fix: validate taskRef.apiVersion format for custom tasks

Add validation to ensure taskRef.apiVersion follows the correct format
(group/version) when specified. Previously, invalid apiVersion values
like 'invalid-api-version' were accepted, causing PipelineRuns to create
unhandled CustomRuns that would timeout. Now Pipeline creation fails
immediately with a clear error message when an invalid apiVersion is provided.

Fixes #9044

Author: waveywaves

pkg/apis/pipeline/v1/pipeline_types_test.go

@@ -483,6 +483,46 @@ func TestPipelineTask_ValidateCustomTask(t *testing.T) {
 			Message: `invalid value: custom task ref must specify apiVersion`,
 			Paths:   []string{"taskRef.apiVersion"},
 		},
+	}, {
+		name: "custom task - taskRef with invalid apiVersion format",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "invalid-api-version", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "invalid-api-version", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskSpec with invalid apiVersion format",
+		task: PipelineTask{Name: "foo", TaskSpec: &EmbeddedTask{
+			TypeMeta: runtime.TypeMeta{
+				APIVersion: "no-slash-no-dot",
+				Kind:       "some-kind",
+			},
+		}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "no-slash-no-dot", must be in the format "group/version"`,
+			Paths:   []string{"taskSpec.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskRef with missing group in apiVersion",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "nogroup/v1", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "nogroup/v1", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskRef with empty group in apiVersion",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "/v1", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "/v1", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskRef with empty version in apiVersion",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "example.dev/", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "example.dev/", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -497,6 +537,35 @@ func TestPipelineTask_ValidateCustomTask(t *testing.T) {
 	}
 }
 
+func TestPipelineTask_ValidateCustomTask_ValidAPIVersion(t *testing.T) {
+	tests := []struct {
+		name string
+		task PipelineTask
+	}{{
+		name: "custom task - valid apiVersion with group/version",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "example.dev/v1", Kind: "Example", Name: "example"}},
+	}, {
+		name: "custom task - valid apiVersion with multi-level group",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "custom.tekton.dev/v1beta1", Kind: "Custom", Name: "custom"}},
+	}, {
+		name: "custom task - valid apiVersion in taskSpec",
+		task: PipelineTask{Name: "foo", TaskSpec: &EmbeddedTask{
+			TypeMeta: runtime.TypeMeta{
+				APIVersion: "example.io/v2",
+				Kind:       "CustomTask",
+			},
+		}},
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.task.validateCustomTask()
+			if err != nil {
+				t.Errorf("PipelineTask.validateCustomTask() returned unexpected error: %v", err)
+			}
+		})
+	}
+}
+
 func TestPipelineTask_ValidateRegularTask_Success(t *testing.T) {
 	tests := []struct {
 		name      string
@@ -691,7 +760,7 @@ func TestPipelineTask_Validate_Failure(t *testing.T) {
 		name: "custom task reference in taskref missing apiversion Kind",
 		p: PipelineTask{
 			Name:    "invalid-custom-task",
-			TaskRef: &TaskRef{APIVersion: "example.com"},
+			TaskRef: &TaskRef{APIVersion: "example.com/v1"},
 		},
 		expectedError: apis.FieldError{
 			Message: `invalid value: custom task ref must specify kind`,
@@ -701,7 +770,7 @@ func TestPipelineTask_Validate_Failure(t *testing.T) {
 		name: "custom task reference in taskspec missing kind",
 		p: PipelineTask{Name: "foo", TaskSpec: &EmbeddedTask{
 			TypeMeta: runtime.TypeMeta{
-				APIVersion: "example.com",
+				APIVersion: "example.com/v1",
 			}}},
 		expectedError: *apis.ErrInvalidValue("custom task spec must specify kind", "taskSpec.kind"),
 	}, {

pkg/apis/pipeline/v1/pipeline_validation.go

@@ -336,6 +336,31 @@ func (pt PipelineTask) validateRefOrSpec(ctx context.Context) (errs *apis.FieldE
 	return errs
 }
 
+// isValidAPIVersion validates the format of an apiVersion string.
+// Valid formats are "group/version" where group contains at least one dot.
+// For custom tasks, apiVersion must always be in the "group/version" format.
+func isValidAPIVersion(apiVersion string) bool {
+	parts := strings.Split(apiVersion, "/")
+	// For custom tasks, apiVersion must be in group/version format (2 parts)
+	if len(parts) != 2 {
+		return false
+	}
+
+	group := parts[0]
+	version := parts[1]
+	// Group and version should not be empty
+	if group == "" || version == "" {
+		return false
+	}
+	// Group should contain at least one dot (e.g., tekton.dev)
+	// This is a common pattern for Kubernetes API groups
+	if !strings.Contains(group, ".") {
+		return false
+	}
+
+	return true
+}
+
 // validateCustomTask validates custom task specifications - checking kind and fail if not yet supported features specified
 func (pt PipelineTask) validateCustomTask() (errs *apis.FieldError) {
 	if pt.TaskRef != nil && pt.TaskRef.Kind == "" {
@@ -350,6 +375,17 @@ func (pt PipelineTask) validateCustomTask() (errs *apis.FieldError) {
 	if pt.TaskSpec != nil && pt.TaskSpec.APIVersion == "" {
 		errs = errs.Also(apis.ErrInvalidValue("custom task spec must specify apiVersion", "taskSpec.apiVersion"))
 	}
+	// Validate apiVersion format for custom tasks
+	if pt.TaskRef != nil && pt.TaskRef.APIVersion != "" {
+		if !isValidAPIVersion(pt.TaskRef.APIVersion) {
+			errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskRef.APIVersion), "taskRef.apiVersion"))
+		}
+	}
+	if pt.TaskSpec != nil && pt.TaskSpec.APIVersion != "" {
+		if !isValidAPIVersion(pt.TaskSpec.APIVersion) {
+			errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskSpec.APIVersion), "taskSpec.apiVersion"))
+		}
+	}
 	return errs
 }
 

pkg/apis/pipeline/v1beta1/pipeline_types_test.go

@@ -483,6 +483,46 @@ func TestPipelineTask_ValidateCustomTask(t *testing.T) {
 			Message: `invalid value: custom task ref must specify apiVersion`,
 			Paths:   []string{"taskRef.apiVersion"},
 		},
+	}, {
+		name: "custom task - taskRef with invalid apiVersion format",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "invalid-api-version", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "invalid-api-version", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskSpec with invalid apiVersion format",
+		task: PipelineTask{Name: "foo", TaskSpec: &EmbeddedTask{
+			TypeMeta: runtime.TypeMeta{
+				APIVersion: "no-slash-no-dot",
+				Kind:       "some-kind",
+			},
+		}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "no-slash-no-dot", must be in the format "group/version"`,
+			Paths:   []string{"taskSpec.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskRef with missing group in apiVersion",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "nogroup/v1", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "nogroup/v1", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskRef with empty group in apiVersion",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "/v1", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "/v1", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
+	}, {
+		name: "custom task - taskRef with empty version in apiVersion",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "example.dev/", Kind: "some-kind", Name: ""}},
+		expectedError: apis.FieldError{
+			Message: `invalid value: invalid apiVersion format "example.dev/", must be in the format "group/version"`,
+			Paths:   []string{"taskRef.apiVersion"},
+		},
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -497,6 +537,35 @@ func TestPipelineTask_ValidateCustomTask(t *testing.T) {
 	}
 }
 
+func TestPipelineTask_ValidateCustomTask_ValidAPIVersion(t *testing.T) {
+	tests := []struct {
+		name string
+		task PipelineTask
+	}{{
+		name: "custom task - valid apiVersion with group/version",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "example.dev/v1", Kind: "Example", Name: "example"}},
+	}, {
+		name: "custom task - valid apiVersion with multi-level group",
+		task: PipelineTask{Name: "foo", TaskRef: &TaskRef{APIVersion: "custom.tekton.dev/v1beta1", Kind: "Custom", Name: "custom"}},
+	}, {
+		name: "custom task - valid apiVersion in taskSpec",
+		task: PipelineTask{Name: "foo", TaskSpec: &EmbeddedTask{
+			TypeMeta: runtime.TypeMeta{
+				APIVersion: "example.io/v2",
+				Kind:       "CustomTask",
+			},
+		}},
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.task.validateCustomTask()
+			if err != nil {
+				t.Errorf("PipelineTask.validateCustomTask() returned unexpected error: %v", err)
+			}
+		})
+	}
+}
+
 func TestPipelineTask_ValidateRegularTask_Success(t *testing.T) {
 	tests := []struct {
 		name      string
@@ -687,7 +756,7 @@ func TestPipelineTask_Validate_Failure(t *testing.T) {
 		name: "custom task reference in taskref missing apiversion Kind",
 		p: PipelineTask{
 			Name:    "invalid-custom-task",
-			TaskRef: &TaskRef{APIVersion: "example.com"},
+			TaskRef: &TaskRef{APIVersion: "example.com/v1"},
 		},
 		expectedError: apis.FieldError{
 			Message: `invalid value: custom task ref must specify kind`,
@@ -697,7 +766,7 @@ func TestPipelineTask_Validate_Failure(t *testing.T) {
 		name: "custom task reference in taskspec missing kind",
 		p: PipelineTask{Name: "foo", TaskSpec: &EmbeddedTask{
 			TypeMeta: runtime.TypeMeta{
-				APIVersion: "example.com",
+				APIVersion: "example.com/v1",
 			},
 		}},
 		expectedError: *apis.ErrInvalidValue("custom task spec must specify kind", "taskSpec.kind"),
@@ -846,7 +915,7 @@ func TestPipelineTaskList_Validate(t *testing.T) {
 		name: "validate all valid custom task, and regular task",
 		tasks: PipelineTaskList{{
 			Name:    "valid-custom-task",
-			TaskRef: &TaskRef{APIVersion: "example.com", Kind: "custom"},
+			TaskRef: &TaskRef{APIVersion: "example.com/v1", Kind: "custom"},
 		}, {
 			Name:    "valid-task",
 			TaskRef: &TaskRef{Name: "task"},
@@ -856,7 +925,7 @@ func TestPipelineTaskList_Validate(t *testing.T) {
 		name: "validate list of tasks with valid custom task and invalid regular task",
 		tasks: PipelineTaskList{{
 			Name:    "valid-custom-task",
-			TaskRef: &TaskRef{APIVersion: "example.com", Kind: "custom"},
+			TaskRef: &TaskRef{APIVersion: "example.com/v1", Kind: "custom"},
 		}, {
 			Name:    "invalid-task-without-name",
 			TaskRef: &TaskRef{Name: ""},
@@ -867,7 +936,7 @@ func TestPipelineTaskList_Validate(t *testing.T) {
 		name: "validate all invalid tasks - custom task and regular task",
 		tasks: PipelineTaskList{{
 			Name:    "invalid-custom-task",
-			TaskRef: &TaskRef{APIVersion: "example.com"},
+			TaskRef: &TaskRef{APIVersion: "example.com/v1"},
 		}, {
 			Name:    "invalid-task",
 			TaskRef: &TaskRef{Name: ""},

pkg/apis/pipeline/v1beta1/pipeline_validation.go

@@ -341,6 +341,31 @@ func (pt PipelineTask) validateRefOrSpec(ctx context.Context) (errs *apis.FieldE
 	return errs
 }
 
+// isValidAPIVersion validates the format of an apiVersion string.
+// Valid formats are "group/version" where group contains at least one dot.
+// For custom tasks, apiVersion must always be in the "group/version" format.
+func isValidAPIVersion(apiVersion string) bool {
+	parts := strings.Split(apiVersion, "/")
+	// For custom tasks, apiVersion must be in group/version format (2 parts)
+	if len(parts) != 2 {
+		return false
+	}
+
+	group := parts[0]
+	version := parts[1]
+	// Group and version should not be empty
+	if group == "" || version == "" {
+		return false
+	}
+	// Group should contain at least one dot (e.g., tekton.dev)
+	// This is a common pattern for Kubernetes API groups
+	if !strings.Contains(group, ".") {
+		return false
+	}
+
+	return true
+}
+
 // validateCustomTask validates custom task specifications - checking kind and fail if not yet supported features specified
 func (pt PipelineTask) validateCustomTask() (errs *apis.FieldError) {
 	if pt.TaskRef != nil && pt.TaskRef.Kind == "" {
@@ -355,6 +380,17 @@ func (pt PipelineTask) validateCustomTask() (errs *apis.FieldError) {
 	if pt.TaskSpec != nil && pt.TaskSpec.APIVersion == "" {
 		errs = errs.Also(apis.ErrInvalidValue("custom task spec must specify apiVersion", "taskSpec.apiVersion"))
 	}
+	// Validate apiVersion format for custom tasks
+	if pt.TaskRef != nil && pt.TaskRef.APIVersion != "" {
+		if !isValidAPIVersion(pt.TaskRef.APIVersion) {
+			errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskRef.APIVersion), "taskRef.apiVersion"))
+		}
+	}
+	if pt.TaskSpec != nil && pt.TaskSpec.APIVersion != "" {
+		if !isValidAPIVersion(pt.TaskSpec.APIVersion) {
+			errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskSpec.APIVersion), "taskSpec.apiVersion"))
+		}
+	}
 	return errs
 }