Tekton Triggers release v0.36.0 "Tekton Triggers"

-Docs @ v0.36.0
-Examples @ v0.36.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/triggers/previous/v0.36.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a6b2a69794ca92fea0d3bb45b80f923817fd184a39c84987cd53cee88dcf9dc5f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a6b2a69794ca92fea0d3bb45b80f923817fd184a39c84987cd53cee88dcf9dc5f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/triggers/previous/v0.36.0/release.yaml
INTERCEPTORS_FILE=https://infra.tekton.dev/tekton-releases/triggers/previous/${VERSION_TAG}/interceptors.yaml

REKOR_UUID=108e9186e8c5677a6b2a69794ca92fea0d3bb45b80f923817fd184a39c84987cd53cee88dcf9dc5f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.36.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
curl -L "$INTERCEPTORS_FILE" >> release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨Add TLS security profile support for core interceptors (#2019)

Core interceptors now honor the TLS security profile injected by the Tekton operator via TLS_MIN_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES environment variables, allowing cluster-wide TLS policy enforcement on OpenShift.

• ✨ feat(metrics): Migration from OpenCensus to OpenTelemetry (#1934)

Migrated metrics from OpenCensus to OpenTelemetry.

ACTION REQUIRED:

1. Configuration key change
   Replace metrics.backend-destination with metrics-protocol in your config-observability-triggers ConfigMap.
   Prometheus export remains the default — no change needed if you were not customizing observability.

2. Infrastructure metric renaming
   Infrastructure metrics (workqueue, K8s client) have been renamed from the
   tekton_triggers_controller_ prefix to standard Knative/OpenTelemetry namespaces.

   ┌──────────────────────────────────────────────────────────┬───────────────────────────────────────────────────┐
   │ Old Metric Name (OpenCensus) │ New Metric Name (OpenTelemetry) │
   ├──────────────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
   │ tekton_triggers_controller_workqueue_depth │ kn_workqueue_depth │
   │ tekton_triggers_controller_workqueue_adds_total │ kn_workqueue_adds_total │
   │ tekton_triggers_controller_workqueue_queue_latency_* │ kn_workqueue_queue_duration_seconds_* │
   │ tekton_triggers_controller_workqueue_work_duration_* │ kn_workqueue_process_duration_seconds_* │
   │ tekton_triggers_controller_workqueue_unfinished_work_* │ kn_workqueue_unfinished_work_seconds │
   │ tekton_triggers_controller_workqueue_retries_total │ kn_workqueue_retries_total │
   │ tekton_triggers_controller_client_latency │ http_client_request_duration_seconds_* │
   │ tekton_triggers_controller_client_results │ kn_k8s_client_http_response_status_code_total │
   └──────────────────────────────────────────────────────────┴───────────────────────────────────────────────────┘

3. Sink counter metrics renamed

   ┌──────────────────────────────────────────┬────────────────────────────────────────────┐
   │ Old Metric Name (OpenCensus) │ New Metric Name (OpenTelemetry) │
   ├──────────────────────────────────────────┼────────────────────────────────────────────┤
   │ eventlistener_event_received_count │ eventlistener_event_received_total │
   │ eventlistener_triggered_resources │ eventlistener_triggered_resources_total │
   └──────────────────────────────────────────┴────────────────────────────────────────────┘

4. All other metric names are unchanged
   controller_eventlistener_count, controller_triggerbinding_count,
   controller_triggertemplate_count, controller_clustertriggerbinding_count,
   controller_clusterinterceptor_count, eventlistener_http_duration_seconds

Fixes

• 🐛 Fix e2e failure due to owners file change (#1970)

Misc

• 🔨 cleanup: replace GCS release URLs with infra.tekton.dev (#1973)
• 🔨 Bump step-security/harden-runner from 2.19.0 to 2.19.3 (#2033)
• 🔨 Bump github/codeql-action from 4.35.2 to 4.35.4 (#2032)
• 🔨 Bump the all group across 1 directory with 7 updates (#2031)
• 🔨 Bump the pipelines dependency and other deps (#2020)
• 🔨 Change release pipeline to use 'release-draft-oci' (#2018)
• 🔨 Fix curl command to follow redirects for release file (#2017)
• 🔨 Bump go.uber.org/zap from 1.27.1 to 1.28.0 in the all group (#2016)
• 🔨 Bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 (#2007)
• 🔨 Bump github.com/tektoncd/pipeline from 1.11.0 to 1.11.1 (#2005)
• 🔨 Bump actions/cache from 5.0.4 to 5.0.5 (#2004)
• 🔨 Bump step-security/harden-runner from 2.17.0 to 2.19.0 (#2003)
• 🔨 Bump github/codeql-action from 4.35.1 to 4.35.2 (#2002)
• 🔨 Bump the all group across 1 directory with 5 updates (#2001)
• 🔨 Fix intermittent panic in Test_UpdateCACertToClusterInterceptorCRD (#2000)
• 🔨 Bump github.com/moby/spdystream from 0.5.0 to 0.5.1 (#1999)
• 🔨 ci: Fix zizmor security findings in GitHub Actions (#1998)
• 🔨 Update release ko image to go1.25 (#1997)
• 🔨 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1996)
• 🔨 Bump step-security/harden-runner from 2.16.1 to 2.17.0 (#1995)
• 🔨 Bump github.com/google/cel-go from 0.27.0 to 0.28.0 in the all group (#1994)
• 🔨 Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 (#1993)
• 🔨 Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 (#1992)
• 🔨 Bump step-security/harden-runner from 2.16.0 to 2.16.1 (#1991)
• 🔨 Bump the all group with 4 updates (#1990)
• 🔨 Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#1989)
• 🔨 Bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#1988)
• 🔨 Bump tektoncd/pipeline to v1.11.0 and update vendor dependencies (#1986)
• 🔨 Bump the all group across 1 directory with 7 updates (#1985)
• 🔨 Bump actions/setup-go from 6.3.0 to 6.4.0 (#1984)
• 🔨 Bump github/codeql-action from 4.34.1 to 4.35.1 (#1983)
• 🔨 Bump github/codeql-action from 4.33.0 to 4.34.1 (#1980)
• 🔨 Bump actions/cache from 5.0.3 to 5.0.4 (#1979)
• 🔨 Bump github/codeql-action from 4.32.6 to 4.33.0 (#1976)
• 🔨 Bump fgrosse/go-coverage-report from 1.2.0 to 1.3.0 (#1975)
• 🔨 Bump step-security/harden-runner from 2.15.1 to 2.16.0 (#1974)
• 🔨 Bump github/codeql-action from 4.32.5 to 4.32.6 (#1969)
• 🔨 Bump step-security/harden-runner from 2.15.0 to 2.15.1 (#1968)
• 🔨 Bump go version to 1.25.6 (#1966)
• 🔨 Move inactive approvers to emeritus (#1965)
• 🔨 Bump step-security/harden-runner from 2.14.2 to 2.15.0 (#1963)
• 🔨 Bump github/codeql-action from 4.32.3 to 4.32.5 (#1962)
• 🔨 Bump actions/setup-go from 6.2.0 to 6.3.0 (#1961)
• 🔨 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#1960)
• 🔨 Bump the all group across 1 directory with 5 updates (#1959)
• 🔨 Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#1958)
• 🔨 Consolidate CI workflows for build, lint, and e2e tests (#1957)
• 🔨 Update releases.md for v0.35.0 (#1952)
• 🔨 Bump github/codeql-action from 4.32.2 to 4.32.3 (#1951)
• 🔨 Bump the all group with 6 updates (#1950)
• 🔨 Update Release Cheat Sheet for release-draft-oci pipeline (#1948)
• 🔨 Change precheck in release pipeline to OCI infra (#1947)
• 🔨 fix: release cheat sheet doc typos (#1953)

Docs

Thanks

Thanks to these contributors who contributed to v0.36.0!

• ❤️ @ankrsinha
• ❤️ @app/dependabot
• ❤️ @infernus01
• ❤️ @jkhelil
• ❤️ @khrm
• ❤️ @ngelman1
• ❤️ @vdemeester

Extra shout-out for awesome release notes:

• 😍 @infernus01
• 😍 @jkhelil