
chore(deps): bump github.com/tektoncd/pipeline from 1.7.0 to 1.9.2 #1517

Open: dependabot[bot] wants to merge 2 commits into main from dependabot/go_modules/github.com/tektoncd/pipeline-1.9.2

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 25, 2026

Contributor

Bumps github.com/tektoncd/pipeline from 1.7.0 to 1.9.2.

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.9.2 "Devon Rex Dreadnought"

  • Docs @ v1.9.2
  • Examples @ v1.9.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a6c7ee52741b34d7b7e9a3277e775365533a3669a49c3be92b372bcbda73ee439

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a6c7ee52741b34d7b7e9a3277e775365533a3669a49c3be92b372bcbda73ee439
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.2/release.yaml
REKOR_UUID=108e9186e8c5677a6c7ee52741b34d7b7e9a3277e775365533a3669a49c3be92b372bcbda73ee439
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.2@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Print the image reference literally and match it as a fixed string, not a regex
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

  • GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

  • Versions are numbered according to semantic versioning: vX.Y.Z
  • A new release is produced on a monthly basis
  • Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
    • LTS releases take place in January, April, July and October every year
    • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
    • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

  • The Tekton Pipeline [release process][tekton-releases-docs]
  • [Installing Tekton][tekton-installation]
  • Standard for [release notes][release-notes-standards]

Release

v1.10

  • Latest Release: [v1.10.2][v1.10-2] (2026-03-18) ([docs][v1.10-2-docs], [examples][v1.10-2-examples])
  • Initial Release: [v1.10.0][v1.10-0] (2026-02-27)
  • End of Life: 2026-03-27
  • Patch Releases: [v1.10.0][v1.10-0], [v1.10.1][v1.10-1], [v1.10.2][v1.10-2]

v1.9 (LTS)

... (truncated)

Commits
  • 3ca7bc6 fix: prevent path traversal in git resolver pathInRepo parameter
  • edc64bb Fix panic in GenerateDeterministicNameFromSpec with long resolver names
  • 5a40b3f tekton: update plumbing ref to latest commit
  • 6941291 ci: add CI summary fan-in job for branch protection
  • e3bd070 tekton: update plumbing ref to include full image references fix
  • 11f5bb2 fix(pipelines): allow pipeline param defaults to use non-param variables
  • 0cc7987 fix: validate taskRef.apiVersion format for custom tasks
  • 13a014c build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1
  • 80ce1d5 build(deps): bump github.com/google/cel-go from 0.26.0 to 0.27.0
  • a7bac62 chore(ci): update cherry-pick workflow to fix multi-commit PRs
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
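
The v1.9.2 release notes quoted above describe the GHSA-j5q5-j9gm-2w5c fix as validating the pathInRepo parameter. As an added illustration (not Tekton's code and not part of this PR), the Go sketch below contrasts an unchecked join with a lexical containment check; `naiveJoin`, `resolveInRepo`, `ErrEscapesRepo` and the sample paths are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRepo is returned when pathInRepo would resolve outside the checkout.
var ErrEscapesRepo = errors.New("pathInRepo escapes the repository root")

// naiveJoin shows the unsafe pattern: Join collapses "..", so the result
// can point anywhere on the filesystem the process can read.
func naiveJoin(repoRoot, pathInRepo string) string {
	return filepath.Join(repoRoot, pathInRepo)
}

// resolveInRepo (hypothetical helper) returns the cleaned path for pathInRepo,
// or an error if it is empty, absolute, or climbs out of repoRoot.
func resolveInRepo(repoRoot, pathInRepo string) (string, error) {
	if pathInRepo == "" {
		return "", errors.New("pathInRepo is empty")
	}
	if filepath.IsAbs(pathInRepo) {
		return "", ErrEscapesRepo
	}
	root := filepath.Clean(repoRoot)
	full := filepath.Join(root, pathInRepo)
	// Rel expresses full relative to root; a leading ".." element means escape.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRepo
	}
	return full, nil
}

func main() {
	root := "/tmp/checkout" // constructed sample values, not from the page
	samples := []string{"task/build.yaml", "a/../task.yaml", "../../etc/passwd", "/etc/passwd", "..foo/task.yaml"}
	for _, p := range samples {
		full, err := resolveInRepo(root, p)
		fmt.Printf("%-20q naive=%-30s checked=%q err=%v\n", p, naiveJoin(root, p), full, err)
	}
}
```

The check is lexical only: a symlink inside the checkout can still point outside it, so code that reads the file should also resolve the result with `filepath.EvalSymlinks` and repeat the containment test.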

Bumps [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) from 1.7.0 to 1.9.2.
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v1.7.0...v1.9.2)

---
updated-dependencies:
- dependency-name: github.com/tektoncd/pipeline
  dependency-version: 1.9.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 25, 2026
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Mar 25, 2026
@dependabot dependabot Bot requested a review from NigelByrne1 as a code owner March 25, 2026 18:27
@dependabot dependabot Bot added the go Pull requests that update Go code label Mar 25, 2026
@snyk-io

snyk-io Bot commented Mar 25, 2026


Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@codecov-commenter

codecov-commenter commented Mar 25, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.52%. Comparing base (344e692) to head (2b3a78b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1517      +/-   ##
==========================================
- Coverage   65.55%   65.52%   -0.04%     
==========================================
  Files          59       59              
  Lines        8182     8182              
==========================================
- Hits         5364     5361       -3     
- Misses       2184     2186       +2     
- Partials      634      635       +1     
Flag Coverage Δ
unit-tests 65.52% <ø> (-0.04%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@kasemAlem

Contributor

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Mar 26, 2026

Contributor Author

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@dependabot @github

dependabot Bot commented on behalf of github Apr 24, 2026

Contributor Author

Dependabot can't resolve your Go dependency files. Because of this, Dependabot cannot update this pull request.

@kasemAlem

Contributor

/retest

@konflux-ci-qe-bot


Scenario: konflux-e2e
@dependabot[bot]: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name Status Rerun command Build Log Test Log
konflux-e2e-l72v8 Failed /retest View Pipeline Log View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/konflux-team/integration-service:konflux-e2e-l72v8

Test results analysis

🚨 Failed to provision a cluster, see the log for more details:


@dependabot @github

dependabot Bot commented on behalf of github May 22, 2026

Contributor Author

A newer version of github.com/tektoncd/pipeline exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@kasemAlem

Contributor

/retest
