fix(deps): update module github.com/tektoncd/pipeline to v1.14.0#1756

Open
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/github.com-tektoncd-pipeline-1.x
Conversation

@red-hat-konflux

Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/tektoncd/pipeline v1.13.1 -> v1.14.0 age confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.14.0: Tekton Pipeline release v1.14.0 "Chartreux Cait Sith"

Compare Source

🎉 🐱 Pipelines in Pipelines by ref, leaner controllers & sturdier reconcilers 🤖 🎉

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.14.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677aa9d0ba4d268af76a6ffef1ad43d8ad6966ceef7663859284b3163eddafaa94ab

Obtain the attestation:

REKOR_UUID=108e9186e8c5677aa9d0ba4d268af76a6ffef1ad43d8ad6966ceef7663859284b3163eddafaa94ab
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.14.0/release.yaml
REKOR_UUID=108e9186e8c5677aa9d0ba4d268af76a6ffef1ad43d8ad6966ceef7663859284b3163eddafaa94ab

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.14.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat(tracing): record errors on TaskRun createPod and update spans (#​10273)

Errors creating a Pod or updating a TaskRun are now recorded on the TaskRun reconciler trace spans, so failures are visible in distributed traces.

  • ✨ feat(tracing): record errors on createTaskRun and createCustomRun spans (#​10272)

Errors creating a child TaskRun or CustomRun are now recorded on the PipelineRun reconciler trace spans, so failures are visible in distributed traces.

  • ✨ feat(tracing): add spans to PipelineRun cancel and timeout paths (#​10269)

Add tracing spans to the PipelineRun cancel and timeout code paths, so cancellation and timeout of a run and its children are visible in distributed traces.

  • ✨ feat(tracing): inject traceID and spanID into structured log output (#​10140)

Inject traceID and spanID into structured log output for TaskRun and PipelineRun reconcilers when tracing is enabled, enabling log-to-trace correlation in observability platforms.

  • ✨ feat(notifications): add tracing spans to CustomRun reconciler (#​10097)

[ENHANCEMENT] notifications: add OTel tracing spans to CustomRun reconciler (ReconcileKind, ReconcileRunObject, EmitCloudEvents)

  • ✨ feat(notifications): add tracing spans to PipelineRun notifications reconciler (#​10266)
  • ✨ feat(tracing): add spans to TaskRun validation functions (#​9907)

Fixes

  • 🐛 fix: bump Go to 1.26.4 for CVEs (#​10338)

Bump Go to 1.26.4 for CVE remediation.

  • 🐛 fix(taskrun): prevent concurrent map writes when resolving StepAction refs (#​10324)

Fixed a controller crash ("concurrent map writes") that could occur while resolving multiple StepAction references when the Task uses an object parameter with both a default and a TaskRun-provided value.

  • 🐛 fix: extract correct full Rekor EntryID from API response (#​10315)

Fix Rekor EntryID extraction in release pipeline to publish correct 80-char EntryIDs instead of truncated 64-char hashes.

  • 🐛 fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#​10242)

Before this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

  • 🐛 Fix cross-arch platform command lookup in entrypoint (#​10077)

Fix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.

  • 🐛 Fix #​7756 - Validate variable references in Pipeline task params (#​10050)

Pipeline validation now rejects invalid variable references like $(new_image) in task parameters with a clear error message, instead of silently accepting them or crashing the webhook. Users who accidentally use $() (Tekton variable syntax) instead of ${} (shell variable syntax) in Pipeline param values will now receive a helpful validation error indicating the valid prefixes (params, tasks, finally, context, workspaces).

  • 🐛 fix issue #8255 - separating step level and task level validation. Va… (#10007)

Fix validation error when a Task uses both spec.results and spec.steps[].results in the same step script

  • 🐛 fix: override OCI labels in ko publish task (#​9965)

Fix incorrect OCI image labels (title, url, description) inherited from base image in published pipeline images

  • 🐛 ci: add missing issues:write permission to cherry-pick workflow (#​10257)
  • 🐛 fix: replace symlinks with subpath params in create-draft-release (#​10203)
  • 🐛 Fix race condition in TestStepTimeout (#​10188)
  • 🐛 fix: correct alpine/k8s image reference in release pipeline (#​10143)
  • 🐛 test: use mirror.gcr.io/busybox in step_when_test to avoid Docker Hub flakes (#​10327)

Misc

  • 🔨 chore: move patch release cron from Thursday to Tuesday (#​10278)
  • 🔨 test(resolvers): cover resolved resource validation kinds (#​10250)
  • 🔨 chore: switch base image to ghcr.io/tektoncd/plumbing/static-base (#​10240)
  • 🔨 build(deps): bump tektoncd/pipeline to v1.13.0 in test modules (#​10225)
  • 🔨 [TEP-0056] Reuse fixture in PinP parent-not-found test (#​10207)
  • 🔨 chore: remove stale TODOs referencing closed issues #​4723 and #​6097 (#​10187)
  • 🔨 chore: remove stale TODO referencing closed issue #​4546 (#​10171)
  • 🔨 build(deps): bump knative.dev/pkg to release-1.22 (#​10158)
  • 🔨 refactor: remove placeholder URL workaround in hub resolver Validate() (#​10048)
  • 🔨 ci: scope workflow permissions to least privilege (#​9922)
  • 🔨 fix: replace kodata LICENSE symlinks with actual files (#​10358)
  • 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.7.0 to 2.8.1 (#​10356)
  • 🔨 build(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#​10354)
  • 🔨 build(deps): bump chainguard-dev/actions/setup-kind from 1.6.22 to 1.6.24 (#​10347)
  • 🔨 build(deps): bump chainguard-dev/actions/kind-diag from 1.6.22 to 1.6.24 (#​10346)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10345)
  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.6 to 0.21.7 (#​10332)
  • 🔨 build(deps): bump the all group in /tekton with 3 updates (#​10316)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10306)
  • 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.28 to 1.15.30 (#​10304)
  • 🔨 build(deps): bump github.com/prometheus/common from 0.68.1 to 0.69.0 (#​10301)
  • 🔨 chore: group Dependabot updates by dependency family (#​10298)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.35.5 to 0.35.6 (#​10284)
  • 🔨 build(deps): bump k8s.io/api from 0.35.5 to 0.35.6 in /test/custom-task-ctrls/wait-task-beta (#​10283)
  • 🔨 build(deps): bump k8s.io/client-go from 0.35.5 to 0.35.6 in /test/custom-task-ctrls/wait-task-beta (#​10282)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.5 to 0.35.6 (#​10281)
  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.13.0 to 1.13.1 in /test/custom-task-ctrls/wait-task-beta (#​10279)
  • 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.22 to 1.15.28 (#​10270)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10264)
  • 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.6.0 to 2.7.0 (#​10260)
  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.15.0 to 1.15.1 (#​10244)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.6 to 1.10.8 (#​10243)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#​10232)
  • 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#​10230)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10228)
  • 🔨 build(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 (#​10227)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.8 (#​10226)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.6 to 1.10.8 (#​10220)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.6 to 1.10.8 (#​10205)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#​10193)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10192)
  • 🔨 build(deps): bump github/codeql-action from 4.36.0 to 4.36.2 (#​10191)
  • 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#​10190)
  • 🔨 build(deps): bump github.com/prometheus/common from 0.67.5 to 0.68.1 (#​10167)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.6 to 1.10.8 (#​10145)
  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.12.0 to 1.13.0 in /test/custom-task-ctrls/wait-task-beta (#​10144)
  • 🔨 build(deps): bump github/codeql-action from 4.35.5 to 4.36.0 (#​10124)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.5 to 1.10.6 (#​10059)

Docs

  • 📖 chore(docs): fix "pipeline" typo in examples (#​10344)
  • 📖 Remove duplicate step from release cheat sheet (#​10204)
  • 📖 docs: update releases.md for v1.13.0 (#​10142)
  • 📖 Add agent workflow context (#​10139)

Thanks

Thanks to these contributors who contributed to v1.14.0!

Extra shout-out for awesome release notes:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.
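
The attestation check quoted in the release notes above prints "no match" for a missing image but still exits successfully, and it passes silently if the attestation lists no subjects. The following is an added example, not code from the Tekton project or from this PR, of a fail-closed variant that can gate a pipeline; it also checks the identifier shape that the EntryID fix (#10315) refers to. The function names are hypothetical.

```shell
# Added example, not part of the Tekton release notes. Function names are
# hypothetical; the code is POSIX sh and performs no network access itself.

# Classify a Rekor identifier by shape: 80 lowercase hex chars is a full
# EntryID (16-hex tree ID + 64-hex entry UUID), 64 is a bare entry UUID.
rekor_id_kind() {
  case $1 in
    '' | *[!0-9a-f]*) echo invalid; return 1 ;;
  esac
  case ${#1} in
    80) echo entryid ;;
    64) echo uuid ;;
    *) echo invalid; return 1 ;;
  esac
}

# Read image references from stdin (one per line) and require each to appear
# as a literal string in the release file given as $1. Fails closed: returns
# non-zero on any miss, and also when no image was read at all.
verify_images_in_release() (
  release_file=$1
  seen=0
  missing=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    seen=$((seen + 1))
    if grep -qF -- "$image" "$release_file"; then
      printf '%s ===> ok\n' "$image"
    else
      printf '%s ===> no match\n' "$image" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$seen" -gt 0 ] && [ "$missing" -eq 0 ]
)

# Usage with the commands from the release notes (needs rekor-cli and jq):
#   rekor_id_kind "$REKOR_UUID" >/dev/null || exit 1
#   rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation \
#     | jq -r '.subject[]|.name + ":v1.14.0@sha256:" + .digest.sha256' \
#     | verify_images_in_release release.yaml || exit 1
```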

@red-hat-konflux

Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.26.0 -> 1.26.4

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

🤖 Finished Review · ✅ Success · Started 1:39 PM UTC · Completed 1:45 PM UTC
Commit: ec21706 · View workflow run →

@codecov

codecov Bot commented Jul 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.49%. Comparing base (13a2f01) to head (814e53b).

❗ There is a different number of reports uploaded between BASE (13a2f01) and HEAD (814e53b).

HEAD has 2 uploads less than BASE
Flag BASE (13a2f01) HEAD (814e53b)
unit-tests 2 1
e2e-tests 1 0
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1756      +/-   ##
==========================================
- Coverage   87.43%   81.49%   -5.95%     
==========================================
  Files          34       34              
  Lines        3566     3566              
==========================================
- Hits         3118     2906     -212     
- Misses        285      512     +227     
+ Partials      163      148      -15     
Flag Coverage Δ
e2e-tests ?
unit-tests 81.49% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 12 files with indirect coverage changes


Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 13a2f01...814e53b. Read the comment docs.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

Looks good to me

Previous run

Looks good to me


Labels: Automated Renovate dependency version bump updating Go module files.

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 3, 2026
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update module github.com/tektoncd/pipeline to v1.14.0 fix(deps): update module github.com/tektoncd/pipeline to v1.14.0 - autoclosed Jul 3, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jul 3, 2026
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/main/github.com-tektoncd-pipeline-1.x branch July 3, 2026 17:34
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jul 3, 2026

🤖 Finished Retro · ✅ Success · Started 5:36 PM UTC · Completed 5:41 PM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-retro

Retro: PR #1756 — Renovate dependency bump (tektoncd/pipeline v1.14.0)

Workflow timeline:

  1. Renovate bot opened PR with a 2-file change (go.mod + go.sum)
  2. Review agent (Opus, ~10 min, 4 sub-agents) approved with "Looks good to me" and applied ready-for-merge
  3. PR was autoclosed ~4 hours later when Renovate superseded it
  4. Retro agent dispatched for the autoclosed PR

Assessment: The review agent behaved correctly — it identified a trivial dependency bump and approved it. No human review occurred and none was needed. The Codecov report showed a -5.95% coverage drop, but this was due to missing CI test uploads (not actual regression), so the agent was right to not flag it.

Token cost concern: Using Opus with 4 sub-agents for a trivial go.mod bump is expensive relative to the value delivered. Additionally, dispatching a retro for an autoclosed bot PR with no review findings adds unnecessary cost.

No new proposals filed. All identified improvements are already tracked upstream:

  • #2461 — Skip retro dispatch for autoclosed bot-authored PRs
  • #2842 — Use cheaper model for trivial bot-authored PRs
  • #1358 — Add lightweight review path for trivial bot dependency bumps

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot changed the title fix(deps): update module github.com/tektoncd/pipeline to v1.14.0 - autoclosed fix(deps): update module github.com/tektoncd/pipeline to v1.14.0 Jul 4, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Jul 4, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/github.com-tektoncd-pipeline-1.x branch 2 times, most recently from 8154a90 to 814e53b Compare July 4, 2026 01:28
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 4, 2026

🤖 Finished Review · ✅ Success · Started 1:30 AM UTC · Completed 1:34 AM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 4, 2026
Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code ready-for-merge All reviewers approved — ready to merge

2 participants