github tektoncd/pipeline v1.12.0
Tekton Pipeline release v1.12.0 "Exotic Shorthair Elektrobots LTS"

6 hours ago

🎉 TEP-0137 Notifications Controllers, Security Hardening & Performance 🎉

  • Docs @ v1.12.0
  • Examples @ v1.12.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.0/release.yaml
REKOR_UUID=108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.0@sha256:" + .digest.sha256')

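# Download the release file (-f: fail on an HTTP error instead of saving the error page)
curl -fL "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# (grep -F matches the reference literally, so "." is not treated as a wildcard)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done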
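
A fail-closed variant of the loop above, as an added example that is not part of the Tekton release notes: the loop prints "no match" but still exits 0, and prints nothing at all when the attestation query returns no images. `verify_images` is a hypothetical helper name, and the registry name and digest in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example; verify_images is a hypothetical helper, not Tekton tooling.
# Reads image references (one per line) on stdin and checks them against the
# release manifest in $1. Succeeds only if at least one reference was read,
# every reference is pinned to a full sha256 digest, and every reference
# appears verbatim in the manifest.
verify_images() {
  manifest=$1
  checked=0
  failed=0
  [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    checked=$((checked + 1))
    if ! printf '%s\n' "$image" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
      echo "$image ===> not digest-pinned" >&2
      failed=$((failed + 1))
    elif grep -qF -- "$image" "$manifest"; then
      # -F: literal match, so "." in the registry name is not a wildcard
      echo "$image ===> ok"
    else
      echo "$image ===> no match" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$checked" -eq 0 ]; then
    # An empty list means the Rekor query or the jq filter produced nothing
    echo "no images read from attestation; refusing to pass" >&2
    return 2
  fi
  [ "$failed" -eq 0 ]
}

# Constructed sample: placeholder registry and digest, not real release data.
SAMPLE_REF="registry.example/controller:v1.12.0@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
sample_manifest=$(mktemp)
printf 'image: %s\n' "$SAMPLE_REF" > "$sample_manifest"
printf '%s\n' "$SAMPLE_REF" | verify_images "$sample_manifest"
```

With the variables from the procedure above, the call is `printf '%s\n' "$REKOR_ATTESTATION_IMAGES" | verify_images release.yaml`; a non-zero exit status can then stop a CI job before `kubectl apply` runs.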

Upgrade Notices

🚨 TEP-0137: CloudEvents now sent by dedicated events controller (ACTION REQUIRED)

CloudEvents for PipelineRuns and TaskRuns are now sent by the dedicated tekton-events-controller and no longer by the PipelineRun/TaskRun controllers. Operators must ensure the tekton-events-controller Deployment is running.

New events added:

  • dev.tekton.event.pipelinerun.queued.v1 — sent when a PipelineRun is created but not yet processed
  • dev.tekton.event.taskrun.queued.v1 — sent when a TaskRun is created but not yet processed

CloudEvent delivery visibility is available via kubectl describe pipelinerun/taskrun (CloudEventSent/CloudEventFailed k8s Events).

🚨 TEP-0137: send-cloudevents-for-runs feature flag deprecated

The send-cloudevents-for-runs feature flag is deprecated and will be removed in a future release. Its default has changed from false to true: CloudEvents for CustomRuns are now sent by default whenever a sink is configured in config-events.

Users relying on the flag set to false to skip events for CustomRuns should be aware of this change.

Changes

Security Fixes

  • 🔒 fix: prevent git argument injection via revision parameter (GHSA-94jr-7pqp-xhcq) (#9660)
  • 🔒 Security: reject system API token with user-controlled serverURL (#9659)
  • 🔒 fix: limit HTTP resolver response body size to prevent OOM DoS (#9656)
  • 🔒 fix: normalize VolumeMount paths before /tekton/ restriction check (#9655)
  • 🔒 fix: strip resolver prefixes and use non-capturing group for pattern anchoring (#9654)
  • 🔒 fix: trim whitespace from source URI before pattern matching (#9653)

Features

  • ✨ [TEP-0137] Move PipelineRun notifications to events controller (#9677)

CloudEvents for PipelineRuns are now sent by the dedicated tekton-events-controller and no longer by the PipelineRun controller. A new dev.tekton.event.pipelinerun.queued.v1 event is sent when a PipelineRun is created but not yet processed by the core reconciler.

  • ✨ [TEP-0137] Move TaskRun notifications to events controller (#9674)

CloudEvents for TaskRuns are now sent by the dedicated tekton-events-controller and no longer by the TaskRun controller. A new dev.tekton.event.taskrun.queued.v1 event is sent when a TaskRun is created but not yet processed by the core reconciler.

  • ✨ [TEP-0137] Deprecate send-cloudevents-for-runs feature flag (#9774)

The feature flag default changed from false to true. CloudEvents for CustomRuns are now sent by default.

  • ✨ fix: surface specific TaskRun failure reasons when pod fails (#9368)

TaskRun failure reasons now distinguish between different pod-level failure types: PodEvicted, InitContainerOOM, InitContainerFailed, StepOOM, StepFailed, SidecarOOM, and SidecarFailed, replacing the generic "Failed" reason.

  • ✨ fix: surface clear errors when completed tasks miss referenced results (#9662)

Performance

  • ⚡ perf: reduce reconcile churn for completed PipelineRuns (#9919)
  • ⚡ perf: remove unnecessary SetDefaults from TaskRun done path (#9921)
  • ⚡ perf: use maps.Equal instead of reflect.DeepEqual for label/annotation comparison (#9776)

Bug Fixes

  • 🐛 Rework the events controller cache (#9738)

Deprecation Notices

  • 🚨 [TEP-0137] The send-cloudevents-for-runs feature flag is deprecated and will be removed in a future release. Its default has changed from false to true (#9774).

Misc

  • 🔨 tekton: add draft release creation to release pipeline (#9420)
  • 🔨 ci: remove compromised tj-actions/changed-files dependency (#9704)
  • 🔨 ci: Automate Dependabot configuration generation (#9862)
  • 🔨 Remove aws-sdk-go-v2 ECR replace directives (#9773)
  • 🔨 Simplify TestEmit by removing table-driven test structure (#9675)
  • 🔨 test: add e2e test for TaskRun pending status (#9681)
  • 🔨 Regenerate code after k8s.io/code-generator 0.35.3 bump (#9822)

Docs

  • 📖 docs: add bundle resolver configuration options default values (#9772)
  • 📖 docs: update metrics.md to reflect OpenTelemetry migration (#9641)
  • 📖 docs(examples): remove stale v1beta1 references from examples README (#9672)

Dependencies

  • 🔨 build(deps): bump k8s.io dependencies from 0.35.2 to 0.35.4 (#9848)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.27.0 to 0.28.0 (#9824)
  • 🔨 build(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0 (#9715)
  • 🔨 build(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 (#9926)
  • 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#9757)
  • 🔨 build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#9722)
  • 🔨 build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#9721)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.4 to 1.10.5 (#9711)

Thanks

Thanks to these contributors who contributed to v1.12.0!

Extra shout-out for awesome release notes:
