🎉 Squeezing more out of every pipeline: compressed results & timeout fixes 🎉

• Docs @ v1.13.0
• Examples @ v1.13.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.13.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677accee6fa1065e378221444c30175152ffea8d8c6f5c0d7d5890d31edeaa3ac031

Obtain the attestation:

REKOR_UUID=108e9186e8c5677accee6fa1065e378221444c30175152ffea8d8c6f5c0d7d5890d31edeaa3ac031
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.13.0/release.yaml
REKOR_UUID=108e9186e8c5677accee6fa1065e378221444c30175152ffea8d8c6f5c0d7d5890d31edeaa3ac031

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.13.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Upgrade Notices

• 🚨 Resolvers can only resolve Tekton objects (#9588)

Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequests which use the Resolver API for other object types will no longer function.

Changes

Features

• ✨ feat(tracing): add spans to TaskRun notifications controller (#9912)

Added OpenTelemetry tracing to the TaskRun notification reconciliation path.
Spans now cover ReconcileKind, ReconcileRunObject, and EmitCloudEvents,
enabling operators to trace CloudEvent delivery latency end-to-end.

• ✨ [TEP-0137] Activate formats field in config-events (#9776)

The formats field in config-events is now active. The default value is
tektonv1, which preserves existing behaviour. Setting an invalid or
unrecognised format value logs a warning and suppresses event emission
for that format.

• ✨ feat: compress termination messages to fit more results in 4KB limit (#9682)

Added optional termination message compression (alpha feature flag
enable-termination-message-compression) that uses flate compression to fit
approximately 5.7x more results in the 4KB Kubernetes termination message limit.
The parser auto-detects compressed messages for full backward compatibility.
Zero new dependencies — uses Go stdlib only.

Fixes

• 🐛 fix(events): reduce TaskRun notification identifier logging and document trace exposure (#10117)

Reduced default log verbosity in the TaskRun notification path introduced
by #9912. Identifier logs (TaskRun name/namespace) are now emitted at debug
level only. Added documentation warning that exported traces may include
Kubernetes resource identifiers and that trace backends should be treated
as trusted observability systems.

• 🐛 fix(resolvers): skip re-resolution when ResolutionRequest data is already present (#10114)

Skip re-resolution of ResolutionRequests when Status.Data is already present, preventing hundreds of redundant reconciliations under load.

• 🐛 fix: preserve previous condition context when TaskRun is cancelled or times out (#10076)

Preserve previous TaskRun condition context (reason + message) when a TaskRun is cancelled or times out due to a PipelineRun timeout, so diagnostic information like ExceededResourceQuota is no longer lost.

• 🐛 Fix gen-crd-api-reference-docs require to use fetchable version (#9999)

ix gen-crd-api-reference-docs go.mod require to use a fetchable upstream version (v0.3.0), fixing module resolution failures for downstream consumers.

• 🐛 fix(pipelinerun): use generateName for anonymous pipeline label (#9826)

Previously, TaskRuns' tekton.dev/pipeline label for anonymous Pipelines would use their PipelineRun's name in their tekton.dev/pipeline label and pipeline metrics tag. After this change, TaskRun and PipelineRun which are created from anonymous Pipelines now reference a sanitized metadata.generateName, when present, for the label tekton.dev/pipeline. Similarly, these TaskRruns and PipelineRuns will populate their respective metrics' pipeline tag with the sanitized generateName instead of using anonymous.

• 🐛 fix: truncate affinity assistant volume names to 63 characters (#9752)

Affinity assistant StatefulSet no longer fails when workspace volumeClaimTemplate names exceed 63 characters. Long volume names are now automatically truncated with a hash suffix to stay within the Kubernetes limit.

• 🐛 fix: allow finally tasks to run when tasks timeout is exceeded (#9709)

Fix a bug where finally tasks were not executed when the tasks timeout
(either explicit via timeouts.tasks or calculated as timeouts.pipeline - timeouts.finally) was exceeded. The PipelineRun was immediately marked as
Failed without giving finally tasks a chance to run. Now the pipeline
continues running with reason PipelineRunTimeoutRunningFinally until
finally tasks complete.

• 🐛 fix: respect per-resolver TTL override in cache (#9625)

Resolver cache now respects per-resolver TTL values set in individual
resolver ConfigMaps (e.g., bundleresolver-config, git-resolver-config),
instead of always using the global resolver-cache-config TTL.

• 🐛 fix(resolvers): validate data is Tekton object in resolver framework (#9588)

Fixes a bug which lets Tekton Resolvers resolve non-tekton objects and arbitrary data. After this change, resolving a non-tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequest which use the Resolver API for other object types will no longer function.

• 🐛 fix: resolve goroutine leak from unbuffered channels in resolver reconciler (#10098)
• 🐛 Fix dependabot-regen workflow commit author and sign-off (#9958)
• 🐛 Fix dependabot-regen workflow push credentials (#9956)
• 🐛 Fix PipelineRun premature failure when TaskRun recovers after pod eviction (#9640)

Misc

• 🔨 build: bump go directive to 1.26 (#10026)
• 🔨 perf(taskrun): skip sidecar teardown when status shows no running sidecars (#9755) (#9760)
• 🔨 ci: Skip most e2e tests on draft PRs to save CI resources (#9708)
• 🔨 chore: bump OpenTelemetry semconv to match SDK version (#9697)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10126)
• 🔨 build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#10125)
• 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.43.0 to 1.44.0 (#10118)
• 🔨 build(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 (#10095)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10085)
• 🔨 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#10084)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.2 to 2.19.4 (#10083)
• 🔨 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#10082)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.5 to 1.10.6 (#10081)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.15.0 (#10080)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.5 to 1.10.6 (#10060)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 (#10058)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 (#10057)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.5 to 1.10.6 (#10047)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10039)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.2 (#10038)
• 🔨 build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 (#10037)
• 🔨 build(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 (#10036)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.35.5 (#10033)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.21 to 1.15.22 (#10032)
• 🔨 build(deps): bump github.com/google/cel-go from 0.28.0 to 0.28.1 (#10012)
• 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 (#10011)
• 🔨 build(deps): bump k8s.io/code-generator from 0.35.4 to 0.35.5 (#10010)
• 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 in /test/custom-task-ctrls/wait-task-beta (#10009)
• 🔨 build(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 (#10005)
• 🔨 build(deps): bump github/codeql-action from 4.35.2 to 4.35.4 (#9992)
• 🔨 build(deps): bump chainguard/go from 7ec9277 to a4477c3 in /tekton in the all group (#9991)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#9978)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#9977)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9975)
• 🔨 Regenerate dependabot.yml configuration (#9960)
• 🔨 build(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 (#9954)
• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.11.1 to 1.12.0 in /test/custom-task-ctrls/wait-task-beta (#9953)
• 🔨 build(deps): bump actions/setup-go from 5.2.0 to 6.4.0 (#9856)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#9854)
• 🔨 ci: fix setup-go version comment in codeql-analysis.yml (#9695)

Docs

• 📖 chore(release docs): fix release cheat sheet instructions typo (#9966)
• 📖 docs: update releases.md for v1.12.0 (#9951)
• 📖 docs: clarify retry-count substitution requires taskSpec (#9820)
• 📖 docs: add testing best practices for t.Fatalf vs t.Errorf (#9688)

Thanks

Thanks to these contributors who contributed to v1.13.0!

• ❤️ @Paramesh324
• ❤️ @Umesh-Mallipudi
• ❤️ @aThorp96
• ❤️ @ab-ghosh
• ❤️ @afrittoli
• ❤️ @alliasgher
• ❤️ @aniruddhajadhav7
• ❤️ @app/dependabot
• ❤️ @infernus01
• ❤️ @mathur07
• ❤️ @ngelman1
• ❤️ @tekton-robot
• ❤️ @twoGiants
• ❤️ @vdemeester
• ❤️ @waveywaves

Extra shout-out for awesome release notes:

• 😍 @aThorp96
• 😍 @afrittoli
• 😍 @aniruddhajadhav7
• 😍 @mathur07
• 😍 @ngelman1
• 😍 @twoGiants
• 😍 @vdemeester
• 😍 @waveywaves