🎉 Provenance Beta, Resilient Affinity Assistant and Array Params in Matrix 🎉
- Docs @ v0.48.0
- Examples @ v0.48.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.48.0/release.yaml
Attestation
The Rekor UUID for this release is 24296fb24b8ad77aadae6008428d822bb60159ae252ba66b61d276e7836b724a5cd7c7402aeb0527
Obtain the attestation:
REKOR_UUID=24296fb24b8ad77aadae6008428d822bb60159ae252ba66b61d276e7836b724a5cd7c7402aeb0527
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.48.0/release.yaml
REKOR_UUID=24296fb24b8ad77aadae6008428d822bb60159ae252ba66b61d276e7836b724a5cd7c7402aeb0527
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.48.0@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it as a fixed string (-F), not as a regex
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
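The loop above reports each image but always exits 0, and it prints nothing at all when the Rekor lookup returns an empty list. The following added example (not part of the Tekton release notes) shows a fail-closed variant that can gate `kubectl apply`; `verify_images`, the `registry.example` names and the digests are hypothetical, constructed values.

```shell
#!/bin/sh
# Added example; verify_images is a hypothetical helper, not part of Tekton.
# Reads one image reference per line on stdin (the output of the jq filter
# above) and checks each one against the release file given as $1.
verify_images() {
    release_file=$1
    checked=0
    missing=0
    while IFS= read -r image; do
        [ -n "$image" ] || continue
        checked=$((checked + 1))
        # -F matches the reference literally, so "." is not a regex wildcard.
        if grep -qF -- "$image" "$release_file"; then
            printf '%s ===> ok\n' "$image"
        else
            printf '%s ===> no match\n' "$image"
            missing=$((missing + 1))
        fi
    done
    # An empty list means the Rekor lookup or the jq filter produced nothing:
    # fail instead of passing vacuously.
    if [ "$checked" -eq 0 ]; then
        echo "no images in attestation" >&2
        return 2
    fi
    [ "$missing" -eq 0 ]
}

# Constructed sample data: placeholder registry and digests, not release values.
SAMPLE_DIR=$(mktemp -d)
D1=$(printf '%064d' 1)
D2=$(printf '%064d' 2)
CTRL="registry.example/tekton/controller:v0.48.0@sha256:$D1"
HOOK="registry.example/tekton/webhook:v0.48.0@sha256:$D2"
printf '        image: %s\n' "$CTRL" > "$SAMPLE_DIR/release.yaml"

# Demo: the controller matches; the webhook is absent from the sample file,
# so the gate fails and the release file should not be applied.
printf '%s\n%s\n' "$CTRL" "$HOOK" | verify_images "$SAMPLE_DIR/release.yaml" \
    || echo "verification failed: do not apply release.yaml"
```

With the real data, pipe the output of the jq filter into `verify_images release.yaml` and run `kubectl apply` only when it exits 0.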
Changes
Features
- ✨ [TEP-0091] use VerificationResult in verify (#6673)
VerifyTask and VerifyPipeline now return a VerificationResult instead of an error.
- ✨ feat: support to produce results from a failed task (#6510)
PipelineRun can produce task results from the failed tasks, and the final task can reference those results.
- ✨ Promote the provenance field in status (#6495)
Promote the provenance field to beta by setting the existing feature flag enable-provenance-in-status to true by default with the installation of Tekton Pipeline. This feature flag will be completely removed once we consider this a stable feature. That said, users can choose to opt out of this by setting this feature flag to false.
- ✨ [TEP-0091] add VerificationResult (#6663)
- ✨ [TEP-0089] Inject SpireControllerAPIClient into the Taskrun controller and reconciler. (#6627)
- ✨ [TEP-0089] SPIRE for non-falsifiable provenance. Setup the test environment. (#6553)
- ✨ [TEP-0089] Add CSI volumes to the Pods which provide the SPIRE workload API (#6539)
- ✨ Add matrix support for using references to entire PipelineRun array parameters (#6516)
Fixes
- 🐛 Bug Fixes: Update Status for Matrixed PipelineTask (#6661)
Bug Fix: A matrixed pipelineTask will accurately reflect the status of isStarted(), isScheduled(), IsBeforeFirstTaskRun(), IsConditionStatusFalse() with the correct start time based on its TaskRuns or custom RunObjects.
- 🐛 Sync pipelinerun validation between v1beta1 and v1 (#6656)
Sync pipelinerun validation between v1beta1 and v1
- 🐛 Split array param indexing validation between reconciler and webhook (#6652)
bug fix: always perform validation of array parameter index bounds checking
- 🐛 remove beta flag check for v1beta1 object param,results and array result (#6644)
Remove beta feature flag check for v1beta1 object param, results and array result. Object param, results and array result will be enabled if the enable-api-fields feature flag is not alpha for v1beta1 CRDs (e.g. Tasks and Pipelines)
- 🐛 Add validation for array indexing in finally when expressions (#6638)
Bug fix: add validation for out-of-bounds indexing into array parameters referenced in pipeline.spec.finally.when.inputs
- 🐛 Don't mark done PipelineRuns as timed out (#6622)
Completed PipelineRuns are no longer changed to PipelineRunTimeout status
- 🐛 Support context variable replacements in custom tasks (#6620)
A user can now define context variables in inline pipeline specs for custom tasks.
- 🐛 check beta feature flag for v1 TaskSpec's ValidateParamArrayIndex (#6613)
Check the beta feature flag for v1 TaskSpec's ValidateParamArrayIndex instead of the alpha flag, since array indexing is a beta feature
- 🐛 Fix conversion of non-object results declared in Tasks (#6606)
Fix conversion bug preventing tasks with non-object results and parameters from successfully round-tripping between API versions
- 🐛 update affinity assistant creation implementation (#6596)
Resilient Affinity Assistant - make sure the Affinity Assistant pod is always on a healthy node during the entire life cycle of the pipelineRun
- 🐛 Allow references to ClusterTasks in v1 Pipeline Tasks (#6588)
Continue to allow v1beta1 ClusterTasks (deprecated) to be referenced in v1 Pipelines
- 🐛 Custom task without api version return validation error (#6505)
Custom task without api version returns validation error
- 🐛 don't return validation error when taskrun failed/skipped (#6395)
If a TaskRun fails and its task results are not emitted, the PipelineRun fails because of the TaskRun failure rather than a results validation error.
- 🐛 Remove enable-api-fields validation for array index replacements (#6646)
- 🐛 Keeps Deprecated Fields in Step and StepTemplate When Switching Versions (#6623)
- 🐛 Refactor Sidecar Containers Construction If Script Exists (#6619)
- 🐛 Add Unit Tests for Array Results using [] notation (#6577)
Misc
- 🔨 Clean up Task parameter validation logic (#6650)
Some functions in pkg/substitution have been removed or renamed.
- 🔨 Run events controller as separate binary (#6529)
The cloudevents controller for Run has been moved to its own binary, with dedicated deployment, service, pod, service account, roles and role bindings. No functional change, no configuration change.
- 🔨 Add results-from feature flag to config-feature-flags.yaml (#6692)
- 🔨 Cleanup context-based validation of propagated params/workspaces (#6684)
- 🔨 Test refactor: separate Task validation tests for propagation (#6677)
- 🔨 Cleanup: Remove "substituted context" task validation (#6671)
- 🔨 Refactor validation of propagated parameters and workspaces (#6660)
- 🔨 Rename function that replaces variables in When Expressions (#6658)
- 🔨 Refactor substituting variables in Parameter values (#6657)
- 🔨 Split Pipeline validation tests into separate test classes (#6653)
- 🔨 Refactor ResolvedPipelineTask and remove redundant fields (#6649)
- 🔨 Refactor SequentialTasks & SequentialRuns Tests (#6648)
- 🔨 Simplify + add docstrings for PipelineRun resolution (#6643)
- 🔨 Refactor validation functions for indexing into array params (#6642)
- 🔨 Cleanup - Adding a single variable for default configmaps. (#6639)
- 🔨 Remove docstrings indicating that there is a 24h limit on timeouts (#6585)
- 🔨 Bump github.com/sigstore/sigstore from 1.6.2 to 1.6.4 (#6629)
- 🔨 move trusted resources verification after we resolve the remote resources (#6621)
- 🔨 Clean up metrics code slightly. (#6609)
- 🔨 Bump github.com/tektoncd/pipeline from 0.46.0 to 0.47.0 in /test/custom-task-ctrls/wait-task-beta (#6582)
- 🔨 Bump github.com/spiffe/spire-api-sdk from 1.6.2 to 1.6.3 (#6544)
Docs
- 📖 Docs update: CSI + projected workspaces are beta (#6700)
- 📖 Fix code blocks in the Tasks page (#6676)
- 📖 Update documentation to reflect stability levels and deprecations (#6568)
Thanks
Thanks to these contributors who contributed to v0.48.0!
- ❤️ @EmmaMunley
- ❤️ @SaschaSchwarze0
- ❤️ @XinruZhang
- ❤️ @Yongxuanzhang
- ❤️ @afrittoli
- ❤️ @chitrangpatel
- ❤️ @chuangw6
- ❤️ @dependabot[bot]
- ❤️ @ijschwabacher
- ❤️ @jagathprakash
- ❤️ @jerop
- ❤️ @lbernick
- ❤️ @pritidesai
- ❤️ @rh-hectormartinezdev
Extra shout-out for awesome release notes: