v1.26.5

Community Update

@Bixilon made their first contribution in #458

Also many thanks to @BlackTurtle123 and @xathon for reporting the issues fixed in this release.

What's Changed

Security

• go stdlib v1.25.5: CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-68121

Bugfixes

• dockerfile: don't use +x for chmod: by @Bixilon in #458
• fix KANIKO_DIR bootstrapping: #475
• cache mount fails to rename across filesystems: #455
• cleanup kaniko workspace on failure too: #453

Standardization

• resolve remote ONBUILD instructions: #354

Usability

• dynamically determine kanikoDir: #454

Maintenance

• chore(deps): bump cloud.google.com/go/storage from 1.58.0 to 1.59.2: #457 #461 #482
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.0 to 1.41.1: #456
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.6 to 1.32.7: #456
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.20.18 to 1.21.1: #456 #467 #482
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.95.0 to 1.96.0: #456 #482
• chore(deps): bump actions/setup-go from 6.1.0 to 6.2.0: #459
• chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/storage/azblob from 1.6.3 to 1.6.4: #460
• chore(deps): bump google.golang.org/api from 0.259.0 to 0.265.0: #462 #469 #472 #479 #484 #490
• chore(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4: #463
• chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to 29.2.1+incompatible: #465 #478 #489
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2: #471
• chore(deps): bump golang from 1.25.5 to 1.25.7: #466 #491
• chore(deps): bump github.com/moby/buildkit from 0.26.3 to 0.27.1: #470 #483
• chore(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1: #476
• chore(deps): bump github.com/moby/moby/api from 1.52.0 to 1.53.0: #477
• chore(deps): bump imjasonh/setup-crane from 0.4 to 0.5: #492

v1.26.4

Community Update

• @mesaglio made their first contribution in #435
• @nejch made their first contribution in #445

What's Changed

Standardization

• Skip chown/chmod for paths in ignore list: by @mesaglio in #435
• FF_KANIKO_RUN_VIA_TINI=false reap zombie processes: #211 #450

Performance

• FF_KANIKO_OCI_WARMER=false ocilayout warmer: #307

Maintenance

• chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.2 to 5.7.0: #423
• chore(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0: #424
• chore(deps): bump golang.org/x/sys from 0.38.0 to 0.40.0: #425 #448
• chore(deps): bump golang.org/x/net from 0.47.0 to 0.48.0: #429
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.3 to 1.32.6: #427 #431 #434
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.20.13 to 1.20.18: #427 #431 #433 #434 #441
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.93.0 to 1.95.0: #427 #431 #433 #441
• chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 in the actions group: #430
• chore(deps): bump github.com/docker/cli from 29.1.2+incompatible to 29.1.4+incompatible: #432 #451
• chore(deps): github.com/moby/buildkit from 0.26.2 to 0.26.3: #434
• chore(deps): bump google.golang.org/api from 0.257.0 to 0.259.0: #436 #447
• chore(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0: #437
• chore(deps): bump github.com/moby/go-archive from 0.1.0 to 0.2.0: #438
• chore(deps): bump github.com/GoogleCloudPlatform/docker-credential-gcr/v2 from 2.1.30 to 2.1.31: #439
• chore(deps): bump github.com/docker/docker-credential-helpers from 0.9.4 to 0.9.5: #451

Fork Related

• update docs: #426
• chore(ci): run staticcheck: by @nejch in #445

Refactorings

• staticcheck: golang.org/x/net/context is deprecated: #442

v1.26.3

Community Update

We thank our sponsor L3montree for their generous support and commitment to open-source sustainability.

@brandon1024 made their first contribution in #407

What's Changed

Security

• go stdlib v1.25.4: CVE-2025-61729 CVE-2025-61727

Standardization

• cache mount option implements additional flags: #390
• FF_KANIKO_RUN_MOUNT_SECRET=false secret mounts: #391 #409

Usability

• new subcommand executor login to authenticate with a registry: by @brandon1024 in #407

Maintenance

• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.31.20 to 1.32.3: #400 #406 #408 #418
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.20.7 to 1.20.13: #399 #406 #408 #418
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.90.2 to 1.92.1: #399 #408
• chore(deps): bump github.com/moby/buildkit from 0.26.1 to 0.26.2: #399
• chore(deps): bump actions/checkout from 5.0.1 to 6.0.1: #405 #415
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.3 to 5.16.4: #406
• chore(deps): bump github.com/google/go-containerregistry from 0.20.6 to 0.20.7: #408
• chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.2+incompatible: #411 #418
• chore(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 in the actions group: #412
• chore(deps): bump google.golang.org/api from 0.256.0 to 0.257.0: #417
• chore(deps): bump golang from 1.25.4 to 1.25.5: #414
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.40.0 to 1.40.1: #418
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2: #418
• chore(deps): bump cloud.google.com/go/storage from 1.57.2 to 1.58.0: #421

Fork Related

• docs update: #403
• sponsorships: #413
• ci: rework for clarity: by @babs in #419

v1.26.2

What's Changed

Security

• golang.org/x/crypto 0.44.0: CVE-2025-47914 CVE-2025-58181

Usability

• fix harbor authentication: #369

Maintenance

• chore(deps): bump github.com/moby/moby/api from 1.52.0-beta.4 to 1.52.0: #367 #377
• chore(deps): bump golang.org/x/sync from 0.17.0 to 0.18.0: #374
• chore(deps): bump golang.org/x/sys from 0.37.0 to 0.38.0: #373
• chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login from 0.10.1 to 0.11.0: #376
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.31.17 to 1.31.20: #375 #383 #386
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.20.4 to 1.20.7: #375 #383 #386
• chore(deps): bump google.golang.org/api from 0.255.0 to 0.256.0: #384
• chore(deps): bump golang.org/x/net from 0.46.0 to 0.47.0: #385
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.90.0 to 1.90.2: #383 #386
• chore(deps): bump github.com/moby/buildkit from 0.25.2 to 0.26.1: #387 #395
• chore(deps): bump cloud.google.com/go/storage from 1.57.1 to 1.57.2: #395
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the actions group: #396
• chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0: #397
• chore(deps): bump actions/setup-go from 6.0.0 to 6.1.0 in the actions group: #398
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.39.6 to 1.40.0: #401

Fork Related

• update security overview: #366
• ci: rework, use GHCR as primary, separate dev builds from release: by @babs in #368 #371
• readd maximize disk space: #392

Refactorings

• replace github.com/pkg/errors with stdlib errors: by @BobDu in #370
• staticcheck: global aws endpoint resolver is deprecated: #378
• staticcheck: archive.Compression is deprecated: #380
• staticcheck: xattrs is deprecated: #379
• unittests should call makeKanikoStages directly: #356
• staticcheck: code quality: #372

v1.26.1

Community Update

Please welcome our new maintainers: @0hlov3 @babs @BobDu and @nejch

If you're interested in joining our community too, please reach out here: #304

Also many thanks to @Ashex @ehfd and @YevheniiSemendiak for reporting the issues fixed in this release.

What's Changed

Bugfixes

• squashing breaks ONBUILD instructions: #339
• image-index digests causes warmer cache misses: #321
• fix copy capabilities: #343

Performance

• recompute whether a stage must be saved: #335
• port digest optimization to warmer: #325
• FF_KANIKO_DISABLE_HTTP2=false stop forcing http/2.0: #340

Maintenance

• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.39.2 to 1.39.6: #317 #331 #349 #359
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.31.12 to 1.31.17: #317 #327 #331 #349 #359
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.19.12 to 1.20.4: #317 #327 #331 #341 #344 #349 #359 #363
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.88.4 to 1.90.0: #317 #327 #331 #344 #359 #363
• chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0: #318 #349
• chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/storage/azblob from 1.6.2 to 1.6.3 in the gomod group: #319
• chore(deps): bump google.golang.org/api from 0.252.0 to 0.255.0: #328 #345 #361
• chore(deps): bump cloud.google.com/go/storage from 1.57.0 to 1.57.1 in the gomod group: #346
• chore(deps): bump github.com/moby/moby/api from 1.52.0-beta.2 to 1.52.0-beta.4: #348 #357
• chore(deps): bump github.com/moby/buildkit from 0.25.1 to 0.25.2: #359
• chore(deps): bump github.com/containerd/platforms from 1.0.0-rc.1 to 1.0.0-rc.2: #360
• chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 in the actions group: #358
• chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 in the actions group: #358
• chore(deps): bump golang from 1.25.3 to 1.25.4: #362

Fork Related

• cleanup docs: #315
• cleanup unused release script: by @BobDu in #347
• publish images to ghcr: by @babs in #329 #353
• use upstream images from local registry: #355

Refactorings

• stageIdx is an int: #336

v1.26.0

Update Notice

In this Release we activated three feature flags:

• FF_KANIKO_SQUASH_STAGES
• FF_KANIKO_RUN_MOUNT_CACHE
• FF_KANIKO_NEW_CACHE_LAYOUT

You can roll-back those changes by overriding them in the environment ie.

job:
  variables:
    FF_KANIKO_SQUASH_STAGES: "0"
    FF_KANIKO_RUN_MOUNT_CACHE: "0"
    FF_KANIKO_NEW_CACHE_LAYOUT: "0"

Please also notify us by filing a new issue.

What's Changed

Bugfixes

• skip-unused-stages invalidates numeric references: #306

Performance

• FF_KANIKO_OCI_STAGES=false use ocilayout instead of tarballs during stage transitions: #303

Usability

• activate featureflags for v1.26.0 release: #312

Maintenance

• chore(deps): bump golang.org/x/sys from 0.36.0 to 0.37.0: #296
• chore(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0: #297
• chore(deps): bump golang.org/x/net from 0.45.0 to 0.46.0: #298
• chore(deps): bump github.com/moby/moby/api from 1.52.0-beta.1 to 1.52.0-beta.2: #311
• chore(deps): bump golang from 1.25.2 to 1.25.3: #310

Fork Related

• update docs: #294 #302 #313 #314
• update docs: by @6543 in #300
• enable FF_KANIKO_SQUASH_STAGES in integrationtests: #309

v1.25.6

What's changed

Bugfixes

• parse metaArgs in warmer: #256
• warmer tries to load stage references: #266
• FF_KANIKO_IGNORE_CACHED_MANIFEST=false ignore potentially invalid cached manifest files: by @luxurine in #267
• oversteer predefined args: #277
• skip ignored stages during squash: #283
• don't hardcode kaniko dir: #284
• don't reuse interstage dependencies: #286

Standardization

• FF_KANIKO_RUN_MOUNT_CACHE=false cache mounts: #245 #274

Usability

• allow skip push cache: #268
• FF_KANIKO_NEW_CACHE_LAYOUT=false organize kaniko dir: #285

Maintenance

• remove deprecated github.com/containerd/containerd/platforms: by @BobDu in #252
• drop deprecated packages: #255
• remove github.com/docker/docker/builder as dependency: by @BobDu in #260
• vendor in Lsetxattr: #261
• move github.com/docker/docker/api -> github.com/moby/moby/api: by @BobDu in #258
• drop docker daemon: #263
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.31.8 to 1.31.12: #262 #264 #273 #275
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.19.6 to 1.19.12: #262 #264 #273 #275 #281 #290
• chore(deps): bump cloud.google.com/go/storage from 1.56.2 to 1.57.0: #265
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.39.0 to 1.39.2: #264 #273
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.88.1 to 1.88.4: #264 #273 #290
• chore(deps): bump google.golang.org/api from 0.249.0 to 0.252.0: #269 #278 #292
• chore(deps): bump github.com/moby/buildkit from 0.24.0 to 0.25.1: #279 #290
• chore(deps): bump github.com/docker/docker-credential-helpers from 0.9.3 to 0.9.4: #281
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.2 to 5.16.3: #287
• chore(deps): bump golang from 1.25.1 to 1.25.2: #289
• chore(deps): bump golang.org/x/net from 0.44.0 to 0.45.0: #291

Fork Related

• update readme: #254 #288 #293
• rename repository: #270 #271
• 🔗 fix code scanning alert 1: by @cpanato in #272

v1.25.5

What's changed

Bugfixes

• prevent layer overwrites in image resulting in BLOB_UNKNOWN error: by @mafredri in #230
• Adjust the determination priority of runtime under the Kubernetes cluster with cgroupv2: by @lcgash in #235
• avoid skipping siblings if /var/run is a soft-link: #248

Usability

• add env credential helper: #236 #249

Maintenance

• chore(deps): bump github.com/spf13/pflag from 1.0.9 to 1.0.10 in the gomod group: #225
• chore(deps): bump github.com/moby/buildkit from 0.23.2 to 0.24.0: #226
• chore(deps): bump github.com/docker/docker from 28.3.3+incompatible to 28.4.0+incompatible: #228
• chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0: #227
• chore(deps): bump golang from 1.25.0 to 1.25.1 in /deploy: #229
• chore(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0: #232
• chore(deps): bump golang.org/x/sys from 0.35.0 to 0.36.0: #233
• chore(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0: #234
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.38.3 to 1.39.0: #241
• chore(deps): bump github.com/spf13/afero from 1.14.0 to 1.15.0: #239
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.31.6 to 1.31.8: #238 #246
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.19.4 to 1.19.6: #238 #246
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.87.3 to 1.88.1: #238 #246
• chore(deps): bump google.golang.org/api from 0.248.0 to 0.249.0: #240
• chore(deps): bump golang.org/x/net from 0.43.0 to 0.44.0: #242
• chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 in the actions group: #244
• chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 in the actions group: #250
• chore(deps): bump cloud.google.com/go/storage from 1.56.1 to 1.56.2 in the gomod group: #251

Fork Related

• update readme: #223 #253

v1.25.4

What's changed

Bugfixes

• pass correct storage account URL to azure blob client: by @okhaliavka in #201
• AWS ECR immutable tag update error message: by @Sapr0 in #204

Standardization

• add heredoc <<EOF syntax support: #206 #213 #214 #215

Caching

• whiteout annotations to prevent cache misses through --annotation: #209

Performance

• FF_KANIKO_SQUASH_STAGES=false squash stages together skipping inter-stage cleanup & restore: #141

Usability

• new cli option --pre-cleanup to clean the filesystem prior to build, allowing customized kaniko images to work properly: #196
• add git depth option: #203
• add docs for azure chinacloud: #216
• riscv image: #220

Maintenance

• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.38.0 to 1.38.3: #193 #205 #217
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.31.1 to 1.31.6: #193 #207 #205 #210 #217
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.87.0 to 1.87.3: #193 #205 #217
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.18.5 to 1.19.4: #194 #207 #205 #210 #217
• chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.9 in the gomod group: #218
• chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1: #219

Fork Related

• cleanup integration tests: #198 #199 #202 #200 #212
• switch to cross-compilation of images for faster builds: #221

v1.25.3

What's changed

Standardization

• snapshotting preserves atime: #178
• skip snapshotting rootdir: #183
• predefined build args: by @kit101 in #185

Usability

• 🔗 Annotation flag: by @markusthoemmes in #98
• relative OCILayoutPath: by @EladAviczer in #187

Maintenance

• chore(deps): bump actions/checkout from 4.2.2 to 5.0.0: #174
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.30.3 to 1.31.1: #177 #191
• chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.18.3 to 1.18.5: #175 #191
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.86.0 to 1.87.0: #175
• chore(deps): bump golang from 1.24.6 to 1.25.0: #182
• chore(deps): bump google.golang.org/api from 0.246.0 to 0.248.0: #179 #186
• chore(deps): bump cloud.google.com/go/storage from 1.56.0 to 1.56.1 in the gomod group: #188

Fork Related

• pass feature flag into integration tests correctly: #173
• drop karrick/godirwalk in favour of stdlib: #180
• swap out filepath.Walk -> filepath.WalkDir: #181
• add OCI-Annotations to the images: #184