- Docs @ v1.9.4
- Examples @ v1.9.4
Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.4/release.yaml
Attestation
The Rekor UUID for this release is a2ff48e25353fcd4916b0ad9f9fad2793c11e0d68ac0c038c9187e8ce95eecf8
Obtain the attestation:
REKOR_UUID=a2ff48e25353fcd4916b0ad9f9fad2793c11e0d68ac0c038c9187e8ce95eecf8
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.4/release.yaml
REKOR_UUID=a2ff48e25353fcd4916b0ad9f9fad2793c11e0d68ac0c038c9187e8ce95eecf8
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.4@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it as a fixed string, not a regex
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
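A stricter form of the attestation check in the Attestation section above, as an added example that is not part of the Tekton release notes or tooling: it compares whole image references rather than grep substrings, returns a failing result on any mismatch or on an empty subject list, and (going beyond the page's one-way check) lists digest-pinned references in the release file that no subject covers. The image names and digests are constructed placeholders; real inputs would be the `jq -r .Attestation` output and `release.yaml` from the commands above.

```python
import json
import re

# Constructed sample inputs: names and digests are placeholders, not v1.9.4 data.
SAMPLE_ATTESTATION = json.dumps({"subject": [
    {"name": "ghcr.io/example/controller", "digest": {"sha256": "a" * 64}},
    {"name": "ghcr.io/example/webhook", "digest": {"sha256": "b" * 64}},
]})
SAMPLE_RELEASE = "\n".join([
    "containers:",
    "  - image: ghcr.io/example/controller:v1.9.4@sha256:" + "a" * 64,
    "  - image: ghcr.io/example/webhook:v1.9.4@sha256:" + "c" * 64,
    '    args: ["-shell-image", "ghcr.io/example/shell@sha256:' + "d" * 64 + '"]',
])

# A digest-pinned image reference: name[:tag]@sha256:<64 hex chars>.
PINNED_REF = re.compile(r"[\w./:-]+@sha256:[0-9a-f]{64}")


def attested_refs(attestation_json, tag):
    """Rebuild name:tag@sha256:digest for every in-toto subject."""
    subjects = json.loads(attestation_json)["subject"]
    return {f"{s['name']}:{tag}@sha256:{s['digest']['sha256']}" for s in subjects}


def compare(attestation_json, release_text, tag):
    """Return (missing, unattested) as sorted lists of whole references."""
    attested = attested_refs(attestation_json, tag)
    in_release = set(PINNED_REF.findall(release_text))
    return sorted(attested - in_release), sorted(in_release - attested)


def verify(attestation_json, release_text, tag):
    """Fail closed: False if any subject is absent or no subjects were found."""
    missing, unattested = compare(attestation_json, release_text, tag)
    for ref in missing:
        print("no match:", ref)
    for ref in unattested:
        print("not in attestation (review):", ref)
    return not missing and bool(attested_refs(attestation_json, tag))


if __name__ == "__main__":
    ok = verify(SAMPLE_ATTESTATION, SAMPLE_RELEASE, "v1.9.4")
    raise SystemExit(0 if ok else 1)
```

The unattested list is reported for review rather than treated as a failure, since a release file can pin helper images that are not attestation subjects.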
Features
Fixes
- 🐛 [cherry-pick: release-v1.9.x] fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#10253)
Before this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.
- 🐛 [cherry-pick: release-v1.9.x] Fix cross-arch platform command lookup in entrypoint (#10163)
Fix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.
- 🐛 [release-v1.9.x] fix: surface clear errors when completed tasks miss referenced results (#9973)
PipelineRun status now shows which specific results were missing when tasks are skipped due to uninitialized result references from completed tasks. A Warning event with reason ResultValidationFailed is also emitted for consistency with other failure modes.
- 🐛 [cherry-pick: release-v1.9.x] fix(resolvers): validate data is Tekton object in resolver framework (#9961)
Fixes a bug that lets Tekton Resolvers resolve non-Tekton objects and arbitrary data. After this change, resolving a non-Tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequests that use the Resolver API for other object types will no longer function.
- 🐛 [cherry-pick: release-v1.9.x] fix: bump google.golang.org/grpc to 1.79.3 (CVE-2026-33186) (#9908)
Bump google.golang.org/grpc from 1.77.0 to 1.79.3 to fix CVE-2026-33186 (gRPC-Go authorization bypass via missing leading slash in :path header).
- 🐛 [release-v1.9.x] fix: add automated draft release support to release pipeline (#10214)
- 🐛 [Cherry-pick release-v1.9.x] fix: resolve goroutine leak from unbuffered channels in resolver reconcilers (#10112)
- 🐛 [Cherry-pick release-v1.9.x] fix: convert pod latency metric to histogram and remove pod label (#10110)
- 🐛 [Cherry-pick Release-v1.9.x] fix(pipelinerun): use generateName for anonymous pipeline label (#10108)
Misc
- 🔨 build(deps): bump the all group in /tekton with 4 updates (#10262)
- 🔨 build(deps): bump the all group in /tekton with 4 updates (#10239)
- 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#10198)
- 🔨 build(deps): bump the all group across 1 directory with 4 updates (#10197)
- 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.14.7 (#10151)
- 🔨 build(deps): bump the all group in /tekton with 4 updates (#10131)
- 🔨 build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#10128)
- 🔨 build(deps): bump the all group in /tekton with 4 updates (#10088)
- 🔨 build(deps): bump the all group in /tekton with 4 updates (#10043)
- 🔨 build(deps): bump k8s.io/apimachinery from 0.33.11 to 0.33.12 (#10015)
- 🔨 build(deps): bump the all group across 1 directory with 4 updates (#9988)
- 🔨 build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 (#9984)
- 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.0 to 1.14.6 (#9929)
- 🔨 build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#9917)
- 🔨 build(deps): bump k8s.io/apimachinery from 0.33.7 to 0.33.11 (#9916)
- 🔨 build(deps): bump github.com/google/go-containerregistry from 0.20.6 to 0.20.8 (#9886)
- 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.11 to 0.32.13 (#9884)
- 🔨 build(deps): bump k8s.io/api from 0.32.11 to 0.32.13 (#9879)
- 🔨 build(deps): bump k8s.io/client-go from 0.32.11 to 0.32.13 (#9876)
- 🔨 build(deps): bump github/codeql-action from 4.32.0 to 4.32.6 (#9863)
- 🔨 build(deps): bump the all group in /tekton with 4 updates (#9862)
- 🔨 build(deps): bump tj-actions/changed-files from 47.0.1 to 47.0.6 (#9860)
- 🔨 build(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 (#9859)
- 🔨 build(deps): bump github.com/tektoncd/pipeline from 0.53.1 to 0.53.9 in /test/custom-task-ctrls/wait-task-beta (#9858)
- 🔨 build(deps): bump chainguard-dev/actions from 1.5.13 to 1.5.16 (#9857)
- 🔨 build(deps): bump actions/cache from 4.2.3 to 4.2.4 (#9855)
Docs
Thanks
Thanks to these contributors who contributed to v1.9.4!
- ❤️ @app/dependabot
- ❤️ @infernus01
- ❤️ @tekton-robot
- ❤️ @vdemeester
- ❤️ @waveywaves
Extra shout-out for awesome release notes: