
chore(deps): update module github.com/tektoncd/pipeline to v1 [security] (release-v0.24)#813

Open
redhat-renovate-bot wants to merge 1 commit into release-v0.24 from renovate/release-v0.24-go-github.com-tektoncd-pipeline-vulnerability

Conversation


@redhat-renovate-bot redhat-renovate-bot commented Mar 18, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: github.com/tektoncd/pipeline
Type: require
Update: major
Change: v0.65.2 -> v1.6.1

GitHub Vulnerability Alerts

CVE-2026-33211

Summary

The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests (e.g. by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data.

Details

The git resolver's getFileContent() function in pkg/resolution/resolver/git/repository.go constructs a file path by joining the repository clone directory with the user-supplied pathInRepo parameter:

fileContents, err := os.ReadFile(filepath.Join(repo.directory, path))

The pathInRepo parameter is not validated for path traversal sequences. An attacker can supply values like ../../../../etc/passwd to escape the cloned repository directory and read arbitrary files from the resolver pod's filesystem.

The vulnerability was introduced in commit 318006c4e3a5 which switched the git resolver from the go-git library (using an in-memory filesystem that cannot be escaped) to shelling out to the git binary and reading files with os.ReadFile() from the real filesystem.

Impact

Arbitrary file read — A namespace-scoped tenant who can create TaskRuns or PipelineRuns with git resolver parameters can read any file readable by the resolver pod process.

Credential exfiltration and privilege escalation — The resolver pod's ServiceAccount token is readable at a well-known path (/var/run/secrets/kubernetes.io/serviceaccount/token). In the default RBAC configuration, the tekton-pipelines-resolvers ServiceAccount has get, list, and watch permissions on secrets cluster-wide. An attacker who exfiltrates this token gains the ability to read all Secrets across all namespaces, escalating from namespace-scoped access to cluster-wide secret access.

Patches

Fixed in 1.0.x, 1.3.x, 1.6.x, 1.9.x, 1.10.x.

The fix validates pathInRepo to reject paths containing .. components at parameter validation time, and adds a containment check using filepath.EvalSymlinks() to prevent symlink-based escapes from attacker-controlled repositories.
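The two-layer check described above, written out as an added Go example. This is not Tekton's code: validatePathInRepo and readFileInRepo are hypothetical names standing in for the advisory's getFileContent(), and the clone directory, task.yaml file and outside-the-clone symlink built in main are constructed for illustration. The syntactic check rejects ".." components before the filesystem is touched; the containment check then resolves symlinks on both the clone root and the requested file and refuses anything that does not stay under the root, which is what defeats a symlink committed to an attacker-controlled repository.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscapesRepo is returned when a requested path resolves outside the clone directory.
var ErrPathEscapesRepo = errors.New("pathInRepo escapes the repository directory")

// validatePathInRepo is the parameter-time check: reject empty or absolute paths and
// any ".." component before the filesystem is touched. (Hypothetical name.)
func validatePathInRepo(p string) error {
	if p == "" {
		return errors.New("pathInRepo must not be empty")
	}
	if filepath.IsAbs(p) {
		return fmt.Errorf("pathInRepo %q must be relative", p)
	}
	for _, part := range strings.Split(filepath.ToSlash(p), "/") {
		if part == ".." {
			return fmt.Errorf("pathInRepo %q contains a '..' component", p)
		}
	}
	return nil
}

// readFileInRepo is a hardened counterpart to the vulnerable
// os.ReadFile(filepath.Join(repo.directory, path)) quoted in the advisory.
// After the syntactic check it resolves symlinks on both the clone root and the
// target and requires the target to remain under the root. (Hypothetical name.)
func readFileInRepo(repoDir, pathInRepo string) ([]byte, error) {
	if err := validatePathInRepo(pathInRepo); err != nil {
		return nil, err
	}
	root, err := filepath.EvalSymlinks(repoDir)
	if err != nil {
		return nil, fmt.Errorf("resolving repository directory: %w", err)
	}
	target, err := filepath.EvalSymlinks(filepath.Join(root, pathInRepo))
	if err != nil {
		return nil, fmt.Errorf("resolving %q: %w", pathInRepo, err)
	}
	// Rel yields ".." or "../x" when target lies outside root after symlink resolution.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, ErrPathEscapesRepo
	}
	return os.ReadFile(target)
}

func main() {
	// Constructed layout: a fake clone holding task.yaml plus a symlink that points
	// at a file outside the clone, standing in for a symlink committed to a repository.
	base, err := os.MkdirTemp("", "resolver-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "clone")
	outside := filepath.Join(base, "secret")
	_ = os.Mkdir(repo, 0o700)
	_ = os.WriteFile(filepath.Join(repo, "task.yaml"), []byte("kind: Task\n"), 0o600)
	_ = os.WriteFile(outside, []byte("token"), 0o600)
	_ = os.Symlink(outside, filepath.Join(repo, "link"))

	for _, p := range []string{"task.yaml", "../secret", "link"} {
		data, err := readFileInRepo(repo, p)
		fmt.Printf("%-10s -> data=%q err=%v\n", p, data, err)
	}
}
```

Both layers are needed: the ".." check alone is satisfied by a clean-looking path such as "link" whose target is a symlink, and EvalSymlinks alone would still follow a ".." sequence to a real directory outside the clone if the root were ever compared without resolving it first.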

Workarounds

There is no workaround other than restricting which users can create TaskRuns, PipelineRuns, or ResolutionRequests that use the git resolver. Administrators can also reduce the impact by scoping the resolver pod's ServiceAccount RBAC permissions using a custom ClusterRole with more restrictive rules.

Affected Versions

All releases from v1.0.0 through v1.10.0, including all patch releases:

  • v1.0.0, v1.1.0, v1.2.0
  • v1.3.0, v1.3.1, v1.3.2
  • v1.4.0, v1.5.0, v1.6.0, v1.7.0
  • v1.9.0, v1.9.1, v1.10.0

Releases prior to v1.0.0 (e.g. v0.70.0 and earlier) are not affected because they used the go-git library's in-memory filesystem where path traversal cannot escape the git worktree.

Acknowledgments

This vulnerability was reported by Oleh Konko (@​1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

References

  • Fix: (link to merged PR/commit)
  • Introduced in: 318006c4e3a5 ("fix: resolve Git Anonymous Resolver excessive memory usage")

Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun

CVE-2026-33022 / GHSA-cv4x-93xx-wgfj / GO-2026-4730

Summary

A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31 characters or more, causing a denial of service for all reconciliation.

Details

The controller panics in GenerateDeterministicNameFromSpec when building a deterministic ResolutionRequest name. The generated name has the format {resolver}-{hash} and, when the resolver name is long enough, the result exceeds the DNS-1123 label limit of 63 characters.

The truncation logic attempts to find a word boundary using strings.LastIndex(name, " "). Since the generated name never contains spaces (it is composed of the resolver name, a dash, and a hex-encoded hash), LastIndex returns -1, which is then used as a slice bound:

return name[:strings.LastIndex(name[:maxLength], " ")], nil
// strings.LastIndex returns -1 → panic: slice bounds out of range [:-1]

The panic crashes the controller. Because the offending TaskRun or PipelineRun is re-reconciled on restart, the controller enters a CrashLoopBackOff, blocking all TaskRun and PipelineRun reconciliation cluster-wide until the offending resource is manually deleted.

Built-in resolvers use short names (git, cluster, bundles, hub) and are not affected under normal usage. The vulnerability is exploitable by any user who can create TaskRuns or PipelineRuns with a custom resolver name.

Impact

Denial of service — A single malicious TaskRun or PipelineRun with a long resolver name is sufficient to crash the Tekton Pipelines controller into a restart loop, blocking all CI/CD reconciliation cluster-wide until the resource is removed.

Patches

Fixed in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, 1.10.2.

The fix computes the hash first, then truncates only the prefix (resolver name) to fit within the DNS-1123 label limit, preserving the full hash to maintain determinism and uniqueness of ResolutionRequest names.
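The vulnerable and the fixed name-generation strategies side by side, as an added Go example that is not Tekton's code. GenerateDeterministicNameFromSpec's real hashing is not reproduced: specHash is an assumption, a 32-hex-character digest (the first 16 bytes of SHA-256 over a serialized spec), chosen so that the arithmetic matches the advisory: a 30-character resolver name fits the 63-character DNS-1123 label exactly and 31 characters overflows it. vulnerableName, fixedName and panics are hypothetical names; the spec bytes are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// maxLength is the DNS-1123 label limit a ResolutionRequest name must satisfy.
const maxLength = 63

// specHash stands in for the hash Tekton derives from the ResolutionRequest spec.
// Assumption: 32 hex characters (first 16 bytes of SHA-256), which is what makes a
// resolver name of 31 or more characters push "{resolver}-{hash}" past 63.
func specHash(spec []byte) string {
	sum := sha256.Sum256(spec)
	return hex.EncodeToString(sum[:16])
}

// vulnerableName reproduces the truncation bug quoted in the advisory: the name
// never contains a space, so strings.LastIndex returns -1 and the slice panics.
func vulnerableName(resolver string, spec []byte) string {
	name := fmt.Sprintf("%s-%s", resolver, specHash(spec))
	if len(name) > maxLength {
		return name[:strings.LastIndex(name[:maxLength], " ")] // runtime panic: slice bounds out of range [:-1]
	}
	return name
}

// fixedName follows the fix described above: compute the hash first, then shorten
// only the resolver prefix so the full hash always survives, keeping names
// deterministic and unique. Trailing dashes left by the cut are trimmed so the
// result is still a valid label (an addition beyond the advisory's description).
func fixedName(resolver string, spec []byte) string {
	h := specHash(spec)
	maxPrefix := maxLength - len(h) - 1 // room left for the prefix and the dash
	if len(resolver) > maxPrefix {
		resolver = strings.TrimRight(resolver[:maxPrefix], "-")
	}
	return resolver + "-" + h
}

// panics reports whether f panics, so the failure mode can be shown without
// taking the caller down the way the controller was.
func panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	spec := []byte(`{"url":"https://example.invalid/repo.git","revision":"main"}`) // constructed
	long := strings.Repeat("a", 40)
	fmt.Println("git      ->", fixedName("git", spec))
	fmt.Println("40 chars ->", fixedName(long, spec), "len:", len(fixedName(long, spec)))
	fmt.Println("vulnerable version panics on a 40-char resolver:", panics(func() { vulnerableName(long, spec) }))
}
```

Under these assumptions the threshold falls out of the arithmetic rather than being hard-coded: 30 + 1 + 32 = 63 passes the length check, 31 + 1 + 32 = 64 enters the truncation branch and hits the -1 slice bound.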

Workarounds

Restrict who can create TaskRun and PipelineRun resources via Kubernetes RBAC. There is no validation-side workaround without patching.

Affected Versions

All releases from v0.60.0 through v1.10.0.

The vulnerable truncation logic was introduced in commit ea1fa7ad1fdc ("Remote Resolution Refactor"), first released in v0.60.0 (2024-05-22).

Currently supported affected releases:

  • v1.10.x (latest)
  • v1.9.x (LTS, EOL 2027-01-30)
  • v1.6.x (LTS, EOL 2026-10-31)
  • v1.3.x (LTS, EOL 2026-08-04)
  • v1.0.x (LTS, EOL 2026-04-29)

Releases prior to v0.60.0 are not affected — the truncation code did not exist.

Acknowledgments

This vulnerability was reported by Oleh Konko (@​1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.6.1: Tekton Pipeline release v1.6.1 "Sphynx Sentinels"

Compare Source

-Docs @​ v1.6.1
-Examples @​ v1.6.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a4ba876bd39916b4123385435497b76a0e5cfee59ac292230166e5ded5b9d4596

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a4ba876bd39916b4123385435497b76a0e5cfee59ac292230166e5ded5b9d4596
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.1/release.yaml
REKOR_UUID=108e9186e8c5677a4ba876bd39916b4123385435497b76a0e5cfee59ac292230166e5ded5b9d4596

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes
  • GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022 (Medium): Controller panic via long resolver name in TaskRun/PipelineRun. A user with permission to create TaskRuns or PipelineRuns could crash the controller into a restart loop by setting a resolver name of 31+ characters, causing denial of service cluster-wide. Thanks to @​1seal for reporting this vulnerability.

Features
  • ✨ Add support for hostUsers field in PodTemplate to control user namespace isolation (#​9324)
Fixes
  • 🐛 fix: Prevent excessive reconciliation when timeout disabled (#​9303) — Fix an issue where there was excessive reconciliation in case of no timeout on TaskRun or PipelineRun.
  • 🐛 fix: panic in v1beta1 matrix validation for invalid result refs (#​9257) — Resolved an issue where Pipelines with invalid result references in matrix parameters would cause a panic during validation (v1beta1 API)
  • 🐛 fix(pipelinerun): fix the issue of massive invalid status updates caused by unordered arrays, which will greatly impact the resource load and stability of the apiserver (#​9314)
Misc
  • 🔨 ci: add CI summary fan-in job for branch protection (#​9408)
  • 🔨 tekton: update plumbing ref to latest commit (#​9412)
  • 🔨 tekton: update plumbing ref to include full image references fix (#​9402)
  • 🔨 Backported test reliability fixes including reduced test parallelism, image migration from DockerHub to mirror.gcr.io, and improved dind-sidecar probe configuration (#​9251)

Thanks

Thanks to these contributors who contributed to v1.6.1!

v1.6.0: Tekton Pipeline release v1.6.0 LTS "Sphynx Sentinels"

Compare Source

🎉 Resolvers caching, Pipeline in Pipeline, and better ARM64 support & tested releases 🎉

-Docs @​ v1.6.0
-Examples @​ v1.6.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.0/release.yaml
REKOR_UUID=108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat: implement shared cache for bundle, git, and cluster resolvers (#​9051)

Support caching for bundle, git, and cluster resolvers, reducing redundant fetches and improving pipeline performance.

Key Features:

  • Automatic caching for immutable references (digest-based bundles, git SHAs)
  • Three cache modes: always (cache everything), never (disable caching), auto (cache only immutable references; the default)
  • Configurable via ConfigMap: Set cache size and TTL without restarting controllers
  • Per-task override: Tasks can override global cache settings using the cache parameter
  • Observability: Cache hits/misses and timestamps added to resource annotations

This helps reduce external API calls, improves pipeline exec speed, and provides better resilience during remote resource resolution.

  • ✨ feat: resolve array values in Input of When expressions (#​9038)

Array values can now be resolved in the Input attribute of When expressions

  • ✨ Issue 9032 - Add support for step display name (#​9033)

Adds a displayName field to Step.

A Pipeline can now execute embedded Pipelines (Pipelines-in-Pipelines) using the PipelineSpec field under tasks. Refer to the TEP-0056 for more details.

Fixes
  • 🐛 fix: do not fail PipelineRun when TaskRef reconciles with retryable err (#​9099)

With this change, unknown DryRunValidation errors during TaskRef and PipelineRef resolution no longer cause PipelineRuns and TaskRuns to fail. Explicit Validation errors will still cause the Run to fail.

  • 🐛 Added signal handling in SidecarLog results to support Kubernetes-native sidecar functionality (#​9095)

Added signal handling to SidecarLog to support Kubernetes-native sidecar functionality, preventing repeated restarts of the init container.

  • 🐛 Pods for timed out TaskRuns should not be deleted when keep-pod-on-cancel feature flag is true (#​9075)

If the keep-pod-on-cancel feature flag is set to true, the pod for a TaskRun is no longer deleted when the TaskRun times out. Previously, the pod was retained only if the TaskRun was canceled.

  • 🐛 fix(taskrun): ensure status steps are ordered correctly when using StepAction (#​9039)

  • 🐛 entrypoint: handle linux in pkgs/platforms (#​9096)
  • 🐛 test/e2e: remove data race on global variable requireAlphaFeatureFlag (#​9067)
  • 🐛 tests: update csi-node-driver-registrar image reference (#9089)
  • 🐛 ci: Ensure e2e setup errors fail tests, add retries during e2e setup (#​9082)
  • 🐛 test/e2e: Fix TestLargerResultsSidecarLogs and TestWaitCustomTask_V1_PipelineRun flakiness (#9072)
Misc
  • 🔨 e2e: migrate wait.PollImmediate deprecated functions (#​9073)
  • 🔨 chore: centralize ko base image configuration (#​9110)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.32.8 to 0.32.9 (#​9106)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9105)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.5.3 to 1.5.7 (#​9104)
  • 🔨 build(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (#​9103)
  • 🔨 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#​9102)
  • 🔨 build(deps): bump tj-actions/changed-files from d03a93c to dbf178c (#​9101)
  • 🔨 build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.10 (#​9097)
  • 🔨 e2e: tests against 1.34 as well (#​9091)
  • 🔨 ci/e2e: run one e2e on arm64 (#​9090)
  • 🔨 build(deps): bump github/codeql-action from 3.30.1 to 4.30.9 (#​9088)
  • 🔨 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#​9087)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.8.0 to 4.8.1 (#​9086)
  • 🔨 build(deps): bump golang.org/x/crypto from 0.41.0 to 0.43.0 (#​9085)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​9081)
  • 🔨 build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.2 (#​9079)
  • 🔨 build(deps): bump actions/cache from 4.2.4 to 4.3.0 (#​9078)
  • 🔨 build(deps): bump peter-evans/create-or-update-comment from 4.0.0 to 5.0.0 (#​9077)
  • 🔨 build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#​9076)
  • 🔨 test/e2e: update kubernetes versions we test against (#​9068)
  • 🔨 Pin actions by commit SHA or image digest (#​9061)
  • 🔨 build(deps): bump tj-actions/changed-files from 2036da1 to d03a93c (#​9058)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.4.12 to 1.5.3 (#​9057)
  • 🔨 Add GitHub Actions workflow for go coverage job (#​9055)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.7.2 to 4.8.0 (#​9047)
  • 🔨 build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 (#​9036)
  • 🔨 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#​9027)
  • 🔨 fix: fix %w formatting leak in user-facing error (#​9003)
  • 🔨 build(deps): bump the all group in /tekton with 3 updates (#​8990)
  • 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.5.0 to 2.6.0 (#​8988)
Docs
  • 📖 document the latest release - 1.5 (#​9054)
  • 📖 Remove broken example link from TaskRuns doc (#​9023)

Thanks

Thanks to these contributors who contributed to v1.6.0!

Extra shout-out for awesome release notes:

v1.5.0: Tekton Pipeline release v1.5.0 "Bombay Robbie"

Compare Source

🎉 Use managedBy to delegate pipelineRun and taskRun lifecycle control 🎉

-Docs @​ v1.5.0
-Examples @​ v1.5.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.5.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a657cc892687dc9dbf41be24c29f51d2f5fc1092446b0739ec5280bb6b0bc1b82

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a657cc892687dc9dbf41be24c29f51d2f5fc1092446b0739ec5280bb6b0bc1b82
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.5.0/release.yaml
REKOR_UUID=108e9186e8c5677a657cc892687dc9dbf41be24c29f51d2f5fc1092446b0739ec5280bb6b0bc1b82

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.5.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Add Support for managedBy field in TaskRun and PipelineRun (#​8965)

Added a "managedBy" field to delegate responsibility of controlling the lifecycle of PipelineRuns/TaskRuns.

The semantics of the field:

Whenever the value is set and does not point to the built-in controller, reconciliation is skipped.

  • The field is immutable
  • The field is not defaulted
Fixes
Misc
  • 🔨 GHA label checker (#​9050)
  • 🔨 build(deps): bump github/codeql-action from 3.29.10 to 3.30.1 (#​9030)
  • 🔨 Set the user-agent in the release name tool (#​9016)
  • 🔨 add khrm to reviewers in OWNERS_ALIASES (#​9026)
Docs

Thanks

Thanks to these contributors who contributed to v1.5.0!

Extra shout-out for awesome release notes:

v1.4.0: Tekton Pipeline release v1.4.0 "Kurilian K-2SO"

Compare Source

🎉 Improved remote resolution and timeout configuration 🎉

-Docs @​ v1.4.0
-Examples @​ v1.4.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.4.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a040c237838848039376864340e5217f6c7c23f294d61437c3d196cb1112b91f1

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a040c237838848039376864340e5217f6c7c23f294d61437c3d196cb1112b91f1
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.4.0/release.yaml
REKOR_UUID=108e9186e8c5677a040c237838848039376864340e5217f6c7c23f294d61437c3d196cb1112b91f1

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.4.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat: resolve steps referencing StepActions concurrently (#​8925)

The resolution of StepActions within a TaskRun is now performed concurrently, which can significantly reduce the time it takes for a TaskRun to start, especially when using multiple remote StepActions.

  • ✨ Do not fail PipelineRun if pvc creation error is because of exceeded quotas (#​8903)

PipelineRuns no longer fail when PVC creation fails because of an exceeded quota; the run is requeued instead (until quota becomes available or the run times out).

  • ✨ feat: override task timeouts in pipelineruns (#​8636)

feature: PipelineRun can now override individual task timeouts with spec.taskRunSpecs[].timeout

Fixes
  • 🐛 check for the kubernetes sidecar implementation (#​8986)

Updated the sidecar implementation to check the completion status of initContainers before marking the taskRun complete.

  • 🐛 fix: exclude pending PipelineRuns from metric (#​8951)

Fixed the tekton_pipelines_controller_running_pipelineruns metric to exclude pending PipelineRuns; it now counts only running PipelineRuns.

  • 🐛 Fix tini-git image to be multi-arch (#​8944)

Updating tini-git base image to be multi-platform, also fixing the resolvers image.

  • 🐛 fix(#​8940): token-authentication header typo in git resolver (#​8937)

Bug fix: Before this change, there was a regression in which the git resolver was not authenticating with the provided gitToken and gitTokenKey, breaking the git resolver's http token-based auth. After this change, all git operations performed by the git resolver use the provided gitToken for remote authentication.

  • 🐛 fix: allow finalizer updates on completed TaskRun and PipelineRuns (#​9011)
  • 🐛 fix nightly-build workflow to use kind setup action from allowed list (#​8939)
Misc
  • 🔨 [FIX] Remove the apt warning (#​8624)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.4.10 to 1.4.12 (#​8989)
  • 🔨 build(deps): bump google.golang.org/protobuf from 1.36.7 to 1.36.8 (#​8985)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.74.2 to 1.75.0 (#​8984)
  • 🔨 build(deps): bump the all group in /tekton with 3 updates (#​8978)
  • 🔨 build(deps): bump github/codeql-action from 3.29.8 to 3.29.10 (#​8977)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.4.9 to 1.4.10 (#​8976)
  • 🔨 build(deps): bump tj-actions/changed-files from f963b3f to 2036da1 (#​8975)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 (#​8974)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.7 to 0.32.8 (#​8973)
  • 🔨 build(deps): bump tj-actions/changed-files from 0559708 to f963b3f (#​8964)
  • 🔨 build(deps): bump github/codeql-action from 3.29.3 to 3.29.8 (#​8963)
  • 🔨 build(deps): bump actions/checkout from 4 to 5 (#​8962)
  • 🔨 build(deps): bump the all group in /tekton with 3 updates (#​8961)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.4.6 to 1.4.9 (#​8960)
  • 🔨 build(deps): bump actions/cache from 4.2.3 to 4.2.4 (#​8959)
  • 🔨 build(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.7 (#​8956)
  • 🔨 build(deps): bump golang.org/x/crypto from 0.39.0 to 0.41.0 (#​8954)
  • 🔨 .github/workflows/nightly-builds: only run on tektoncd org (#​8950)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.6 to 0.32.7 (#​8894)
Docs
  • 📖 docs: Switch from deprecated Tekton Hub to ArtifactHub (#​8967)

Update examples and documentation to use ArtifactHub instead of the deprecated Tekton Hub for resource discovery and management.

  • 📖 release.md: update releases with 1.2.x and 1.3.x (#​8952)

Thanks

Thanks to these contributors who contributed to v1.4.0!

Extra shout-out for awesome release notes:

v1.3.3: Tekton Pipeline release v1.3.3 "Maine Coon Melfina"

Compare Source

-Docs @​ v1.3.3
-Examples @​ v1.3.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.3.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a876fa60f37e6445548fabd0dc463c51c7f8b06b07c242eb0921ee277008b088c

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a876fa60f37e6445548fabd0dc463c51c7f8b06b07c242eb0921ee277008b088c
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.3.3/release.yaml
REKOR_UUID=108e9186e8c5677a876fa60f37e6445548fabd0dc463c51c7f8b06b07c242eb0921ee277008b088c

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes
  • GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022 (Medium): Controller panic via long resolver name in TaskRun/PipelineRun. A user with permission to create TaskRuns or PipelineRuns could crash the controller into a restart loop by setting a resolver name of 31+ characters, causing denial of service cluster-wide. Thanks to @​1seal for reporting this vulnerability.

Features
  • ✨ Add support for hostUsers field in PodTemplate to control user namespace isolation (#​9323)
Fixes
  • 🐛 fix: panic in v1beta1 matrix validation for invalid result refs (#​9260) — Resolved an issue where Pipelines with invalid result references in matrix parameters would cause a panic during validation (v1beta1 API)
  • 🐛 fix(pipelinerun): fix the issue of massive invalid status updates caused by unordered arrays, which will greatly impact the resource load and stability of the apiserver (#​9312)
  • 🐛 fix(#​8940): Fix token-authentication header in git resolver (#​9115) — Before this change, there was a regression in which the git resolver was not authenticating with the provided gitToken and gitTokenKey, breaking the git resolver's http token-based auth. After this change, all git operations performed by the git resolver use the provided gitToken for remote authentication.
  • 🐛 fix: Prevent excessive reconciliation when timeout disabled (#​9355)
Misc
  • 🔨 ci: add CI summary fan-in job for branch protection (#​9409)
  • 🔨 tekton: update plumbing ref to latest commit (#​9414)
  • 🔨 tekton: update plumbing ref to include full image references fix (#​9403)
  • 🔨 Backported test reliability fixes including reduced test parallelism, image migration from DockerHub to mirror.gcr.io, and improved dind-sidecar probe configuration (#​9250)

Thanks

Thanks to these contributors who contributed to v1.3.3!

v1.3.2: Tekton Pipeline release v1.3.2 "Maine Coon Melfina"

Compare Source

-Docs @​ v1.3.2
-Examples @​ v1.3.2

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a00888046c319538ae57e1af2654be73472fb885d0554f5181b0736e1edb7c6ed

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a00888046c319538ae57e1af2654be73472fb885d0554f5181b0736e1edb7c6ed
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.2/release.yaml
REKOR_UUID=108e9186e8c5677a00888046c319538ae57e1af2654be73472fb885d0554f5181b0736e1edb7c6ed

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.2@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [release-v1.3.x] check for kubernetes sidecar implementation (#​8997)

Updated the sidecar implementation to check the completion status of initContainers before marking the taskRun complete.

  • 🐛 [release-v1.3.x] Disable the Gitea e2e tests temporarily to unblock (#​9014)

  • 🐛 [release-v1.3.x] Do not fail PipelineRun if pvc creation error is because of exceeded quotas (#​9000)

  • 🐛 [release-v1.3.x] fix: exclude pending PipelineRuns from tekton_pipelines_controller_running_pipelineruns metric (#​8980)

Fixed the tekton_pipelines_controller_running_pipelineruns metric to exclude pending PipelineRuns; it now counts only running PipelineRuns.

Thanks

Thanks to these contributors who contributed to v1.3.2!

Extra shout-out for awesome release notes:

v1.3.1: Tekton Pipeline release v1.3.1 LTS "Maine Coon Melfina"

Compare Source

-Docs @​ v1.3.1
-Examples @​ v1.3.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a77b37b5b643558bf2653e7f5a4673c506372b8892e9c8634dc7cae29721d15de

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a77b37b5b643558bf2653e7f5a4673c506372b8892e9c8634dc7cae29721d15de
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.1/release.yaml
REKOR_UUID=108e9186e8c5677a77b37b5b643558bf2653e7f5a4673c506372b8892e9c8634dc7cae29721d15de

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [release-v1.3.x] Fix tini-git image to be multi-arch (#​8948)

Updating the tini-git base image to be multi-platform, also fixing the resolvers image.

Misc
Docs

Thanks

Thanks to these contributors who contributed to v1.3.1!

Extra shout-out for awesome release notes:

v1.3.0: Tekton Pipeline release v1.3.0 LTS "Maine Coon Melfina"

Compare Source

-Docs @​ v1.3.0
-Examples @​ v1.3.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a690a6f48618080e44983b879f4ffb9b371b7107159bb3d4ab3052aa68e47dc74

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a690a6f48618080e44983b879f4ffb9b371b7107159bb3d4ab3052aa68e47dc74
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.0/release.yaml
REKOR_UUID=108e9186e8c5677a690a6f48618080e44983b879f4ffb9b371b7107159bb3d4ab3052aa68e47dc74

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ exponential backoff in controller (#8926)

Introduced exponential backoff retry mechanism for createPod function to improve robustness against transient webhook issues in a heavy cluster during resource creation.

  • ✨ exponential backoff for TaskRun and CustomRun creation (#8902)
  • Introduced exponential backoff retry mechanism for createTaskRun and createCustomRun functions.
  • Retries are triggered only on mutating admission webhook timeouts (HTTP 500 with "timeout" in the error message).
  • Non-retryable errors (e.g., HTTP 400, validation failures) continue to fail immediately.
  • Feature is disabled by default. To enable, set enable-wait-exponential-backoff: "true" in the feature-flags ConfigMap.
  • Backoff parameters (duration, factor, steps) are configurable via the wait-exponential-backoff ConfigMap.
  • Improves robustness against transient webhook issues in a heavy cluster during resource creation.
  • ✨ Feature: Allow THREADS_PER_CONTROLLER env var to override default threads-per-controller value (#8890)

The default threads-per-controller value can be overridden by the THREADS_PER_CONTROLLER env var.

  • ✨ Add anti-affinity rules to controller's replicas (#8864)

As part of improving high availability (HA) for the Tekton Pipelines controller, this update adds a preferredDuringSchedulingIgnoredDuringExecution pod anti-affinity rule. This ensures that multiple replicas of the controller are preferably scheduled on different nodes, red


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
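
The two "Verify that all container images in the attestation are in the release file" snippets quoted in the release notes above (v1.3.1 and v1.3.0) check one direction only: that every attested image string appears somewhere in release.yaml. They say nothing about an image in release.yaml that has no attestation subject, about an image deployed by mutable tag with no digest, or about an attestation whose subject list is empty (the loop then runs zero times and prints nothing, which reads as a pass). The following is an added example, not code from the Tekton release notes or from the tektoncd/pipeline project: it performs the cross-check offline in Go in both directions, taking the decoded in-toto Statement (what `jq -r .Attestation` prints) and the manifest text as input. The attestation and manifest built by SampleInputs are constructed, with placeholder digests; matching on repository plus digest while ignoring the tag (the shell snippets hard-code ":v1.3.x@sha256:") is this example's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Subject is one entry of the in-toto Statement's "subject" list, the field
// the release notes' jq filter (.subject[] | .name, .digest.sha256) reads.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Report is the outcome of cross-checking the attestation against the manifest.
type Report struct {
	Missing    []string // attested repo@sha256 pairs absent from the manifest
	Unattested []string // pinned repo@sha256 pairs in the manifest that nobody attested
	Unpinned   []string // image: values in the manifest that carry no digest at all
	OK         bool     // all three lists empty: the condition a release gate should require
}

var (
	// A digest-pinned reference anywhere in the manifest: repo[:tag]@sha256:<64 hex>.
	pinnedRef = regexp.MustCompile(`[A-Za-z0-9./_-]+(?::[A-Za-z0-9._-]+)?@sha256:[0-9a-f]{64}`)
	// An image: field whose value has no "@", i.e. one pinned by mutable tag only.
	unpinnedImage = regexp.MustCompile(`(?m)^\s*(?:-\s*)?image:\s*"?([^"\s@]+)"?\s*$`)
)

// ParseSubjects decodes the Statement (what `jq -r .Attestation` prints) and
// refuses one that attests nothing, which the grep loop would silently pass.
func ParseSubjects(raw []byte) ([]Subject, error) {
	var st struct{ Subject []Subject `json:"subject"` }
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("decoding attestation: %w", err)
	}
	if len(st.Subject) == 0 {
		return nil, fmt.Errorf("attestation has no subjects")
	}
	return st.Subject, nil
}

// repoOf strips a trailing :tag; a ':' before the last '/' is a registry port.
func repoOf(ref string) string {
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[:i]
	}
	return ref
}

// CrossCheck matches on repository plus digest in both directions; the tag is
// ignored, unlike the release notes' grep, which hard-codes ":v1.3.x@sha256:".
func CrossCheck(subjects []Subject, manifest string) Report {
	inRelease, attested := map[string]bool{}, map[string]bool{}
	for _, ref := range pinnedRef.FindAllString(manifest, -1) {
		left, digest, _ := strings.Cut(ref, "@sha256:")
		inRelease[repoOf(left)+"@sha256:"+digest] = true
	}
	for _, s := range subjects {
		if d, ok := s.Digest["sha256"]; ok {
			attested[s.Name+"@sha256:"+d] = true
		}
	}
	var r Report
	for key := range attested {
		if !inRelease[key] {
			r.Missing = append(r.Missing, key)
		}
	}
	for key := range inRelease {
		if !attested[key] {
			r.Unattested = append(r.Unattested, key)
		}
	}
	for _, m := range unpinnedImage.FindAllStringSubmatch(manifest, -1) {
		r.Unpinned = append(r.Unpinned, m[1])
	}
	r.OK = len(r.Missing) == 0 && len(r.Unattested) == 0 && len(r.Unpinned) == 0
	return r
}

// SampleInputs is a constructed attestation and manifest fragment: the image
// names follow the Tekton layout, the digests are placeholders, not real ones.
func SampleInputs() ([]byte, string) {
	a, b, c := strings.Repeat("a", 64), strings.Repeat("b", 64), strings.Repeat("c", 64)
	att := fmt.Sprintf(`{"subject":[{"name":"ghcr.io/tektoncd/pipeline/controller","digest":{"sha256":"%s"}},
{"name":"ghcr.io/tektoncd/pipeline/webhook","digest":{"sha256":"%s"}}]}`, a, b)
	manifest := fmt.Sprintf(`      containers:
      - image: ghcr.io/tektoncd/pipeline/controller:v1.3.1@sha256:%s
        args: ["-entrypoint-image", "ghcr.io/tektoncd/pipeline/entrypoint:v1.3.1@sha256:%s"]
      - image: ghcr.io/tektoncd/pipeline/webhook:v1.3.1@sha256:%s
      - image: docker.io/library/busybox:1.36
`, a, c, b)
	return []byte(att), manifest
}
```

On the sample inputs both attested images are found, the entrypoint image is reported as unattested (it is pinned in the manifest but absent from the Statement), the busybox sidecar is reported as unpinned, and OK is false. Against a real release, feed ParseSubjects the bytes that `rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation` prints and CrossCheck the downloaded release.yaml.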

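The exponential-backoff entries in the v1.3.0 notes above describe a policy rather than show one: retry only on an HTTP 500 whose message mentions a webhook "timeout", fail immediately on anything else, do nothing unless enable-wait-exponential-backoff is on, and take duration, factor and steps from configuration. The following is an added illustration of that policy in Go, not the controller code from tektoncd/pipeline (the createPod, createTaskRun and createCustomRun changes in #8926 and #8902 are not reproduced here). BackoffConfig, APIError, RetryCreate and FlakyCreate are this example's own names; treating steps as the maximum number of attempts and matching "timeout" case-insensitively are assumptions, and the sleep function is injected so the run completes instantly.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// BackoffConfig carries the knobs the release notes name (duration, factor,
// steps) plus the feature flag; the field names are this example's own.
type BackoffConfig struct {
	Enabled  bool          // enable-wait-exponential-backoff; off means a single attempt
	Duration time.Duration // wait before the first retry
	Factor   float64       // multiplier applied to the wait after each retry
	Steps    int           // maximum number of attempts (assumption: steps == attempts)
}

// APIError is a minimal stand-in for an API server error: HTTP status plus message.
type APIError struct {
	Code int
	Msg  string
}

func (e *APIError) Error() string { return fmt.Sprintf("%d: %s", e.Code, e.Msg) }

// IsWebhookTimeout encodes the retry rule quoted in the notes: only an HTTP 500
// whose message mentions "timeout" (the mutating admission webhook timing out)
// is transient; validation failures (400) and anything else fail immediately.
func IsWebhookTimeout(err error) bool {
	var apiErr *APIError
	if !errors.As(err, &apiErr) {
		return false
	}
	return apiErr.Code == 500 && strings.Contains(strings.ToLower(apiErr.Msg), "timeout")
}

// Result records what the policy did, so behaviour can be inspected without waiting.
type Result struct {
	Attempts int
	Slept    time.Duration
	Err      error
}

// RetryCreate runs create under the policy. sleep is injected so this example
// finishes instantly; real code passes time.Sleep.
func RetryCreate(cfg BackoffConfig, create func() error, sleep func(time.Duration)) Result {
	steps := cfg.Steps
	if !cfg.Enabled || steps < 1 {
		steps = 1 // feature off: exactly one attempt, as before the change
	}
	var res Result
	wait := cfg.Duration
	for attempt := 1; attempt <= steps; attempt++ {
		res.Attempts = attempt
		if res.Err = create(); res.Err == nil {
			return res
		}
		if !IsWebhookTimeout(res.Err) || attempt == steps {
			return res // non-retryable, or retries exhausted: surface the error
		}
		sleep(wait)
		res.Slept += wait
		wait = time.Duration(float64(wait) * cfg.Factor)
	}
	return res
}

// FlakyCreate is a constructed stand-in for createPod/createTaskRun that fails
// with err for the first n calls and then succeeds.
func FlakyCreate(n int, err error) func() error {
	calls := 0
	return func() error {
		calls++
		if calls <= n {
			return err
		}
		return nil
	}
}

func main() {
	// Constructed message in the shape a webhook timeout comes back with.
	timeout := &APIError{Code: 500, Msg: "failed calling webhook: context deadline exceeded (timeout)"}
	cfg := BackoffConfig{Enabled: true, Duration: time.Second, Factor: 2, Steps: 5}
	noSleep := func(time.Duration) {}
	fmt.Printf("webhook timeout x3: %+v\n", RetryCreate(cfg, FlakyCreate(3, timeout), noSleep))
	fmt.Printf("validation error:   %+v\n", RetryCreate(cfg, FlakyCreate(3, &APIError{Code: 400, Msg: "validation failed"}), noSleep))
	cfg.Enabled = false
	fmt.Printf("feature disabled:   %+v\n", RetryCreate(cfg, FlakyCreate(3, timeout), noSleep))
}
```

With duration 1s, factor 2 and steps 5, three consecutive webhook timeouts cost four attempts and 7s of sleeping (1+2+4) before the create succeeds; a 400 fails after one attempt with no sleep; with the flag off, even a timeout fails after one attempt. The classifier is deliberately narrow: a generic error that merely contains the word "timeout" without the API status is not retried, which keeps a misconfigured or failing webhook from being masked by retries.
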
@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label Mar 18, 2026
@redhat-renovate-bot (Collaborator, Author) commented Mar 18, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading github.com/alexflint/go-arg v1.5.1
go: downloading go.uber.org/zap v1.27.0
go: downloading kubevirt.io/api v1.4.0
go: downloading github.com/google/go-containerregistry v0.20.6
go: downloading k8s.io/apimachinery v0.32.9
go: downloading github.com/onsi/ginkgo/v2 v2.21.0
go: downloading kubevirt.io/containerdisks v0.0.0-20241001085853-ea2e8bf50322
go: downloading github.com/onsi/gomega v1.35.1
go: downloading k8s.io/api v0.32.8
go: downloading kubevirt.io/client-go v1.4.0
go: downloading sigs.k8s.io/yaml v1.6.0
go: downloading k8s.io/client-go v0.31.2
go: downloading github.com/spf13/cobra v1.9.1
go: downloading kubevirt.io/kubevirt v1.4.0
go: downloading kubevirt.io/containerized-data-importer-api v1.59.1
go: downloading github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
go: downloading k8s.io/cli-runtime v0.31.2
go: downloading kubevirt.io/containerized-data-importer v1.59.1
go: downloading github.com/tektoncd/pipeline v1.6.1
go: downloading github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87
go: downloading k8s.io/utils v0.0.0-20241210054802-24370beab758
go: downloading knative.dev/pkg v0.0.0-20250415155312-ed3e2158b883
go: downloading github.com/alexflint/go-scalar v1.2.0
go: downloading go.yaml.in/yaml/v2 v2.4.2
go: downloading go.uber.org/multierr v1.11.0
go: downloading k8s.io/apiextensions-apiserver v0.32.8
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/spf13/pflag v1.0.6
go: downloading github.com/docker/cli v28.2.2+incompatible
go: downloading golang.org/x/sync v0.17.0
go: downloading github.com/containerd/stargz-snapshotter/estargz v0.16.3
go: downloading k8s.io/klog/v2 v2.130.1
go: downloading kubevirt.io/controller-lifecycle-operator-sdk/api v0.2.4
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.5.0
go: downloading github.com/google/gnostic-models v0.6.9
go: downloading golang.org/x/text v0.30.0
go: downloading k8s.io/kube-openapi v0.0.0-20240709000822-3c01b740850f
go: downloading sigs.k8s.io/kustomize/api v0.17.3
go: downloading sigs.k8s.io/kustomize/kyaml v0.17.2
go: downloading github.com/google/cel-go v0.26.0
go: downloading github.com/sigstore/sigstore v1.9.5
go: downloading github.com/openshift/api v0.0.0-20240722135205-ae4f370f361f
go: downloading golang.org/x/net v0.45.0
go: downloading golang.org/x/term v0.36.0
go: downloading gopkg.in/evanphx/json-patch.v4 v4.12.0
go: downloading github.com/gorilla/websocket v1.5.3
go: downloading golang.org/x/sys v0.37.0
go: downloading github.com/docker/distribution v2.8.3+incompatible
go: downloading github.com/opencontainers/image-spec v1.1.1
go: downloading github.com/klauspost/compress v1.18.0
go: downloading sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
go: downloading github.com/vbatts/tar-split v0.12.1
go: downloading cel.dev/expr v0.24.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7
go: downloading golang.org/x/time v0.12.0
go: downloading github.com/go-openapi/swag v0.23.0
go: downloading github.com/go-openapi/jsonreference v0.21.0
go: downloading github.com/emicklei/go-restful/v3 v3.12.1
go: downloading github.com/cloudevents/sdk-go/v2 v2.16.1
go: downloading golang.org/x/oauth2 v0.30.0
go: downloading github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec
go: downloading github.com/secure-systems-lab/go-securesystemslib v0.9.0
go: downloading github.com/sigstore/protobuf-specs v0.4.1
go: downloading golang.org/x/crypto v0.43.0
go: downloading github.com/go-kit/kit v0.13.0
go: downloading k8s.io/apiserver v0.32.8
go: downloading github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.4
go: downloading github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.76.2
go: downloading github.com/go-task/slim-sprig/v3 v3.0.0
go: downloading golang.org/x/tools v0.37.0
go: downloading github.com/fxamacker/cbor/v2 v2.7.0
go: downloading google.golang.org/grpc v1.75.0
go: downloading github.com/blang/semver/v4 v4.0.0
go: downloading github.com/go-errors/errors v1.5.1
go: downloading github.com/stoewer/go-strcase v1.3.0
go: downloading github.com/antlr4-go/antlr/v4 v4.13.1
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7
go: downloading github.com/go-openapi/jsonpointer v0.21.0
go: downloading github.com/mailru/easyjson v0.9.0
go: downloading github.com/docker/docker-credential-helpers v0.9.3
go: downloading github.com/evanphx/json-patch/v5 v5.9.11
go: downloading gomodules.xyz/jsonpatch/v2 v2.5.0
go: downloading github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db
go: downloading github.com/evanphx/json-patch v5.9.0+incompatible
go: downloading google.golang.org/api v0.233.0
go: downloading github.com/prometheus/client_golang v1.20.5
go: downloading github.com/prometheus/statsd_exporter v0.26.1
go: downloading github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
go: downloading github.com/xlab/treeprint v1.2.0
go: downloading github.com/x448/float16 v0.8.4
go: downloading k8s.io/kube-aggregator v0.31.2
go: downloading golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
go: downloading github.com/openzipkin/zipkin-go v0.4.3
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1
go: downloading github.com/prometheus/client_model v0.6.1
go: downloading github.com/prometheus/common v0.62.0
go: downloading github.com/prometheus/procfs v0.15.1
go: downloading go.yaml.in/yaml/v3 v3.0.3
go: downloading github.com/go-logfmt/logfmt v0.6.0
go: downloading github.com/go-jose/go-jose/v4 v4.1.2
go: downloading go.starlark.net v0.0.0-20240314022150-ee8ed142361c
go: downloading k8s.io/api v0.35.3
go: github.com/kubevirt/kubevirt-tekton-tasks/cmd/disk-uploader imports
	k8s.io/client-go/kubernetes imports
	k8s.io/client-go/kubernetes/typed/coordination/v1alpha1 imports
	k8s.io/api/coordination/v1alpha1: cannot find module providing package k8s.io/api/coordination/v1alpha1
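
The artifact failure above is a version-skew problem rather than a Tekton problem. The log downloads k8s.io/api at v0.35.3 (the newest version it fetches, pulled in by github.com/tektoncd/pipeline v1.6.1) while k8s.io/client-go stays at v0.31.2, and that client-go still imports k8s.io/api/coordination/v1alpha1, a package the newer k8s.io/api no longer provides. The Kubernetes staging modules (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go and friends) are tagged together per Kubernetes release and have to move together. The check below is an added example, not part of this repository or of Renovate: it parses `go list -m all` style output and flags staging modules that lag the highest selected minor. SampleModList is constructed from the module versions the log names, with k8s.io/api taken as selected at v0.35.3; the k8sStaging list and the assumption that every staging module carries the same tag are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// k8sStaging lists Kubernetes staging modules that are tagged together per
// Kubernetes release and only compile against each other at matching versions.
// The order here is the report order (this example's own list, not exhaustive).
var k8sStaging = []string{
	"k8s.io/api", "k8s.io/apimachinery", "k8s.io/client-go",
	"k8s.io/apiextensions-apiserver", "k8s.io/apiserver",
	"k8s.io/cli-runtime", "k8s.io/kube-aggregator",
}

// Skew is a staging module whose minor version lags the highest one selected.
type Skew struct{ Module, Version, Expected string }

// ParseModList reads `go list -m all` style output ("path version" per line)
// into a map; the main module line has no version and is skipped.
func ParseModList(out string) map[string]string {
	mods := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 {
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// minorNum extracts the minor number from "v0.32.8" style versions (0 if unparsable).
func minorNum(v string) int {
	n := 0
	if p := strings.Split(strings.TrimPrefix(v, "v"), "."); len(p) >= 2 {
		fmt.Sscanf(p[1], "%d", &n)
	}
	return n
}

// CheckK8sSkew returns the highest selected staging version and every staging
// module sitting on an older minor. Minimal version selection keeps the highest
// version any dependency requires, so once one dependency drags k8s.io/api
// forward the others must be moved up to it; api cannot be pinned back.
func CheckK8sSkew(mods map[string]string) (target string, skews []Skew) {
	for _, m := range k8sStaging {
		if v, ok := mods[m]; ok && minorNum(v) > minorNum(target) {
			target = v
		}
	}
	for _, m := range k8sStaging {
		if v, ok := mods[m]; ok && minorNum(v) < minorNum(target) {
			skews = append(skews, Skew{Module: m, Version: v, Expected: target})
		}
	}
	return target, skews
}

// GoGetCommand renders the upgrade that brings every lagging module to the
// target in one go (assumption: staging modules all carry the same tag).
func GoGetCommand(target string, skews []Skew) string {
	if len(skews) == 0 {
		return ""
	}
	args := make([]string, 0, len(skews))
	for _, s := range skews {
		args = append(args, s.Module+"@"+target)
	}
	return "go get " + strings.Join(args, " ")
}

// SampleModList is constructed from the module versions the failing `go get`
// log names; k8s.io/api is listed at v0.35.3, the newest version the log
// downloads and therefore the one version selection would keep.
const SampleModList = `github.com/kubevirt/kubevirt-tekton-tasks
github.com/tektoncd/pipeline v1.6.1
k8s.io/api v0.35.3
k8s.io/apiextensions-apiserver v0.32.8
k8s.io/apimachinery v0.32.9
k8s.io/apiserver v0.32.8
k8s.io/cli-runtime v0.31.2
k8s.io/client-go v0.31.2
k8s.io/kube-aggregator v0.31.2
kubevirt.io/client-go v1.4.0
`

func main() {
	target, skews := CheckK8sSkew(ParseModList(SampleModList))
	for _, s := range skews {
		fmt.Printf("%-32s %-8s lags %s\n", s.Module, s.Version, s.Expected)
	}
	fmt.Println(GoGetCommand(target, skews))
}
```

On the sample list six staging modules lag k8s.io/api v0.35.3 and the printed `go get` moves them up together. Whether the kubevirt.io/* dependencies in this repository compile against that newer client-go is a separate question the log does not answer, so the bump is something to run locally before merging, not something to take from Renovate as-is.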

@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/XS labels Mar 18, 2026
@openshift-ci openshift-ci bot requested review from 0xFelix and akrejcir March 18, 2026 01:17
@kubevirt-bot kubevirt-bot requested a review from ksimon1 March 18, 2026 01:17
@kubevirt-bot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign 0xfelix for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign 0xfelix for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/release-v0.24-go-github.com-tektoncd-pipeline-vulnerability branch 4 times, most recently from e687b24 to a4c95c7 on March 27, 2026 08:30
Signed-off-by: null <redhat-internal-renovate@redhat.com>
@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/release-v0.24-go-github.com-tektoncd-pipeline-vulnerability branch from a4c95c7 to f589d15 on April 1, 2026 22:28
@openshift-ci bot commented Apr 1, 2026

@redhat-renovate-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images f589d15 link true /test images
ci/prow/e2e-tests f589d15 link true /test e2e-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note-none Denotes a PR that doesn't merit a release note. size/XS
