github tektoncd/pipeline v1.11.0
Tekton Pipeline release v1.11.0 "Javanese Jocasta"

13 hours ago

🎉 🐱 TaskRun pending parity, multiple Git credentials, and PVC auto-cleanup 🤖 🎉

- Docs @ v1.11.0
- Examples @ v1.11.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.0/release.yaml
REKOR_UUID=108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.11.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Print the reference as data (not as a printf format) and match it as a fixed string
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
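
Added example (not part of the Tekton release notes or project code): a fail-closed variant of the check above for use in automation. It returns a non-zero status when an attested image is missing from the release file, and lists digest-pinned references in the release file that the attestation does not cover so they can be reviewed. The registry names, digests and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data: registry names and digests are not real Tekton values.
D1=$(printf '%064d' 1); D2=$(printf '%064d' 2); D3=$(printf '%064d' 3)
SAMPLE_RELEASE=$(mktemp)
trap 'rm -f "$SAMPLE_RELEASE"' EXIT
cat > "$SAMPLE_RELEASE" <<EOF
        image: registry.example/tekton/controller:v1.11.0@sha256:$D1
        args: ["-entrypoint-image", "registry.example/tekton/entrypoint:v1.11.0@sha256:$D2"]
        image: registry.example/other/base@sha256:$D3
EOF
ATTESTED="registry.example/tekton/controller:v1.11.0@sha256:$D1
registry.example/tekton/entrypoint:v1.11.0@sha256:$D2"

# check_attested_images FILE IMAGES (hypothetical helper)
# Succeeds only if every attested reference appears verbatim in FILE.
check_attested_images() {
  missing=0
  for image in $2; do
    # -F matches a fixed string, so "." in a registry name is not a wildcard.
    if grep -qF -- "$image" "$1"; then
      printf '%s ===> ok\n' "$image"
    else
      printf '%s ===> no match\n' "$image" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# unattested_refs FILE IMAGES (hypothetical helper)
# Prints digest-pinned references in FILE that are absent from IMAGES.
unattested_refs() {
  attested=" $(printf '%s' "$2" | tr '\n' ' ') "
  grep -oE '[A-Za-z0-9._/:-]+@sha256:[0-9a-f]{64}' "$1" | sort -u |
    while read -r ref; do
      case "$attested" in
        *" $ref "*) ;;
        *) printf '%s\n' "$ref" ;;
      esac
    done
}

check_attested_images "$SAMPLE_RELEASE" "$ATTESTED" && echo "all attested images present"
unattested_refs "$SAMPLE_RELEASE" "$ATTESTED"
```

With the real release, pass release.yaml and "$REKOR_ATTESTATION_IMAGES" from the steps above as the two arguments.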

Changes

Features

  • ✨ feat(webhook): Bump knative.dev/pkg to enable centrally managed WEBHOOK_* TLS for the webhook (#9466)

Bump knative.dev/pkg to enable centralized WEBHOOK_* TLS configuration for the webhook (min/max version, cipher suites, curves).
Webhook now inherits TLS policy from environment (operator/cluster); defaults remain TLS 1.3 when unset.

  • ✨ Add multi-URL support and per-resolution url param to Hub Resolver (#9465)

Add multi-URL support and per-resolution url parameter to Hub Resolver, enabling ordered fallback across multiple hub instances and explicit URL targeting per resolution request.

  • ✨ Add pending status support for TaskRun (parity with PipelineRun) (#9464)

TaskRun now supports spec.status: TaskRunPending to defer execution.
When pending, no Pod is created and status.startTime is not set.
Clearing spec.status starts execution; setting it to TaskRunCancelled cancels the TaskRun without running it.

  • ✨ feat: add optional PVC auto-cleanup annotation for workspaces mode (#9354)

Add optional PVC auto-cleanup for workspaces mode via tekton.dev/auto-cleanup-pvc: "true" annotation. When set on a PipelineRun using coschedule: workspaces, PVCs created from volumeClaimTemplate workspaces are automatically deleted on completion. User-provided persistentVolumeClaim workspaces are never affected.

  • ✨ Add Gitea e2e tests to CI (#9442)

Fixes

  • 🐛 Fix: Add SSH Host aliases to support multiple SSH credentials on same host (#9643)

Fixed SSH credential matching to support multiple repositories on the same host with different SSH keys. Previously, when using multiple SSH auth secrets for different repositories on the same Git server (e.g., github.com/org/repo1 and github.com/org/repo2), SSH would use the first key for all repositories, causing authentication failures with deploy keys. SSH Host aliases and Git url.*.insteadOf rewriting now enable per-repository SSH key selection when the secret annotation URL includes a repo path.

  • 🐛 fix: make step-init symlink creation idempotent (#9600)

Fix entrypoint step-init to handle container restarts gracefully. Previously, if a container restarted within a pod (e.g. due to OOM or eviction), the init process would fail with "symlink: file exists" because symlinks from the previous run persisted on the shared volume.

  • 🐛 fix: replace silent default namespace fallback with explicit error in GetNameAndNamespace (#9594)

Replace silent "default" namespace fallback in GetNameAndNamespace with an explicit error, preventing potential ResolutionRequest creation in the wrong namespace.

  • 🐛 fix: resolve context key collision and ownerRef nil panic in resolution framework (#9593)

Fix context key collision in resolution framework where RequestName() silently returned the namespace value, and fix nil pointer panic in ownerRefsAreEqual when both Controller fields are nil.

  • 🐛 fix: cluster resolver namespace access control whitespace and wildcard bugs (#9592)

Fix cluster resolver namespace access control: trim whitespace in allowed/blocked namespace lists, fix wildcard (*) handling when combined with explicit entries, and reject empty default-namespace values.

  • 🐛 fix: convert pod latency metric to histogram and remove pod label (#9530)

Action required: The tekton_pipelines_controller_taskruns_pod_latency_milliseconds metric has been converted from a Gauge to a Histogram and the pod label has been removed. Dashboards or alerts referencing this metric will need to be updated to use histogram_quantile() instead of direct value queries.

  • 🐛 fix: use hashed volume names to prevent credential volume name collisions (#9528)

Fix credential volume name collisions when namespaces have many (118+) annotated secrets. Volume names now use deterministic SHA-256 hashing instead of truncation with random suffix.

  • 🐛 Fix running_taskruns metric overcounting TaskRuns with no condition (#9485)

Fixed overcounting in the running_taskruns metric for TaskRuns with no condition set yet.

  • 🐛 fix: propagate PipelineRun tasks/finally timeout to child TaskRuns (#9419)

When spec.timeouts.tasks or spec.timeouts.finally on a PipelineRun exceeds the global default timeout, the value is now propagated to individual child TaskRuns that do not have an explicit per-task timeout. This prevents TaskRuns from being prematurely canceled at the global default (e.g., 1h) when the PipelineRun allows a longer duration.

  • 🐛 Bugfix: deduplicate concurrent resolver cache requests with singleflight. (#9365)

Fix resolver cache race condition causing duplicate upstream pulls under concurrent load.

  • 🐛 Fix: Add useHttpPath to support multiple Git credentials on same host (#9143)

Fixed Git credential matching to support multiple repositories on the same host with different credentials. Previously, when using multiple secrets for different repositories on the same Git server (e.g., github.com/org/repo1 and github.com/org/repo2), Git incorrectly used the first credential for all repositories, causing authentication failures. Git credential contexts now include useHttpPath = true, enabling proper per-repository credential selection.

  • 🐛 fix: record metrics for cancelled PipelineRuns (#9658)
  • 🐛 Add explicit permissions blocks to workflows missing them (#9562)
  • 🐛 fix: revert mistaken metadata changes in resolvers config-observability (#9468)
  • 🐛 fix: update default tracing endpoint to http protobuf endpoint (#9141)
  • 🐛 fix: Pin Ubuntu,Bash,Python, Node & Perl container images to digests in examples/v1/taskruns/step-script.yaml (#9618)
  • 🐛 fix: Pin alpine-git-nonroot,alpine/git,busybox & nop container images to digests in examples/v1/taskruns (#9614)
  • 🐛 fix: Pin Bash,Alpine & Busybox container images to digests in examples/v1/taskruns (#9610)
  • 🐛 fix: Pin Ubuntu container images to digests in examples/v1/taskruns (#9607)
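
The same-host credential mix-up fixed in #9143 above, reproduced with Git's own credential lookup as an added example (not Tekton's code or the configuration it generates): two credentials are stored for one host, and the lookup for the second repository is run with useHttpPath off and on. The host, usernames, tokens, the use of Git's store helper and the lookup_user function are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed credential store for a hypothetical host; not Tekton's generated files.
CRED_STORE=$(mktemp)
trap 'rm -f "$CRED_STORE"' EXIT
cat > "$CRED_STORE" <<'EOF'
https://deploy-repo1:token-one@git.example.com/org/repo1.git
https://deploy-repo2:token-two@git.example.com/org/repo2.git
EOF

# lookup_user URL USE_HTTP_PATH (hypothetical helper)
# Prints the username Git's credential machinery selects for URL.
# The environment overrides keep system and user Git config out of the lookup.
lookup_user() {
  printf 'url=%s\n\n' "$1" |
    HOME=/nonexistent XDG_CONFIG_HOME=/nonexistent GIT_CONFIG_NOSYSTEM=1 \
    GIT_CONFIG_GLOBAL=/dev/null GIT_TERMINAL_PROMPT=0 \
    git -c credential.helper="store --file=$CRED_STORE" \
        -c credential.useHttpPath="$2" credential fill |
    sed -n 's/^username=//p'
}

REPO2=https://git.example.com/org/repo2.git
# Without the path, only protocol and host are matched, so the first entry wins.
echo "useHttpPath=false -> $(lookup_user "$REPO2" false)"
# With the path included, the entry for repo2 is selected.
echo "useHttpPath=true  -> $(lookup_user "$REPO2" true)"
```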

Misc

  • 🔨 perf(pipelinerun): hoist VerificationPolicy list out of per-task loop in resolvePipelineState (#9601)

  • 🔨 ci: fix GitHub Actions security issues found by zizmor (#9667)

  • 🔨 Extract memberOfLookup from createChildResourceLabels to reduce nested loop (#9596)

  • 🔨 cleanup: replace GCS release URLs with infra.tekton.dev (#9569)

  • 🔨 fix: Upgrade Gitea test infrastructure from v1.17.1 to latest (#9568)

  • 🔨 chore: bump knative.dev/pkg to main and k8s libs to 0.35.1 (#9470)

  • 🔨 Update stale comment about storing TaskSpec in status (#9661)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#9652)

  • 🔨 build(deps): bump github/codeql-action from 4.33.0 to 4.34.1 (#9651)

  • 🔨 build(deps): bump actions/cache from 5.0.3 to 5.0.4 (#9650)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.8 to 1.6.9 (#9649)

  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.3 to 1.14.4 (#9648)

  • 🔨 build(deps): bump k8s.io/apimachinery from 0.35.2 to 0.35.3 (#9639)

  • 🔨 build(deps): bump k8s.io/client-go from 0.35.2 to 0.35.3 (#9638)

  • 🔨 build(deps): bump k8s.io/api from 0.34.5 to 0.34.6 in /test/custom-task-ctrls/wait-task-beta (#9637)

  • 🔨 build(deps): bump k8s.io/client-go from 0.34.5 to 0.34.6 in /test/custom-task-ctrls/wait-task-beta (#9634)

  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.1 to 1.14.3 (#9629)

  • 🔨 build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 (#9628)

  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.2 to 0.21.3 (#9627)

  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.10.0 to 1.10.2 in /test/custom-task-ctrls/wait-task-beta (#9626)

  • 🔨 build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#9611)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#9587)

  • 🔨 build(deps): bump github/codeql-action from 4.32.6 to 4.33.0 (#9586)

  • 🔨 build(deps): bump fgrosse/go-coverage-report from 1.2.0 to 1.3.0 (#9585)

  • 🔨 build(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 (#9584)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.7 to 1.6.8 (#9583)

  • 🔨 Remove opencensus dependency from test files (#9553)

  • 🔨 Update tj-actions/changed-files version comment to v47.0.5 (#9552)

  • 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.41.0 to 1.42.0 (#9549)

  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.1 to 0.21.2 (#9548)

  • 🔨 build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2 (#9547)

  • 🔨 build(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 (#9542)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#9541)

  • 🔨 build(deps): bump tj-actions/changed-files from 47.0.4 to 47.0.5 (#9540)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.5 to 1.6.7 (#9539)

  • 🔨 build(deps): bump github/codeql-action from 4.32.5 to 4.32.6 (#9538)

  • 🔨 build(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#9536)

  • 🔨 Nominate khrm and aThorp96 as pipeline approvers (#9519)

  • 🔨 Move inactive approvers to alumni (#9518)

  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.1 to 0.35.2 (#9487)

  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#9483)

  • 🔨 build(deps): bump github/codeql-action from 4.32.4 to 4.32.5 (#9482)

  • 🔨 build(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 (#9481)

  • 🔨 build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#9480)

  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.4 to 1.6.5 (#9479)

  • 🔨 build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#9478)

  • 🔨 build(deps): bump go.opentelemetry.io/otel/metric from 1.40.0 to 1.41.0 (#9477)

  • 🔨 build(deps): bump k8s.io/apimachinery from 0.35.1 to 0.35.2 (#9476)

  • 🔨 build(deps): bump k8s.io/client-go from 0.34.3 to 0.34.5 in /test/custom-task-ctrls/wait-task-beta (#9475)

  • 🔨 build(deps): bump k8s.io/code-generator from 0.35.1 to 0.35.2 (#9473)

  • 🔨 build(deps): bump k8s.io/api from 0.34.3 to 0.34.5 in /test/custom-task-ctrls/wait-task-beta (#9472)

  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.34.3 to 0.34.5 (#9455)

  • 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.9.1 to 1.10.0 in /test/custom-task-ctrls/wait-task-beta (#9453)

  • 🔨 build(deps): bump k8s.io/client-go from 0.34.3 to 0.34.4 (#9447)

  • 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.39.0 to 1.40.0 (#9445)

  • 🔨 fix: release cheat sheet doc typos (#9415)

Docs

  • 📖 Re-enable pipeline-api.md generation (#9604)

Update the pipeline API published at https://tekton.dev/docs/pipelines/pipeline-api/

  • 📖 docs(auth): clean stale TODO (#9504)

Clean up stale TODO in auth.md

  • 📖 doc: Clarify scope of auth documentation (#9461)

Added auth doc scope to distinguish credentials for processes inside Steps from Kubernetes imagePullSecrets for pulling Step images.

  • 📖 docs: update releases.md with security patch releases (#9616)
  • 📖 docs: add 4 undocumented metrics to docs/metrics.md (#9512)
  • 📖 docs: fix broken internal markdown links (#9507)
  • 📖 docs: add README files for pipelinerun and taskrun examples (#9505)
  • 📖 doc: Fix broken Tekton Bundles example link in taskruns.md (#9462)
  • 📖 docs: update releases.md for v1.10.0 (#9448)

Thanks

Thanks to these contributors who contributed to v1.11.0!

Extra shout-out for awesome release notes:
