tektoncd · tekton-robot · Feb 2, 2026 · Feb 2, 2026
diff --git a/.github/workflows/goclean.yml b/.github/workflows/goclean.yml
@@ -24,12 +24,12 @@ jobs:
   goclean:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3 # check-out repository
-
-    - name: Setup Go
-      uses: actions/setup-go@v3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        fetch-depth: 0
+    - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
       with:
-        go-version: '1.20.0'
+        go-version-file: "go.mod"
 
     - name: go vet
       run: |

diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml
@@ -18,25 +18,21 @@ jobs:
       matrix:
         # Keep in sync with the list of supported releases: https://kubernetes.io/releases/
         k8s-version:
-        - v1.25.x
-        - v1.26.x
         - v1.27.x
-        # Needs https://github.com/sigstore/scaffolding/pull/756
-        # - v1.28.x
+        - v1.28.x
+        - v1.29.x
+        - v1.30.x
     uses: ./.github/workflows/reusable-e2e.yaml
     with:
       k8s-version: ${{ matrix.k8s-version }}
-      pipelines-release: v0.50.1
+      pipelines-release: v0.59.6
   pipelines-lts:
     strategy:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         pipelines-release:
-        - v0.44.4  # LTS
-        - v0.47.3  # LTS
-        - v0.50.1  # LTS
-        - v0.51.0
+        - v0.59.6 # Had to change this to working versions during CVE fixes. Older versions gave gcr issue
     uses: ./.github/workflows/reusable-e2e.yaml
     with:
-      k8s-version: v1.26.x
+      k8s-version: v1.27.x
       pipelines-release: ${{ matrix.pipelines-release }}
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -17,33 +17,14 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          go-version: "1.20"
-
-      - uses: actions/checkout@v3
-
+          fetch-depth: 0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
+        with:
+          go-version-file: "go.mod"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20  # v9.2.0
         with:
-          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: latest
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
-          args: --timeout 10m0s
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          only-new-issues: true
-
-          # Optional: if set to true then the all caching functionality will be complete disabled,
-          #           takes precedence over all other caching options.
-          # skip-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true
+          version: v2.7.2
+          args: --new-from-merge-base=origin/${{ github.base_ref }} --timeout=10m
diff --git a/.github/workflows/reusable-e2e.yaml b/.github/workflows/reusable-e2e.yaml
@@ -27,15 +27,20 @@ jobs:
       GOFLAGS: -ldflags=-s -ldflags=-w
       KO_DOCKER_REPO: registry.local:5000/knative
       KOCACHE: ~/ko
-      SIGSTORE_SCAFFOLDING_RELEASE_VERSION: "v0.6.6"
-      TEKTON_PIPELINES_RELEASE: "https://storage.googleapis.com/tekton-releases/pipeline/previous/${{ inputs.pipelines-release }}/release.yaml"
+      SIGSTORE_SCAFFOLDING_RELEASE_VERSION: "v0.7.2"
+      TEKTON_PIPELINES_RELEASE: "https://github.com/tektoncd/pipeline/releases/download/${{ inputs.pipelines-release }}/release.yaml"
       # Note that we do not include the v prefix here so we can use it in all
       # the places this is used.
       TEKTON_CLI_RELEASE: "0.30.0"
 
     steps:
+    - name: Check out our repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        path: ./src/github.com/tektoncd/chains
+
     # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-    - uses: actions/cache@v2
+    - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
       with:
         # In order:
         # * Module download cache
@@ -48,43 +53,45 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-go-
 
-    - name: Set up Go
-      uses: actions/setup-go@v2
+    - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
       with:
-        go-version: 1.20.x
+        go-version-file: "src/github.com/tektoncd/chains/go.mod"
 
-    - uses: imjasonh/setup-ko@v0.6
-      with:
-        version: tip
+    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
     - name: Install tkn cli
       run: |
         curl -Lo ./tkn_${{ env.TEKTON_CLI_RELEASE }}_Linux_x86_64.tar.gz https://github.com/tektoncd/cli/releases/download/v${{ env.TEKTON_CLI_RELEASE }}/tkn_${{ env.TEKTON_CLI_RELEASE }}_Linux_x86_64.tar.gz
         tar xvzf ./tkn_${{ env.TEKTON_CLI_RELEASE }}_Linux_x86_64.tar.gz tkn
         chmod u+x ./tkn
 
-    - name: Check out our repo
-      uses: actions/checkout@v2
-      with:
-        path: ./src/github.com/tektoncd/chains
+    - name: Setup Docker daemon config
+      run: |
+        sudo mkdir -p /etc/docker
+        if [ ! -f /etc/docker/daemon.json ]; then
+          echo '{}' | sudo tee /etc/docker/daemon.json
+        fi
 
     - name: Install mirror, kind, knative + sigstore
-      uses: sigstore/scaffolding/actions/setup@main
+      uses: sigstore/scaffolding/actions/setup@039e0ece31c5fc9fe0466d2f7b289ed643b88fdb  # v0.7.2
       with:
         k8s-version: ${{ inputs.k8s-version }}
         version: ${{ env.SIGSTORE_SCAFFOLDING_RELEASE_VERSION }}
         knative-version: 1.9.0
 
     - name: Install Tekton pipelines
       run: |
-        while ! kubectl apply --filename ${{ env.TEKTON_PIPELINES_RELEASE }}
-        do
-          echo "waiting for tekton pipelines to get installed"
-          sleep 2
-        done
-
-        # Restart so picks up the changes.
-        kubectl -n tekton-pipelines delete po -l app=tekton-pipelines-controller
+        kubectl apply --filename ${{ env.TEKTON_PIPELINES_RELEASE }}
+
+        # Wait for deployments to be available
+        kubectl wait --for=condition=available --timeout=5m deployment/tekton-pipelines-controller -n tekton-pipelines
+        kubectl wait --for=condition=available --timeout=5m deployment/tekton-pipelines-webhook -n tekton-pipelines
+
+        # Restart controller so it picks up the changes
+        kubectl -n tekton-pipelines rollout restart deployment/tekton-pipelines-controller
+
+        # Wait for controller to be ready after restart
+        kubectl -n tekton-pipelines rollout status deployment/tekton-pipelines-controller --timeout=5m
 
     - name: Install all the everythings
       working-directory: ./src/github.com/tektoncd/chains
@@ -140,7 +147,7 @@ jobs:
 
     - name: Collect diagnostics
       if: ${{ failure() }}
-      uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main
+      uses: chainguard-dev/actions/kind-diag@17095df6250b18f9cc2c2e45b179d9a641668d8c # main
       with:
         cluster-resources: nodes
         namespace-resources: pods,taskruns,jobs
diff --git a/.golang-ci.yaml b/.golang-ci.yaml
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -0,0 +1,82 @@
+version: "2"
+run:
+  build-tags:
+    - e2e
+  modules-download-mode: vendor
+  issues-exit-code: 1
+linters:
+  default: none
+  enable:
+    - bodyclose
+    - containedctx
+    - decorder
+    - depguard
+    - dogsled
+    - dupl
+    - dupword
+    - errcheck
+    - errchkjson
+    - errname
+    - errorlint
+    - exhaustive
+    - goconst
+    - gocritic
+    - gomodguard
+    - gosec
+    - govet
+    - ireturn
+    - maintidx
+    - makezero
+    - misspell
+    - musttag
+    - nakedret
+    - nilerr
+    - nilnil
+    - noctx
+    - nolintlint
+    - nosprintfhostport
+    - revive
+    - staticcheck
+    - thelper
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace
+  settings:
+    depguard:
+      rules:
+        main:
+          list-mode: lax
+          allow:
+            - $gostd
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - errcheck
+          - gosec
+        path: _test\.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+  new: true
+  uniq-by-line: false
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/docs/performance.md b/docs/performance.md
@@ -19,7 +19,7 @@ spec:
     template:
         spec:
             containers:
-                - image: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.20.0
+                - image: ghcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.20.0
                   args:
                     - --threads-per-controller=32
                     - --kube-api-burst=2

diff --git a/examples/releases/v0.3.0-build-chains-taskrun.yaml b/examples/releases/v0.3.0-build-chains-taskrun.yaml
@@ -38,7 +38,7 @@ spec:
       - name: IMAGE_DIGEST
     steps:
     - name: ko
-      image: gcr.io/tekton-releases/dogfooding/ko@sha256:ff918ec2c8bbe416d5a9b6f9d25dfe9012dce673922fe7b2d5d69a99b02df0ac
+      image: ghcr.io/tekton-releases/dogfooding/ko@sha256:ff918ec2c8bbe416d5a9b6f9d25dfe9012dce673922fe7b2d5d69a99b02df0ac
       workingDir: /workspaces
       env:
       - name: KO_DOCKER_REPO

diff --git a/go.mod b/go.mod
@@ -29,6 +29,7 @@ require (
 	github.com/stretchr/testify v1.8.4
 	github.com/tektoncd/pipeline v0.56.0
 	github.com/tektoncd/plumbing v0.0.0-20230907180608-5625252a2de1
+	go.opencensus.io v0.24.0
 	go.uber.org/zap v1.26.0
 	gocloud.dev v0.36.0
 	gocloud.dev/docstore/mongodocstore v0.36.0
@@ -400,7 +401,6 @@ require (
 	gitlab.com/bosi/decorder v0.4.1 // indirect
 	go-simpler.org/sloglint v0.1.2 // indirect
 	go.mongodb.org/mongo-driver v1.13.1 // indirect
-	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
 	go.opentelemetry.io/otel v1.21.0 // indirect