Release v0.9.2

Security:

• xz upgrade fixes CVE-2025-58058 (PR 989)

Miscellaneous:

• Fix CLI lint errors. (PR 983)
• Cleanup version output. (PR 985)
• Dockerfile cleanup. (PR 986)

Contributors:

• @sudo-bmitch

Release v0.9.1

Features:

• Allow relative urls in bearer auth. (PR 963)
• Add "ns" query param to registry mirror requests. (PR 976)

Miscellaneous:

• Update to SLSA v1 provenance. (PR 968)
• Add a "make clean" command. (PR 969)

Contributors:

• @sudo-bmitch
• @wjordan

Release v0.9.0

Breaking:

• Drop support for 3rd Go release because of upstream forced upgrades (see golang/go#69095). (PR 948)

Features:

• Add a script to reproduce regclient images. (PR 940)
• Support IPv6 hosts. (PR 956)

Fixes:

• Convert docker attestations built with oci-artifact=true. (PR 949)
• Allow duplicate keys in yaml config. (PR 952)

Miscellaneous:

• Migrate yaml library. (PR 947)
• Convert the build to use OCI style attestations. (PR 950)

Contributors:

• @JimmyMa
• @sudo-bmitch

Release v0.8.3

Features:

• Add ref.AddDigest method that does not unset the tag. (PR 910)
• Adding a regctl registry whoami command. (PR 912)
• Improve regctl image check-base output. (PR 917)
• regsync option to abort on errors. (PR 924)
• Improve fallback tag handling. (PR 925)
• regctl flag to ignore missing images on delete. (PR 930)

Fixes:

• Validate registry names. (PR 911)
• Escape regexp example. (PR 920)
• Auth header parsing. (PR 936)

Changes:

• Update supported Go releases to 1.22, 1.23, and 1.24. (PR 909)
• Modernize Go to the 1.22 specs. (PR 910)
• Refactor cobra commands. (PR 915)
• Include Docker Hub repository documentation. (PR 918)
• Move documentation pointers to the website. (PR 939)

Contributors:

• @sudo-bmitch

Release v0.8.2

This fixes a regression in v0.8.1 for users authenticating using a refresh token.

Fixes:

• Allow authentication with a token. (PR 908)

Contributors:

• @sudo-bmitch

Release v0.8.1

Security:

• Go v1.23.6 fixes CVE-2025-22866. (PR 906)

Features:

• Improve regctl arg completion. (PR 895)
• Add cobra command for documentation. (PR 900)

Fixes:

• Do not request offline refresh token. (PR 893)
• Ignore unsupported entries in docker config. (PR 894)
• Align log levels with slog. (PR 901)
• Interval overrides a default schedule in regsync and regbot. (PR 904)

Miscellaneous:

• Adding a logo. (PR 889)

Contributors:

• @obaibula
• @sudo-bmitch

Release v0.8.0

Highlights

There are three headline changes in this release: slog support, external referrers, and deprecating legacy packages.

This release switches from logrus to slog.
Migration methods are included to minimize the impact on existing users.
Anyone parsing the logging output from regctl, regsync, and regbot will notice the format has changed.

External referrers allow referrers to be pushed and pulled from a separate repository from the subject image.
This feature requires users to provide the external repository themselves since a registry has no way to communicate this to the user.
An example use case of this feature are third parties, like security scanners, providing attestations of images they do not control.

Legacy packages have been disabled by default and will eventually be removed.
To continue using legacy packages until their removal, you may compile with -tags legacy.

Breaking

• Breaking: Warning handlers switched from logrus to slog which will only impact those with a custom warning handler. (PR 847)
• Breaking: Disable legacy packages by default. (PR 852)

Features

• Feat: Refactor logging to use log/slog. (PR 847)
• Feat: Switch regbot to slog. (PR 849)
• Feat: Switch regctl to slog. (PR 850)
• Feat: Switch regsync to slog. (PR 851)
• Feat: Move logrus calls into files excluded by wasm. (PR 853)
• Feat: Allow plus in ocidir path. (PR 856)
• Feat: Support referrers in an external repository. (PR 866)
• Feat: Image mod environment variables. (PR 867)
• Feat: Include source in referrers response. (PR 870)
• Feat: Add external flag to regctl artifact put. (PR 873)
• Feat: Copy image with external referrers. (PR 874)
• Feat: Document community maintained packages. (PR 878)
• Feat: Support external referrers in regsync. (PR 881)
• Feat: Support incomplete subject descriptor. (PR 885)

Fixes

• Fix: Inject release notes by file. (PR 854)
• Fix: Platform test for darwin/macos should not add variant. (PR 879)
• Fix: Handle repeated digest in copy with external referrers. (PR 882)

Chores

• Chore: Improve error message when inspecting artifacts. (PR 862)
• Chore: Remove unused short arg parameters. (PR 877)

Contributors

• @sudo-bmitch

Release v0.7.2

Breaking Changes:

The breaking changes are to internal methods and undocumented features that should not be encountered by users.

• Update scheme to use pqueue instead of throttle. (PR 803)
• Removes an undocumented API for deleting images from Hub. (PR 803)
• config.Host.Throttle() has been removed. Use scheme.Throttler instead. (PR 813)

Features:

• Significant refactor of http APIs to speed up image copies. (PR 803)
• Add a priority queue for network requests. (PR 803)
• Move logging into transport and rework backoff. (PR 803)
• Remove default rate limit. (PR 803)
• Add priority queue algorithm and reorder image copy steps. (PR 803)
• Consolidate warnings. (PR 810)
• Limit number of retries for a request. (PR 812)
• Add default host config. (PR 821)

Fixes:

• Update GHA output generating steps. (PR 800)
• Lookup referrers when registry does not give digest with head. (PR 801)
• Support auth on redirect. (PR 805)
• Prevent data race when reading blob and seeking. (PR 814)
• Detect integer overflows on type conversion. (PR 830)
• Add a warning if syft is not installed. (PR 841)
• Race condition in the pqueue tests. (PR 843)
• Dedup warnings on image mod. (PR 846)

Chores:

• Update staticcheck and fix linter warnings for Go 1.23. (PR 804)
• Remove digest calculation from reghttp. (PR 803)
• Remove ReqPerSec in tests. (PR 806)
• Move throttle from config to reghttp. (PR 813)
• Refactoring to remove globals in regsync. (PR 815)
• Refactor to remove globals in regbot. (PR 816)
• Remove throttle package. (PR 817)
• Update version-bump config for processors. (PR 828)
• Update config to use yaml anchors and aliases (PR 829)
• Do not automatically assign myself to GitHub issues. (PR 831)
• Remove OpenSSF scorecard and best practices. (PR 832)
• Update docker image base filesystem. (PR 837)

Contributors:

• @sudo-bmitch

Release v0.7.1

PR 798 fixes an issue where a malicious registry could return a pinned manifest different from the request.
Commands like regctl manifest get $image@$digest will now verify the digest of the returned manifest matches the request rather than the registry headers.

Security updates:

• Validate the digest of the ref when provided. (PR 798) (GHSA-qv35-3gw6-8q4j)

Features:

• Add a WithDockerCredsFile() regclient.Opt. (PR 784)
• Add regctl artifact get --config option to only return the config. (PR 795)

Fixes:

• Detect amd64 variants for --platform local. (PR 782)
• Mod tracking of changed manifests. (PR 783)
• Tar path separator should always be a /. (PR 788)

Other Changes:

• Remove docker build cache in GHA. (PR 780)

Contributors:

• @mmonaco
• @stormyyd
• @sudo-bmitch

Release v0.7.0

CVEs:

• CVE-2024-24790 fix included with Go 1.22.4 upgrade. (PR 762)
• CVE-2024-24791 fix included with Go 1.22.5 upgrade. (PR 777)

Breaking:

• regctl registry set and regctl registry login will return a non-zero if the ping fails. (PR 751)
• Removed WithFS which required access to an internal interface to use. (PR 772)

Features:

• Add an experimental regctl ref command. (PR 765)
• Support digest algorithms beyond sha256. (PR 776)
• Support modifying the digest algorithm on an image. (PR 776)
• Experimental support for pushing tagged manifests with different digest algorithms. (PR 778)

Fixes:

• Prevent panic on interrupted image mod. (PR 746)
• Enable deletion on olareg tests. (PR 758)
• Allow ~ (tilde) in ocidir reference paths. (PR 763)
• Allow well known architectures as a platform. (PR 771)
• Validate digests before calling methods that could panic. (PR 776)

Other changes:

• Refactor pulling manifests by platform. (PR 768)
• Cleanup Dockerfile linter warnings. (PR 770)
• Enable docker caching of GHA builds. (PR 773)
• Include a contributor list in the readme. (PR 774)

Contributors:

• @sudo-bmitch
• @thesayyn