github tektoncd/pipeline v1.6.2
Tekton Pipeline release v1.6.2 "Sphynx Sentinels"
on GitHub

latest releases: v1.11.1, v1.9.3
8 hours ago

-Docs @ v1.6.2
-Examples @ v1.6.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26

Obtain the attestation: 

REKOR_UUID=108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file: 

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.2/release.yaml
REKOR_UUID=108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes

  • 🐛 Pin registry image and relax log-based cache assertion
  • 🐛 Bump Go to 1.24.13 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729
  • 🐛 Fix TextParser struct usage for prometheus/common v0.62.0 compatibility
  • 🐛 Remove corrupted resolver cache entries on type error
  • 🐛 Resolve resolver cache race condition with singleflight
  • 🐛 Align resolver cache configstore with framework implementation
Check out latest releases or
releases around tektoncd/pipeline v1.6.2

Don't miss a new pipeline release

NewReleases is sending notifications on new releases.

Get notifications