🎉 hostUsers support and digest validation for http resolver 🎉

-Docs @ v1.9.0
-Examples @ v1.9.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml
REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat: add ServiceAccount inheritance to Affinity Assistants (#9253)

• ✨ Add hostUsers field support to PodTemplate (#9227)

• ✨ feat: Add digest validation support to HTTP resolver (#9171)

• ✨ taskrun: include actual result size in error when exceeding maxResultSize (#8869)

Fixes

• 🐛 fix(pipelinerun): fix the issue of massive invalid status updates caused by unordered arrays, which will greatly impact the resource load and stability of the apiserver. (#9295)

• 🐛 Fix parameter resolution for defaults with references (#9271)

• 🐛 Fix duplicated protobuf tag in pod.Template struct (#9229)

• 🐛 fix: Prevent excessive reconciliation when timeout disabled (#9202)

• 🐛 fix: Detect pod configuration errors early instead of timeout (#9197)

• 🐛 chore(ci): update cherry-pick workflow to fix multi-commit PRs (#9320)

• 🐛 fix: validate taskRef.apiVersion format for custom tasks (#9045)

• 🐛 test(e2e): move flaky retry/matrix tests to no-ci temporarily (#9242)

• 🐛 fix(e2e): improve dind-sidecar probe configuration for reliability (#9241)

Misc

• 🔨 fix: reduce CRD size by shortening verbose descriptions (#9252)
• 🔨 ci: add KOCACHE to speed up ko builds in GitHub Actions (#9319)
• 🔨 Improve code consistency and fix missing test annotation (#9266)
• 🔨 Remove the GHCR migration notice from the readme (#9237)
• 🔨 fix: release pipeline feedback (#9210)
• 🔨 build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1 (#9333)
• 🔨 build(deps): bump github.com/google/cel-go from 0.26.0 to 0.27.0 (#9330)
• 🔨 build(deps): bump github/codeql-action from 4.31.9 to 4.32.0 (#9310)
• 🔨 build(deps): bump the all group in /tekton with 3 updates (#9309)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.12 to 1.5.13 (#9308)
• 🔨 build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#9307)
• 🔨 build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 (#9306)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9299)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.11 to 1.5.12 (#9298)
• 🔨 build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#9297)
• 🔨 build(deps): bump actions/cache from 5.0.1 to 5.0.2 (#9296)
• 🔨 build(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0 (#9293)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9291)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.10 to 1.5.11 (#9290)
• 🔨 build(deps): bump github.com/hashicorp/go-version from 1.7.0 to 1.8.0 (#9288)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.8 to 0.32.11 (#9286)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9281)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9268)
• 🔨 build(deps): bump chainguard/go from 2f71c4d to 0cd4986 in /tekton in the all group (#9264)
• 🔨 build(deps): bump peter-evans/slash-command-dispatch from 5.0.1 to 5.0.2 (#9263)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.12.4 to 1.14.0 (#9261)
• 🔨 build(deps): bump go.opentelemetry.io/otel/sdk from 1.38.0 to 1.39.0 (#9259)
• 🔨 build(deps): bump github.com/cloudevents/sdk-go/v2 from 2.16.1 to 2.16.2 (#9258)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.8 to 0.32.11 (#9256)
• 🔨 build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 (#9254)
• 🔨 .github/workflows: Add a comment to main for plumbing's shared workflows (#9248)
• 🔨 build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 (#9247)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#9246)
• 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.37.0 to 1.39.0 (#9245)
• 🔨 build(deps): bump k8s.io/apimachinery from 0.33.3 to 0.33.7 (#9244)
• 🔨 fix(codegen): Correct JSON tags for streaming lists (#9240)
• 🔨 Fix golangci-lint action step for large diff (#9239)
• 🔨 Fix: CI job incorrectly skipped by file change detection (#9238)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#9236)
• 🔨 build(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 (#9235)
• 🔨 build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 (#9234)
• 🔨 build(deps): bump actions/cache from 4.3.0 to 5.0.1 (#9233)
• 🔨 build(deps): bump tj-actions/changed-files from abdd2f68ea150cee8f236d4a9fb4e0f2491abf1b to e0021407031f5be11a464abee9a0776171c79891 (#9232)
• 🔨 build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (#9231)
• 🔨 Add twoGiants as pipeline maintainers (#9230)
• 🔨 fix: Add permissions to cherry-pick workflow (#9225)
• 🔨 Proposal: test: implement parallel/serial test categorization system (#9224)
• 🔨 github/workflows: use cherry-pick workflows from plumbing (#9222)
• 🔨 .github/workflows: fixing go-coverage token issues (#9221)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#9220)
• 🔨 build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#9219)
• 🔨 build(deps): bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 (#9218)
• 🔨 build(deps): bump peter-evans/slash-command-dispatch from 4.0.0 to 5.0.1 (#9217)
• 🔨 build(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 (#9216)
• 🔨 build(deps): bump github/codeql-action from 4.31.6 to 4.31.7 (#9215)
• 🔨 chore: enhance cherry-pick PR format with original context (#9214)
• 🔨 Fix commit SHA of github-script action (#9203)
• 🔨 test: limit examples test parallelism to 2 to prevent timeouts (#9200)
• 🔨 .github/workflows: use CHATOPS_TOKEN for coverage comments (#9198)
• 🔨 build(deps): bump actions/github-script from 7.0.1 to 8.0.0 (#9195)
• 🔨 build(deps): bump github/codeql-action from 4.31.5 to 4.31.6 (#9194)
• 🔨 .github/workflows: use plumbing workflow for chatops_retest (#9192)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.4 to 1.15.16 (#9183)
• 🔨 build(deps): bump google.golang.org/grpc from 1.75.0 to 1.77.0 (#9177)

Docs

• 📖 chore: fix YAML indentation in release cheat sheet (#9226)
• 📖 Remove beta note from projected workspaces and csi as they are stable (#9208)
• 📖 Update releases.md for 1.7 (#9205)

Thanks

Thanks to these contributors who contributed to v1.9.0!

• ❤️ @AlanGreene
• ❤️ @BastiaanN
• ❤️ @Pangjiping
• ❤️ @SarthakPandey2002
• ❤️ @a-ateek
• ❤️ @ab-ghosh
• ❤️ @afrittoli
• ❤️ @anithapriyanatarajan
• ❤️ @dependabot[bot]
• ❤️ @infernus01
• ❤️ @khrm
• ❤️ @twoGiants
• ❤️ @vdemeester
• ❤️ @waveywaves
• ❤️ @zakisk

Extra shout-out for awesome release notes:

• 😍 @Pangjiping
• 😍 @SarthakPandey2002
• 😍 @a-ateek
• 😍 @ab-ghosh
• 😍 @khrm
• 😍 @twoGiants
• 😍 @vdemeester
• 😍 @zakisk