github tektoncd/pipeline v1.0.2
Tekton Pipeline release v1.0.2 "Oriental Omnidroid"
on GitHub

latest releases: v1.11.1, v1.9.3, v1.6.2...
8 hours ago

-Docs @ v1.0.2
-Examples @ v1.0.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.0.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677afa1ff2410a8f5280de7f95a693172273a1c52b90177e7687fc72cf2607c8e332

Obtain the attestation: 

REKOR_UUID=108e9186e8c5677afa1ff2410a8f5280de7f95a693172273a1c52b90177e7687fc72cf2607c8e332
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file: 

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.0.2/release.yaml
REKOR_UUID=108e9186e8c5677afa1ff2410a8f5280de7f95a693172273a1c52b90177e7687fc72cf2607c8e332

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.0.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes

  • 🐛 Sort PipelineRun childReferences to prevent spurious status updates
Check out latest releases or
releases around tektoncd/pipeline v1.0.2

Don't miss a new pipeline release

NewReleases is sending notifications on new releases.

Get notifications