSA — verify any binary directly against the provenance file:

slsa-verifier verify-artifact cronix_0.10.3_linux_amd64.tar.gz \
  --provenance-path cronix-v0.10.3.intoto.jsonl \
  --source-uri github.com/awbx/cronix \
  --source-tag v0.10.3

Cosign — verify a container image (image tags omit the v, since
GoReleaser's .Version is the bare semver):

cosign verify \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.10.3-amd64

SBOM — inspect the SPDX JSON for a binary:

# Every archive ships with an .sbom.spdx.json file containing the
# full software bill of materials (packages, licenses, suppliers).
jq '.packages[] | {name, versionInfo, licenseConcluded}' \
  cronix_0.10.3_linux_amd64.tar.gz.sbom.spdx.json

SBOM — verify the SBOM attestation on a container image:

cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.10.3-amd64

npm — every @awbx/cronix-* package has its own SLSA-shaped provenance,
visible on the package's npm page; tooling like npm audit signatures
validates it automatically.

See README §Verify a release for the full verification reference.

v0.10.2

19 May 12:57

Changelog

  • 386c51c feat(supply-chain): SPDX SBOM per archive + image SBOM attestation (#4) (#31)
  • d61d39d v0.10.2

Verify this release

Every release artifact is signed two ways: a cosign keyless signature
over checksums.txt (Sigstore Fulcio cert + transparency log) and a
SLSA Build Level 3 provenance attestation generated by
slsa-framework/slsa-github-generator. Both bind the artifacts to this
repository's GitHub Actions release workflow; both are verifiable with
no public key to track.

Cosign — verify the checksum file and your binary:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt

sha256sum -c --ignore-missing checksums.txt

SLSA — verify any binary directly against the provenance file:

slsa-verifier verify-artifact cronix_0.10.2_linux_amd64.tar.gz \
  --provenance-path cronix-v0.10.2.intoto.jsonl \
  --source-uri github.com/awbx/cronix \
  --source-tag v0.10.2

Cosign — verify a container image (image tags omit the v, since
GoReleaser's .Version is the bare semver):

cosign verify \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.10.2-amd64

SBOM — inspect the SPDX JSON for a binary:

# Every archive ships with an .sbom.spdx.json file containing the
# full software bill of materials (packages, licenses, suppliers).
jq '.packages[] | {name, versionInfo, licenseConcluded}' \
  cronix_0.10.2_linux_amd64.tar.gz.sbom.spdx.json

SBOM — verify the SBOM attestation on a container image:

cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.10.2-amd64

npm — every @awbx/cronix-* package has its own SLSA-shaped provenance,
visible on the package's npm page; tooling like npm audit signatures
validates it automatically.

See README §Verify a release for the full verification reference.

v0.10.1

19 May 12:24

Changelog

  • dd31bbd fix(supply-chain): SLSA smoke shouldn't verify checksums.txt; image tag has no v prefix (#30)
  • 7b29f84 v0.10.1

Verify this release

Every release artifact is signed two ways: a cosign keyless signature
over checksums.txt (Sigstore Fulcio cert + transparency log) and a
SLSA Build Level 3 provenance attestation generated by
slsa-framework/slsa-github-generator. Both bind the artifacts to this
repository's GitHub Actions release workflow; both are verifiable with
no public key to track.

Cosign — verify the checksum file and your binary:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt

sha256sum -c --ignore-missing checksums.txt

SLSA — verify any binary directly against the provenance file:

slsa-verifier verify-artifact cronix_0.10.1_linux_amd64.tar.gz \
  --provenance-path cronix-v0.10.1.intoto.jsonl \
  --source-uri github.com/awbx/cronix \
  --source-tag v0.10.1

Cosign — verify a container image (image tags omit the v, since
GoReleaser's .Version is the bare semver):

cosign verify \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.10.1-amd64

npm — every @awbx/cronix-* package has its own SLSA-shaped provenance,
visible on the package's npm page; tooling like npm audit signatures
validates it automatically.

See README §Verify a release for the full verification reference.

v0.10.0

19 May 11:49

Changelog

  • 14b1812 feat(supply-chain): SLSA Build L3 provenance + npm provenance (#3) (#29)
  • 5dcfc31 feat(supply-chain): cosign-sign release artifacts (#2) (#28)
  • dd39909 v0.10.0

Verify this release

Every release artifact is signed two ways: a cosign keyless signature
over checksums.txt (Sigstore Fulcio cert + transparency log) and a
SLSA Build Level 3 provenance attestation generated by
slsa-framework/slsa-github-generator. Both bind the artifacts to this
repository's GitHub Actions release workflow; both are verifiable with
no public key to track.

Cosign — verify the checksum file and your binary:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt

sha256sum -c --ignore-missing checksums.txt

SLSA — verify any binary directly against the provenance file:

slsa-verifier verify-artifact cronix_0.10.0_linux_amd64.tar.gz \
  --provenance-path cronix-v0.10.0.intoto.jsonl \
  --source-uri github.com/awbx/cronix \
  --source-tag v0.10.0

Cosign — verify a container image:

cosign verify \
  --certificate-identity-regexp 'https://github.com/awbx/cronix/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/awbx/cronix:0.10.0-amd64

npm — every @awbx/cronix-* package has its own SLSA-shaped provenance,
visible on the package's npm page; tooling like npm audit signatures
validates it automatically.

See README §Verify a release for the full verification reference.

v0.9.1

07 May 18:23

Changelog

  • ee11533 feat(cli): kubectl-style per-backend sub-subcommands for apply/plan/drift/list/show/prune/history
  • 67bf5b4 fix(ci): unblock Windows release build + biome import sort
  • 8734336 v0.9.1

v0.7.4

07 May 17:11

Changelog

  • de0b8fa Change asset link in README
  • a2ad111 Update README with user attachments link
  • c3825a8 ci: cancel in-progress run on same ref to save runner minutes
  • b02e6dc ci: opt every workflow into Node 24 for JS-based actions
  • eff97b2 docs(landing): swap video URL + minor copy polish
  • 38828d5 feat(sdk): extension points — skipVerify, hooks, custom error response, standalone verify utils
  • c21c79c spec: scrub planning-phase references, rewrite changelog
  • 099f2da v0.7.4

v0.7.3

05 May 03:33

Changelog

  • d386751 chore(changelog): regenerate after history rewrite
  • 2f2ef11 ci(docs): pin pnpm@10.33.0 in docs/package.json
  • ce7095e ci: skip CI on docs-only changes
  • e2a526a docs(landing): code-first hero, feature grid, install tabs, backend cards
  • 05675ee docs(readme): refocus on OSS positioning, install paths, and examples
  • 2174956 v0.7.3

v0.7.2

05 May 02:25

Changelog

  • 59f6184 ci(release): generate Homebrew formula and push to awbx/homebrew-cronix tap
  • 65aa3fb v0.7.2