v0.73.0

0.73.0 (2026-02-20)

⚠ BREAKING CHANGES

• SDK: avoid os exit in cmd (#4615)

Features

• SDK: avoid os exit in cmd (#4615) (7f67816)
• split wait-for command (#4614) (3340ead)

Bug Fixes

• wait: properly resolve kind when group conflicts between resources (#4628) (db3cd9d)

What's Changed

🚀 Updates

• feat(SDK)!: avoid os exit in cmd by @AustinAbro321 in #4615
• feat: split wait-for command by @AustinAbro321 in #4614
• fix(wait): properly resolve kind when group conflicts between resources by @AustinAbro321 in #4628
• chore(main): release 0.73.0 by @zarf-release-please[bot] in #4627

📦 Dependencies

• chore(deps): bump the golang group across 1 directory with 2 updates by @dependabot[bot] in #4624
• chore(deps): bump the k8s group across 1 directory with 4 updates by @dependabot[bot] in #4623

Full Changelog: v0.72.0...v0.73.0

v0.72.0

0.72.0 (2026-02-19)

⚠ BREAKING CHANGES

• bundle: bundle feature flag and version requirement (#4600)

Features

• add ability to supply custom init package (#4562) (f09b126)

Bug Fixes

• bundle: bundle feature flag and version requirement (#4600) (24f2738)
• make: always run unit tests with -race flag (#4610) (76950b3)
• skeleton: better error for missing skeleton (#4611) (25b3c78)
• template variables and values in .wait actions (#4604) (bfc0582)
• use cli tmpdir arg for image unpacks (#4618) (ea6dc0f)
• wait: ensure cluster is connectable in loop (#4616) (ade37d0)

Refactoring

• wait: avoid shelling out to kubectl during wait (#4567) (3660ece)

What's Changed

🚀 Updates

• chore(main): release 0.72.0 by @zarf-release-please[bot] in #4602

Full Changelog: v0.72.0-rc1...v0.72.0

v0.72.0-rc1

What's Changed

🚀 Updates

• test: move build machine info test to e2e-without-cluster by @AustinAbro321 in #4597
• feat: add ability to supply custom init package by @a1994sc in #4562
• refactor(wait): avoid shelling out to kubectl during wait by @AustinAbro321 in #4567
• fix: template variables and values in .wait actions by @AustinAbro321 in #4604
• fix(make): always run unit tests with -race flag by @soltysh in #4610
• fix(bundle)!: bundle feature flag and version requirement by @brandtkeller in #4600
• fix(skeleton): better error for missing skeleton by @brandtkeller in #4611
• chore(docs): update signing deprecation notice by @brandtkeller in #4612
• fix: use cli tmpdir arg for image unpacks by @goubew in #4618
• chore(deps): bump cosign to v3.0.5 by @brandtkeller in #4619
• fix(wait): ensure cluster is connectable in loop by @AustinAbro321 in #4616

📦 Dependencies

• chore(deps): bump actions/setup-go from 6.1.0 to 6.2.0 in the actions-organization group by @dependabot[bot] in #4593
• chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #4594
• chore(deps): bump github/codeql-action from 4.32.0 to 4.32.2 by @dependabot[bot] in #4596
• chore(deps): bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 by @dependabot[bot] in #4595
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 by @dependabot[bot] in #4599
• chore(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @dependabot[bot] in #4607

New Contributors

• @goubew made their first contribution in #4618

Full Changelog: v0.71.1...v0.72.0-rc1

v0.72.0-rc1-helm-4

This R.C. was created to give users a chance to test out the upgrade to Helm 4. Here is a summary of the most impactful changes to Zarf:

• Helm 4 introduces Server Side Apply. If it is a first time chart install then server side apply will be used by default. Upgrades default to the apply method that was used in the latest deployment. To control the apply method for a specific packaged chart, a new field .Charts[x].ServerSideApply has been introduced with possible values true, false, auto . Auto will follow the default Helm behavior.
  • A good example of how this could effect some charts can be seen in the init package registry deployment. Server side apply caught that replicas were set even when they were controlled by the autoscaler, which led to a conflict error. To solve this we conditionally set replicas when the autoscaler is not enabled.
    -SSA enforces stricter field validation, if a field does not pass schema validation, you will receive an error instead of a warning.
• Helm now uses slog style logging.
• zarf tools helm is now a true copy of the Helm CLI. Previously, this command was a quasi fork of a subset of the Helm CLI and received infrequent updates. Zarf maintainer contributions made this functionality possible #13617
• Helm's now uses kstatus as a backend for it's wait logic, since Zarf already used kstatus after Helm deploys the wait logic should be near identical to earlier Zarf versions. Zarf maintainers contributed this functionality to Helm in #13604

What's Changed

🚀 Updates

• test: move build machine info test to e2e-without-cluster by @AustinAbro321 in #4597
• feat: add ability to supply custom init package by @a1994sc in #4562

📦 Dependencies

• chore(deps): bump actions/setup-go from 6.1.0 to 6.2.0 in the actions-organization group by @dependabot[bot] in #4593
• chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #4594
• chore(deps): bump github/codeql-action from 4.32.0 to 4.32.2 by @dependabot[bot] in #4596
• chore(deps): bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 by @dependabot[bot] in #4595
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 by @dependabot[bot] in #4599

Full Changelog: v0.71.1...v0.72.0-rc1-helm-4

v0.71.1

0.71.1 (2026-02-06)

Bug Fixes

• actions: shell quote action wait bug (#4588) (331f46e)

What's Changed

🚀 Updates

• fix(actions): shell quote action wait bug by @AustinAbro321 in #4588
• chore(main): release 0.71.1 by @zarf-release-please[bot] in #4590

Full Changelog: v0.71.0...v0.71.1

v0.71.0

0.71.0 (2026-02-04)

⚠ BREAKING CHANGES

• registry-proxy: built-in mtls support (#4162)
• wait: create wait package and call it directly within actions (#4549)
• remove global plainHTTP and insecureSkipTLSVerify in favor of optional parameters (#4561)
• move v1alpha1 validation logic to it's own package (#4544)

Features

• add nodeSelector to zarf agent and registry charts (#4565) (a23e909)
• error early during healthchecks when status is terminal (#4547) (eb54546)
• prune: allow for pruning to continue on manifest unknown (#4566) (6814ead)
• registry-proxy: built-in mtls support (#4162) (b493381)
• release: add release please workflow and docs (#4558) (b4cb102)
• remove direct usage of parent command zarf package inspect (#4548) (1904293)
• remove global plainHTTP and insecureSkipTLSVerify in favor of optional parameters (#4561) (3eed404)
• sign: implement support for sigstore bundle format (#4519) (9c3d446)
• values: support for chart values merge (#4581) (81df552)

Bug Fixes

• helm: preserve block scalar semantics (#4541) (8655c1c)

Refactoring

• move v1alpha1 validation logic to it's own package (#4544) (502a6be)
• wait: create wait package and call it directly within actions (#4549) (2498e1c)

What's Changed

🚀 Updates

• feat: remove direct usage of parent command zarf package inspect by @AustinAbro321 in #4548
• fix(helm): preserve block scalar semantics by @brandtkeller in #4541
• feat: error early during healthchecks when status is terminal by @AustinAbro321 in #4547
• docs: fix grammatical error in OnlyHasImageLayers doc comment by @jasonwashburn in #4552
• chore: update dos games package 1.3.0 by @AustinAbro321 in #4555
• docs: clarify data injections deprecation timeline by @AustinAbro321 in #4556
• chore: update dos-games references to 1.3 by @AustinAbro321 in #4557
• refactor!: move v1alpha1 validation logic to it's own package by @AustinAbro321 in #4544
• feat(release): add release please workflow and docs by @brandtkeller in #4558
• feat(sign): implement support for sigstore bundle format by @brandtkeller in #4519
• feat(prune): allow for pruning to continue on manifest unknown by @brandtkeller in #4566
• feat: add nodeSelector to zarf agent and registry charts by @rodneyxr in #4565
• feat!: remove global plainHTTP and insecureSkipTLSVerify in favor of optional parameters by @AustinAbro321 in #4561
• chore: update TSC list in CONTRIBUTING.md by @mkcp in #4575
• chore(docs): add Brandt Keller to TSC by @brandtkeller in #4578
• feat(values): support for chart values merge by @brandtkeller in #4581
• refactor(wait)!: create wait package and call it directly within actions by @AustinAbro321 in #4549
• feat(registry-proxy)!: built-in mtls support by @AustinAbro321 in #4162
• chore(main): release 0.71.0 by @zarf-release-please[bot] in #4564

📦 Dependencies

• chore(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by @dependabot[bot] in #4554
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions-organization group by @dependabot[bot] in #4553
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.23.0 by @dependabot[bot] in #4534
• chore(deps): bump github/codeql-action from 4.31.11 to 4.32.0 by @dependabot[bot] in #4576

New Contributors

• @zarf-release-please[bot] made their first contribution in #4564

Full Changelog: v0.70.1...v0.71.0

v0.70.1

What's Changed

🚀 Updates

• feat: deprecate data injections by @AustinAbro321 in #4068
• feat(build): support arch detection and macos development by @brandtkeller in #4512
• feat(agent): mutate read-only OCI volumes by @a1994sc in #3235
• feat: add support for Argo CD ApplicationSets by @robinlieb in #4348
• feat!: remove insecure flag by @AustinAbro321 in #4521
• docs: update kiwix example and migration guide to use read-only oci volumes by @AustinAbro321 in #4520
• fix: inputting the same credentials as zarf state should not re-generate passwords by @AustinAbro321 in #4523
• chore(deps): npm updates for /site by @brandtkeller in #4526
• docs: replace adr reference with zep reference by @AustinAbro321 in #4532
• feat(load): support explicit VerificationStrategy by @brandtkeller in #4540
• chore(docs): 2026 roadmap by @brandtkeller in #4525
• feat: move value pkg out of internal by @mkcp in #4543
• feat: add --set-values flags and migrate --set to alias new --set-variables by @mkcp in #4466

📦 Dependencies

• chore(deps): bump the golang group across 1 directory with 2 updates by @dependabot[bot] in #4514
• chore(deps): bump the actions-organization group with 2 updates by @dependabot[bot] in #4529
• chore(deps): bump github/codeql-action from 4.31.9 to 4.31.10 by @dependabot[bot] in #4530
• chore(deps): bump the k8s group across 1 directory with 5 updates by @dependabot[bot] in #4485
• chore(deps): bump github.com/sigstore/fulcio from 1.8.3 to 1.8.5 by @dependabot[bot] in #4517
• chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.3 to 3.0.4 by @dependabot[bot] in #4515
• chore(deps): bump diff from 5.2.0 to 5.2.2 in /site by @dependabot[bot] in #4533

Full Changelog: v0.69.0...v0.70.1

v0.69.0

👋 Hey Everyone! Zarf v0.69.0 has been released. :zarf:

Notably we have a few SDK breaking changes as we charge towards v1.0.0 (expect more on this soon):

1. Support for the injector being architecture aware (and thus only scheduling on a matching architecture node) has required updates to the cluster.StartInjection() function. This only impacts those who are using the SDK for injection.
2. SkipSignatureValidation has been removed from the packager.LoadOptions and layout.PackageLayoutOptions structs with the addition of a Verify field. This change impacts SDK users who explicitly set the SkipSignatureValidation field on the mentioned options.

Regarding package verification and item 2 above - Zarf is now attempting verification when possible on all deployments but only enforcing verification when --verify is set (or package.verify: true in your config file). See issue #4048 for more context on decision. --skip-signature-validation flag has been deprecated but retained so as to not break any users with automation.

Note!: If you are explicitly relying on Zarf to fail deployments based on verification - you will need to set --verify to have parity with previous behaviors.

Other improvements or fixes:

• k3s upstream bugs and init package updates - #4435
• fixes for flux objects with the registry proxy feature - #4486
• arbitrary manifest naming support - #4493

As well as other dependency updates and bug fixes for user and development experience.

Thanks to all of those who contributed to this release!

What's Changed

🚀 Updates

• feat!: update injector to respect arch of package by @a1994sc in #4405
• test: use arch of local machine in external tests by @robinlieb in #4488
• chore(dependencies): update k3s version to 1.34.3 by @AustinAbro321 in #4435
• feat: log git repo clone by @AustinAbro321 in #4498
• fix: properly mutate flux ocirepo and helmrepo objects when using the registry proxy by @AustinAbro321 in #4486
• chore: remove re-declared vars in test loops by @AustinAbro321 in #4500
• fix: remove values log by @AustinAbro321 in #4503
• CI: image archive test flake by @AustinAbro321 in #4506
• feat(create): allow creation with specified and arbitrary manifest file by @brandtkeller in #4493
• feat!(verify): deprecate --skip-signature-validation in favor of --verify by @brandtkeller in #4457

📦 Dependencies

• chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @dependabot[bot] in #4494
• chore(deps): bump the cosign-providers group across 1 directory with 4 updates by @dependabot[bot] in #4478
• chore(deps): bump helm.sh/helm/v3 from 3.19.3 to 3.19.4 by @dependabot[bot] in #4483
• chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 by @dependabot[bot] in #4496
• chore(deps): bump github.com/goccy/go-yaml from 1.19.0 to 1.19.1 by @dependabot[bot] in #4497
• chore(deps): bump github.com/fluxcd/pkg/apis/meta from 1.23.0 to 1.24.0 by @dependabot[bot] in #4502
• chore(deps): bump github.com/goccy/go-yaml from 1.19.1 to 1.19.2 by @dependabot[bot] in #4504

Full Changelog: v0.68.1...v0.69.0

v0.69.0-rc1

What's Changed

🚀 Updates

• feat!: update injector to respect arch of package by @a1994sc in #4405
• test: use arch of local machine in external tests by @robinlieb in #4488
• chore(dependencies): update k3s version to 1.34.3 by @AustinAbro321 in #4435
• feat: log git repo clone by @AustinAbro321 in #4498
• fix: properly mutate flux ocirepo and helmrepo objects when using the registry proxy by @AustinAbro321 in #4486
• chore: remove re-declared vars in test loops by @AustinAbro321 in #4500
• fix: remove values log by @AustinAbro321 in #4503
• CI: image archive test flake by @AustinAbro321 in #4506
• feat(create): allow creation with specified and arbitrary manifest file by @brandtkeller in #4493
• feat!(verify): deprecate --skip-signature-validation in favor of --verify by @brandtkeller in #4457

📦 Dependencies

• chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @dependabot[bot] in #4494
• chore(deps): bump the cosign-providers group across 1 directory with 4 updates by @dependabot[bot] in #4478
• chore(deps): bump helm.sh/helm/v3 from 3.19.3 to 3.19.4 by @dependabot[bot] in #4483
• chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 by @dependabot[bot] in #4496
• chore(deps): bump github.com/goccy/go-yaml from 1.19.0 to 1.19.1 by @dependabot[bot] in #4497
• chore(deps): bump github.com/fluxcd/pkg/apis/meta from 1.23.0 to 1.24.0 by @dependabot[bot] in #4502
• chore(deps): bump github.com/goccy/go-yaml from 1.19.1 to 1.19.2 by @dependabot[bot] in #4504

Full Changelog: v0.68.1...v0.69.0-rc1

v0.68.1

What's Changed

🚀 Updates

• fix!: correct proxy var by @AustinAbro321 in #4451
• refactor!: generate schema within Zarf by @AustinAbro321 in #4392
• fix(tools,wait): add an http client with a timeout slightly shorter than waitInterval to wait.go by @mkcp in #4453
• fix(deps): bump cosign to v3.0.3 to resolve vulnerabilities by @brandtkeller in #4462
• fix(make): add linxu arm detection to make build by @brandtkeller in #4465
• chore(schema): synchronize v1alpha1 schema with generation by @brandtkeller in #4463
• feat: add ability to store package documentation by @AustinAbro321 in #4393
• feat: support importing image archives into a package by @AustinAbro321 in #4334
• fix: use fully qualified reference during image archive duplication check by @AustinAbro321 in #4489
• fix: move image archive validation to assemble by @AustinAbro321 in #4490

📦 Dependencies

• chore(deps): bump github/codeql-action from 4.31.5 to 4.31.7 by @dependabot[bot] in #4449
• chore(deps): bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 by @dependabot[bot] in #4448
• chore(deps): bump the actions-organization group with 3 updates by @dependabot[bot] in #4447
• chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.2 to 5.7.0 by @dependabot[bot] in #4450
• chore(deps): bump the golang group across 1 directory with 3 updates by @dependabot[bot] in #4455
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @dependabot[bot] in #4433
• chore(deps): bump the cosign-providers group across 1 directory with 4 updates by @dependabot[bot] in #4459
• chore(deps): bump github.com/fairwindsops/pluto/v5 from 5.22.6 to 5.22.7 by @dependabot[bot] in #4461
• chore(deps): bump helm.sh/helm/v3 from 3.19.2 to 3.19.3 by @dependabot[bot] in #4472
• chore(deps): bump the k8s group across 1 directory with 6 updates by @dependabot[bot] in #4468
• chore(deps): bump the actions-organization group with 2 updates by @dependabot[bot] in #4475
• chore(deps): bump codecov/codecov-action from 5.5.1 to 5.5.2 by @dependabot[bot] in #4477
• chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by @dependabot[bot] in #4476
• chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.11 to 1.4.12 by @dependabot[bot] in #4479
• chore(deps): bump github.com/mikefarah/yq/v4 from 4.49.2 to 4.50.1 by @dependabot[bot] in #4480

Full Changelog: v0.67.0...v0.68.1