Tekton Pipeline release v1.9.0 LTS "Devon Rex Dreadnought"

🎉 hostUsers support and digest validation for http resolver 🎉

-Docs @ v1.9.0
-Examples @ v1.9.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml
REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat: add ServiceAccount inheritance to Affinity Assistants (#9253)

• ✨ Add hostUsers field support to PodTemplate (#9227)

• ✨ feat: Add digest validation support to HTTP resolver (#9171)

• ✨ taskrun: include actual result size in error when exceeding maxResultSize (#8869)

Fixes

• 🐛 fix(pipelinerun): fix the issue of massive invalid status updates caused by unordered arrays, which will greatly impact the resource load and stability of the apiserver. (#9295)

• 🐛 Fix parameter resolution for defaults with references (#9271)

• 🐛 Fix duplicated protobuf tag in pod.Template struct (#9229)

• 🐛 fix: Prevent excessive reconciliation when timeout disabled (#9202)

• 🐛 fix: Detect pod configuration errors early instead of timeout (#9197)

• 🐛 chore(ci): update cherry-pick workflow to fix multi-commit PRs (#9320)

• 🐛 fix: validate taskRef.apiVersion format for custom tasks (#9045)

• 🐛 test(e2e): move flaky retry/matrix tests to no-ci temporarily (#9242)

• 🐛 fix(e2e): improve dind-sidecar probe configuration for reliability (#9241)

Misc

• 🔨 fix: reduce CRD size by shortening verbose descriptions (#9252)
• 🔨 ci: add KOCACHE to speed up ko builds in GitHub Actions (#9319)
• 🔨 Improve code consistency and fix missing test annotation (#9266)
• 🔨 Remove the GHCR migration notice from the readme (#9237)
• 🔨 fix: release pipeline feedback (#9210)
• 🔨 build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1 (#9333)
• 🔨 build(deps): bump github.com/google/cel-go from 0.26.0 to 0.27.0 (#9330)
• 🔨 build(deps): bump github/codeql-action from 4.31.9 to 4.32.0 (#9310)
• 🔨 build(deps): bump the all group in /tekton with 3 updates (#9309)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.12 to 1.5.13 (#9308)
• 🔨 build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#9307)
• 🔨 build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 (#9306)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9299)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.11 to 1.5.12 (#9298)
• 🔨 build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#9297)
• 🔨 build(deps): bump actions/cache from 5.0.1 to 5.0.2 (#9296)
• 🔨 build(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0 (#9293)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9291)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.10 to 1.5.11 (#9290)
• 🔨 build(deps): bump github.com/hashicorp/go-version from 1.7.0 to 1.8.0 (#9288)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.8 to 0.32.11 (#9286)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9281)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9268)
• 🔨 build(deps): bump chainguard/go from 2f71c4d to 0cd4986 in /tekton in the all group (#9264)
• 🔨 build(deps): bump peter-evans/slash-command-dispatch from 5.0.1 to 5.0.2 (#9263)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.12.4 to 1.14.0 (#9261)
• 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.38.0 to 1.39.0 (#9259)
• 🔨 build(deps): bump github.com/cloudevents/sdk-go/v2 from 2.16.1 to 2.16.2 (#9258)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.8 to 0.32.11 (#9256)
• 🔨 build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 (#9254)
• 🔨 .github/workflows: Add a comment to main for plumbing's shared workflows (#9248)
• 🔨 build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 (#9247)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9246)
• 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.37.0 to 1.39.0 (#9245)
• 🔨 build(deps): bump k8s.io/apimachinery from 0.33.3 to 0.33.7 (#9244)
• 🔨 fix(codegen): Correct JSON tags for streaming lists (#9240)
• 🔨 Fix golangci-lint action step for large diff (#9239)
• 🔨 Fix: CI job incorrectly skipped by file change detection (#9238)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9236)
• 🔨 build(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 (#9235)
• 🔨 build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 (#9234)
• 🔨 build(deps): bump actions/cache from 4.3.0 to 5.0.1 (#9233)
• 🔨 build(deps): bump tj-actions/changed-files from abdd2f68ea150cee8f236d4a9fb4e0f2491abf1b to e0021407031f5be11a464abee9a0776171c79891 (#9232)
• 🔨 build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (#9231)
• 🔨 Add twoGiants as pipeline maintainers (#9230)
• 🔨 fix: Add permissions to cherry-pick workflow (#9225)
• 🔨 Proposal: test: implement parallel/serial test categorization system (#9224)
• 🔨 github/workflows: use cherry-pick workflows from plumbing (#9222)
• 🔨 .github/workflows: fixing go-coverage token issues (#9221)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#9220)
• 🔨 build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#9219)
• 🔨 build(deps): bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 (#9218)
• 🔨 build(deps): bump peter-evans/slash-command-dispatch from 4.0.0 to 5.0.1 (#9217)
• 🔨 build(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 (#9216)
• 🔨 build(deps): bump github/codeql-action from 4.31.6 to 4.31.7 (#9215)
• 🔨 chore: enhance cherry-pick PR format with original context (#9214)
• 🔨 Fix commit SHA of github-script action (#9203)
• 🔨 test: limit examples test parallelism to 2 to prevent timeouts (#9200)
• 🔨 .github/workflows: use CHATOPS_TOKEN for coverage comments (#9198)
• 🔨 build(deps): bump actions/github-script from 7.0.1 to 8.0.0 (#9195)
• 🔨 build(deps): bump github/codeql-action from 4.31.5 to 4.31.6 (#9194)
• 🔨 .github/workflows: use plumbing workflow for chatops_retest (#9192)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.4 to 1.15.16 (#9183)
• 🔨 build(deps): bump google.golang.org/grpc from 1.75.0 to 1.77.0 (#9177)

Docs

• 📖 chore: fix YAML indentation in release cheat sheet (#9226)
• 📖 Remove beta note from projected workspaces and csi as they are stable (#9208)
• 📖 Update releases.md for 1.7 (#9205)

Thanks

Thanks to these contributors who contributed to v1.9.0!

• ❤️ @AlanGreene
• ❤️ @BastiaanN
• ❤️ @Pangjiping
• ❤️ @SarthakPandey2002
• ❤️ @a-ateek
• ❤️ @ab-ghosh
• ❤️ @afrittoli
• ❤️ @anithapriyanatarajan
• ❤️ @dependabot[bot]
• ❤️ @infernus01
• ❤️ @khrm
• ❤️ @twoGiants
• ❤️ @vdemeester
• ❤️ @waveywaves
• ❤️ @zakisk

Extra shout-out for awesome release notes:

• 😍 @Pangjiping
• 😍 @SarthakPandey2002
• 😍 @a-ateek
• 😍 @ab-ghosh
• 😍 @khrm
• 😍 @twoGiants
• 😍 @vdemeester
• 😍 @zakisk

Tekton Pipeline release v1.7.0 "LaPerm Little Helper"

🎉 Bug fixes, stability improvements and dependency updates 🎉

-Docs @ v1.7.0
-Examples @ v1.7.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.7.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a0af3ff47db2d68605b227b75af0aa40d87262257e2b9295f35454fe3d050ed38

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a0af3ff47db2d68605b227b75af0aa40d87262257e2b9295f35454fe3d050ed38
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.7.0/release.yaml
REKOR_UUID=108e9186e8c5677a0af3ff47db2d68605b227b75af0aa40d87262257e2b9295f35454fe3d050ed38

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.7.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

• 🐛 fix: Populate step statuses before TaskRun timeout handling (#9184)

Fix a race condition on timeout that would result in a TaskRun status without steps statuses.

• 🐛 fix: panic in v1beta1 matrix validation for invalid result refs (#9135)

Resolved an issue where Pipelines with invalid result references in matrix parameters would cause a panic during validation (v1beta1 API)

• 🐛 Use patch instead of update to replace sidecars with nop image (#9128)

Fixed race condition causing TaskRuns to fail with 409 conflict error when stopping sidecars.
StopSidecars now uses Patch instead of Update to avoid conflicts with concurrent kubelet pod status updates.

• 🐛 fix: Add missing comma in slash commands workflow (#9157)
• 🐛 Fix tekton/publish sed for combined-based-image digest replacement (#9119)
• 🐛 examples: reduce the size of the matrix to reduce flakiness (#9187)

Misc

• 🔨 Migrate tests images out of dockerhub. (#9158)
• 🔨 refactor: add clock injection to cache for testing (#9142)
• 🔨 Remove deprecated // +build directive from most files (#9118)
• 🔨 build(deps): bump tj-actions/changed-files from 6da3c88b60ebf09464ada9b06fba5b6f2d34bb94 to abdd2f68ea150cee8f236d4a9fb4e0f2491abf1b (#9196)
• 🔨 chore(release-pipeline): update references to oci bucket (#9189)
• 🔨 .github/workflows: fix e2e-matrix-extras (#9185)
• 🔨 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#9181)
• 🔨 build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#9180)
• 🔨 build(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 (#9179)
• 🔨 .github: add a dependabot configuration to monitor .ko.yaml (#9173)
• 🔨 feat: Add GitHub Actions cherry-pick slash command (#9172)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9170)
• 🔨 build(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 (#9169)
• 🔨 build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 (#9168)
• 🔨 build(deps): bump tj-actions/changed-files from 70069877f29101175ed2b055d210fe8b1d54d7d7 to 6da3c88b60ebf09464ada9b06fba5b6f2d34bb94 (#9167)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.3 to 1.5.10 (#9166)
• 🔨 build(deps): bump github/codeql-action from 4.31.0 to 4.31.5 (#9165)
• 🔨 Fix commit SHA of actions/github-script in e2e-extras workflow (#9161)
• 🔨 Fix the e2e-extras slash command (#9160)
• 🔨 examples: make sure we use the same image for sidecar and step (#9139)
• 🔨 fix(ci): correct grep patterns in detect job (#9137)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9134)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.7 to 1.5.8 (#9133)
• 🔨 build(deps): bump tj-actions/changed-files from 0ff001de0805038ff3f118de4875002200057732 to 70069877f29101175ed2b055d210fe8b1d54d7d7 (#9132)
• 🔨 build(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 (#9131)
• 🔨 build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 (#9130)
• 🔨 fix: label checker action reference (#9129)
• 🔨 Update releases.md after 1.6.0 release (#9127)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9124)
• 🔨 build(deps): bump tj-actions/changed-files from dbf178ceecb9304128c8e0648591d71208c6e2c9 to 0ff001de0805038ff3f118de4875002200057732 (#9122)
• 🔨 feat: upload release manifests to oracle cloud (#9121)
• 🔨 test: reduce the number of examples tests running in parallel (#9114)
• 🔨 Run less e2e matrix by default (#9109)
• 🔨 ci: skip running builds and tests if no code changed (#8768)
• 🔨 fix: update tekton setup action (#9126)
• 🔨 build(deps): bump github.com/docker/docker from 26.1.5+incompatible to 28.0.0+incompatible in /test/resolver-with-timeout (#9182)

Thanks

Thanks to these contributors who contributed to v1.7.0!

• ❤️ @AlanGreene
• ❤️ @aThorp96
• ❤️ @anithapriyanatarajan
• ❤️ @dependabot[bot]
• ❤️ @divyansh42
• ❤️ @mathur07
• ❤️ @prad9192
• ❤️ @twoGiants
• ❤️ @vdemeester

Extra shout-out for awesome release notes:

• 😍 @mathur07
• 😍 @prad9192
• 😍 @vdemeester

Tekton Pipeline release v1.6.0 LTS "Sphynx Sentinels"

🎉 Resolvers caching, Pipeline in Pipeline, and better ARM64 support & tested releases 🎉

-Docs @ v1.6.0
-Examples @ v1.6.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.0/release.yaml
REKOR_UUID=108e9186e8c5677a288ca8343f66259e4a615801fa37703480d82893d1c6a45a2935a6632beb4164

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat: implement shared cache for bundle, git, and cluster resolvers (#9051)

Support caching for bundle, git, and cluster resolvers, reducing redundant fetches and improving pipeline performance.

Key Features:

• Automatic caching for immutable references (digest-based bundles, git SHAs)
• Three cache modes: always (cache everything), never (disable caching),auto (cache only immutable references - default)
• Configurable via ConfigMap: Set cache size and TTL without restarting controllers
• Per-task override: Tasks can override global cache settings using the cache parameter
• Observability: Cache hits/misses and timestamps added to resource annotations

This helps reduce external API calls, improves pipeline exec speed, and provides better resilience during remote resource resolution.

• ✨ feat: resolve array values in Input of When expressions (#9038)

Array values can now be resolved in the Input attribute of When expressions

• ✨ Issue 9032 - Add support for step display name (#9033)

add displayName field to Step.

• ✨ Implement Pipelines-in-Pipelines. (#8873 #8878 #8879)

A Pipeline can now execute embedded Pipelines (Pipelines-in-Pipelines) using the PipelineSpec field under tasks. Refer to the TEP-0056 for more details.

Fixes

• 🐛 fix: do not fail PipelineRun when TaskRef reconciles with retryable err (#9099)

With this change, unknown DryRunValidation errors during TaskRef and PipelineRef resolution no longer cause PipelineRuns and TaskRuns to fail. Explicit Validation errors will still cause the Run to fail.

• 🐛 Added signal handling in SidecarLog results to support Kubernetes-native sidecar functionality (#9095)

Added signal handling to SidecarLog to support Kubernetes-native sidecar functionality, preventing repeated restarts of the init container.

• 🐛 Pods for timed out TaskRuns should not be deleted when keep-pod-on-cancel feature flag is true (#9075)

If Feature flag "keep-pod-on-cancel" is set to true then pods corresponding to TaskRun will be not be deleted when TaskRun Times Out. Earlier pod was retained only if it taskrun was canceled.

• 🐛 fix(taskrun): ensure status steps are ordered correctly when using StepAction (#9039)

Binary file (standard input) matches

• 🐛 entrypoint: handle linux in pkgs/platforms (#9096)
• 🐛 test/e2e: remove data race on global variable requireAlphaFeatureFlag (#9067)
• 🐛 tests: pdate csi-node-driver-registrar image reference (#9089)
• 🐛 ci: Ensure e2e setup errors fail tests, add retries during e2e setup (#9082)
• 🐛 test/e2e: Fix TestLargerResultsSidecarLogs and TestWaitCustomTask_V1_PipelineRun flakyness (#9072)

Misc

• 🔨 e2e: migrate wait.PollImmediate deprecated functions (#9073)
• 🔨 chore: centralize ko base image configuration (#9110)
• 🔨 build(deps): bump k8s.io/code-generator from 0.32.8 to 0.32.9 (#9106)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9105)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.3 to 1.5.7 (#9104)
• 🔨 build(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (#9103)
• 🔨 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#9102)
• 🔨 build(deps): bump tj-actions/changed-files from d03a93c0dbfac6d6dd6a0d8a5e7daff992b07449 to dbf178ceecb9304128c8e0648591d71208c6e2c9 (#9101)
• 🔨 build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.10 (#9097)
• 🔨 e2e: tests against 1.34 as well (#9091)
• 🔨 ci/e2e: run one e2e on arm64 (#9090)
• 🔨 build(deps): bump github/codeql-action from 3.30.1 to 4.30.9 (#9088)
• 🔨 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#9087)
• 🔨 build(deps): bump actions/dependency-review-action from 4.8.0 to 4.8.1 (#9086)
• 🔨 build(deps): bump golang.org/x/crypto from 0.41.0 to 0.43.0 (#9085)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9081)
• 🔨 build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.2 (#9079)
• 🔨 build(deps): bump actions/cache from 4.2.4 to 4.3.0 (#9078)
• 🔨 build(deps): bump peter-evans/create-or-update-comment from 4.0.0 to 5.0.0 (#9077)
• 🔨 build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#9076)
• 🔨 test/e2e: update kubernetes versions we test against (#9068)
• 🔨 Pin actions by commit SHA or image digest (#9061)
• 🔨 build(deps): bump tj-actions/changed-files from 2036da178f85576f1940fedb74bb93a36cd89ab7 to d03a93c0dbfac6d6dd6a0d8a5e7daff992b07449 (#9058)
• 🔨 build(deps): bump chainguard-dev/actions from 1.4.12 to 1.5.3 (#9057)
• 🔨 Add GitHub Actions workflow for go coverage job (#9055)
• 🔨 build(deps): bump actions/dependency-review-action from 4.7.2 to 4.8.0 (#9047)
• 🔨 build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 (#9036)
• 🔨 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#9027)
• 🔨 fix: fix %w formatting leak in user-facing error (#9003)
• 🔨 build(deps): bump the all group in /tekton with 3 updates (#8990)
• 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.5.0 to 2.6.0 (#8988)

Docs

• 📖 document the latest release - 1.5 (#9054)
• 📖 Remove broken example link from TaskRuns doc (#9023)

Thanks

Thanks to these contributors who contributed to v1.6.0!

• ❤️ @AlanGreene
• ❤️ @Maximilien-R
• ❤️ @aThorp96
• ❤️ @dependabot[bot]
• ❤️ @lcarva
• ❤️ @pramodbindal
• ❤️ @pritidesai
• ❤️ @twoGiants
• ❤️ @valAndre07
• ❤️ @vdemeester
• ❤️ @waveywaves
• ❤️ @yuzichen12123

Extra shout-out for awesome release notes:

• 😍 @Maximilien-R
• 😍 @aThorp96
• 😍 @lcarva
• 😍 @pramodbindal
• 😍 @pritidesai
• 😍 @twoGiants
• 😍 @valAndre07

Tekton Pipeline release v1.5.0 "Bombay Robbie"

🎉 Use managedBy to delegate pipelineRun and taskRun lifecycle control 🎉

-Docs @ v1.5.0
-Examples @ v1.5.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.5.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a657cc892687dc9dbf41be24c29f51d2f5fc1092446b0739ec5280bb6b0bc1b82

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a657cc892687dc9dbf41be24c29f51d2f5fc1092446b0739ec5280bb6b0bc1b82
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.5.0/release.yaml
REKOR_UUID=108e9186e8c5677a657cc892687dc9dbf41be24c29f51d2f5fc1092446b0739ec5280bb6b0bc1b82

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.5.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Add Support for managedBy field in TaskRun and PipelineRun (#8965)

Added a "managedBy" field to delegate responsibility of controlling the lifecycle of PipelineRuns/TaskRuns.

The semantics of the field:

Whenever the value is set, and it does not point to the built-in controller, then we skip the reconciliation.

• The field is immutable
• The field is not defaulted

Fixes

Misc

• 🔨 GHA label checker (#9050)
• 🔨 build(deps): bump github/codeql-action from 3.29.10 to 3.30.1 (#9030)
• 🔨 Set the user-agent in the release name tool (#9016)
• 🔨 add khrm to reviewers in OWNERS_ALIASES (#9026)

Docs

• 📖 document 1.3.2 patch (#9022)
• 📖 Updates for release 1.4 (#9020)

Thanks

Thanks to these contributors who contributed to v1.5.0!

• ❤️ @afrittoli
• ❤️ @dependabot[bot]
• ❤️ @khrm
• ❤️ @pritidesai
• ❤️ @waveywaves

Extra shout-out for awesome release notes:

• 😍 @khrm

Tekton Pipeline release v1.4.0 "Kurilian K-2SO"

🎉 Improved remote resolution and timeout configuration 🎉

-Docs @ v1.4.0
-Examples @ v1.4.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.4.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a040c237838848039376864340e5217f6c7c23f294d61437c3d196cb1112b91f1

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a040c237838848039376864340e5217f6c7c23f294d61437c3d196cb1112b91f1
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.4.0/release.yaml
REKOR_UUID=108e9186e8c5677a040c237838848039376864340e5217f6c7c23f294d61437c3d196cb1112b91f1

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.4.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat: resolve steps referencing StepActions concurrently (#8925)

The resolution of StepActions within a TaskRun is now performed concurrently, which can significantly reduce the time it takes for a TaskRun to start, especially when using multiple remote StepActions.

• ✨ Do not fail PipelineRun if pvc creation error is because of exceeded quotas (#8903)

PipelineRun do not fail anymore if the pvc creation is due to an exceeded quota ; it will be requeued instead (until quota is available or it times out)

• ✨ feat: override task timeouts in pipelineruns (#8636)

feature: PipelineRun can now override individual task timeouts with spec.taskRunSpecs[].timeout

Fixes

• 🐛 check for the kubernetes sidecar implementation (#8986)

Updated the sidecar implementation to check the completion status of initContainers before marking the taskRun complete.

• 🐛 fix: exclude pending PipelineRuns from metric (#8951)

Fixed tekton_pipelines_controller_running_pipelineruns metric to exclude pending PipelineRuns, it now counts only running PipelineRuns

• 🐛 Fix tini-git image to be multi-arch (#8944)

Updating tini-git base image to be multi-platform, also fixing the resolvers image.

• 🐛 fix(#8940): token-authentication header typo in git resolver (#8937)

Bug fix: Before this change, there was a regression in which the git resolver was not authenticating with the provided gitToken and gitTokenKey, breaking the git resolver's http token-based auth. After this change, all git operations performed by the git resolver use the provided gitToken for remote authentication.

• 🐛 fix: allow finalizer updates on completed TaskRun and PipelineRuns (#9011)
• 🐛 fix nightly-build workflow to use kind setup action from allowed list (#8939)

Misc

• 🔨 [FIX] Remove the apt warning (#8624)
• 🔨 build(deps): bump chainguard-dev/actions from 1.4.10 to 1.4.12 (#8989)
• 🔨 build(deps): bump google.golang.org/protobuf from 1.36.7 to 1.36.8 (#8985)
• 🔨 build(deps): bump google.golang.org/grpc from 1.74.2 to 1.75.0 (#8984)
• 🔨 build(deps): bump the all group in /tekton with 3 updates (#8978)
• 🔨 build(deps): bump github/codeql-action from 3.29.8 to 3.29.10 (#8977)
• 🔨 build(deps): bump chainguard-dev/actions from 1.4.9 to 1.4.10 (#8976)
• 🔨 build(deps): bump tj-actions/changed-files from f963b3f3562b00b6d2dd25efc390eb04e51ef6c6 to 2036da178f85576f1940fedb74bb93a36cd89ab7 (#8975)
• 🔨 build(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 (#8974)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.7 to 0.32.8 (#8973)
• 🔨 build(deps): bump tj-actions/changed-files from 055970845dd036d7345da7399b7e89f2e10f2b04 to f963b3f3562b00b6d2dd25efc390eb04e51ef6c6 (#8964)
• 🔨 build(deps): bump github/codeql-action from 3.29.3 to 3.29.8 (#8963)
• 🔨 build(deps): bump actions/checkout from 4 to 5 (#8962)
• 🔨 build(deps): bump the all group in /tekton with 3 updates (#8961)
• 🔨 build(deps): bump chainguard-dev/actions from 1.4.6 to 1.4.9 (#8960)
• 🔨 build(deps): bump actions/cache from 4.2.3 to 4.2.4 (#8959)
• 🔨 build(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.7 (#8956)
• 🔨 build(deps): bump golang.org/x/crypto from 0.39.0 to 0.41.0 (#8954)
• 🔨 .github/workflows/nightly-builds: only run on tektoncd org (#8950)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.6 to 0.32.7 (#8894)

Docs

• 📖 docs: Switch from deprecated Tekton Hub to ArtifactHub (#8967)

Update examples and documentation to use ArtifactHub instead of the deprecated Tekton Hub for resource discovery and management.

• 📖 release.md: update releases with 1.2.x and 1.3.x (#8952)

Thanks

Thanks to these contributors who contributed to v1.4.0!

• ❤️ @Maximilien-R
• ❤️ @aThorp96
• ❤️ @anithapriyanatarajan
• ❤️ @dependabot[bot]
• ❤️ @divyansh42
• ❤️ @infernus01
• ❤️ @khrm
• ❤️ @leshikus
• ❤️ @pritidesai
• ❤️ @vdemeester
• ❤️ @waveywaves

Extra shout-out for awesome release notes:

• 😍 @Maximilien-R
• 😍 @aThorp96
• 😍 @divyansh42
• 😍 @infernus01
• 😍 @pritidesai
• 😍 @vdemeester
• 😍 @waveywaves

Tekton Pipeline release v1.3.2 "Maine Coon Melfina"

-Docs @ v1.3.2
-Examples @ v1.3.2

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a00888046c319538ae57e1af2654be73472fb885d0554f5181b0736e1edb7c6ed

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a00888046c319538ae57e1af2654be73472fb885d0554f5181b0736e1edb7c6ed
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.2/release.yaml
REKOR_UUID=108e9186e8c5677a00888046c319538ae57e1af2654be73472fb885d0554f5181b0736e1edb7c6ed

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.2@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 [release-v1.3.x] check for kubernetes sidecar implementation (#8997)

Updated the sidecar implementation to check the completion status of initContainers before marking the taskRun complete.

• 🐛 [release-v1.3.x] Disable the Gitea e2e tests temporarily to unblock (#9014)

• 🐛 [release-v1.3.x] Do not fail PipelineRun if pvc creation error is because of exceeded quotas (#9000)

• 🐛 [release-v1.3.x] fix: exclude pending PipelineRuns from tekton_pipelines_controller_running_pipelineruns metric (#8980)

Fixed tekton_pipelines_controller_running_pipelineruns metric to exclude pending PipelineRuns, it now counts only running PipelineRuns

Thanks

Thanks to these contributors who contributed to v1.3.2!

• ❤️ @mbpavan
• ❤️ @divyansh42
• ❤️ @khrm
• ❤️ @pritidesai
• ❤️ @vdemeester
• ❤️ @tekton-robot

Extra shout-out for awesome release notes:

• 😍 @pritidesai
• 😍 @divyansh42
• 😍 @tekton-robot

Tekton Pipeline release v1.3.1 LTS "Maine Coon Melfina"

-Docs @ v1.3.1
-Examples @ v1.3.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a77b37b5b643558bf2653e7f5a4673c506372b8892e9c8634dc7cae29721d15de

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a77b37b5b643558bf2653e7f5a4673c506372b8892e9c8634dc7cae29721d15de
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.1/release.yaml
REKOR_UUID=108e9186e8c5677a77b37b5b643558bf2653e7f5a4673c506372b8892e9c8634dc7cae29721d15de

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 [release-v1.3.x] Fix tini-git image to be multi-arch (#8948)

pdating tini-git base image to be multi-platform, also fixing the resolvers image.

Misc

Docs

Thanks

Thanks to these contributors who contributed to v1.3.1!

• ❤️ @tekton-robot

Extra shout-out for awesome release notes:

• 😍 @tekton-robot

Tekton Pipeline release v1.3.0 LTS "Maine Coon Melfina"

-Docs @ v1.3.0
-Examples @ v1.3.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a690a6f48618080e44983b879f4ffb9b371b7107159bb3d4ab3052aa68e47dc74

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a690a6f48618080e44983b879f4ffb9b371b7107159bb3d4ab3052aa68e47dc74
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.3.0/release.yaml
REKOR_UUID=108e9186e8c5677a690a6f48618080e44983b879f4ffb9b371b7107159bb3d4ab3052aa68e47dc74

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ exponential backoff in controller (#8926)

Introduced exponential backoff retry mechanism for createPod function to improve robustness against transient webhook issues in a heavy cluster during resource creation.

• ✨ exponential backoff for and creation (#8902)

• Introduced exponential backoff retry mechanism for createTaskRun and createCustomRun functions.
• Retries are triggered only on mutating admission webhook timeouts (HTTP 500 with "timeout" in the error message).
• Non-retryable errors (e.g., HTTP 400, validation failures) continue to fail immediately.
• Feature is disabled by default. To enable, set enable-wait-exponential-backoff: "true" in the feature-flags ConfigMap.
• Backoff parameters (duration, factor, steps) are configurable via the wait-exponential-backoff ConfigMap.
• Improves robustness against transient webhook issues in a heavy cluster during resource creation.

• ✨ Feature: Allow THREADS_PER_CONTROLLER env var to override default threads-per-controller value (#8890)

Default threads-per-controller value can be override by THREADS_PER_CONTROLLER env var

• ✨ Add anti-affinity rules to controller's replicas (#8864)

As part of improving high availability (HA) for the Tekton Pipelines controller, this update adds a preferredDuringSchedulingIgnoredDuringExecution pod anti-affinity rule. This ensures that multiple replicas of the controller are preferably scheduled on different nodes, reducing the risk of service disruption in case of a node failure.

• ✨ PodTemplate param substitution on TaskRunSpecs to enable multi-arch builds with Matrix (#8599)

TaskRuns and TaskRunSpecs now support param substitution on podTemplate fields. This allows operability with Matrix.

Fixes

• 🐛 fix(pipeline): support variables in onError for pipeline v1beta1 (#8931)

fix(pipeline): support variables in onError for pipeline v1beta1

• 🐛 fix: ensure git shell-out inherits environment variables (#8908)

fix: The git resolver now respects environment variables on the pod

• 🐛 efficient polling in (#8901)

Binary file (standard input) matches

• 🐛 Use tini-git image for the resolvers deployment (#8895)

The resolvers deployment now uses the tini init system to make sure we don't end up with a lot of git process zombies.

• 🐛 Re-register metrics only during real update (#8863)

Misc

• 🔨 Resolvers: remove default TEKTON_HUB_API URI (#8861)

Removing the default value of TEKTON_HUB_API in the resolvers deployment as the public instance of tektoncd/hub (hub.tekton.dev) will be shutdown in September. It's still possible to set this environment variable to a value for users who self host an instance of tektoncd/hub

• 🔨 Remove linux/arm from platform we publish (#8657)

linux/arm images are not published anymore as part of the release. This means armv5, armv6 and armv7 are not supported anymore.

• 🔨 Stop emitting deprecated metrics (#8875)

BREAKING CHANGE:

This commit removes the following deprecated metrics that have been replaced
by newer, more descriptive metrics:

PipelineRun Metrics:

• pipelinerun_count → replaced by pipelinerun_total
• running_pipelineruns_count → replaced by running_pipelineruns
• running_pipelineruns_waiting_on_pipeline_resolution_count → replaced by running_pipelineruns_waiting_on_pipeline_resolution
• running_pipelineruns_waiting_on_task_resolution_count → replaced by running_pipelineruns_waiting_on_task_resolution

TaskRun Metrics:

• taskrun_count → replaced by taskrun_total
• running_taskruns_count → replaced by running_taskruns
• running_taskruns_throttled_by_quota_count → replaced by running_taskruns_throttled_by_quota
• running_taskruns_throttled_by_node_count → replaced by running_taskruns_throttled_by_node

The replacement metrics provide the same functionality with improved naming
conventions and are already being recorded in the codebase.

• 🔨 Make sure we do not validate ResolutionRequest on DELETE (#8857)

esolutionRequest are no more validated on DELETE, which is consistent with the rest of the pipeline's objects.

• 🔨 Move ConfigMap helpers to testing framework and cleanup 🧹 pipelinerun_test.go 🧹. (#8920)
• 🔨 Remove all reference to gcr.io tekton projects (#8885)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.1 to 1.15.4 (#8935)
• 🔨 build(deps): bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0 (#8922)
• 🔨 refactor getSidecarLogPollingInterval() (#8909)
• 🔨 build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2 (#8907)
• 🔨 build(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0 (#8900)
• 🔨 build(deps): bump github/codeql-action from 3.29.2 to 3.29.3 (#8899)
• 🔨 build(deps): bump the all group in /tekton with 3 updates (#8898)
• 🔨 nightly builds with gh actions (#8897)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.6 to 0.32.7 (#8896)
• 🔨 build(deps): bump k8s.io/code-generator from 0.32.6 to 0.32.7 (#8893)
• 🔨 build(deps): bump github.com/google/cel-go from 0.25.0 to 0.26.0 (#8892)
• 🔨 build(deps): bump k8s.io/api from 0.32.6 to 0.32.7 (#8888)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.14.59 to 1.15.1 (#8884)
• 🔨 build(deps): bump tj-actions/changed-files from cf79a64fed8a943fb1073260883d08fe0dfb4e56 to 055970845dd036d7345da7399b7e89f2e10f2b04 (#8883)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8882)
• 🔨 Add Stanislav (twoGiants) as reviewer to Tekton Pipeline repository. (#8880)
• 🔨 build(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 (#8871)
• 🔨 build(deps): bump tj-actions/changed-files from e8772ff27de71367c2771ef3e8b5b2075b3f8282 to cf79a64fed8a943fb1073260883d08fe0dfb4e56 (#8867)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8866)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.14.58 to 1.14.59 (#8865)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.12.0 to 1.12.4 (#8860)
• 🔨 build(deps): bump step-security/harden-runner from 2.12.1 to 2.12.2 (#8856)
• 🔨 build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 (#8855)
• 🔨 build(deps): bump tj-actions/changed-files from d52d20fa3f981cb852b861fd8f55308b5fe29637 to e8772ff27de71367c2771ef3e8b5b2075b3f8282 (#8854)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8853)
• 🔨 build(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 (#8852)
• 🔨 Update kubernetes version of the CI (#8758)
• 🔨 Add a tool to generate the release name (#8629)

Docs

• 📖 Document controller debugging configuration. (#8881)

Developer documentation in DEVELOPMENT.md contains a "Debugging" section explaining how to setup VSCode for debugging Tekton controllers running in a k8 cluster.

• 📖 docs: fix typo in pipelineruns.md (#8851)

Thanks

Thanks to these contributors who contributed to v1.3.0!

• ❤️ @aThorp96
• ❤️ @afrittoli
• ❤️ @anithapriyanatarajan
• ❤️ @dependabot[bot]
• ❤️ @dorzel
• ❤️ @jkhelil
• ❤️ @khrm
• ❤️ @l-qing
• ❤️ @pritidesai
• ❤️ @twoGiants
• ❤️ @valAndre07
• ❤️ @vdemeester

Extra shout-out for awesome release notes:

• 😍 @aThorp96
• 😍 @dorzel
• 😍 @jkhelil
• 😍 @khrm
• 😍 @l-qing
• 😍 @pritidesai
• 😍 @twoGiants
• 😍 @valAndre07
• 😍 @vdemeester

Tekton Pipeline release v1.2.0 "Dragon Li Dreadnought"

🎉 Bug fixes and documentation enhancements 🎉

-Docs @ v1.2.0
-Examples @ v1.2.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.2.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a754b4d7d26d7ac445cc63785908c6df49e449f3da28b067511a0f2298767d8be

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a754b4d7d26d7ac445cc63785908c6df49e449f3da28b067511a0f2298767d8be
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.2.0/release.yaml
REKOR_UUID=108e9186e8c5677a754b4d7d26d7ac445cc63785908c6df49e449f3da28b067511a0f2298767d8be

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.2.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 Do not propagate managed-by annotation to Pods (#8846)

od created by the Pipeline controller will now always have app.kubernetes.io/managed-by set to the default configuration. Prior to this change, it would be overriden by the value of that label set on TaskRun (or PipelineRun).

• 🐛 fix: Avoid errors in PVC handler if PVC is already deleted (#8811)

PVCs that have already been deleted will no longer cause errors during resource cleanup operations.

Misc

• 🔨 refactor: replace go-multierror with errors.Join for native error aggregation (#8791)

Replaced external go-multierror dependency with Go's built-in errors.Join for error aggregation, reducing dependencies and improving code maintainability.

• 🔨 fix: Remove direct usage of testify from pkg/spire/ (#8788)

Removed direct dependency on testify in pkg/spire to simplify testing and reduce external dependencies.

• 🔨 [TEP-0056]: Extract common status helper functions from pipelinerun_test.go. (#8850)
• 🔨 [TEP-0056]: Refactor names and fix typos. (#8806)
• 🔨 Move Step step action reference test to container_validation_test.go. (#8779)
• 🔨 Move Step Validate and ValidateError tests to container_validation_test.go. (#8778)
• 🔨 Move Step ResultRef and ArtifactsRef tests to container_validation_test.go. (#8777)
• 🔨 Move Step onError and API version tests to container_validation_test.go. (#8773)
• 🔨 Move Step ref tests to container_validation_test.go. (#8772)
• 🔨 Move Step artifacts flag tests to container_validation_test.go. (#8769)
• 🔨 Fix CRD Generation Errors (#8726)
• 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.36.0 to 1.37.0 (#8848)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8844)
• 🔨 build(deps): bump k8s.io/code-generator from 0.32.5 to 0.32.6 (#8842)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.5 to 0.32.6 (#8840)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.5 to 0.32.6 (#8837)
• 🔨 build(deps): bump github.com/cloudevents/sdk-go/v2 from 2.16.0 to 2.16.1 (#8836)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.20.5 to 0.20.6 (#8835)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8834)
• 🔨 build(deps): bump step-security/harden-runner from 2.12.0 to 2.12.1 (#8833)
• 🔨 build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 (#8832)
• 🔨 build(deps): bump tj-actions/changed-files from 4140eb99d2cced9bfd78375c2088371853262f79 to d52d20fa3f981cb852b861fd8f55308b5fe29637 (#8831)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.9.4 to 1.9.5 (#8826)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.9.4 to 1.9.5 (#8823)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.9.4 to 1.9.5 (#8822)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.9.4 to 1.9.5 (#8821)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.9.4 to 1.9.5 (#8820)
• 🔨 build(deps): bump github/codeql-action from 3.28.18 to 3.28.19 (#8819)
• 🔨 build(deps): bump tj-actions/changed-files from c6634ca281a9fc05b03bee224ba00910cb78ab6e to 4140eb99d2cced9bfd78375c2088371853262f79 (#8818)
• 🔨 build(deps): bump golang.org/x/sync from 0.14.0 to 0.15.0 (#8817)
• 🔨 build(deps): bump google.golang.org/grpc from 1.72.2 to 1.73.0 (#8816)
• 🔨 Fix the sed command with crane (#8812)
• 🔨 fix(lint): resolve golangci-lint errors in testing context (#8810)
• 🔨 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#8808)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8807)

Docs

• 📖 docs: clarify container entrypoint behavior (#8696)

docs: clarify container contract documentation to avoid ambiguity

• 📖 Update releases.md for 1.1.0 (#8814)
• 📖 fix(docs): remove duplicated block from artifacts.md (#8802)

Thanks

Thanks to these contributors who contributed to v1.2.0!

• ❤️ @afrittoli
• ❤️ @alex-cobas
• ❤️ @arthur-c
• ❤️ @dependabot[bot]
• ❤️ @fambelic
• ❤️ @infernus01
• ❤️ @l-qing
• ❤️ @tricktron
• ❤️ @twoGiants
• ❤️ @vdemeester

Extra shout-out for awesome release notes:

• 😍 @fambelic
• 😍 @infernus01
• 😍 @l-qing
• 😍 @vdemeester

Tekton Pipeline release v1.1.0 "Selkirk Rex Saul Tigh"

-Docs @ v1.1.0
-Examples @ v1.1.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.1.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a4abf3bb44246e552fdd917a58075df15b5f99ad1aa9e1da6ffd3c6aebc69689d

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a4abf3bb44246e552fdd917a58075df15b5f99ad1aa9e1da6ffd3c6aebc69689d
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.1.0/release.yaml
REKOR_UUID=108e9186e8c5677a4abf3bb44246e552fdd917a58075df15b5f99ad1aa9e1da6ffd3c6aebc69689d

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.1.0@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 fix: Ensure retryable errors during validation do not fail Runs (#8746)

Retryable errors during dry-run Task validation will no longer cause a PipelineRun to be failed.

• 🐛 Add oomkilled reason (#8709)

TaskRuns that fail due to Out of Memory (OOM) conditions will now show the termination reason in their failure message.

Misc

• 🔨 refactor: use os.UserHomeDir instead of go-homedir (#8774)
• 🔨 Remove temporary GOPATH generation in in update-codegen.sh and update-openapigen.sh. (#8719)
• 🔨 Refactor Step validation to implement apis.Validatable. (#8717)
• 🔨 Raise test coverage in task_validation.go and container_validation.go. (#8714)
• 🔨 Refactor sidecar validation to implement apis.Validatable. (#8710)
• 🔨 Move Steps and Sidecars validation to container_validation.go. (#8685)
• 🔨 build(deps): bump google.golang.org/grpc from 1.72.1 to 1.72.2 (#8801)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8800)
• 🔨 build(deps): bump tj-actions/changed-files from 480f49412651059a414a6a5c96887abb1877de8a to c6634ca281a9fc05b03bee224ba00910cb78ab6e (#8799)
• 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.35.0 to 1.36.0 (#8798)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.20.3 to 0.20.5 (#8796)
• 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.35.0 to 1.36.0 (#8794)
• 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.35.0 to 1.36.0 (#8793)
• 🔨 Fix subpath capitalisation (#8790)
• 🔨 build(deps): bump k8s.io/code-generator from 0.32.4 to 0.32.5 (#8789)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8787)
• 🔨 build(deps): bump actions/dependency-review-action from 4.7.0 to 4.7.1 (#8786)
• 🔨 build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 (#8785)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.4 to 0.32.5 (#8783)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.4 to 0.32.5 (#8781)
• 🔨 build(deps): bump k8s.io/api from 0.32.4 to 0.32.5 (#8780)
• 🔨 build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.1 (#8771)
• 🔨 build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 (#8766)
• 🔨 build(deps): bump actions/dependency-review-action from 4.6.0 to 4.7.0 (#8765)
• 🔨 build(deps): bump tj-actions/changed-files from 4168bb487d5b82227665ab4ec90b67ce02691741 to 480f49412651059a414a6a5c96887abb1877de8a (#8764)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8763)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.1 to 0.32.4 (#8762)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.14.56 to 1.14.58 (#8754)
• 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.34.0 to 1.35.0 (#8753)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.15 to 1.9.4 (#8752)
• 🔨 build(deps): bump github.com/google/cel-go from 0.24.1 to 0.25.0 (#8751)
• 🔨 build(deps): bump google.golang.org/grpc from 1.71.1 to 1.72.0 (#8749)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.15 to 1.9.4 (#8748)
• 🔨 build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 (#8747)
• 🔨 Migration to golangci-lint v2… (#8745)
• 🔨 Add @waveywaves as a maintainer (#8743)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#8742)
• 🔨 build(deps): bump github/codeql-action from 3.28.16 to 3.28.17 (#8741)
• 🔨 build(deps): bump tj-actions/changed-files from 5426ecc3f5c2b10effaefbd374f0abdc6a571b2f to 4168bb487d5b82227665ab4ec90b67ce02691741 (#8739)
• 🔨 build(deps): bump github.com/cloudevents/sdk-go/v2 from 2.15.2 to 2.16.0 (#8737)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.15 to 1.9.4 (#8736)
• 🔨 build(deps): bump k8s.io/code-generator from 0.32.2 to 0.32.4 (#8735)
• 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.34.0 to 1.35.0 (#8734)
• 🔨 build(deps): bump code.gitea.io/sdk/gitea from 0.20.0 to 0.21.0 (#8733)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.2 to 0.32.4 (#8732)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.11.2 to 1.12.0 (#8731)
• 🔨 build(deps): bump tj-actions/changed-files from c34c1c13a740b06851baff92ab9a653d93ad6ce7 to 5426ecc3f5c2b10effaefbd374f0abdc6a571b2f (#8730)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.15 to 1.9.4 (#8725)
• 🔨 build(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 in /test/resolver-with-timeout (#8708)
• 🔨 build(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 in /test/resolver-with-timeout (#8706)
• 🔨 build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 in /test/custom-task-ctrls/wait-task-beta (#8588)

Docs

• 📖 docs: add more explicit language in the Pipelines in Pipelines docs (#8767)
• 📖 Update releases.md after v1.0.0 (#8761)
• 📖 fix(docs): correct documentation link errors related to sidecar-logs (#8744)
• 📖 Add ghcr.io migration banner to README.md. (#8693)

Thanks

Thanks to these contributors who contributed to v1.1.0!

• ❤️ @AlanGreene
• ❤️ @aThorp96
• ❤️ @afrittoli
• ❤️ @dependabot[bot]
• ❤️ @infernus01
• ❤️ @l-qing
• ❤️ @twoGiants
• ❤️ @vdemeester

Extra shout-out for awesome release notes:

• 😍 @aThorp96
• 😍 @infernus01