chore(deps): update module github.com/tektoncd/pipeline to v1.6.1 [security] (main) #812

Open
redhat-renovate-bot wants to merge 1 commit into main from renovate/main-go-github.com-tektoncd-pipeline-vulnerability

@redhat-renovate-bot
Collaborator

@redhat-renovate-bot redhat-renovate-bot commented Mar 18, 2026

This PR contains the following updates:

Package Type Update Change
github.com/tektoncd/pipeline require minor v1.5.0 -> v1.6.1

GitHub Vulnerability Alerts

CVE-2026-33211

Summary

The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests (e.g. by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data.

Details

The git resolver's getFileContent() function in pkg/resolution/resolver/git/repository.go constructs a file path by joining the repository clone directory with the user-supplied pathInRepo parameter:

fileContents, err := os.ReadFile(filepath.Join(repo.directory, path))

The pathInRepo parameter is not validated for path traversal sequences. An attacker can supply values like ../../../../etc/passwd to escape the cloned repository directory and read arbitrary files from the resolver pod's filesystem.

The vulnerability was introduced in commit 318006c4e3a5 which switched the git resolver from the go-git library (using an in-memory filesystem that cannot be escaped) to shelling out to the git binary and reading files with os.ReadFile() from the real filesystem.

Impact

Arbitrary file read — A namespace-scoped tenant who can create TaskRuns or PipelineRuns with git resolver parameters can read any file readable by the resolver pod process.

Credential exfiltration and privilege escalation — The resolver pod's ServiceAccount token is readable at a well-known path (/var/run/secrets/kubernetes.io/serviceaccount/token). In the default RBAC configuration, the tekton-pipelines-resolvers ServiceAccount has get, list, and watch permissions on secrets cluster-wide. An attacker who exfiltrates this token gains the ability to read all Secrets across all namespaces, escalating from namespace-scoped access to cluster-wide secret access.

Patches

Fixed in 1.0.x, 1.3.x, 1.6.x, 1.9.x, 1.10.x.

The fix validates pathInRepo to reject paths containing .. components at parameter validation time, and adds a containment check using filepath.EvalSymlinks() to prevent symlink-based escapes from attacker-controlled repositories.

Workarounds

There is no workaround other than restricting which users can create TaskRuns, PipelineRuns, or ResolutionRequests that use the git resolver. Administrators can also reduce the impact by scoping the resolver pod's ServiceAccount RBAC permissions using a custom ClusterRole with more restrictive rules.

Affected Versions

All releases from v1.0.0 through v1.10.0, including all patch releases:

  • v1.0.0, v1.1.0, v1.2.0
  • v1.3.0, v1.3.1, v1.3.2
  • v1.4.0, v1.5.0, v1.6.0, v1.7.0
  • v1.9.0, v1.9.1, v1.10.0

Releases prior to v1.0.0 (e.g. v0.70.0 and earlier) are not affected because they used the go-git library's in-memory filesystem where path traversal cannot escape the git worktree.

Acknowledgments

This vulnerability was reported by Oleh Konko (@1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

References

  • Fix: (link to merged PR/commit)
  • Introduced in: 318006c4e3a5 ("fix: resolve Git Anonymous Resolver excessive memory usage")

Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod

CVE-2026-33211 / GHSA-j5q5-j9gm-2w5c / GO-2026-4761


Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod in github.com/tektoncd/pipeline

CVE-2026-33211 / GHSA-j5q5-j9gm-2w5c / GO-2026-4761


Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun

CVE-2026-33022 / GHSA-cv4x-93xx-wgfj / GO-2026-4730

More information

Details

Summary

A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31 characters or more, causing a denial of service for all reconciliation.

Details

The controller panics in GenerateDeterministicNameFromSpec when building a deterministic ResolutionRequest name. The generated name has the format {resolver}-{hash} and, when the resolver name is long enough, the result exceeds the DNS-1123 label limit of 63 characters.

The truncation logic attempts to find a word boundary using strings.LastIndex(name, " "). Since the generated name never contains spaces (it is composed of the resolver name, a dash, and a hex-encoded hash), LastIndex returns -1, which is then used as a slice bound:

return name[:strings.LastIndex(name[:maxLength], " ")], nil
// strings.LastIndex returns -1 → panic: slice bounds out of range [:-1]

The panic crashes the controller. Because the offending TaskRun or PipelineRun is re-reconciled on restart, the controller enters a CrashLoopBackOff, blocking all TaskRun and PipelineRun reconciliation cluster-wide until the offending resource is manually deleted.

Built-in resolvers use short names (git, cluster, bundles, hub) and are not affected under normal usage. The vulnerability is exploitable by any user who can create TaskRuns or PipelineRuns with a custom resolver name.

Impact

Denial of service — A single malicious TaskRun or PipelineRun with a long resolver name is sufficient to crash the Tekton Pipelines controller into a restart loop, blocking all CI/CD reconciliation cluster-wide until the resource is removed.

Patches

Fixed in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, 1.10.2.

The fix computes the hash first, then truncates only the prefix (resolver name) to fit within the DNS-1123 label limit, preserving the full hash to maintain determinism and uniqueness of ResolutionRequest names.

Workarounds

Restrict who can create TaskRun and PipelineRun resources via Kubernetes RBAC. There is no validation-side workaround without patching.

Affected Versions

All releases from v0.60.0 through v1.10.0.

The vulnerable truncation logic was introduced in commit ea1fa7ad1fdc ("Remote Resolution Refactor"), first released in v0.60.0 (2024-05-22).

Currently supported affected releases:

  • v1.10.x (latest)
  • v1.9.x (LTS, EOL 2027-01-30)
  • v1.6.x (LTS, EOL 2026-10-31)
  • v1.3.x (LTS, EOL 2026-08-04)
  • v1.0.x (LTS, EOL 2026-04-29)

Releases prior to v0.60.0 are not affected — the truncation code did not exist.

Acknowledgments

This vulnerability was reported by Oleh Konko (@1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

References

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.6.1: Tekton Pipeline release v1.6.1 "Sphynx Sentinels"

Compare Source

- Docs @ v1.6.1
- Examples @ v1.6.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a4ba876bd39916b4123385435497b76a0e5cfee59ac292230166e5ded5b9d4596

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a4ba876bd39916b4123385435497b76a0e5cfee59ac292230166e5ded5b9d4596
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.1/release.yaml
REKOR_UUID=108e9186e8c5677a4ba876bd39916b4123385435497b76a0e5cfee59ac292230166e5ded5b9d4596

# Obtain the list of images with their sha256 digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it literally against the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes
  • GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022 (Medium): Controller panic via long resolver name in TaskRun/PipelineRun. A user with permission to create TaskRuns or PipelineRuns could crash the controller into a restart loop by setting a resolver name of 31+ characters, causing denial of service cluster-wide. Thanks to @1seal for reporting this vulnerability.

Features
  • ✨ Add support for hostUsers field in PodTemplate to control user namespace isolation (#9324)

Fixes
  • 🐛 fix: Prevent excessive reconciliation when timeout disabled (#9303) — Fix an issue where there was excessive reconciliation in case of no timeout on TaskRun or PipelineRun.
  • 🐛 fix: panic in v1beta1 matrix validation for invalid result refs (#9257) — Resolved an issue where Pipelines with invalid result references in matrix parameters would cause a panic during validation (v1beta1 API)
  • 🐛 fix(pipelinerun): fix the issue of massive invalid status updates caused by unordered arrays, which will greatly impact the resource load and stability of the apiserver (#9314)

Misc
  • 🔨 ci: add CI summary fan-in job for branch protection (#9408)
  • 🔨 tekton: update plumbing ref to latest commit (#9412)
  • 🔨 tekton: update plumbing ref to include full image references fix (#9402)
  • 🔨 Backported test reliability fixes including reduced test parallelism, image migration from DockerHub to mirror.gcr.io, and improved dind-sidecar probe configuration (#9251)

Thanks

Thanks to these contributors who contributed to v1.6.1!

v1.6.0: Tekton Pipeline release v1.6.0 LTS "Sphynx Sentinels"

Compare Source

🎉 Resolvers caching, Pipeline in Pipeline, and better ARM64 support & tested releases 🎉

- Docs @ v1.6.0
- Examples @ v1.6.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.0/release.yaml
REKOR_UUID=108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164

# Obtain the list of images with their sha256 digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it literally against the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat: implement shared cache for bundle, git, and cluster resolvers (#​9051)

Support caching for bundle, git, and cluster resolvers, reducing redundant fetches and improving pipeline performance.

Key Features:

  • Automatic caching for immutable references (digest-based bundles, git SHAs)
  • Three cache modes: always (cache everything), never (disable caching), auto (cache only immutable references - default)
  • Configurable via ConfigMap: Set cache size and TTL without restarting controllers
  • Per-task override: Tasks can override global cache settings using the cache parameter
  • Observability: Cache hits/misses and timestamps added to resource annotations

This helps reduce external API calls, improves pipeline exec speed, and provides better resilience during remote resource resolution.

  • ✨ feat: resolve array values in Input of When expressions (#​9038)

Array values can now be resolved in the Input attribute of When expressions

  • ✨ Issue 9032 - Add support for step display name (#​9033)

add displayName field to Step.

A Pipeline can now execute embedded Pipelines (Pipelines-in-Pipelines) using the PipelineSpec field under tasks. Refer to the TEP-0056 for more details.

Fixes
  • 🐛 fix: do not fail PipelineRun when TaskRef reconciles with retryable err (#​9099)

With this change, unknown DryRunValidation errors during TaskRef and PipelineRef resolution no longer cause PipelineRuns and TaskRuns to fail. Explicit Validation errors will still cause the Run to fail.

  • 🐛 Added signal handling in SidecarLog results to support Kubernetes-native sidecar functionality (#​9095)

Added signal handling to SidecarLog to support Kubernetes-native sidecar functionality, preventing repeated restarts of the init container.

  • 🐛 Pods for timed out TaskRuns should not be deleted when keep-pod-on-cancel feature flag is true (#​9075)

If the feature flag "keep-pod-on-cancel" is set to true, pods corresponding to a TaskRun will not be deleted when the TaskRun times out. Previously, the pod was retained only if the TaskRun was canceled.

  • 🐛 fix(taskrun): ensure status steps are ordered correctly when using StepAction (#​9039)

  • 🐛 entrypoint: handle linux in pkgs/platforms (#9096)
  • 🐛 test/e2e: remove data race on global variable requireAlphaFeatureFlag (#9067)
  • 🐛 tests: update csi-node-driver-registrar image reference (#9089)
  • 🐛 ci: Ensure e2e setup errors fail tests, add retries during e2e setup (#9082)
  • 🐛 test/e2e: Fix TestLargerResultsSidecarLogs and TestWaitCustomTask_V1_PipelineRun flakiness (#9072)

Misc
  • 🔨 e2e: migrate wait.PollImmediate deprecated functions (#​9073)
  • 🔨 chore: centralize ko base image configuration (#​9110)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.32.8 to 0.32.9 (#​9106)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9105)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.5.3 to 1.5.7 (#​9104)
  • 🔨 build(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (#​9103)
  • 🔨 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#​9102)
  • 🔨 build(deps): bump tj-actions/changed-files from d03a93c to dbf178c (#​9101)
  • 🔨 build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.10 (#​9097)
  • 🔨 e2e: tests against 1.34 as well (#​9091)
  • 🔨 ci/e2e: run one e2e on arm64 (#​9090)
  • 🔨 build(deps): bump github/codeql-action from 3.30.1 to 4.30.9 (#​9088)
  • 🔨 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#​9087)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.8.0 to 4.8.1 (#​9086)
  • 🔨 build(deps): bump golang.org/x/crypto from 0.41.0 to 0.43.0 (#​9085)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​9081)
  • 🔨 build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.2 (#​9079)
  • 🔨 build(deps): bump actions/cache from 4.2.4 to 4.3.0 (#​9078)
  • 🔨 build(deps): bump peter-evans/create-or-update-comment from 4.0.0 to 5.0.0 (#​9077)
  • 🔨 build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#​9076)
  • 🔨 test/e2e: update kubernetes versions we test against (#​9068)
  • 🔨 Pin actions by commit SHA or image digest (#​9061)
  • 🔨 build(deps): bump tj-actions/changed-files from 2036da1 to d03a93c (#​9058)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.4.12 to 1.5.3 (#​9057)
  • 🔨 Add GitHub Actions workflow for go coverage job (#​9055)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.7.2 to 4.8.0 (#​9047)
  • 🔨 build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 (#​9036)
  • 🔨 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#​9027)
  • 🔨 fix: fix %w formatting leak in user-facing error (#​9003)
  • 🔨 build(deps): bump the all group in /tekton with 3 updates (#​8990)
  • 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.5.0 to 2.6.0 (#​8988)
Docs
  • 📖 document the latest release - 1.5 (#​9054)
  • 📖 Remove broken example link from TaskRuns doc (#​9023)

Thanks

Thanks to these contributors who contributed to v1.6.0!

Extra shout-out for awesome release notes:


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
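
The two checks named in the CVE-2026-33211 advisory quoted above (rejecting ".." components at validation time, then a filepath.EvalSymlinks() containment check at read time), shown beside the unchecked join. This is an added example, not Tekton's code: the function names, ErrEscape and the temp-dir fixture are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("pathInRepo escapes the repository directory") // hypothetical sentinel

// readUnchecked mirrors the vulnerable line quoted in the advisory.
func readUnchecked(repoDir, pathInRepo string) ([]byte, error) {
	return os.ReadFile(filepath.Join(repoDir, pathInRepo))
}

// hasTraversal flags empty or absolute paths and any ".." component (not "..b").
func hasTraversal(p string) bool {
	return p == "" || filepath.IsAbs(p) || strings.Contains("/"+filepath.ToSlash(p)+"/", "/../")
}

// readContained validates first, then resolves symlinks and checks containment.
func readContained(repoDir, pathInRepo string) ([]byte, error) {
	if hasTraversal(pathInRepo) {
		return nil, ErrEscape
	}
	root, err := filepath.EvalSymlinks(repoDir)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(root, pathInRepo))
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, ErrEscape
	}
	return os.ReadFile(target)
}

// buildFixture creates constructed data: repo/task.yaml, outside.txt, repo/link -> ../outside.txt.
func buildFixture() (string, func(), error) {
	tmp, err := os.MkdirTemp("", "pathinrepo-demo")
	if err != nil {
		return "", nil, err
	}
	repo, cleanup := filepath.Join(tmp, "repo"), func() { os.RemoveAll(tmp) }
	for _, e := range []error{
		os.Mkdir(repo, 0o755),
		os.WriteFile(filepath.Join(repo, "task.yaml"), []byte("kind: Task\n"), 0o644),
		os.WriteFile(filepath.Join(tmp, "outside.txt"), []byte("outside\n"), 0o600),
		os.Symlink(filepath.Join("..", "outside.txt"), filepath.Join(repo, "link")),
	} {
		if e != nil {
			cleanup()
			return "", nil, e
		}
	}
	return repo, cleanup, nil
}

func main() {
	repo, cleanup, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	_, err = readContained(repo, "link")
	fmt.Println("symlink escape rejected:", err == ErrEscape)
}
```

The symlink case is why the string check alone is not enough: "link" contains no ".." yet resolves outside the clone directory.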

@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label Mar 18, 2026
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/XS labels Mar 18, 2026
@openshift-ci openshift-ci bot requested review from 0xFelix and jcanocan March 18, 2026 01:16
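
The truncation bug and fix described in the CVE-2026-33022 advisory in the PR description above, as an added example that is not Tekton's code. specHash, legacyName and fixedName are hypothetical names, and the 32-hex-character hash is an assumption chosen so that 31 is the first resolver-name length to exceed 63, as the advisory states.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const maxLabelLen = 63 // DNS-1123 label limit named in the advisory

// specHash stands in for the controller's hash of the request spec
// (assumption: 32 hex characters taken from a SHA-256 digest).
func specHash(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:16])
}

// legacyName keeps the truncation line quoted in the advisory. The name
// never contains a space, so LastIndex returns -1 and the slice panics;
// recover() turns that into an error so the example can report it.
func legacyName(resolver, spec string) (name string, err error) {
	defer func() {
		if r := recover(); r != nil {
			name, err = "", fmt.Errorf("recovered panic: %v", r)
		}
	}()
	name = resolver + "-" + specHash(spec)
	if len(name) > maxLabelLen {
		return name[:strings.LastIndex(name[:maxLabelLen], " ")], nil
	}
	return name, nil
}

// fixedName follows the fix described in the advisory: compute the hash
// first, then shorten only the resolver prefix so the full hash survives.
func fixedName(resolver, spec string) string {
	suffix := "-" + specHash(spec)
	if room := maxLabelLen - len(suffix); len(resolver) > room {
		resolver = resolver[:room]
	}
	return resolver + suffix
}

func main() {
	for _, n := range []int{3, 30, 31, 80} {
		resolver := strings.Repeat("r", n) // constructed resolver names
		_, err := legacyName(resolver, "spec-a")
		fixed := fixedName(resolver, "spec-a")
		fmt.Printf("len=%2d legacy err=%v fixed len=%d\n", n, err, len(fixed))
	}
}
```

Keeping the whole hash means two requests with the same long resolver name but different specs still get distinct, stable names.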
@openshift-ci

openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot requested a review from ksimon1 March 18, 2026 01:17
@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/main-go-github.com-tektoncd-pipeline-vulnerability branch from 38bc28c to aec68f9 Compare March 22, 2026 08:22
@redhat-renovate-bot redhat-renovate-bot changed the title chore(deps): update module github.com/tektoncd/pipeline to v1.10.1 [security] (main) chore(deps): update module github.com/tektoncd/pipeline to v1.6.1 [security] (main) Mar 22, 2026
@redhat-renovate-bot
Collaborator Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
github.com/go-jose/go-jose/v4 v4.1.1 -> v4.1.2
google.golang.org/protobuf v1.36.8 -> v1.36.10

@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/main-go-github.com-tektoncd-pipeline-vulnerability branch from aec68f9 to 86926f1 Compare March 23, 2026 09:17
@redhat-renovate-bot redhat-renovate-bot changed the title chore(deps): update module github.com/tektoncd/pipeline to v1.6.1 [security] (main) chore(deps): update module github.com/tektoncd/pipeline to v1.10.1 [security] (main) Mar 23, 2026
…curity]

Signed-off-by: null <redhat-internal-renovate@redhat.com>
@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/main-go-github.com-tektoncd-pipeline-vulnerability branch from 86926f1 to a63f4e7 Compare March 26, 2026 05:18
@redhat-renovate-bot redhat-renovate-bot changed the title chore(deps): update module github.com/tektoncd/pipeline to v1.10.1 [security] (main) chore(deps): update module github.com/tektoncd/pipeline to v1.6.1 [security] (main) Mar 26, 2026
@openshift-ci

openshift-ci bot commented Mar 26, 2026

@redhat-renovate-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-tests a63f4e7 link true /test e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
