Update module github.com/tektoncd/pipeline to v1.11.0 [SECURITY] (main)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/tektoncd/pipeline	v1.9.2 → v1.11.0

---

Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching

CVE-2026-25542 / GHSA-rmx9-2pp3-xhcr

More information

Details

Summary

The Trusted Resources verification system matches a resource source string (refSource.URI) against spec.resources[].pattern using Go's regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the input string. As a result, common unanchored patterns—including examples found in Tekton documentation—can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This may cause an unintended policy match and alter which verification mode or keys are applied.

Affected Component

• Repository: https://github.com/tektoncd/pipeline
• Commit: 0133513db03dadb3cb08301d6b0330badcb63830
• Call site: pkg/trustedresources/verify.go:118–137 (getMatchedPolicies)

Impact

An attacker can craft a Trusted Resources source string that embeds a trusted substring and still matches an unanchored VerificationPolicy spec.resources[].pattern, even if the policy is intended to constrain matches to a specific trusted source. This occurs because regexp.MatchString succeeds on substring matches. For example, a pattern such as https://github.com/tektoncd/catalog.git would match an attacker-controlled source like https://evil.com/?x=https://github.com/tektoncd/catalog.git.

Affected: Deployments using Trusted Resources verification with unanchored VerificationPolicy patterns, where an attacker can influence the refSource.URI value used for policy matching.

Not affected: Deployments that anchor all patterns (^...$) or otherwise enforce full-string matching; deployments where attackers cannot influence refSource.URI.

Reproduction

Canonical (Demonstrates Vulnerability)

unzip -q -o poc.zip -d /tmp/poc-tekton-regex-001
cd /tmp/poc-tekton-regex-001/poc-F-TEKTON-REGEX-001
bash ./run.sh canonical | tee /tmp/tekton-regex-001-canonical.log

• Expected (secure): Capability not reached; canonical does not emit vulnerability markers.
• Actual (vulnerable): Capability reached; canonical emits vulnerability markers.
• Canonical markers (mandatory): [CALLSITE_HIT] + [PROOF_MARKER]

Negative Control

bash ./run.sh control | tee /tmp/tekton-regex-001-control.log

• Expected: Capability not reached under the same harness; control emits the control marker and does not emit vulnerability markers.
• Control markers (mandatory): [CALLSITE_HIT] + [NC_MARKER]

Verification

grep -n '\[PROOF_MARKER\]' /tmp/tekton-regex-001-canonical.log \
  && grep -n '\[NC_MARKER\]' /tmp/tekton-regex-001-control.log \
  && ! grep -n '\[PROOF_MARKER\]' /tmp/tekton-regex-001-control.log

Suggested Fix

It is recommended to make matching safe-by-default by requiring full-string matches, or by validating patterns and clearly documenting substring semantics. Possible approaches include:

1. Anchor patterns before matching — e.g., wrap pattern as ^(?:pattern)$ when not already anchored.
2. Introduce a separate field for exact match vs. regex match semantics.
3. Document substring semantics explicitly and update all documentation examples to include anchors.

A fix is considered accepted when, under the same harness, the canonical test still hits [CALLSITE_HIT] but does not emit [PROOF_MARKER].

Workarounds

Anchor all VerificationPolicy resource patterns so they must match the full source string. For example:

pattern: "^https://github\\.com/tektoncd/catalog\\.git$"

Proof Bundle

• Bundle: poc.zip
• Convention: The zip extracts under a single top-level folder (poc-F-TEKTON-REGEX-001/) to avoid collisions.
• Contains: canonical.log, control.log, witness.txt
• Extracted paths: ./poc/poc-F-TEKTON-REGEX-001/canonical.log, ./poc/poc-F-TEKTON-REGEX-001/control.log, ./poc/poc-F-TEKTON-REGEX-001/witness.txt
• Integrity verification: Compare shasum -a 256 for canonical.log, control.log, fix.patch, and test source against witness.txt.

Note: If a supported integration uses verified HTTPS app-links or universal links only, provide the supported tag or branch and retesting on that pin can be arranged.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/tektoncd/pipeline/security/advisories/GHSA-rmx9-2pp3-xhcr
• https://github.com/tektoncd/pipeline/commit/2c398711e6e9e232180508f0648425a8ea34dc9e
• https://github.com/tektoncd/pipeline/releases/tag/v1.11.0
• https://github.com/advisories/GHSA-rmx9-2pp3-xhcr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.11.0: Tekton Pipeline release v1.11.0 "Javanese Jocasta"

Compare Source

🎉 🐱 TaskRun pending parity, multiple Git credentials, and PVC auto-cleanup 🤖 🎉

-Docs @​ v1.11.0
-Examples @​ v1.11.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.0/release.yaml
REKOR_UUID=108e9186e8c5677ae7cc1db0d04d478cc74a86ca458747f1ca41fe102d4ec5f14a6f8ec59c48facd

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.11.0@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat(webhook): Bump knative.dev/pkg to enable centrally managed WEBHOOK_* TLS for the webhook (#​9466)

Bump knative.dev/pkg to enable centralized WEBHOOK_* TLS configuration for the webhook (min/max version, cipher suites, curves).
Webhook now inherits TLS policy from environment (operator/cluster); defaults remain TLS 1.3 when unset.

• ✨ Add multi-URL support and per-resolution url param to Hub Resolver (#​9465)

dd multi-URL support and per-resolution url parameter to Hub Resolver, enabling ordered fallback across multiple hub instances and explicit URL targeting per resolution request.

• ✨ Add pending status support for TaskRun (parity with PipelineRun) (#​9464)

TaskRun now supports spec.status: TaskRunPending to defer execution.
When pending, no Pod is created and status.startTime is not set.
Clearing spec.status starts execution, or setting TaskRunCancelled cancels without running.

• ✨ feat: add optional PVC auto-cleanup annotation for workspaces mode (#​9354)

Add optional PVC auto-cleanup for workspaces mode via tekton.dev/auto-cleanup-pvc: "true" annotation. When set on a PipelineRun using coschedule: workspaces, PVCs created from volumeClaimTemplate workspaces are automatically deleted on completion. User-provided persistentVolumeClaim workspaces are never affected.

• ✨ Add Gitea e2e tests to CI (#​9442)

Fixes

• 🐛 Fix: Add SSH Host aliases to support multiple SSH credentials on same host (#​9643)

Fixed SSH credential matching to support multiple repositories on the same host with different SSH keys. Previously, when using multiple SSH auth secrets for different repositories on the same Git server (e.g., github.com/org/repo1 and github.com/org/repo2), SSH would use the first key for all repositories, causing authentication failures with deploy keys. SSH Host aliases and Git url.*.insteadOf rewriting now enable per-repository SSH key selection when the secret annotation URL includes a repo path.

• 🐛 fix: make step-init symlink creation idempotent (#​9600)

ix entrypoint step-init to handle container restarts gracefully. Previously, if a container restarted within a pod (e.g. due to OOM or eviction), the init process would fail with "symlink: file exists" because symlinks from the previous run persisted on the shared volume.

• 🐛 fix: replace silent default namespace fallback with explicit error in GetNameAndNamespace (#​9594)

eplace silent "default" namespace fallback in GetNameAndNamespace with an explicit error, preventing potential ResolutionRequest creation in wrong namespace.

• 🐛 fix: resolve context key collision and ownerRef nil panic in resolution framework (#​9593)

ix context key collision in resolution framework where RequestName() silently returned the namespace value, and fix nil pointer panic in ownerRefsAreEqual when both Controller fields are nil.

• 🐛 fix: cluster resolver namespace access control whitespace and wildcard bugs (#​9592)

ix cluster resolver namespace access control: trim whitespace in allowed/blocked namespace lists, fix wildcard (*) handling when combined with explicit entries, and reject empty default-namespace values.

• 🐛 fix: convert pod latency metric to histogram and remove pod label (#​9530)

ction required: The tekton_pipelines_controller_taskruns_pod_latency_milliseconds metric has been converted from a Gauge to a Histogram and the pod label has been removed. Dashboards or alerts referencing this metric will need to be updated to use histogram_quantile() instead of direct value queries.

• 🐛 fix: use hashed volume names to prevent credential volume name collisions (#​9528)

ix credential volume name collisions when namespaces have many (118+)
annotated secrets. Volume names now use deterministic SHA-256 hashing
instead of truncation with random suffix.

• 🐛 Fix running_taskruns metric overcounting TaskRuns with no condition (#​9485)

Fixed overcounting in the running_taskruns metric for TaskRuns with no condition set yet.

• 🐛 fix: propagate PipelineRun tasks/finally timeout to child TaskRuns (#​9419)

When spec.timeouts.tasks or spec.timeouts.finally on a PipelineRun exceeds the global default timeout, the value is now propagated to individual child TaskRuns that do not have an explicit per-task timeout. This prevents TaskRuns from being prematurely canceled at the global default (e.g., 1h) when the PipelineRun allows a longer duration.

• 🐛 Bugfix: deduplicate concurrent resolver cache requests with singleflight. (#​9365)

Fix resolver cache race condition causing duplicate upstream pulls under concurrent load.

• 🐛 Fix: Add useHttpPath to support multiple Git credentials on same host (#​9143)

Fixed Git credential matching to support multiple repositories on the same host with different credentials. Previously, when using multiple secrets for different repositories on the same Git server (e.g., github.com/org/repo1 and github.com/org/repo2), it incorrectly use the first credential for all repositories, causing authentication failures. Git credential contexts now include useHttpPath = true, enabling proper per-repository credential selection.

• 🐛 fix: record metrics for cancelled PipelineRuns (#​9658)
• 🐛 Add explicit permissions blocks to workflows missing them (#​9562)
• 🐛 fix: revert mistaken metadata changes in resolvers config-observability (#​9468)
• 🐛 fix: update default tracing endpoint to http protobuf endpoint (#​9141)
• 🐛 fix: Pin Ubuntu,Bash,Python, Node & Perl container images to digests in examples/v1/taskruns/step-script.yaml (#​9618)
• 🐛 fix: Pin alpine-git-nonroot,alpine/git,busybox & nop container images to digests in examples/v1/taskruns (#​9614)
• 🐛 fix: Pin Bash,Alpine & Busybox container images to digests in examples/v1/taskruns (#​9610)
• 🐛 fix: Pin Ubuntu container images to digests in examples/v1/taskruns (#​9607)

Misc

• 🔨 perf(pipelinerun): hoist VerificationPolicy list out of per-task loop in resolvePipelineState (#​9601)

• 🔨 ci: fix GitHub Actions security issues found by zizmor (#​9667)

• 🔨 Extract memberOfLookup from createChildResourceLabels to reduce nested loop (#​9596)

• 🔨 cleanup: replace GCS release URLs with infra.tekton.dev (#​9569)

• 🔨 fix: Upgrade Gitea test infrastructure from v1.17.1 to latest (#​9568)

• 🔨 chore: bump knative.dev/pkg to main and k8s libs to 0.35.1 (#​9470)

• 🔨 Update stale comment about storing TaskSpec in status (#​9661)

• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9652)

• 🔨 build(deps): bump github/codeql-action from 4.33.0 to 4.34.1 (#​9651)

• 🔨 build(deps): bump actions/cache from 5.0.3 to 5.0.4 (#​9650)

• 🔨 build(deps): bump chainguard-dev/actions from 1.6.8 to 1.6.9 (#​9649)

• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.3 to 1.14.4 (#​9648)

• 🔨 build(deps): bump k8s.io/apimachinery from 0.35.2 to 0.35.3 (#​9639)

• 🔨 build(deps): bump k8s.io/client-go from 0.35.2 to 0.35.3 (#​9638)

• 🔨 build(deps): bump k8s.io/api from 0.34.5 to 0.34.6 in /test/custom-task-ctrls/wait-task-beta (#​9637)

• 🔨 build(deps): bump k8s.io/client-go from 0.34.5 to 0.34.6 in /test/custom-task-ctrls/wait-task-beta (#​9634)

• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.1 to 1.14.3 (#​9629)

• 🔨 build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 (#​9628)

• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.2 to 0.21.3 (#​9627)

• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.10.0 to 1.10.2 in /test/custom-task-ctrls/wait-task-beta (#​9626)

• 🔨 build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#​9611)

• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9587)

• 🔨 build(deps): bump github/codeql-action from 4.32.6 to 4.33.0 (#​9586)

• 🔨 build(deps): bump fgrosse/go-coverage-report from 1.2.0 to 1.3.0 (#​9585)

• 🔨 build(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 (#​9584)

• 🔨 build(deps): bump chainguard-dev/actions from 1.6.7 to 1.6.8 (#​9583)

• 🔨 Remove opencensus dependency from test files (#​9553)

• 🔨 Update tj-actions/changed-files version comment to v47.0.5 (#​9552)

• 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.41.0 to 1.42.0 (#​9549)

• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.1 to 0.21.2 (#​9548)

• 🔨 build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2 (#​9547)

• 🔨 build(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 (#​9542)

• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9541)

• 🔨 build(deps): bump tj-actions/changed-files from 47.0.4 to 47.0.5 (#​9540)

• 🔨 build(deps): bump chainguard-dev/actions from 1.6.5 to 1.6.7 (#​9539)

• 🔨 build(deps): bump github/codeql-action from 4.32.5 to 4.32.6 (#​9538)

• 🔨 build(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#​9536)

• 🔨 Nominate khrm and aThorp96 as pipeline approvers (#​9519)

• 🔨 Move inactive approvers to alumni (#​9518)

• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.1 to 0.35.2 (#​9487)

• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9483)

• 🔨 build(deps): bump github/codeql-action from 4.32.4 to 4.32.5 (#​9482)

• 🔨 build(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 (#​9481)

• 🔨 build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#​9480)

• 🔨 build(deps): bump chainguard-dev/actions from 1.6.4 to 1.6.5 (#​9479)

• 🔨 build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#​9478)

• 🔨 build(deps): bump go.opentelemetry.io/otel/metric from 1.40.0 to 1.41.0 (#​9477)

• 🔨 build(deps): bump k8s.io/apimachinery from 0.35.1 to 0.35.2 (#​9476)

• 🔨 build(deps): bump k8s.io/client-go from 0.34.3 to 0.34.5 in /test/custom-task-ctrls/wait-task-beta (#​9475)

• 🔨 build(deps): bump k8s.io/code-generator from 0.35.1 to 0.35.2 (#​9473)

• 🔨 build(deps): bump k8s.io/api from 0.34.3 to 0.34.5 in /test/custom-task-ctrls/wait-task-beta (#​9472)

• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.34.3 to 0.34.5 (#​9455)

• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.9.1 to 1.10.0 in /test/custom-task-ctrls/wait-task-beta (#​9453)

• 🔨 build(deps): bump k8s.io/client-go from 0.34.3 to 0.34.4 (#​9447)

• 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.39.0 to 1.40.0 (#​9445)

• 🔨 fix: release cheat sheet doc typos (#​9415)

Docs

• 📖 Re-enable pipeline-api.md generation (#​9604)

Update the pipeline API published at https://tekton.dev/docs/pipelines/pipeline-api/

• 📖 docs(auth): clean stale TODO (#​9504)

Clean up stale TODO in auth.md

• 📖 doc: Clarify scope of auth documentation (#​9461)

Added auth doc scope to distinguish credentials for processes inside Steps from Kubernetes imagePullSecrets for pulling Step images.

• 📖 docs: update releases.md with security patch releases (#​9616)
• 📖 docs: add 4 undocumented metrics to docs/metrics.md (#​9512)
• 📖 docs: fix broken internal markdown links (#​9507)
• 📖 docs: add README files for pipelinerun and taskrun examples (#​9505)
• 📖 doc: Fix broken Tekton Bundles example link in taskruns.md (#​9462)
• 📖 docs: update releases.md for v1.10.0 (#​9448)

Thanks

Thanks to these contributors who contributed to v1.11.0!

• ❤️ @​AiswaryaR6
• ❤️ @​BizerNotNull
• ❤️ @​ChinonsoNwakudu
• ❤️ @​Goutham-AR
• ❤️ @​Paramesh324
• ❤️ @​ab-ghosh
• ❤️ @​adityavshinde
• ❤️ @​afrittoli
• ❤️ @​anirudh242
• ❤️ @​ankrsinha
• ❤️ @​app/dependabot
• ❤️ @​infernus01
• ❤️ @​jkhelil
• ❤️ @​jorqen
• ❤️ @​khrm
• ❤️ @​ngelman1
• ❤️ @​sahilleth
• ❤️ @​srivickynesh
• ❤️ @​twoGiants
• ❤️ @​vdemeester
• ❤️ @​waveywaves

Extra shout-out for awesome release notes:

• 😍 @​BizerNotNull
• 😍 @​ab-ghosh
• 😍 @​afrittoli
• 😍 @​ankrsinha
• 😍 @​infernus01
• 😍 @​jkhelil
• 😍 @​jorqen
• 😍 @​sahilleth
• 😍 @​twoGiants
• 😍 @​vdemeester
• 😍 @​waveywaves

v1.10.2: Tekton Pipeline release v1.10.2 "LaPerm Little Helper"

Compare Source

-Docs @​ v1.10.2
-Examples @​ v1.10.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a104b9492904b91b09e714ee02dae9637eee78dfd892d6ca7cab46ce0208fd387

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a104b9492904b91b09e714ee02dae9637eee78dfd892d6ca7cab46ce0208fd387
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.2/release.yaml
REKOR_UUID=108e9186e8c5677a104b9492904b91b09e714ee02dae9637eee78dfd892d6ca7cab46ce0208fd387

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.10.2@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

• GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

• GHSA-cv4x-93xx-wgfj / CVE-2026-33022 (Medium): Controller panic via long resolver name in TaskRun/PipelineRun. A user with permission to create TaskRuns or PipelineRuns could crash the controller into a restart loop by setting a resolver name of 31+ characters, causing denial of service cluster-wide. Thanks to @​1seal for reporting this vulnerability.

Thanks

Thanks to these contributors who contributed to v1.10.2!

• ❤️ @​vdemeester
• ❤️ @​1seal

v1.10.1: Tekton Pipeline release v1.10.1 "LaPerm Little Helper"

Compare Source

-Docs @​ v1.10.1
-Examples @​ v1.10.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a8754062aee1bb73b992fe19d8c70544f16dd0bd502e19006c984c56928e9df4f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a8754062aee1bb73b992fe19d8c70544f16dd0bd502e19006c984c56928e9df4f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.1/release.yaml
REKOR_UUID=108e9186e8c5677a8754062aee1bb73b992fe19d8c70544f16dd0bd502e19006c984c56928e9df4f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.10.1@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 [cherry-pick: release-v1.10.x] fix: revert mistaken metadata changes in resolvers config-observability (#​9469)

Misc

Docs

Thanks

Thanks to these contributors who contributed to v1.10.1!

• ❤️ @​tekton-robot

Extra shout-out for awesome release notes:

v1.10.0: Tekton Pipeline release v1.10.0 "LaPerm Little Helper"

Compare Source

🎉 Observability, evolved: Tekton Pipelines migrates to OpenTelemetry 🎉

-Docs @​ v1.10.0
-Examples @​ v1.10.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a94dd58f7cfb4996ccce2c937681486ef690dab5e560e66c6c34aa9b446f32651

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a94dd58f7cfb4996ccce2c937681486ef690dab5e560e66c6c34aa9b446f32651
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.10.0/release.yaml
REKOR_UUID=108e9186e8c5677a94dd58f7cfb4996ccce2c937681486ef690dab5e560e66c6c34aa9b446f32651

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.10.0@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Upgrade Notices

• 🚨 Metrics migration from OpenCensus to OpenTelemetry (#​9043)

  ACTION REQUIRED: Infrastructure metrics (Go runtime, Workqueue, K8s Client) have been renamed from the tekton_pipelines_controller_ prefix to standard OpenTelemetry/Knative namespaces. The reason label has been added to duration metrics (pipelinerun_duration_seconds, taskrun_duration_seconds). The reconcile_count and reconcile_latency metrics have been removed.

  Upgrade actions:

  1. Update Config: Ensure your config-observability ConfigMap uses metrics-protocol: prometheus (or grpc/http) instead of the old metrics.backend-destination. If prometheus was already being used, no changes are needed.
  2. Update Dashboards:
     • Replace tekton_pipelines_controller_workqueue_* queries with kn_workqueue_*
     • Replace tekton_pipelines_controller_go_* queries with standard go_* metrics
     • Check aggregations on pipelinerun_duration_seconds to account for the new reason label

  See the full migration table in PR #​9043 for complete details.

Changes

Features

• ✨ feat: Add SHA-256 support for Git resolver revision validation (#​9278)

  Git resolver now supports SHA-256 commit hashes for revision validation.

• ✨ feat(metrics): Migrate from OpenCensus to OpenTelemetry (#​9043)

  Migrated PipelineRun and TaskRun metrics to OpenTelemetry instruments (histograms, counters, gauges). Updated Knative to 1.19. See Upgrade Notices for breaking changes and required actions.

• ✨ ci: add /rebase slash command workflow (#​9375)

Fixes

• 🐛 fix: Remove redundant shortNames from ResolutionRequest CRD (#​9398)

  Remove redundant shortNames from ResolutionRequest CRD that caused ShortNamesConflict on Kubernetes 1.33+

• 🐛 fix(pipelines): allow pipeline param defaults to use non-param variables (#​9386)

  Fixed a bug which caused PipelineRun validation to fail when a pipeline parameter's default value referenced a non-parameter variable (e.g. $(context.pipelineRun.name))

• 🐛 fix: pipeline-level results not recorded from failed tasks (#​9367)

  Pipeline-level results now include results from failed, cancelled, and timed-out tasks, fixing cases where results referencing non-successful task outputs were left as unresolved variable strings.

• 🐛 ci: replace e2e-only fan-in with unified CI summary job (#​9394)

• 🐛 fix: Align cache configstore with framework implementation (#​9282)

• 🐛 accept featureFlags.EnableTektonOCIBundles to fix unknown field error (#​8996)

Misc

• 🔨 build(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /test/resolver-with-timeout (#​9426)
• 🔨 Move v0.68 LTS to End of Life releases (#​9434)
• 🔨 Assess several new gosec findings (#​9405)
• 🔨 ci: Update cherry-pick command to latest plumbing (#​9400)
• 🔨 build(deps): bump opentelemetry exporter packages to v1.39.0 (#​9332)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.0 to 0.21.1 (#​9433)
• 🔨 build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 (#​9431)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9430)
• 🔨 build(deps): bump tj-actions/changed-files from 47.0.2 to 47.0.4 (#​9429)
• 🔨 build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 (#​9428)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.1 to 1.6.4 (#​9427)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.10.4 in /test/resolver-with-timeout (#​9425)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.20.7 to 0.21.0 (#​9418)
• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.9.0 to 1.9.1 in /test/custom-task-ctrls/wait-task-beta (#​9417)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9397)
• 🔨 build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 (#​9396)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.16 to 1.6.1 (#​9395)
• 🔨 build(deps): bump google.golang.org/grpc from 1.79.0 to 1.79.1 (#​9392)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.16 to 1.15.17 (#​9391)
• 🔨 build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.0 (#​9389)
• 🔨 build(deps): bump k8s.io/code-generator from 0.32.11 to 0.32.12 (#​9388)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.11 to 0.32.12 (#​9385)
• 🔨 build(deps): bump k8s.io/apimachinery from 0.33.7 to 0.33.8 (#​9384)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.11 to 0.32.12 (#​9383)
• 🔨 build(deps): bump k8s.io/client-go from 0.32.11 to 0.32.12 in /test/custom-task-ctrls/wait-task-beta (#​9382)
• 🔨 build(deps): bump k8s.io/api from 0.32.11 to 0.32.12 in /test/custom-task-ctrls/wait-task-beta (#​9381)
• 🔨 build(deps): bump k8s.io/apimachinery from 0.33.7 to 0.33.8 in /test/custom-task-ctrls/wait-task-beta (#​9380)
• 🔨 build(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (#​9374)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9373)
• 🔨 build(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 (#​9372)
• 🔨 build(deps): bump tj-actions/changed-files from 47.0.1 to 47.0.2 (#​9371)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.14 to 1.5.16 (#​9370)
• 🔨 build(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 (#​9369)
• 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.39.0 to 1.40.0 (#​9363)
• 🔨 fix(ci): simplify e2e test health status result (#​9361)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9352)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.13 to 1.5.14 (#​9351)
• 🔨 build(deps): bump github/codeql-action from 4.32.0 to 4.32.1 (#​9350)
• 🔨 build(deps): bump actions/cache from 4.2.3 to 5.0.3 (#​9348)
• 🔨 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.37.0 to 1.40.0 (#​9345)
• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.7.0 to 1.9.0 in /test/custom-task-ctrls/wait-task-beta (#​9340)
• 🔨 build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#​9337)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.0 to 1.14.1 (#​9336)
• 🔨 build(deps): bump sigstore/sigstore from 1.9.5 to 1.10.4 (#​9331)
• 🔨 build(deps): bump github.com/tektoncd/pipeline to v1.7.0 in wait-task-beta (#​9329)

Docs

• 📖 docs: clarify flag availability across controller binaries (#​9390)
• 📖 docs: update releases.md for v1.9.0 LTS (#​9339)
• 📖 docs: Document roadmap project board workflows and best practices (#​9311)
• 📖 Update examples in docs for changes in apiVersion v1 (#​9042)

Thanks

Thanks to these contributors who contributed to v1.10.0!

• ❤️ @​7h3-3mp7y-m4n
• ❤️ @​SaschaSchwarze0
• ❤️ @​aThorp96
• ❤️ @​anithapriyanatarajan
• ❤️ @​dependabot[bot]
• ❤️ @​johankok
• ❤️ @​khrm
• ❤️ @​lusqua
• ❤️ @​softho0n
• ❤️ @​vdemeester
• ❤️ @​waveywaves
• ❤️ @​wilderbridge
• ❤️ @​wmypku

Extra shout-out for awesome release notes:

• 😍 @​7h3-3mp7y-m4n
• 😍 @​aThorp96
• 😍 @​dependabot[bot]
• 😍 @​khrm
• 😍 @​lusqua
• 😍 @​vdemeester
• 😍 @​waveywaves
• 😍 @​wmypku

v1.9.3: Tekton Pipeline release v1.9.3 "Devon Rex Dreadnought"

Compare Source

-Docs @​ v1.9.3
-Examples @​ v1.9.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.3/release.yaml
REKOR_UUID=108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.3@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

• GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

• GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

• GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

• GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

• GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes

• 🐛 Fix running_taskruns metric overcounting TaskRuns with no condition
• 🐛 Pin registry image and relax log-based cache assertion
• 🐛 Bump Go to 1.24.13 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729
• 🐛 Fix TextParser struct usage for prometheus/common v0.62.0 compatibility
• 🐛 Remove corrupted resolver cache entries on type error
• 🐛 Resolve resolver cache race condition with singleflight
• 🐛 Align resolver cache configstore with framework implementation

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/evanphx/json-patch/v5	v5.9.0 -> v5.9.11
gomodules.xyz/jsonpatch/v2	v2.4.0 -> v2.5.0
knative.dev/pkg	v0.0.0-20250117084104-c43477f0052b -> v0.0.0-20250415155312-ed3e2158b883

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/evanphx/json-patch/v5	v5.9.0 -> v5.9.11
gomodules.xyz/jsonpatch/v2	v2.4.0 -> v2.5.0
knative.dev/pkg	v0.0.0-20250117084104-c43477f0052b -> v0.0.0-20250415155312-ed3e2158b883

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum

Command failed: go mod tidy
go: downloading github.com/onsi/ginkgo v1.16.5
go: downloading github.com/onsi/gomega v1.38.2
go: downloading github.com/yudai/pp v2.0.1+incompatible
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399
go: downloading go.uber.org/goleak v1.3.0
go: downloading gotest.tools/v3 v3.5.2
go: downloading gotest.tools v2.2.0+incompatible
go: downloading github.com/go-openapi/testify/v2 v2.4.1
go: downloading github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d
go: downloading github.com/otiai10/mint v1.5.1
go: downloading github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb
go: downloading github.com/elazarl/goproxy v1.7.2
go: downloading github.com/creack/pty v1.1.24
go: downloading github.com/hashicorp/go-hclog v1.6.3
go: downloading github.com/onsi/ginkgo/v2 v2.27.2
go: downloading k8s.io/apiserver v0.35.2
go: downloading k8s.io/component-base v0.35.2
go: downloading github.com/tektoncd/triggers v0.35.0
go: downloading github.com/sassoftware/relic/v7 v7.6.2
go: downloading github.com/go-quicktest/qt v1.101.0
go: downloading golang.org/x/tools v0.43.0
go: downloading github.com/nxadm/tail v1.4.11
go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5
go: downloading github.com/go-openapi/testify/enable/yaml/v2 v2.4.1
go: downloading github.com/google/trillian v1.7.2
go: downloading github.com/go-sql-driver/mysql v1.9.3
go: downloading github.com/jackc/pgx/v5 v5.7.5
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4
go: downloading github.com/tink-crypto/tink-go-awskms/v2 v2.1.0
go: downloading github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0
go: downloading github.com/tink-crypto/tink-go-hcvault/v2 v2.4.0
go: downloading github.com/tink-crypto/tink-go/v2 v2.6.0
go: downloading go.step.sm/crypto v0.75.0
go: downloading github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
go: downloading github.com/gliderlabs/ssh v0.3.8
go: downloading github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
go: downloading github.com/go-rod/rod v0.116.2
go: downloading k8s.io/cli-runtime v0.34.2
go: downloading knative.dev/serving v0.39.4
go: downloading github.com/blendle/zapdriver v1.3.1
go: downloading software.sslmate.com/src/go-pkcs12 v0.4.0
go: downloading github.com/cloudevents/sdk-go/v2 v2.16.2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading github.com/lib/pq v1.10.9
go: downloading github.com/hashicorp/go-uuid v1.0.3
go: downloading gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
go: downloading github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
go: downloading google.golang.org/api v0.271.0
go: downloading github.com/kylelemons/godebug v1.1.0
go: downloading filippo.io/edwards25519 v1.1.1
go: downloading github.com/jackc/pgpassfile v1.0.0
go: downloading github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761
go: downloading github.com/jmhodges/clock v1.2.0
go: downloading github.com/aws/aws-sdk-go-v2 v1.41.4
go: downloading github.com/aws/aws-sdk-go-v2/config v1.32.12
go: downloading github.com/aws/aws-sdk-go-v2/service/kms v1.49.5
go: downloading github.com/jellydator/ttlcache/v3 v3.4.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
go: downloading github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
go: downloading github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0
go: downloading cloud.google.com/go/kms v1.25.0
go: downloading github.com/hashicorp/vault/api v1.22.0
go: downloading github.com/aws/aws-sdk-go v1.55.8
go: downloading github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
go: downloading github.com/moby/sys/atomicwriter v0.1.0
go: downloading github.com/ysmood/goob v0.4.0
go: downloading github.com/ysmood/got v0.40.0
go: downloading github.com/ysmood/gson v0.7.3
go: downloading github.com/ysmood/fetchup v0.2.3
go: downloading github.com/ysmood/leakless v0.9.0
go: downloading github.com/Masterminds/semver/v3 v3.4.0
go: downloading github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.6.5
go: downloading go.etcd.io/etcd/client/v3 v3.6.5
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0
go: downloading github.com/google/btree v1.1.3
go: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
go: downloading knative.dev/eventing v0.30.3
go: downloading knative.dev/networking v0.0.0-20231017124814-2a7676e912b7
go: downloading github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef
go: downloading github.com/zalando/go-keyring v0.2.3
go: downloading github.com/kelseyhightower/envconfig v1.4.0
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading cloud.google.com/go/auth v0.18.2
go: downloading cloud.google.com/go v0.123.0
go: downloading github.com/golang/protobuf v1.5.4
go: downloading github.com/hashicorp/golang-lru/v2 v2.0.7
go: downloading github.com/aws/smithy-go v1.24.2
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.19.12
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20
go: downloading github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6
go: downloading github.com/aws/aws-sdk-go-v2/service/signin v1.0.8
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.30.13
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.41.9
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20
go: downloading github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2
go: downloading github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0
go: downloading cloud.google.com/go/iam v1.5.3
go: downloading cloud.google.com/go/longrunning v0.8.0
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading github.com/hashicorp/errwrap v1.1.0
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading github.com/hashicorp/go-rootcerts v1.0.2
go: downloading github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0
go: downloading github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
go: downloading github.com/hashicorp/hcl v1.0.1-vault-7
go: downloading github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c
go: downloading github.com/shoenig/test v0.6.4
go: downloading github.com/go-task/slim-sprig/v3 v3.0.0
go: downloading github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0
go: downloading sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2
go: downloading go.etcd.io/etcd/api/v3 v3.6.5
go: downloading github.com/coreos/go-systemd/v22 v22.7.0
go: downloading github.com/coreos/go-semver v0.3.1
go: downloading github.com/danieljoos/wincred v1.2.3
go: downloading github.com/godbus/dbus/v5 v5.1.0
go: downloading cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading cloud.google.com/go/compute/metadata v0.9.0
go: downloading cloud.google.com/go/compute v1.54.0
go: downloading cloud.google.com/go/auth/oauth2adapt v0.2.8
go: downloading github.com/google/s2a-go v0.1.9
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20
go: downloading github.com/hashicorp/go-sockaddr v1.0.7
go: downloading github.com/ryanuber/go-glob v1.0.0
go: downloading github.com/natefinch/atomic v1.0.1
go: downloading github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24
go: downloading github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/emicklei/proto v1.14.3
go: downloading github.com/protocolbuffers/txtpbfmt v0.0.0-20260217160748-a481f6a22f94
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.14
go: downloading gonum.org/v1/gonum v0.16.0
go: downloading github.com/jackc/puddle/v2 v2.2.2
go: downloading github.com/golang-jwt/jwt/v5 v5.3.0
go: downloading github.com/mitchellh/go-wordwrap v1.0.1
go: finding module for package knative.dev/pkg/metrics
go: downloading knative.dev/pkg v0.0.0-20260422015212-ec452872dcc1
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260422015212-ec452872dcc1), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260422015212-ec452872dcc1), but does not contain package knative.dev/pkg/tracing/config