
Update module github.com/tektoncd/pipeline to v1.11.0 [SECURITY] (release-v0.7)#3203

Open
renovate[bot] wants to merge 1 commit into release-v0.7 from renovate/release-v0.7-go-github.com-tektoncd-pipeline-vulnerability

Conversation

@renovate (renovate Bot, Contributor) commented Mar 26, 2026

This PR contains the following updates:

Package: github.com/tektoncd/pipeline
Change: v1.9.2 -> v1.11.0

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching

CVE-2026-25542 / GHSA-rmx9-2pp3-xhcr

Details

Summary

The Trusted Resources verification system matches a resource source string (refSource.URI) against spec.resources[].pattern using Go's regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the input string. As a result, common unanchored patterns—including examples found in Tekton documentation—can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This may cause an unintended policy match and alter which verification mode or keys are applied.

Affected Component
Impact

An attacker can craft a Trusted Resources source string that embeds a trusted substring and still matches an unanchored VerificationPolicy spec.resources[].pattern, even if the policy is intended to constrain matches to a specific trusted source. This occurs because regexp.MatchString succeeds on substring matches. For example, a pattern such as https://github.com/tektoncd/catalog.git would match an attacker-controlled source like https://evil.com/?x=https://github.com/tektoncd/catalog.git.

Affected: Deployments using Trusted Resources verification with unanchored VerificationPolicy patterns, where an attacker can influence the refSource.URI value used for policy matching.

Not affected: Deployments that anchor all patterns (^...$) or otherwise enforce full-string matching; deployments where attackers cannot influence refSource.URI.

Reproduction
Canonical (Demonstrates Vulnerability)
unzip -q -o poc.zip -d /tmp/poc-tekton-regex-001
cd /tmp/poc-tekton-regex-001/poc-F-TEKTON-REGEX-001
bash ./run.sh canonical | tee /tmp/tekton-regex-001-canonical.log
  • Expected (secure): Capability not reached; canonical does not emit vulnerability markers.
  • Actual (vulnerable): Capability reached; canonical emits vulnerability markers.
  • Canonical markers (mandatory): [CALLSITE_HIT] + [PROOF_MARKER]
Negative Control
bash ./run.sh control | tee /tmp/tekton-regex-001-control.log
  • Expected: Capability not reached under the same harness; control emits the control marker and does not emit vulnerability markers.
  • Control markers (mandatory): [CALLSITE_HIT] + [NC_MARKER]
Verification
grep -n '\[PROOF_MARKER\]' /tmp/tekton-regex-001-canonical.log \
  && grep -n '\[NC_MARKER\]' /tmp/tekton-regex-001-control.log \
  && ! grep -n '\[PROOF_MARKER\]' /tmp/tekton-regex-001-control.log
Suggested Fix

It is recommended to make matching safe-by-default by requiring full-string matches, or by validating patterns and clearly documenting substring semantics. Possible approaches include:

  1. Anchor patterns before matching — e.g., wrap pattern as ^(?:pattern)$ when not already anchored.
  2. Introduce a separate field for exact match vs. regex match semantics.
  3. Document substring semantics explicitly and update all documentation examples to include anchors.

A fix is considered accepted when, under the same harness, the canonical test still hits [CALLSITE_HIT] but does not emit [PROOF_MARKER].

Workarounds

Anchor all VerificationPolicy resource patterns so they must match the full source string. For example:

pattern: "^https://github\\.com/tektoncd/catalog\\.git$"
Proof Bundle
  • Bundle: poc.zip
  • Convention: The zip extracts under a single top-level folder (poc-F-TEKTON-REGEX-001/) to avoid collisions.
  • Contains: canonical.log, control.log, witness.txt
  • Extracted paths: ./poc/poc-F-TEKTON-REGEX-001/canonical.log, ./poc/poc-F-TEKTON-REGEX-001/control.log, ./poc/poc-F-TEKTON-REGEX-001/witness.txt
  • Integrity verification: Compare shasum -a 256 for canonical.log, control.log, fix.patch, and test source against witness.txt.

Note: If a supported integration uses verified HTTPS app-links or universal links only, provide the supported tag or branch and retesting on that pin can be arranged.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.11.0: Tekton Pipeline release v1.11.0 "Javanese Jocasta"

Compare Source

🎉 🐱 TaskRun pending parity, multiple Git credentials, and PVC auto-cleanup 🤖 🎉

  • Docs @ v1.11.0
  • Examples @ v1.11.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.0/release.yaml
REKOR_UUID=108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd

# Obtain the list of images with their sha256 digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.11.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, check that the same pinned reference appears in the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done

Changes

Features

  • ✨ feat(webhook): Bump knative.dev/pkg to enable centrally managed WEBHOOK_* TLS for the webhook (#​9466)

Bump knative.dev/pkg to enable centralized WEBHOOK_* TLS configuration for the webhook (min/max version, cipher suites, curves).
Webhook now inherits TLS policy from environment (operator/cluster); defaults remain TLS 1.3 when unset.

  • ✨ Add multi-URL support and per-resolution url param to Hub Resolver (#​9465)

Add multi-URL support and per-resolution url parameter to Hub Resolver, enabling ordered fallback across multiple hub instances and explicit URL targeting per resolution request.

  • ✨ Add pending status support for TaskRun (parity with PipelineRun) (#​9464)

TaskRun now supports spec.status: TaskRunPending to defer execution.
When pending, no Pod is created and status.startTime is not set.
Clearing spec.status starts execution, or setting TaskRunCancelled cancels without running.

  • ✨ feat: add optional PVC auto-cleanup annotation for workspaces mode (#​9354)

Add optional PVC auto-cleanup for workspaces mode via tekton.dev/auto-cleanup-pvc: "true" annotation. When set on a PipelineRun using coschedule: workspaces, PVCs created from volumeClaimTemplate workspaces are automatically deleted on completion. User-provided persistentVolumeClaim workspaces are never affected.

  • ✨ Add Gitea e2e tests to CI (#​9442)
Fixes
  • 🐛 Fix: Add SSH Host aliases to support multiple SSH credentials on same host (#​9643)

Fixed SSH credential matching to support multiple repositories on the same host with different SSH keys. Previously, when using multiple SSH auth secrets for different repositories on the same Git server (e.g., github.com/org/repo1 and github.com/org/repo2), SSH would use the first key for all repositories, causing authentication failures with deploy keys. SSH Host aliases and Git url.*.insteadOf rewriting now enable per-repository SSH key selection when the secret annotation URL includes a repo path.

  • 🐛 fix: make step-init symlink creation idempotent (#​9600)

Fix entrypoint step-init to handle container restarts gracefully. Previously, if a container restarted within a pod (e.g. due to OOM or eviction), the init process would fail with "symlink: file exists" because symlinks from the previous run persisted on the shared volume.

  • 🐛 fix: replace silent default namespace fallback with explicit error in GetNameAndNamespace (#​9594)

Replace silent "default" namespace fallback in GetNameAndNamespace with an explicit error, preventing potential ResolutionRequest creation in wrong namespace.

  • 🐛 fix: resolve context key collision and ownerRef nil panic in resolution framework (#​9593)

Fix context key collision in resolution framework where RequestName() silently returned the namespace value, and fix nil pointer panic in ownerRefsAreEqual when both Controller fields are nil.

  • 🐛 fix: cluster resolver namespace access control whitespace and wildcard bugs (#​9592)

Fix cluster resolver namespace access control: trim whitespace in allowed/blocked namespace lists, fix wildcard (*) handling when combined with explicit entries, and reject empty default-namespace values.

  • 🐛 fix: convert pod latency metric to histogram and remove pod label (#​9530)

Action required: The tekton_pipelines_controller_taskruns_pod_latency_milliseconds metric has been converted from a Gauge to a Histogram and the pod label has been removed. Dashboards or alerts referencing this metric will need to be updated to use histogram_quantile() instead of direct value queries.

  • 🐛 fix: use hashed volume names to prevent credential volume name collisions (#​9528)

Fix credential volume name collisions when namespaces have many (118+) annotated secrets. Volume names now use deterministic SHA-256 hashing instead of truncation with random suffix.

  • 🐛 Fix running_taskruns metric overcounting TaskRuns with no condition (#​9485)

Fixed overcounting in the running_taskruns metric for TaskRuns with no condition set yet.

  • 🐛 fix: propagate PipelineRun tasks/finally timeout to child TaskRuns (#​9419)

When spec.timeouts.tasks or spec.timeouts.finally on a PipelineRun exceeds the global default timeout, the value is now propagated to individual child TaskRuns that do not have an explicit per-task timeout. This prevents TaskRuns from being prematurely canceled at the global default (e.g., 1h) when the PipelineRun allows a longer duration.

  • 🐛 Bugfix: deduplicate concurrent resolver cache requests with singleflight. (#​9365)

Fix resolver cache race condition causing duplicate upstream pulls under concurrent load.

  • 🐛 Fix: Add useHttpPath to support multiple Git credentials on same host (#​9143)

Fixed Git credential matching to support multiple repositories on the same host with different credentials. Previously, when using multiple secrets for different repositories on the same Git server (e.g., github.com/org/repo1 and github.com/org/repo2), it incorrectly used the first credential for all repositories, causing authentication failures. Git credential contexts now include useHttpPath = true, enabling proper per-repository credential selection.

  • 🐛 fix: record metrics for cancelled PipelineRuns (#​9658)
  • 🐛 Add explicit permissions blocks to workflows missing them (#​9562)
  • 🐛 fix: revert mistaken metadata changes in resolvers config-observability (#​9468)
  • 🐛 fix: update default tracing endpoint to http protobuf endpoint (#​9141)
  • 🐛 fix: Pin Ubuntu,Bash,Python, Node & Perl container images to digests in examples/v1/taskruns/step-script.yaml (#​9618)
  • 🐛 fix: Pin alpine-git-nonroot,alpine/git,busybox & nop container images to digests in examples/v1/taskruns (#​9614)
  • 🐛 fix: Pin Bash,Alpine & Busybox container images to digests in examples/v1/taskruns (#​9610)
  • 🐛 fix: Pin Ubuntu container images to digests in examples/v1/taskruns (#​9607)
Misc
  • 🔨 perf(pipelinerun): hoist VerificationPolicy list out of per-task loop in resolvePipelineState (#​9601)

  • 🔨 ci: fix GitHub Actions security issues found by zizmor (#​9667)

  • 🔨 Extract memberOfLookup from createChildResourceLabels to reduce nested loop (#​9596)

  • 🔨 cleanup: replace GCS release URLs with infra.tekton.dev (#​9569)

  • 🔨 fix: Upgrade Gitea test infrastructure from v1.17.1 to latest (#​9568)

  • 🔨 chore: bump knative.dev/pkg to main and k8s libs to 0.35.1 (#​9470)

  • 🔨 Update stale comment about storing TaskSpec in status (#​9661)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9652)

  • 🔨 build(deps): bump github/codeql-action from 4.33.0 to 4.34.1 (#​9651)

  • 🔨 build(deps): bump actions/cache from 5.0.3 to 5.0.4 (#​9650)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.8 to 1.6.9 (#​9649)

  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.3 to 1.14.4 (#​9648)

  • 🔨 build(deps): bump k8s.io/apimachinery from 0.35.2 to 0.35.3 (#​9639)

  • 🔨 build(deps): bump k8s.io/client-go from 0.35.2 to 0.35.3 (#​9638)

  • 🔨 build(deps): bump k8s.io/api from 0.34.5 to 0.34.6 in /test/custom-task-ctrls/wait-task-beta (#​9637)

  • 🔨 build(deps): bump k8s.io/client-go from 0.34.5 to 0.34.6 in /test/custom-task-ctrls/wait-task-beta (#​9634)

  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.1 to 1.14.3 (#​9629)

  • 🔨 build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 (#​9628)

  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.2 to 0.21.3 (#​9627)

  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.10.0 to 1.10.2 in /test/custom-task-ctrls/wait-task-beta (#​9626)

  • 🔨 build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#​9611)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9587)

  • 🔨 build(deps): bump github/codeql-action from 4.32.6 to 4.33.0 (#​9586)

  • 🔨 build(deps): bump fgrosse/go-coverage-report from 1.2.0 to 1.3.0 (#​9585)

  • 🔨 build(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 (#​9584)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.7 to 1.6.8 (#​9583)

  • 🔨 Remove opencensus dependency from test files (#​9553)

  • 🔨 Update tj-actions/changed-files version comment to v47.0.5 (#​9552)

  • 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.41.0 to 1.42.0 (#​9549)

  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.1 to 0.21.2 (#​9548)

  • 🔨 build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2 (#​9547)

  • 🔨 build(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 (#​9542)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9541)

  • 🔨 build(deps): bump tj-actions/changed-files from 47.0.4 to 47.0.5 (#​9540)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.5 to 1.6.7 (#​9539)

  • 🔨 build(deps): bump github/codeql-action from 4.32.5 to 4.32.6 (#​9538)

  • 🔨 build(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#​9536)

  • 🔨 Nominate khrm and aThorp96 as pipeline approvers (#​9519)

  • 🔨 Move inactive approvers to alumni (#​9518)

  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.1 to 0.35.2 (#​9487)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9483)

  • 🔨 build(deps): bump github/codeql-action from 4.32.4 to 4.32.5 (#​9482)

  • 🔨 build(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 (#​9481)

  • 🔨 build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#​9480)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.4 to 1.6.5 (#​9479)

  • 🔨 build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#​9478)

  • 🔨 build(deps): bump go.opentelemetry.io/otel/metric from 1.40.0 to 1.41.0 (#​9477)

  • 🔨 build(deps): bump k8s.io/apimachinery from 0.35.1 to 0.35.2 (#​9476)

  • 🔨 build(deps): bump k8s.io/client-go from 0.34.3 to 0.34.5 in /test/custom-task-ctrls/wait-task-beta (#​9475)

  • 🔨 build(deps): bump k8s.io/code-generator from 0.35.1 to 0.35.2 (#​9473)

  • 🔨 build(deps): bump k8s.io/api from 0.34.3 to 0.34.5 in /test/custom-task-ctrls/wait-task-beta (#​9472)

  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.34.3 to 0.34.5 (#​9455)

  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.9.1 to 1.10.0 in /test/custom-task-ctrls/wait-task-beta (#​9453)

  • 🔨 build(deps): bump k8s.io/client-go from 0.34.3 to 0.34.4 (#​9447)

  • 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.39.0 to 1.40.0 (#​9445)

  • 🔨 fix: release cheat sheet doc typos (#​9415)

Docs
  • 📖 Re-enable pipeline-api.md generation (#​9604)

Update the pipeline API published at https://tekton.dev/docs/pipelines/pipeline-api/

  • 📖 docs(auth): clean stale TODO (#​9504)

Clean up stale TODO in auth.md

  • 📖 doc: Clarify scope of auth documentation (#​9461)

Added auth doc scope to distinguish credentials for processes inside Steps from Kubernetes imagePullSecrets for pulling Step images.

  • 📖 docs: update releases.md with security patch releases (#​9616)
  • 📖 docs: add 4 undocumented metrics to docs/metrics.md (#​9512)
  • 📖 docs: fix broken internal markdown links (#​9507)
  • 📖 docs: add README files for pipelinerun and taskrun examples (#​9505)
  • 📖 doc: Fix broken Tekton Bundles example link in taskruns.md (#​9462)
  • 📖 docs: update releases.md for v1.10.0 (#​9448)

Thanks

Thanks to these contributors who contributed to v1.11.0!

Extra shout-out for awesome release notes:

v1.10.2: Tekton Pipeline release v1.10.2 "LaPerm Little Helper"

Compare Source

  • Docs @ v1.10.2
  • Examples @ v1.10.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a104b9492904b91b09e714ee02dae9637eee78dfd892d6ca7cab46ce0208fd387

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a104b9492904b91b09e714ee02dae9637eee78dfd892d6ca7cab46ce0208fd387
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.2/release.yaml
REKOR_UUID=108e9186e8c5677a104b9492904b91b09e714ee02dae9637eee78dfd892d6ca7cab46ce0208fd387

# Obtain the list of images with their sha256 digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.10.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, check that the same pinned reference appears in the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done

Changes

⚠️ Security Fixes
  • GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022 (Medium): Controller panic via long resolver name in TaskRun/PipelineRun. A user with permission to create TaskRuns or PipelineRuns could crash the controller into a restart loop by setting a resolver name of 31+ characters, causing denial of service cluster-wide. Thanks to @​1seal for reporting this vulnerability.

Thanks

Thanks to these contributors who contributed to v1.10.2!

v1.10.1: Tekton Pipeline release v1.10.1 "LaPerm Little Helper"

Compare Source

  • Docs @ v1.10.1
  • Examples @ v1.10.1

Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.1/release.yaml
Attestation

The Rekor UUID for this release is 108e9186e8c5677a8754062aee1bb73b992fe19d8c70544f16dd0bd502e19006c984c56928e9df4f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a8754062aee1bb73b992fe19d8c70544f16dd0bd502e19006c984c56928e9df4f
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.1/release.yaml
REKOR_UUID=108e9186e8c5677a8754062aee1bb73b992fe19d8c70544f16dd0bd502e19006c984c56928e9df4f

# Obtain the list of images with their sha256 digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.10.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, check that the same pinned reference appears in the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done
Changes
Features
Fixes
  • 🐛 [cherry-pick: release-v1.10.x] fix: revert mistaken metadata changes in resolvers config-observability (#​9469)
Misc
Docs
Thanks

Thanks to these contributors who contributed to v1.10.1!

Extra shout-out for awesome release notes:

v1.10.0: Tekton Pipeline release v1.10.0 "LaPerm Little Helper"

Compare Source

🎉 Observability, evolved: Tekton Pipelines migrates to OpenTelemetry 🎉

  • Docs @ v1.10.0
  • Examples @ v1.10.0

Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.0/release.yaml
Attestation

The Rekor UUID for this release is 108e9186e8c5677a94dd58f7cfb4996ccce2c937681486ef690dab5e560e66c6c34aa9b446f32651

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a94dd58f7cfb4996ccce2c937681486ef690dab5e560e66c6c34aa9b446f32651
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.0/release.yaml
REKOR_UUID=108e9186e8c5677a94dd58f7cfb4996ccce2c937681486ef690dab5e560e66c6c34aa9b446f32651

# Obtain the list of images with their sha256 digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.10.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, check that the same pinned reference appears in the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done
Upgrade Notices
  • 🚨 Metrics migration from OpenCensus to OpenTelemetry (#​9043)

    ACTION REQUIRED: Infrastructure metrics (Go runtime, Workqueue, K8s Client) have been renamed from the tekton_pipelines_controller_ prefix to standard OpenTelemetry/Knative namespaces. The reason label has been added to duration metrics (pipelinerun_duration_seconds, taskrun_duration_seconds). The reconcile_count and reconcile_latency metrics have been removed.

    Upgrade actions:

    1. Update Config: Ensure your config-observability ConfigMap uses metrics-protocol: prometheus (or grpc/http) instead of the old metrics.backend-destination. If prometheus was already being used, no changes are needed.
    2. Update Dashboards:
      • Replace tekton_pipelines_controller_workqueue_* queries with kn_workqueue_*
      • Replace tekton_pipelines_controller_go_* queries with standard go_* metrics
      • Check aggregations on pipelinerun_duration_seconds to account for the new reason label

    See the full migration table in PR #​9043 for complete details.

Changes
Features
  • ✨ feat: Add SHA-256 support for Git resolver revision validation (#​9278)

    Git resolver now supports SHA-256 commit hashes for revision validation.

  • ✨ feat(metrics): Migrate from OpenCensus to OpenTelemetry (#​9043)

    Migrated PipelineRun and TaskRun metrics to OpenTelemetry instruments (histograms, counters, gauges). Updated Knative to 1.19. See Upgrade Notices for breaking changes and required actions.

  • ✨ ci: add /rebase slash command workflow (#​9375)

Fixes
  • 🐛 fix: Remove redundant shortNames from ResolutionRequest CRD (#​9398)

    Remove redundant shortNames from ResolutionRequest CRD that caused ShortNamesConflict on Kubernetes 1.33+

  • 🐛 fix(pipelines): allow pipeline param defaults to use non-param variables (#​9386)

    Fixed a bug which caused PipelineRun validation to fail when a pipeline parameter's default value referenced a non-parameter variable (e.g. $(context.pipelineRun.name))

  • 🐛 fix: pipeline-level results not recorded from failed tasks (#​9367)

    Pipeline-level results now include results from failed, cancelled, and timed-out tasks, fixing cases where results referencing non-successful task outputs were left as unresolved variable strings.

  • 🐛 ci: replace e2e-only fan-in with unified CI summary job (#​9394)

  • 🐛 fix: Align cache configstore with framework implementation (#​9282)

  • 🐛 accept featureFlags.EnableTektonOCIBundles to fix unknown field error (#​8996)

Misc
  • 🔨 build(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /test/resolver-with-timeout (#​9426)
  • 🔨 Move v0.68 LTS to End of Life releases (#​9434)
  • 🔨 Assess several new gosec findings (#​9405)
  • 🔨 ci: Update cherry-pick command to latest plumbing (#​9400)
  • 🔨 build(deps): bump opentelemetry exporter packages to v1.39.0 (#​9332)
  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.0 to 0.21.1 (#​9433)
  • 🔨 build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 (#​9431)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9430)
  • 🔨 build(deps): bump tj-actions/changed-files from 47.0.2 to 47.0.4 (#​9429)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 (#​9428)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.1 to 1.6.4 (#​9427)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.10.4 in /test/resolver-with-timeout (#​9425)
  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.20.7 to 0.21.0 (#​9418)
  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.9.0 to 1.9.1 in /test/custom-task-ctrls/wait-task-beta (#​9417)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9397)
  • 🔨 build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 (#​9396)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.5.16 to 1.6.1 (#​9395)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 (#​9392)
  • 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.16 to 1.15.17 (#​9391)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.0 (#​9389)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.32.11 to 0.32.12 (#​9388)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.11 to 0.32.12 (#​9385)
  • 🔨 build(deps): bump k8s.io/apimachinery from 0.33.7 to 0.33.8 (#​9384)
  • 🔨 build(deps): bump k8s.io/client-go from 0.32.11 to 0.32.12 (#​9383)
  • 🔨 build(deps): bump k8s.io/client-go from 0.32.11 to 0.32.12 in /test/custom-task-ctrls/wait-task-beta (#​9382)
  • 🔨 build(deps): bump k8s.io/api from 0.32.11 to 0.32.12 in /test/custom-task-ctrls/wait-task-beta (#​9381)
  • 🔨 build(deps): bump k8s.io/apimachinery from 0.33.7 to 0.33.8 in /test/custom-task-ctrls/wait-task-beta (#​9380)
  • 🔨 build(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (#​9374)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9373)
  • 🔨 build(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 (#​9372)
  • 🔨 build(deps): bump tj-actions/changed-files from 47.0.1 to 47.0.2 (#​9371)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.5.14 to 1.5.16 (#​9370)
  • 🔨 build(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 (#​9369)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.39.0 to 1.40.0 (#​9363)
  • 🔨 fix(ci): simplify e2e test health status result (#​9361)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9352)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.5.13 to 1.5.14 (#​9351)
  • 🔨 build(deps): bump github/codeql-action from 4.32.0 to 4.32.1 (#​9350)
  • 🔨 build(deps): bump actions/cache from 4.2.3 to 5.0.3 (#​9348)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.37.0 to 1.40.0 (#​9345)
  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.7.0 to 1.9.0 in /test/custom-task-ctrls/wait-task-beta (#​9340)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#​9337)
  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.0 to 1.14.1 (#​9336)
  • 🔨 build(deps): bump sigstore/sigstore from 1.9.5 to 1.10.4 (#​9331)
  • 🔨 build(deps): bump github.com/tektoncd/pipeline to v1.7.0 in wait-task-beta (#​9329)
Docs
  • 📖 docs: clarify flag availability across controller binaries (#​9390)
  • 📖 docs: update releases.md for v1.9.0 LTS (#​9339)
  • 📖 docs: Document roadmap project board workflows and best practices (#​9311)
  • 📖 Update examples in docs for changes in apiVersion v1 (#​9042)
Thanks

Thanks to these contributors who contributed to v1.10.0!

Extra shout-out for awesome release notes:

v1.9.3: Tekton Pipeline release v1.9.3 "Devon Rex Dreadnought"

Compare Source

  • Docs @ v1.9.3
  • Examples @ v1.9.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.3/release.yaml
REKOR_UUID=108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb

# Obtain the list of images with their sha256 digests from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, check that the same pinned reference appears in the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done

Changes

⚠️ Security Fixes
  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes
  • 🐛 Fix running_taskruns metric overcounting TaskRuns with no condition
  • 🐛 Pin registry image and relax log-based cache assertion
  • 🐛 Bump Go to 1.24.13 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729
  • 🐛 Fix TextParser struct usage for prometheus/common v0.62.0 compatibility
  • 🐛 Remove corrupted resolver cache entries on type error
  • 🐛 Resolve resolver cache race condition with singleflight
  • 🐛 Align resolver cache configstore with framework implementation

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
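Three of the security fixes listed above (unanchored VerificationPolicy patterns, VolumeMount paths that are prefix-checked before normalization, and an HTTP resolver that read response bodies without a bound) share one defensive pattern: canonicalize or bound the untrusted value before comparing it against policy. The Go program below is an added example written for this page, not code from Tekton Pipelines, from the conforma/cli repository, or from the Renovate PR. The function names, the allow-list direction of the /tekton/ path check, and the sample inputs are my own assumptions; only the 1 MiB cap and the catalog.git / evil.com strings come from the advisory text and release notes quoted on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"regexp"
	"strings"
)

// matchPolicyUnanchored mirrors the weakness described for the
// VerificationPolicy check: regexp.MatchString succeeds if the pattern
// matches anywhere in the source string, so a trusted URL embedded inside
// an untrusted one still "matches".
func matchPolicyUnanchored(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// matchPolicyAnchored wraps the policy pattern so that it must cover the
// entire source string. The non-capturing group keeps alternations such as
// "a|b" inside the anchors instead of anchoring only the first branch.
func matchPolicyAnchored(pattern, source string) (bool, error) {
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return false, fmt.Errorf("invalid policy pattern %q: %w", pattern, err)
	}
	return re.MatchString(source), nil
}

const tektonRoot = "/tekton/"

// underTektonPrefixOnly is the naive prefix check: "/tekton/../sensitive"
// starts with "/tekton/" and is accepted even though it escapes the root.
func underTektonPrefixOnly(mountPath string) bool {
	return strings.HasPrefix(mountPath, tektonRoot)
}

// underTektonNormalized cleans the path first, collapsing "." and ".."
// segments, so only paths that really resolve below /tekton/ pass.
// Assumption for this example: the check is an allow-list ("must be under
// /tekton/"); the same normalization step repairs a deny-list check too.
func underTektonNormalized(mountPath string) bool {
	clean := filepath.Clean(mountPath)
	return strings.HasPrefix(clean, tektonRoot)
}

// maxResolverBody is the 1 MiB cap the release notes mention for the
// HTTP resolver.
const maxResolverBody int64 = 1 << 20

// readBounded reads at most limit bytes and reports an error if the body is
// larger, instead of letting io.ReadAll grow until the pod runs out of memory.
// Reading limit+1 bytes lets us distinguish "exactly limit" from "too big".
func readBounded(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("response body exceeds %d bytes", limit)
	}
	return data, nil
}

func main() {
	pattern := `https://github.com/tektoncd/catalog.git`
	trusted := "https://github.com/tektoncd/catalog.git"
	crafted := "https://evil.com/?x=https://github.com/tektoncd/catalog.git" // from the advisory text
	for _, src := range []string{trusted, crafted} {
		u, _ := matchPolicyUnanchored(pattern, src)
		a, _ := matchPolicyAnchored(pattern, src)
		fmt.Printf("%-62s unanchored=%-5v anchored=%v\n", src, u, a)
	}
	for _, p := range []string{"/tekton/home", "/tekton/../sensitive"} {
		fmt.Printf("%-24s prefix-only=%-5v normalized=%v\n", p, underTektonPrefixOnly(p), underTektonNormalized(p))
	}
	// Constructed oversized body: 2 MiB of padding stands in for a hostile server response.
	big := bytes.NewReader(bytes.Repeat([]byte("A"), 2<<20))
	if _, err := readBounded(big, maxResolverBody); err != nil {
		fmt.Println("oversized body rejected:", err)
	}
}
```

Running it prints the crafted source matching the unanchored pattern but not the anchored one, the traversal path passing the prefix-only check but failing the normalized one, and the 2 MiB body being rejected. A policy engine that wants to keep accepting existing unanchored patterns can apply the `^(?:...)$` wrapping only when the pattern does not already start with `^` and end with `$`, but the simpler rule of always anchoring is easier to audit.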

@renovate
Contributor Author

renovate Bot commented Mar 26, 2026

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

Package Change
github.com/sigstore/sigstore v1.9.1 -> v1.9.4
gomodules.xyz/jsonpatch/v2 v2.4.0 -> v2.5.0
knative.dev/pkg v0.0.0-20250117084104-c43477f0052b -> v0.0.0-20250415155312-ed3e2158b883

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package Change
github.com/sigstore/sigstore v1.9.1 -> v1.9.4
github.com/coreos/go-oidc/v3 v3.12.0 -> v3.14.1
github.com/evanphx/json-patch/v5 v5.9.0 -> v5.9.11
gomodules.xyz/jsonpatch/v2 v2.4.0 -> v2.5.0
knative.dev/pkg v0.0.0-20250117084104-c43477f0052b -> v0.0.0-20250415155312-ed3e2158b883

@codecov

codecov Bot commented Mar 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
generative 68.07% <ø> (-1.48%) ⬇️
integration 68.07% <ø> (-1.48%) ⬇️
unit 68.07% <ø> (-1.48%) ⬇️

@renovate renovate Bot force-pushed the renovate/release-v0.7-go-github.com-tektoncd-pipeline-vulnerability branch 2 times, most recently from 230b8e4 to 81fa425 Compare April 1, 2026 17:20
@renovate renovate Bot changed the title 🚨 Update module github.com/tektoncd/pipeline to v1 [SECURITY] (release-v0.7) 🚨 Update module github.com/tektoncd/pipeline to v1 [SECURITY] (release-v0.7) - autoclosed Apr 15, 2026
@renovate renovate Bot closed this Apr 15, 2026
@renovate renovate Bot deleted the renovate/release-v0.7-go-github.com-tektoncd-pipeline-vulnerability branch April 15, 2026 15:55
@renovate renovate Bot changed the title 🚨 Update module github.com/tektoncd/pipeline to v1 [SECURITY] (release-v0.7) - autoclosed Update module github.com/tektoncd/pipeline to v1.11.0 [SECURITY] (release-v0.7) Apr 22, 2026
@renovate renovate Bot reopened this Apr 22, 2026
@renovate renovate Bot force-pushed the renovate/release-v0.7-go-github.com-tektoncd-pipeline-vulnerability branch 2 times, most recently from 81fa425 to 256ef25 Compare April 22, 2026 02:59
@renovate
Contributor Author

renovate Bot commented Apr 22, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum
Command failed: go mod tidy
go: downloading github.com/go-openapi/testify/v2 v2.0.2
go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4
go: downloading github.com/go-openapi/testify/enable/yaml/v2 v2.0.2
go: downloading github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0
go: downloading google.golang.org/api v0.260.0
go: downloading cloud.google.com/go/kms v1.23.2
go: downloading cloud.google.com/go v0.121.6
go: downloading cloud.google.com/go/auth v0.18.0
go: downloading cloud.google.com/go/longrunning v0.7.0
go: downloading github.com/googleapis/gax-go/v2 v2.16.0
go: downloading google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217
go: downloading cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084
go: downloading github.com/emicklei/proto v1.14.2
go: downloading github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.9
go: finding module for package knative.dev/pkg/metrics
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260422015212-ec452872dcc1), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260422015212-ec452872dcc1), but does not contain package knative.dev/pkg/tracing/config

@github-actions github-actions Bot added size: XL and removed size: S labels Apr 22, 2026