🚨 Update module github.com/tektoncd/pipeline to v1 [SECURITY] (main)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/tektoncd/pipeline	v0.70.0 → v1.0.1

GitHub Vulnerability Alerts

CVE-2026-33022

Summary

A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31 characters or more, causing a denial of service for all reconciliation.

Details

The controller panics in GenerateDeterministicNameFromSpec when building a deterministic ResolutionRequest name. The generated name has the format {resolver}-{hash} and, when the resolver name is long enough, the result exceeds the DNS-1123 label limit of 63 characters.

The truncation logic attempts to find a word boundary using strings.LastIndex(name, " "). Since the generated name never contains spaces (it is composed of the resolver name, a dash, and a hex-encoded hash), LastIndex returns -1, which is then used as a slice bound:

return name[:strings.LastIndex(name[:maxLength], " ")], nil
// strings.LastIndex returns -1 → panic: slice bounds out of range [:-1]

The panic crashes the controller. Because the offending TaskRun or PipelineRun is re-reconciled on restart, the controller enters a CrashLoopBackOff, blocking all TaskRun and PipelineRun reconciliation cluster-wide until the offending resource is manually deleted.

Built-in resolvers use short names (git, cluster, bundles, hub) and are not affected under normal usage. The vulnerability is exploitable by any user who can create TaskRuns or PipelineRuns with a custom resolver name.

Impact

Denial of service — A single malicious TaskRun or PipelineRun with a long resolver name is sufficient to crash the Tekton Pipelines controller into a restart loop, blocking all CI/CD reconciliation cluster-wide until the resource is removed.

Patches

Fixed in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, 1.10.2.

The fix computes the hash first, then truncates only the prefix (resolver name) to fit within the DNS-1123 label limit, preserving the full hash to maintain determinism and uniqueness of ResolutionRequest names.

Workarounds

Restrict who can create TaskRun and PipelineRun resources via Kubernetes RBAC. There is no validation-side workaround without patching.

Affected Versions

All releases from v0.60.0 through v1.10.0.

The vulnerable truncation logic was introduced in commit ea1fa7ad1fdc ("Remote Resolution Refactor"), first released in v0.60.0 (2024-05-22).

Currently supported affected releases:

• v1.10.x (latest)
• v1.9.x (LTS, EOL 2027-01-30)
• v1.6.x (LTS, EOL 2026-10-31)
• v1.3.x (LTS, EOL 2026-08-04)
• v1.0.x (LTS, EOL 2026-04-29)

Releases prior to v0.60.0 are not affected — the truncation code did not exist.

Acknowledgments

This vulnerability was reported by Oleh Konko (@​1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

References

• Fix (main): 5eead3f859b9
• Fix (v1.10.x): 01673237c464
• Fix (v1.9.x): edc64bbf2232
• Fix (v1.6.x): 0fa2d66cff81
• Fix (v1.3.x): 5e4905fb6754
• Fix (v1.0.x): ebc197e2b973
• Introduced in: ea1fa7ad1fdc ("Remote Resolution Refactor")

---

Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.0.1: Tekton Pipeline release v1.0.1 "Oriental Omnidroid"

Compare Source

-Docs @​ v1.0.1
-Examples @​ v1.0.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.0.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ac065838c723ea199e9f0cc152e2c53d2430fb164dfe15d3e59766eef70923f9f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ac065838c723ea199e9f0cc152e2c53d2430fb164dfe15d3e59766eef70923f9f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.0.1/release.yaml
REKOR_UUID=108e9186e8c5677ac065838c723ea199e9f0cc152e2c53d2430fb164dfe15d3e59766eef70923f9f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.0.1@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

• GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

• GHSA-cv4x-93xx-wgfj / CVE-2026-33022 (Medium): Controller panic via long resolver name in TaskRun/PipelineRun. A user with permission to create TaskRuns or PipelineRuns could crash the controller into a restart loop by setting a resolver name of 31+ characters, causing denial of service cluster-wide. Thanks to @​1seal for reporting this vulnerability.

Fixes

• 🐛 fix: panic in v1beta1 matrix validation for invalid result refs (#​9212) — Resolved an issue where Pipelines with invalid result references in matrix parameters would cause a panic during validation (v1beta1 API)
• 🐛 fix(#​8940): Fix token-authentication header in git resolver (#​8947) — Before this change, there was a regression in which the git resolver was not authenticating with the provided gitToken and gitTokenKey, breaking the git resolver's http token-based auth. After this change, all git operations performed by the git resolver use the provided gitToken for remote authentication.
• 🐛 fix: ensure git shell-out inherits environment variables (#​8923) — The git resolver now respects environment variables on the pod
• 🐛 fix(pipeline): support variables in onError for pipeline v1beta1 (#​8932)
• 🐛 fix: exclude pending PipelineRuns from tekton_pipelines_controller_running_pipelineruns metric (#​8979) — Fixed metric to count only running PipelineRuns
• 🐛 fix: allow finalizer updates on completed TaskRun and PipelineRuns (#​9024)
• 🐛 fix(ci): pin GitHub Actions to commit SHAs (#​9305)

Misc

• 🔨 The log results sidecar has been optimized to significantly reduce CPU utilization. Operators can tune the system for their environment—using a higher interval to reduce CPU load in production, or a lower interval for faster feedback in development (#​8913)
• 🔨 ci: add CI summary fan-in job for branch protection (#​9410)
• 🔨 build: bump Go version to 1.24.0 and fix e2e test infrastructure (#​9318)
• 🔨 tekton: update plumbing ref to latest commit (#​9411)
• 🔨 tekton: update plumbing ref to include full image references fix (#​9404)
• 🔨 Docs: Switch from deprecated Tekton Hub to ArtifactHub, remove all references to gcr.io (#​8918)

Thanks

Thanks to these contributors who contributed to v1.0.1!

• ❤️ @​1seal
• ❤️ @​tekton-robot
• ❤️ @​vdemeester

v1.0.0: Tekton Pipeline release v1.0.0 "Oriental Omnidroid" LTS

Compare Source

🎉 1.0.0 is live 🎉 StepActions are GA and Git resolvers enhancements 🎉

-Docs @​ v1.0.0
-Examples @​ v1.0.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.0.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a3c232a877172a3c7967bdcb84afa4bc0a3819fe35e8796e324bbc364356d4349

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a3c232a877172a3c7967bdcb84afa4bc0a3819fe35e8796e324bbc364356d4349
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.0.0/release.yaml
REKOR_UUID=108e9186e8c5677a3c232a877172a3c7967bdcb84afa4bc0a3819fe35e8796e324bbc364356d4349

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.0.0@​sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ fix: resolve Git Anonymous Resolver excessive memory usage (#​8677)

RemoteResolutions using the Git Resolver now use the git binary instead of the Golang library go-git to shallow-clone, shallow-fetch, then checkout the provided repository at the given revision. This reduces resolution time and memory significantly. Some git providers such as Gitea may not support fetching revisions if the revision is a SHA which is not reachable via a ref or is not at a ref/head. In general, no user action is required.

See also: https://git-scm.com/docs/protocol-capabilities#_allow_reachable_sha1_in_want

Resolves #​8652

• ✨ feat(pipeline): allow variable substitution in pipeline.tasks[].onError (#​8600)

feat(pipeline): allow variable substitution in pipeline.tasks[].onError

• ✨ Add configuration for custom bundle resolver backoff (#​8574)

Enables the configuration of backoffs for a bundle resolver requests.

• ✨ feat: promote StepActions to GA (#​8546)

StepActions promoted to GA and is available by default. The enable-step-actions feature flag exists as a no-op flag to ensure that existing user workflows which might rely on this flag are not disabled. This flag will be removed completely in a later release.

• ✨ feat: add support for authenticated git clone (#​8537)

n optional token can now be passed to the git clone method (using go-git library) to
bypass token limit when using the API.

Fixes

• 🐛 fix: add stepaction as a valid kind in the hub resolver (#​8635)

the hub resolver now validates StepActions as a valid kind

• 🐛 fix: avoid fan out matrix task failed due to result ref (#​8487)

fix: avoid fan out matrix task failed due to result ref

• 🐛 fix: handle subPath directory creation errors gracefully (#​8683)

Misc

• 🔨 cleanup: [TEP-0135] remove deprecated disable-affinity-assistant feature flag (#​8603)

Binary file (standard input) matches

• 🔨 cleanup: remove clustertask support (#​8601)

Remove ClusterTask support completely

• 🔨 Bump go.mod and tools/go.mod to go 1.23 (#​8482)

Updating go to 1.23

• 🔨 misc: promote to beta (#​8343)

keep-pod-on-cancel feature flag will be enabled in default

• 🔨 build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#​8729)
• 🔨 build(deps): bump step-security/harden-runner from 2.11.1 to 2.12.0 (#​8728)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8727)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.8.15 to 1.9.4 (#​8724)
• 🔨 build(deps): bump k8s.io/apimachinery from 0.32.2 to 0.32.4 (#​8723)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8722)
• 🔨 build(deps): bump tj-actions/changed-files from be393a9 to c34c1c1 (#​8721)
• 🔨 build(deps): bump github/codeql-action from 3.28.14 to 3.28.15 (#​8705)
• 🔨 build(deps): bump tj-actions/changed-files from 6abeaa5 to be393a9 (#​8704)
• 🔨 build(deps): bump ko-build/setup-ko from 0.8 to 0.9 (#​8703)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​8702)
• 🔨 build(deps): bump github/codeql-action from 3.28.13 to 3.28.14 (#​8690)
• 🔨 build(deps): bump tj-actions/changed-files from 27ae6b3 to 6abeaa5 (#​8689)
• 🔨 build(deps): bump actions/dependency-review-action from 4.5.0 to 4.6.0 (#​8688)
• 🔨 build(deps): bump step-security/harden-runner from 2.11.0 to 2.11.1 (#​8687)
• 🔨 build(deps): bump the all group in /tekton with 2 updates (#​8686)
• 🔨 build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#​8680)
• 🔨 build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#​8678)
• 🔨 build(deps): bump go.opentelemetry.io/otel from 1.34.0 to 1.35.0 (#​8676)
• 🔨 Consume release pipeline images and task bundles from GHCR (#​8674)
• 🔨 build(deps): bump k8s.io/code-generator from 0.31.6 to 0.31.7 (#​8645)

Docs

• 📖 Add v0.70 to the releases doc and fix dates of v0.64 and v0.69 releases (#​8699)
• 📖 Move Step when expressions documentation from StepActions to Tasks documetnation. (#​8672)
• 📖 Update link to section on overriding task requests (#​8650)
• 📖 chore: param enum usage example for stepaction (#​8605)

Thanks

Thanks to these contributors who contributed to v1.0.0!

• ❤️ @​AlanGreene
• ❤️ @​aThorp96
• ❤️ @​arewm
• ❤️ @​chengjoey
• ❤️ @​chmouel
• ❤️ @​dependabot[bot]
• ❤️ @​l-qing
• ❤️ @​samdoran
• ❤️ @​twoGiants
• ❤️ @​vdemeester
• ❤️ @​waveywaves

Extra shout-out for awesome release notes:

• 😍 @​aThorp96
• 😍 @​arewm
• 😍 @​chengjoey
• 😍 @​chmouel
• 😍 @​l-qing
• 😍 @​vdemeester
• 😍 @​waveywaves

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/evanphx/json-patch/v5	v5.9.0 -> v5.9.11
gomodules.xyz/jsonpatch/v2	v2.4.0 -> v2.5.0
knative.dev/pkg	v0.0.0-20250117084104-c43477f0052b -> v0.0.0-20250415155312-ed3e2158b883

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/evanphx/json-patch/v5	v5.9.0 -> v5.9.11
gomodules.xyz/jsonpatch/v2	v2.4.0 -> v2.5.0
knative.dev/pkg	v0.0.0-20250117084104-c43477f0052b -> v0.0.0-20250415155312-ed3e2158b883