
fix(deps): update module github.com/tektoncd/pipeline to v1 [security] (alauda-v0.34.0)#70

Closed
alaudaa-renovate[bot] wants to merge 1 commit into alauda-v0.34.0 from renovate/alauda-v0.34.0-go-github.com-tektoncd-pipeline-vulnerability


@alaudaa-renovate


This PR contains the following updates:

Package: github.com/tektoncd/pipeline
Change: v0.55.0 -> v1.1.0

GitHub Vulnerability Alerts

CVE-2026-33211

Summary

The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests (e.g. by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data.

Details

The git resolver's getFileContent() function in pkg/resolution/resolver/git/repository.go constructs a file path by joining the repository clone directory with the user-supplied pathInRepo parameter:

fileContents, err := os.ReadFile(filepath.Join(repo.directory, path))

The pathInRepo parameter is not validated for path traversal sequences. An attacker can supply values like ../../../../etc/passwd to escape the cloned repository directory and read arbitrary files from the resolver pod's filesystem.

The vulnerability was introduced in commit 318006c4e3a5 which switched the git resolver from the go-git library (using an in-memory filesystem that cannot be escaped) to shelling out to the git binary and reading files with os.ReadFile() from the real filesystem.

Impact

Arbitrary file read — A namespace-scoped tenant who can create TaskRuns or PipelineRuns with git resolver parameters can read any file readable by the resolver pod process.

Credential exfiltration and privilege escalation — The resolver pod's ServiceAccount token is readable at a well-known path (/var/run/secrets/kubernetes.io/serviceaccount/token). In the default RBAC configuration, the tekton-pipelines-resolvers ServiceAccount has get, list, and watch permissions on secrets cluster-wide. An attacker who exfiltrates this token gains the ability to read all Secrets across all namespaces, escalating from namespace-scoped access to cluster-wide secret access.

Patches

Fixed in 1.0.x, 1.3.x, 1.6.x, 1.9.x, 1.10.x.

The fix validates pathInRepo to reject paths containing .. components at parameter validation time, and adds a containment check using filepath.EvalSymlinks() to prevent symlink-based escapes from attacker-controlled repositories.

Workarounds

There is no workaround other than restricting which users can create TaskRuns, PipelineRuns, or ResolutionRequests that use the git resolver. Administrators can also reduce the impact by scoping the resolver pod's ServiceAccount RBAC permissions using a custom ClusterRole with more restrictive rules.

Affected Versions

All releases from v1.0.0 through v1.10.0, including all patch releases:

  • v1.0.0, v1.1.0, v1.2.0
  • v1.3.0, v1.3.1, v1.3.2
  • v1.4.0, v1.5.0, v1.6.0, v1.7.0
  • v1.9.0, v1.9.1, v1.10.0

Releases prior to v1.0.0 (e.g. v0.70.0 and earlier) are not affected because they used the go-git library's in-memory filesystem where path traversal cannot escape the git worktree.

Acknowledgments

This vulnerability was reported by Oleh Konko (@​1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

References

  • Fix: (link to merged PR/commit)
  • Introduced in: 318006c4e3a5 ("fix: resolve Git Anonymous Resolver excessive memory usage")

Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.1.0: Tekton Pipeline release v1.1.0 "Selkirk Rex Saul Tigh"

Compare Source

  • Docs @ v1.1.0
  • Examples @ v1.1.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.1.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a4abf3bb44246e552fdd917a58075df15b5f99ad1aa9e1da6ffd3c6aebc69689d

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a4abf3bb44246e552fdd917a58075df15b5f99ad1aa9e1da6ffd3c6aebc69689d
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.1.0/release.yaml
REKOR_UUID=108e9186e8c5677a4abf3bb44246e552fdd917a58075df15b5f99ad1aa9e1da6ffd3c6aebc69689d

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.1.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file (fixed-string match, variables quoted)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 fix: Ensure retryable errors during validation do not fail Runs (#​8746)

Retryable errors during dry-run Task validation will no longer cause a PipelineRun to be failed.

TaskRuns that fail due to Out of Memory (OOM) conditions will now show the termination reason in their failure message.

Misc
  • 🔨 refactor: use os.UserHomeDir instead of go-homedir (#​8774)
  • 🔨 Remove temporary GOPATH generation in in update-codegen.sh and update-openapigen.sh. (#​8719)
  • 🔨 Refactor Step validation to implement apis.Validatable. (#​8717)
  • 🔨 Raise test coverage in task_validation.go and container_validation.go. (#​8714)
  • 🔨 Refactor sidecar validation to implement apis.Validatable. (#​8710)
  • 🔨 Move Steps and Sidecars validation to container_validation.go. (#​8685)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.72.1 to 1.72.2 (#​8801)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8800)
  • 🔨 build(deps): bump tj-actions/changed-files from 480f494 to c6634ca (#​8799)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.35.0 to 1.36.0 (#​8798)
  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.20.3 to 0.20.5 (#​8796)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.35.0 to 1.36.0 (#​8794)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.35.0 to 1.36.0 (#​8793)
  • 🔨 Fix subpath capitalisation (#​8790)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.32.4 to 0.32.5 (#​8789)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8787)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.7.0 to 4.7.1 (#​8786)
  • 🔨 build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 (#​8785)
  • 🔨 build(deps): bump k8s.io/client-go from 0.32.4 to 0.32.5 (#​8783)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.4 to 0.32.5 (#​8781)
  • 🔨 build(deps): bump k8s.io/api from 0.32.4 to 0.32.5 (#​8780)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.1 (#​8771)
  • 🔨 build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 (#​8766)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.6.0 to 4.7.0 (#​8765)
  • 🔨 build(deps): bump tj-actions/changed-files from 4168bb4 to 480f494 (#​8764)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8763)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.1 to 0.32.4 (#​8762)
  • 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.14.56 to 1.14.58 (#​8754)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.34.0 to 1.35.0 (#​8753)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.15 to 1.9.4 (#​8752)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.24.1 to 0.25.0 (#​8751)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.71.1 to 1.72.0 (#​8749)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.15 to 1.9.4 (#​8748)
  • 🔨 build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 (#​8747)
  • 🔨 Migration to golangci-lint v2… (#​8745)
  • 🔨 Add @​waveywaves as a maintainer (#​8743)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8742)
  • 🔨 build(deps): bump github/codeql-action from 3.28.16 to 3.28.17 (#​8741)
  • 🔨 build(deps): bump tj-actions/changed-files from 5426ecc to 4168bb4 (#​8739)
  • 🔨 build(deps): bump github.com/cloudevents/sdk-go/v2 from 2.15.2 to 2.16.0 (#​8737)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.15 to 1.9.4 (#​8736)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.32.2 to 0.32.4 (#​8735)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.34.0 to 1.35.0 (#​8734)
  • 🔨 build(deps): bump code.gitea.io/sdk/gitea from 0.20.0 to 0.21.0 (#​8733)
  • 🔨 build(deps): bump k8s.io/client-go from 0.32.2 to 0.32.4 (#​8732)
  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.11.2 to 1.12.0 (#​8731)
  • 🔨 build(deps): bump tj-actions/changed-files from c34c1c1 to 5426ecc (#​8730)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.15 to 1.9.4 (#​8725)
  • 🔨 build(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 in /test/resolver-with-timeout (#​8708)
  • 🔨 build(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 in /test/resolver-with-timeout (#​8706)
  • 🔨 build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 in /test/custom-task-ctrls/wait-task-beta (#​8588)
Docs
  • 📖 docs: add more explicit language in the Pipelines in Pipelines docs (#​8767)
  • 📖 Update releases.md after v1.0.0 (#​8761)
  • 📖 fix(docs): correct documentation link errors related to sidecar-logs (#​8744)
  • 📖 Add ghcr.io migration banner to README.md. (#​8693)

Thanks

Thanks to these contributors who contributed to v1.1.0!

Extra shout-out for awesome release notes:

v1.0.0: Tekton Pipeline release v1.0.0 "Oriental Omnidroid" LTS

Compare Source

🎉 1.0.0 is live 🎉 StepActions are GA and Git resolvers enhancements 🎉

  • Docs @ v1.0.0
  • Examples @ v1.0.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.0.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a3c232a877172a3c7967bdcb84afa4bc0a3819fe35e8796e324bbc364356d4349

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a3c232a877172a3c7967bdcb84afa4bc0a3819fe35e8796e324bbc364356d4349
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.0.0/release.yaml
REKOR_UUID=108e9186e8c5677a3c232a877172a3c7967bdcb84afa4bc0a3819fe35e8796e324bbc364356d4349

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.0.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file (fixed-string match, variables quoted)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ fix: resolve Git Anonymous Resolver excessive memory usage (#​8677)

RemoteResolutions using the Git Resolver now use the git binary instead of the Golang library go-git to shallow-clone, shallow-fetch, then checkout the provided repository at the given revision. This reduces resolution time and memory significantly. Some git providers such as Gitea may not support fetching revisions if the revision is a SHA which is not reachable via a ref or is not at a ref/head. In general, no user action is required.

See also: https://git-scm.com/docs/protocol-capabilities#\_allow\_reachable\_sha1\_in\_want

Resolves https://github.com/tektoncd/pipeline/issues/8652

  • ✨ feat(pipeline): allow variable substitution in pipeline.tasks[].onError (#​8600)

feat(pipeline): allow variable substitution in pipeline.tasks[].onError

  • ✨ Add configuration for custom bundle resolver backoff (#​8574)

Enables the configuration of backoffs for bundle resolver requests.

  • ✨ feat: promote StepActions to GA (#​8546)

StepActions promoted to GA and is available by default. The enable-step-actions feature flag exists as a no-op flag to ensure that existing user workflows which might rely on this flag are not disabled. This flag will be removed completely in a later release.

  • ✨ feat: add support for authenticated git clone (#​8537)

An optional token can now be passed to the git clone method (using go-git library) to
bypass the token limit when using the API.

Fixes
  • 🐛 fix: add stepaction as a valid kind in the hub resolver (#​8635)

The hub resolver now validates StepActions as a valid kind.

  • 🐛 fix: avoid fan out matrix task failed due to result ref (#​8487)

fix: avoid fan out matrix task failed due to result ref

  • 🐛 fix: handle subPath directory creation errors gracefully (#​8683)
Misc
  • 🔨 cleanup: [TEP-0135] remove deprecated disable-affinity-assistant feature flag (#​8603)


  • 🔨 cleanup: remove clustertask support (#​8601)

Remove ClusterTask support completely

  • 🔨 Bump go.mod and tools/go.mod to go 1.23 (#​8482)

Updating go to 1.23

keep-pod-on-cancel feature flag will be enabled by default

  • 🔨 build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#​8729)
  • 🔨 build(deps): bump step-security/harden-runner from 2.11.1 to 2.12.0 (#​8728)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8727)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.8.15 to 1.9.4 (#​8724)
  • 🔨 build(deps): bump k8s.io/apimachinery from 0.32.2 to 0.32.4 (#​8723)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8722)
  • 🔨 build(deps): bump tj-actions/changed-files from be393a9 to c34c1c1 (#​8721)
  • 🔨 build(deps): bump github/codeql-action from 3.28.14 to 3.28.15 (#​8705)
  • 🔨 build(deps): bump tj-actions/changed-files from 6abeaa5 to be393a9 (#​8704)
  • 🔨 build(deps): bump ko-build/setup-ko from 0.8 to 0.9 (#​8703)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8702)
  • 🔨 build(deps): bump github/codeql-action from 3.28.13 to 3.28.14 (#​8690)
  • 🔨 build(deps): bump tj-actions/changed-files from 27ae6b3 to 6abeaa5 (#​8689)
  • 🔨 build(deps): bump actions/dependency-review-action from 4.5.0 to 4.6.0 (#​8688)
  • 🔨 build(deps): bump step-security/harden-runner from 2.11.0 to 2.11.1 (#​8687)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8686)
  • 🔨 build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#​8680)
  • 🔨 build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#​8678)
  • 🔨 build(deps): bump go.opentelemetry.io/otel from 1.34.0 to 1.35.0 (#​8676)
  • 🔨 Consume release pipeline images and task bundles from GHCR (#​8674)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.31.6 to 0.31.7 (#​8645)
Docs
  • 📖 Add v0.70 to the releases doc and fix dates of v0.64 and v0.69 releases (#​8699)
  • 📖 Move Step when expressions documentation from StepActions to Tasks documentation. (#​8672)
  • 📖 Update link to section on overriding task requests (#​8650)
  • 📖 chore: param enum usage example for stepaction (#​8605)

Thanks

Thanks to these contributors who contributed to v1.0.0!

Extra shout-out for awesome release notes:

v0.70.0: Tekton Pipeline release v0.70.0 "Norwegian Forest Cat Number Five (Aaron Doral)"

Compare Source

🎉 OpenAPI schema to Tekton CRDs 🎉

  • Docs @ v0.70.0
  • Examples @ v0.70.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.70.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9b98c9f620b1202d23cdf7b6bc38da3acecc1a9cb6f206d98fefed3ce02b0e09

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9b98c9f620b1202d23cdf7b6bc38da3acecc1a9cb6f206d98fefed3ce02b0e09
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.70.0/release.yaml
REKOR_UUID=108e9186e8c5677a9b98c9f620b1202d23cdf7b6bc38da3acecc1a9cb6f206d98fefed3ce02b0e09

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.70.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file (fixed-string match, variables quoted)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • Add structural OpenAPI schema to Tekton CRDs (#​8490)

action required: The structural OpenAPI schema for Tekton CRDs is added, enabling API server schema validation and supporting kubectl explain to describe the fields and structure of Tekton CRDs. Due to the API server schema validation, users should make sure Tekton CRs have a valid schema when creating or updating CRs.

Fixes
  • 🐛 fix: Fix remote task params default-value substitution (#​8641)

Task Param defaults will now be correctly substituted in Steps when the Task is referenced by a TaskRun

  • 🐛 fix: configure StepAction to use conversion webhook (#​8644)
Misc
  • 🔨 cleanup: breakup the pkg/credentials into writer and matcher + ensure non corev1 usage in entrypoint for FIPs compliance (#​8542)

import only the writer part of the credentials package in the entrypoint so that we do not pull core v1 API indirectly into the package

  • 🔨 FIPS Compliance: Refactor Entrypoint, Remove zap Dependency & Update Build Checks (#​8544)
  • 🔨 build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#​8670)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8668)
  • 🔨 build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 (#​8667)
  • 🔨 build(deps): bump actions/cache from 4.2.2 to 4.2.3 (#​8666)
  • 🔨 build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 (#​8665)
  • 🔨 build(deps): bump tj-actions/changed-files from dcc7a0c to 27ae6b3 (#​8664)
  • 🔨 build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 (#​8654)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8653)
  • 🔨 build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 (#​8633)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8632)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.23.2 to 0.24.1 (#​8614)
  • 🔨 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#​8608)
  • 🔨 Refactor pipelinerun metrics tests (#​8340)
Docs
  • 📖 Document ko settings for kind clusters with and without a local registry. (#​8662)
  • 📖 Fix wrong entry in development documentation and other minor documentation corrections. (#​8661)
  • 📖 Add release 0.69 to releases.md (#​8630)

Thanks

Thanks to these contributors who contributed to v0.70.0!

Extra shout-out for awesome release notes:

v0.69.1: Tekton Pipeline release v0.69.1 "Oriental Longhair Omnibot"

Compare Source

  • Docs @ v0.69.1
  • Examples @ v0.69.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.69.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a76ee1ec9649527ab153790fc1b5385843dcb8c6522c3d9b0db77451a35b2068f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a76ee1ec9649527ab153790fc1b5385843dcb8c6522c3d9b0db77451a35b2068f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.69.1/release.yaml
REKOR_UUID=108e9186e8c5677a76ee1ec9649527ab153790fc1b5385843dcb8c6522c3d9b0db77451a35b2068f

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.69.1@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file (fixed-string match, variables quoted)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [release-v0.69.x] fix: Fix remote task params default-value substitution (#​8651)

Task Param defaults will now be correctly substituted in Steps when the Task is referenced by a TaskRun

Misc
Docs

Thanks

Thanks to these contributors who contributed to v0.69.1!

Extra shout-out for awesome release notes:

v0.69.0: Tekton Pipeline release v0.69.0 "Oriental Longhair Omnibot"

Compare Source

  • Docs @ v0.69.0
  • Examples @ v0.69.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.69.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a83b80360985c8a19920792656acc1566def6a298da6b73bd47b42307bceab304

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a83b80360985c8a19920792656acc1566def6a298da6b73bd47b42307bceab304
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.69.0/release.yaml
REKOR_UUID=108e9186e8c5677a83b80360985c8a19920792656acc1566def6a298da6b73bd47b42307bceab304

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.69.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file (fixed-string match, variables quoted)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Add feature flag to set readOnlyRootFilesystem for containers (#​8186)

New feature flag set-security-context-read-only-root-filesystem in ConfigMap feature-flags. The new feature sets readOnlyRootFilesystem in securityContext for taskrun and affinity assistant containers.

Fixes
  • 🐛 fix: Move when condition to higher priority (#​8569)

fix: Move when condition to higher priority

  • 🐛 fix: resolve panic issue in pipeline controller caused by CustomRun (#​8562)

fix: resolve panic issue in pipeline controller caused by CustomRun

Misc
  • 🔨 Bump knative.dev/pkg to release-1.17 (#​8538)

Bump knative.dev/pkg to release-1.17 while keeping KUBERNETES_MIN_VERSION to 1.28.

  • 🔨 cleanup: use pkg/platforms instead of containerd/platforms to … (#​8579)
  • 🔨 cleanup: add disable_spire build tag for entrypoint command (#​8548)
  • 🔨 build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 (#​8619)
  • 🔨 build(deps): bump k8s.io/client-go from 0.31.4 to 0.31.6 (#​8618)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.31.4 to 0.31.6 (#​8615)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.12 to 1.8.15 (#​8613)
  • 🔨 build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#​8612)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8611)
  • 🔨 build(deps): bump actions/cache from 4.2.1 to 4.2.2 (#​8610)
  • 🔨 build(deps): bump tj-actions/changed-files from 45.0.6 to 45.0.7 (#​8609)
  • 🔨 chore: add yaml linting to pre-commit (#​8606)
  • 🔨 .github/workflow: add only-new-issues on lint (#​8604)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.12 to 1.8.15 (#​8598)
  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.11.1 to 1.11.2 (#​8597)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.12 to 1.8.15 (#​8596)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.8.12 to 1.8.15 (#​8595)
  • 🔨 build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.5.0 (#​8594)
  • 🔨 build(deps): bump step-security/harden-runner from 2.10.4 to 2.11.0 (#​8593)
  • 🔨 build(deps): bump github/codeql-action from 3.28.8 to 3.28.10 (#​8592)
  • 🔨 build(deps): bump actions/setup-go from 5.1.0 to 5.3.0 (#​8591)
  • 🔨 build(deps): bump actions/cache from 4.2.0 to 4.2.1 (#​8590)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8589)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.12 to 1.8.15 (#​8585)
  • 🔨 build(deps): bump k8s.io/api from 0.31.4 to 0.31.6 (#​8584)
  • 🔨 .github/workflows: add a build and test workflows (#​8577)
  • 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.14.37 to 1.14.56 (#​8576)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8573)
  • 🔨 .github/workflows: force go to 1.23 for the lint job (#​8570)
  • 🔨 build(deps): bump github.com/golangci/golangci-lint from 1.63.4 to 1.64.5 in /tools (#​8568)
  • 🔨 build(deps): bump k8s.io/client-go from 0.29.13 to 0.29.14 (#​8567)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8560)
  • 🔨 build(deps): bump google.golang.org/protobuf from 1.36.4 to 1.36.5 (#​8557)
  • 🔨 build(deps): bump golang.org/x/sync from 0.10.0 to 0.11.0 (#​8554)
  • 🔨 build(deps): bump github/codeql-action from 3.28.5 to 3.28.8 (#​8552)
  • 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.4.0 to 2.5.0 (#​8551)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.23.1 to 0.23.2 (#​8550)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8549)
  • 🔨 tekton: fix micro typo on release-cheat-sheet (#​8545)
Docs
  • 📖 releases.md: add 0.68.0 LTS and update other releases (#​8559)
  • 📖 chore: fix some comments (#​8524)
  • 📖 fix broken link to tutorials.md page (#​8444)

Thanks

Thanks to these contributors who contributed to v0.69.0!

Extra shout-out for awesome release notes:

v0.68.1: Tekton Pipeline release v0.68.1 "LaPerm Giskard Reventlov" LTS

Compare Source

  • Docs @ v0.68.1
  • Examples @ v0.68.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677aff6b780d606f71d6cc2d430e71ac429ad21e107c13490490d164ab33f980851b

Obtain the attestation:

REKOR_UUID=108e9186e8c5677aff6b780d606f71d6cc2d430e71ac429ad21e107c13490490d164ab33f980851b
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.1/release.yaml
REKOR_UUID=108e9186e8c5677aff6b780d606f71d6cc2d430e71ac429ad21e107c13490490d164ab33f980851b

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.68.1@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file (fixed-string match, variables quoted)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [release-v0.68.x] fix: Fix remote task params default-value substitution (#​8646)

Task Param defaults will now be correctly substituted in Steps when the Task is referenced by a TaskRun

Misc
  • 🔨 [release-v0.68.x] .github/workflows: add a build and test workflows (#​8583)
Docs

Thanks

Thanks to these contributors who contributed to v0.68.1!

Extra shout-out for awesome release notes:

v0.68.0: Tekton Pipeline release v0.68.0 "LaPerm Giskard Reventlov" LTS

Compare Source

  • Docs @ v0.68.0
  • Examples @ v0.68.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a666d35f8508100e4c8e112033d805978d152a05eef3872377816f3756a588089

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a666d35f8508100e4c8e112033d805978d152a05eef3872377816f3756a588089
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.68.0/release.yaml
REKOR_UUID=108e9186e8c5677a666d35f8508100e4c8e112033d805978d152a05eef3872377816f3756a588089

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.68.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file (fixed-string match, variables quoted)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ feat: improve step.Script variables references validation message (#​8312)

improve step.Script variables references validation message

Fixes
  • 🐛 fix: reference params in default values, allow chained references in stepactions (#​8536)

fixes https://github.com/tektoncd/pipeline/issues/7935 allowing users to reference other parameters in default values

  • 🐛 fix: avoid panic when validate enum param with special matrix task (#​8465)

fix: avoid panic when validate enum param with special matrix task

  • 🐛 Bump go-billy to latest main to fix a git resolver issue (#​8306)


  • 🐛 fix: improve parsing logic to handle empty results (#​8484)
  • 🐛 fix: minor version check for sidecar logic (#​8447)
  • 🐛 fix(computeresource/tasklevel): Fixed a bug where abnormal calculatio… (#​8399)
Misc
  • 🔨 better step result referencing and docs for step param substitution order and (#​8528)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.22.1 to 0.23.1 (#​8541)
  • 🔨 Fix deprecated golangci-lint configuration (#​8540)
  • 🔨 build(deps): bump github/codeql-action from 3.28.1 to 3.28.5 (#​8534)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8533)
  • 🔨 build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4 (#​8530)
  • 🔨 build(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2 (#​8527)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 (#​8525)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.27.0 to 1.34.0 (#​8520)
  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.10.0 to 1.11.1 (#​8519)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.20.1 to 0.22.1 (#​8518)
  • 🔨 build(deps): bump github/codeql-action from 3.28.0 to 3.28.1 (#​8509)
  • 🔨 build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 (#​8508)
  • 🔨 build(deps): bump step-security/harden-runner from 2.10.2 to 2.10.4 (#​8507)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8506)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.33.0 to 1.34.0 (#​8505)
  • 🔨 build(deps): bump k8s.io/client-go from 0.29.6 to 0.29.13 (#​8504)
  • 🔨 build(deps): bump github.com/containerd/containerd from 1.7.20 to 1.7.25 (#​8503)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.4 to 1.8.12 (#​8502)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.67.3 to 1.69.4 (#​8500)
  • 🔨 build(deps): bump k8s.io/code-generator from 0.29.7 to 0.29.13 (#​8499)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.29.0 to 1.33.0 (#​8498)
  • 🔨 build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3 (#​8497)
  • 🔨 build(deps): bump k8s.io/api from 0.29.6 to 0.29.13 (#​8496)
  • 🔨 build(deps): bump github.com/go-git/go-billy/v5 from 5.6.1 to 5.6.2 (#​8494)
  • 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.3.0 to 2.4.0 (#​8493)
  • 🔨 build(deps): bump code.gitea.io/sdk/gitea from 0.18.0 to 0.20.0 (#​8491)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.28.0 to 1.33.0 (#​8488)
  • 🔨 build(deps): bump the all group in /tekton with 2 updates ([#​8481](https://redirect.github.com/tektoncd/pipelin

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@alaudaa-renovate

Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading github.com/docker/cli v29.2.1+incompatible
go: downloading github.com/google/go-containerregistry v0.21.2
go: downloading github.com/tektoncd/pipeline v1.1.0
go: downloading github.com/AlaudaDevops/chains v0.19.2-0.20260304040940-ee32327fe2af
go: downloading golang.org/x/term v0.40.0
go: downloading golang.org/x/sys v0.41.0
go: downloading golang.org/x/net v0.51.0
go: downloading k8s.io/apiextensions-apiserver v0.26.12
go: downloading google.golang.org/grpc v1.79.1
go: downloading golang.org/x/text v0.34.0
go: downloading golang.org/x/oauth2 v0.35.0
go: downloading golang.org/x/crypto v0.48.0
go: downloading cloud.google.com/go/storage v1.57.2
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4
go: downloading cloud.google.com/go v0.123.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409
go: downloading google.golang.org/genproto v0.0.0-20260128011058-8636f8732409
go: downloading cel.dev/expr v0.25.1
go: downloading golang.org/x/mod v0.33.0
go: downloading google.golang.org/api v0.264.0
go: downloading cloud.google.com/go/firestore v1.21.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading github.com/aws/aws-sdk-go-v2 v1.41.1
go: downloading github.com/aws/aws-sdk-go-v2/config v1.32.7
go: downloading github.com/aws/aws-sdk-go-v2/service/kms v1.49.5
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0
go: downloading cloud.google.com/go/kms v1.25.0
go: downloading cloud.google.com/go/auth v0.18.1
go: downloading go.opentelemetry.io/contrib/detectors/gcp v1.39.0
go: downloading cloud.google.com/go/longrunning v0.8.0
go: downloading github.com/eapache/go-resiliency v1.6.0
go: downloading github.com/pierrec/lz4/v4 v4.1.21
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.19.7
go: downloading github.com/aws/aws-sdk-go-v2/service/signin v1.0.5
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.30.9
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
go: downloading golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
go: downloading github.com/prometheus/procfs v0.19.2
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.11
go: downloading github.com/envoyproxy/go-control-plane/envoy v1.36.0
go: downloading github.com/golang-jwt/jwt/v5 v5.3.1
go: downloading github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5
go: downloading github.com/envoyproxy/protoc-gen-validate v1.3.0
go: github.com/tektoncd/cli/pkg/bundle imports
	github.com/tektoncd/pipeline/pkg/client/clientset/versioned/scheme: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/bundle imports
	github.com/tektoncd/pipeline/pkg/remote/oci: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/chain imports
	github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/cli imports
	github.com/tektoncd/pipeline/pkg/client/clientset/versioned: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/cmd/clustertask imports
	github.com/tektoncd/pipeline/pkg/apis/pipeline/v1: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/cmd/taskrun imports
	github.com/tektoncd/pipeline/pkg/apis/pipeline: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/pipelinerun imports
	github.com/tektoncd/pipeline/pkg/client/informers/externalversions: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/pods imports
	github.com/tektoncd/pipeline/pkg/apis/pipeline/pod: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/clientset/versioned/fake: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/informers/externalversions/pipeline/v1beta1: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/injection/client/fake: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/injection/informers/pipeline/v1beta1/clustertask/fake: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/injection/informers/pipeline/v1beta1/pipeline/fake: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/injection/informers/pipeline/v1beta1/pipelinerun/fake: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/injection/informers/pipeline/v1beta1/task/fake: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/client/injection/informers/pipeline/v1beta1/taskrun/fake: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/pkg/reconciler/testing: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/pipeline/test: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/test/framework imports
	github.com/tektoncd/pipeline/pkg/apis/config: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/test/framework imports
	github.com/tektoncd/pipeline/pkg/client/clientset/versioned/typed/pipeline/v1: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/test/framework imports
	github.com/tektoncd/pipeline/pkg/client/clientset/versioned/typed/pipeline/v1beta1: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/test/framework imports
	github.com/tektoncd/pipeline/pkg/names: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/clustertriggerbinding imports
	github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1 imports
	github.com/tektoncd/pipeline/pkg/apis/validate: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/pipelinerun tested by
	github.com/tektoncd/cli/pkg/pipelinerun.test imports
	github.com/tektoncd/pipeline/test/diff: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

go: github.com/tektoncd/cli/pkg/clustertriggerbinding imports
	github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1 imports
	github.com/tektoncd/triggers/pkg/apis/config imports
	github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1: github.com/tektoncd/pipeline@v1.1.0: verifying module: checksum mismatch
	downloaded: h1:fSLhDyOt6oBF3HJ8mKvt3iKWR+vWimpGli3A11v1jXI=
	sum.golang.org: h1:OdrcOp6GK99oOYkQnjiK2OC5UkrwgHOV/iukggwe8HM=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

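The "checksum mismatch" lines in the artifact failure above compare two `h1:` values: the hash of the module zip that was actually downloaded and the hash that sum.golang.org (the Go checksum database) has on record for `github.com/tektoncd/pipeline@v1.1.0`. The following is an added example, not code from this PR, from Tekton or from Renovate: a standard-library-only re-implementation of the `h1:` module hash (the real one is `golang.org/x/mod/sumdb/dirhash.Hash1`) run over a constructed, in-memory module so a reader can see what is being compared and why a single changed byte produces a different line. The module name `example.com/mod`, its files and the `Verify` helper are assumptions made for the example.

```go
// Added example (not part of the PR or of Tekton/Renovate): a stand-alone
// re-implementation of Go's "h1:" module hash so the two lines in the
// checksum-mismatch error above can be understood and compared. The real
// implementation is golang.org/x/mod/sumdb/dirhash.Hash1; this copy uses
// only the standard library and hashes an in-memory file set constructed here.
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Hash1 computes the "h1:" hash Go records in go.sum for a module zip:
// for each file (sorted by name) the SHA-256 of its content is written as
// "<hex>  <name>\n"; the SHA-256 of that summary, base64-encoded, is the hash.
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // Go sorts by the file's path inside the zip

	summary := sha256.New()
	for _, n := range names {
		fileSum := sha256.Sum256(files[n])
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// VerifyResult is what a checksum comparison produces.
type VerifyResult struct {
	Match      bool
	Downloaded string
	Expected   string
}

// Verify compares the hash of the bytes actually downloaded against the hash
// the checksum database (or go.sum) reports for the same module version.
// This mirrors the decision behind the "SECURITY ERROR" message: any
// difference means the download is rejected, whatever the cause.
func Verify(files map[string][]byte, expected string) VerifyResult {
	got := Hash1(files)
	return VerifyResult{Match: got == expected, Downloaded: got, Expected: expected}
}

// sampleModule is a constructed, minimal module file set; the path prefix
// mirrors how Go names entries inside a module zip (module@version/...).
func sampleModule() map[string][]byte {
	return map[string][]byte{
		"example.com/mod@v1.0.0/go.mod": []byte("module example.com/mod\n\ngo 1.22\n"),
		"example.com/mod@v1.0.0/lib.go": []byte("package mod\n\nfunc Answer() int { return 42 }\n"),
	}
}

// tamperedModule is the same module with one byte changed, standing in for
// "the bits may have been replaced on the origin server".
func tamperedModule() map[string][]byte {
	m := sampleModule()
	m["example.com/mod@v1.0.0/lib.go"] = []byte("package mod\n\nfunc Answer() int { return 43 }\n")
	return m
}

func main() {
	expected := Hash1(sampleModule()) // stands in for the sum.golang.org line
	for _, tc := range []struct {
		name  string
		files map[string][]byte
	}{{"clean", sampleModule()}, {"tampered", tamperedModule()}} {
		r := Verify(tc.files, expected)
		fmt.Printf("%-8s match=%v\n  downloaded: %s\n  expected:   %s\n",
			tc.name, r.Match, r.Downloaded, r.Expected)
	}
}
```

Because the hash covers every file name and every byte of content, the comparison cannot tell a malicious substitution apart from a benign re-publish of the same tag; the defensive response in either case is the one `go` takes here, which is to refuse the download and keep the pinned `go.sum` entry rather than bypass the check.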

@alaudabot


🤖 AI Code Review

Property Value
Model z-ai/glm-4.7:free
Style strict
Issues Found 4
Warnings/Errors 2
Personalized Prompt ❌ No
Reviewed at 2026-03-18 23:30:40 UTC

Summary

This PR updates the github.com/tektoncd/pipeline dependency from v0.55.0 to v1.1.0 for a security fix. However, this is a major version upgrade (v0→v1) that introduces breaking API changes, and the PR only includes the go.mod change without updating the corresponding import paths in the codebase. The code uses v1alpha1 API imports that are incompatible with v1.x without migration.

Review Statistics

Category Count
Critical Issues 2
Warnings 1
Suggestions 1
Files Reviewed 1

Critical Issues

  • [go.mod:276] Incomplete Upgrade - Missing Import Path Changes: This is a major version upgrade (v0.55.0 → v1.1.0), which introduces breaking API changes. The tektoncd/pipeline v1.x release moved APIs from v1alpha1 to v1beta1/v1 packages. The codebase has 214+ imports of github.com/tektoncd/pipeline using v1alpha1 paths (e.g., pkg/apis/pipeline/v1alpha1). These imports must be updated to pkg/apis/pipeline/v1beta1 or pkg/apis/pipeline/v1 for the code to compile with v1.1.0.

  • [go.mod:276] Missing Vendor Directory Update: The PR lacks the corresponding vendor directory changes. After updating go.mod, go mod vendor should be run to update the vendored dependencies. Without this, the build will fail or use outdated code.

Warnings

  • [go.mod:276] Major Version Jump Risk: Upgrading from v0.55.0 to v1.1.0 is a significant version jump. Verify that all functionality still works correctly and check the tektoncd/pipeline v1.0.0 release notes for breaking changes that may affect this CLI.

Suggestions

  • [go.mod:276] Security Fix Verification: While the PR title mentions "[security]", verify that v1.1.0 specifically addresses the security vulnerability. Check the tektoncd/pipeline security advisories to confirm the minimum secure version.

Positive Feedback

  • The dependency update follows a clean pattern with minimal changes.
  • The PR is appropriately scoped to dependency management.

Recommendation: This PR should NOT be merged in its current state. It requires:

  1. Running go mod vendor to update vendored dependencies
  2. Updating import paths from v1alpha1 to v1beta1/v1 throughout the codebase
  3. Verifying compatibility with all API changes
  4. Testing the build compiles successfully

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

@l-qing l-qing closed this Mar 21, 2026
@alaudaa-renovate

Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 1.x releases. But if you manually upgrade to 1.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@alaudaa-renovate alaudaa-renovate Bot deleted the renovate/alauda-v0.34.0-go-github.com-tektoncd-pipeline-vulnerability branch March 21, 2026 09:20
3 participants