redhat-renovate-bot
commented
2 weeks ago ⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: go.sum
Command failed: go get -d -t ./...
go: knative.dev/pkg@v0.0.0-20230221152827-2d84369c105d: unrecognized import path "knative.dev/pkg": https fetch: Get "https://knative.dev/pkg?go-get=1": EOF
kubevirt-bot
sonarcloud[bot]
openshift-ci[bot]
This PR contains the following updates:
v0.41.2->v0.52.1Pipelines do not validate child UIDs
CVE-2023-37264 / GHSA-w2h3-vvvq-3m53 / GO-2023-1901
More information
#### Details ##### Summary Pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. We should add UID to PipelineRun status and validate that child Run status/results only come from Runs matching the same UID. ##### Details While we [store and validate the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference](https://togithub.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372), we only store (api version, kind, name) in the [ChildStatusReference](https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference) . This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements. I believe this is also true for [TaskRuns -> Pods since it looks like we only lookup by name](https://togithub.com/tektoncd/pipeline/blob/0b8349b770a76877051c9c790c94bf9ed897c75c/test/pipelinerun_test.go#L992), though I haven't tested this. If you have update permissions on tekton resources, you could also perform a similar bypass like this (because it's difficult to distinguish this from a Task retry). For now, I think relying on RBAC is fine and treat update as a privileged role (though we should perhaps update docs to stress this). Create is the most problematic for now. SPIFFE/SPIRE might be able to help with ensuring that only the controller can modify state long term (e.g. sign the expected UIDs?) ##### PoC ```yaml apiVersion: [tekton.dev/v1beta1](http://tekton.dev/v1beta1) kind: PipelineRun metadata: name: hello-pr spec: pipelineSpec: tasks: - name: task1 taskSpec: steps: - name: echo image: [distroless.dev/alpine-base](http://distroless.dev/alpine-base) script: | sleep 60 - name: task2 runAfter: [task1] taskSpec: steps: - name: echo image: [distroless.dev/alpine-base](http://distroless.dev/alpine-base) script: | echo "asdf" > $(results.foo.path) results: - name: foo results: - name: foo value: $(tasks.task2.results.foo) ``` Once this is running, grab the PR UID: ```sh $ k get pr hello-pr -o json | jq .metadata.uid -r ``` While pipeline is running task 1, start fake task 2: ```yaml apiVersion: [tekton.dev/v1beta1](http://tekton.dev/v1beta1) kind: TaskRun metadata: annotations: labels: [app.kubernetes.io/managed-by](http://app.kubernetes.io/managed-by): tekton-pipelines [tekton.dev/memberOf](http://tekton.dev/memberOf): tasks [tekton.dev/pipeline](http://tekton.dev/pipeline): hello-pr [tekton.dev/pipelineRun](http://tekton.dev/pipelineRun): hello-pr [tekton.dev/pipelineTask](http://tekton.dev/pipelineTask): task2 name: hello-pr-task2 namespace: default ownerReferences: - apiVersion: [tekton.dev/v1beta1](http://tekton.dev/v1beta1) blockOwnerDeletion: true controller: true kind: PipelineRun name: hello-pr uid: af549647-4532-468b-90c5-29122a408f8d <--- this should be UID of PR fetched in last step spec: serviceAccountName: default taskSpec: results: - name: foo type: string steps: - image: [distroless.dev/alpine-base](http://distroless.dev/alpine-base) name: echo resources: {} script: | echo "zxcv" > $(results.foo.path) ``` Get pipeline results - it shows the output of the 2nd injected TaskRun ``` $ k get pr -o json hello-pr | jq .status.pipelineResults [ { "name": "foo", "value": "zxcv\n" } ] ``` ##### Impact This can be used to trick the Pipeline controller into associating unrelated Runs to the Pipeline, feeding its data through the rest of the Pipeline. This requires access to create TaskRuns, so impact may vary depending on your Tekton setup. **If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities**. Worst case example would be a supply chain attack where a malicious TaskRun triggered from Triggers/Workflows intercepts and replaces a task in a trusted Pipeline. #### Severity - CVSS Score: 3.7 / 10 (Low) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N` #### References - [https://github.com/tektoncd/pipeline/security/advisories/GHSA-w2h3-vvvq-3m53](https://togithub.com/tektoncd/pipeline/security/advisories/GHSA-w2h3-vvvq-3m53) - [https://nvd.nist.gov/vuln/detail/CVE-2023-37264](https://nvd.nist.gov/vuln/detail/CVE-2023-37264) - [https://github.com/tektoncd/pipeline](https://togithub.com/tektoncd/pipeline) - [https://github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372](https://togithub.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372) - [https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference](https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w2h3-vvvq-3m53) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
tektoncd/pipeline (github.com/tektoncd/pipeline)
### [`v0.52.1`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.52.1): Tekton Pipeline release v0.52.1 "California Spangled Optimus" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.52.0...v0.52.1) \-[Docs @ v0.52.1](https://togithub.com/tektoncd/pipeline/tree/v0.52.1/docs) \-[Examples @ v0.52.1](https://togithub.com/tektoncd/pipeline/tree/v0.52.1/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.1/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77a97c22594268cc45d986246339ada304b7587b205b59cf5d59df2650d24b14825` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77a97c22594268cc45d986246339ada304b7587b205b59cf5d59df2650d24b14825 rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.1/release.yaml REKOR_UUID=24296fb24b8ad77a97c22594268cc45d986246339ada304b7587b205b59cf5d59df2650d24b14825 ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.52.1@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ##### Fixes - :bug: \[release-v0.52.x] Regression: fix results with out of order tasks ([#7174](https://togithub.com/tektoncd/pipeline/issues/7174)) Fix regression where a different order of task definition may cause result resolution to break #### Thanks Thanks to these contributors who contributed to v0.52.1! - :heart: [@afrittoli](https://togithub.com/afrittoli) - :heart: [@tekton-robot](https://togithub.com/tekton-robot) Extra shout-out for awesome release notes: - :heart_eyes: [@afrittoli](https://togithub.com/afrittoli) - :heart_eyes: [@tekton-robot](https://togithub.com/tekton-robot) ### [`v0.52.0`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.52.0): Tekton Pipeline release v0.52.0 "California Spangled Optimus" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.51.0...v0.52.0) ### 🎉 Task and Pipeline Resolver Metrics, API Specifications for pipelines-in-pipelines 🎉 \-[Docs @ v0.52.0](https://togithub.com/tektoncd/pipeline/tree/v0.52.0/docs) \-[Examples @ v0.52.0](https://togithub.com/tektoncd/pipeline/tree/v0.52.0/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.0/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77aede6ff3c84da87cdeda75e9dcf779abc736bf5423b8a4151bad8193f0c76dd15` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77aede6ff3c84da87cdeda75e9dcf779abc736bf5423b8a4151bad8193f0c76dd15 rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.52.0/release.yaml REKOR_UUID=24296fb24b8ad77aede6ff3c84da87cdeda75e9dcf779abc736bf5423b8a4151bad8193f0c76dd15 ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.52.0@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ### Features - :sparkles: Add taskrun/pipelinerun gauge metrics around resolving respective tasks/pipelines ([#7094](https://togithub.com/tektoncd/pipeline/issues/7094)) New gauge metrics are introduced that count the number of TaskRuns waiting for resolution of any Tasks they reference, as well as count the number of PipelineRuns waiting on Pipeline resolution, and lastly count the number of PipelineRuns waiting on Task resolution for their underlying TaskRuns. - :sparkles: \[TEP-0056]: Initial set of API refactors pertinent to Pipelines in Pipelines ([#7055](https://togithub.com/tektoncd/pipeline/issues/7055)) Added PipelineRef and PipelineSpec fields to PipelineTask, in lieu of TEP-0056 ##### Fixes - :bug: fix: clean results when taskrun retries ([#7126](https://togithub.com/tektoncd/pipeline/issues/7126)) The taskrun will clean up the last task results before retrying. - :bug: Validate beta features for inline pipelines and tasks ([#7079](https://togithub.com/tektoncd/pipeline/issues/7079)) Bug fix: validate beta features in inline tasks/pipelines in the same way as referenced tasks/pipelines - :bug: Remove results annotations filtering ([#7108](https://togithub.com/tektoncd/pipeline/issues/7108)) - :bug: fix an issue with `InvalidMatrixParameterTypes` along with updating the matrix example with additional validations ([#7064](https://togithub.com/tektoncd/pipeline/issues/7064)) ##### Misc - :hammer: Add configmap for tracing config ([#6897](https://togithub.com/tektoncd/pipeline/issues/6897)) Tracing endpoint configuration is now moved from environment variable to the configmap `config-tracing`. Tracing can be now configured dynamically without needing to restart the controller. Refer the example configuration provided as part of the ConfigMap for the configuration options and format. - :hammer: Clean up getting substitution expressions ([#7121](https://togithub.com/tektoncd/pipeline/issues/7121)) - :hammer: DEVELOPMENT: missing newline escape on shell example ([#7107](https://togithub.com/tektoncd/pipeline/issues/7107)) - :hammer: Cleanup: Move PipelineRun Reasons to pkg/apis ([#7102](https://togithub.com/tektoncd/pipeline/issues/7102)) - :hammer: cleaning up provenance from pipelineRun ([#7091](https://togithub.com/tektoncd/pipeline/issues/7091)) - :hammer: eventForObjectWithCondition -> EventForObjectWithCondition ([#7052](https://togithub.com/tektoncd/pipeline/issues/7052)) - :hammer: remove GetUnsignedPipeline helper function and use var in each file ([#6800](https://togithub.com/tektoncd/pipeline/issues/6800)) - :hammer: Bump github.com/containerd/containerd from 1.7.3 to 1.7.6 ([#7130](https://togithub.com/tektoncd/pipeline/issues/7130)) - :hammer: Bump github.com/spiffe/spire-api-sdk from 1.7.1 to 1.7.2 ([#7129](https://togithub.com/tektoncd/pipeline/issues/7129)) - :hammer: Bump k8s.io/apimachinery from 0.27.1 to 0.27.6 in /test/custom-task-ctrls/wait-task-beta ([#7119](https://togithub.com/tektoncd/pipeline/issues/7119)) - :hammer: Bump k8s.io/client-go from 0.27.1 to 0.27.6 in /test/custom-task-ctrls/wait-task-beta ([#7118](https://togithub.com/tektoncd/pipeline/issues/7118)) - :hammer: Bump k8s.io/api from 0.27.1 to 0.27.6 in /test/custom-task-ctrls/wait-task-beta ([#7117](https://togithub.com/tektoncd/pipeline/issues/7117)) - :hammer: Bump k8s.io/api from 0.26.7 to 0.26.9 in /test/custom-task-ctrls/wait-task-beta ([#7114](https://togithub.com/tektoncd/pipeline/issues/7114)) - :hammer: Bump k8s.io/client-go from 0.25.11 to 0.25.14 in /test/custom-task-ctrls/wait-task-beta ([#7112](https://togithub.com/tektoncd/pipeline/issues/7112)) - :hammer: Bump google.golang.org/grpc from 1.56.2 to 1.58.1 ([#7111](https://togithub.com/tektoncd/pipeline/issues/7111)) - :hammer: Bump github.com/jenkins-x/go-scm from 1.13.13 to 1.14.14 ([#7089](https://togithub.com/tektoncd/pipeline/issues/7089)) - :hammer: Bump github.com/sigstore/sigstore from 1.7.1 to 1.7.3 ([#7087](https://togithub.com/tektoncd/pipeline/issues/7087)) - :hammer: Bump github.com/tektoncd/pipeline from 0.49.0 to 0.51.0 in /test/custom-task-ctrls/wait-task-beta ([#7061](https://togithub.com/tektoncd/pipeline/issues/7061)) - :hammer: Bump google.golang.org/protobuf from 1.30.0 to 1.31.0 ([#6913](https://togithub.com/tektoncd/pipeline/issues/6913)) ##### Docs - :book: add docs for emitting object results ([#7120](https://togithub.com/tektoncd/pipeline/issues/7120)) - :book: fix docs and add max-result-size optional feature flag ([#7110](https://togithub.com/tektoncd/pipeline/issues/7110)) - :book: Fix the link to alpha-features in docs ([#7075](https://togithub.com/tektoncd/pipeline/issues/7075)) #### Thanks Thanks to these contributors who contributed to v0.52.0! - :heart: [@Yongxuanzhang](https://togithub.com/Yongxuanzhang) - :heart: [@bhujangr](https://togithub.com/bhujangr) - :heart: [@cugykw](https://togithub.com/cugykw) - :heart: [@dependabot](https://togithub.com/dependabot)\[bot] - :heart: [@gabemontero](https://togithub.com/gabemontero) - :heart: [@jerop](https://togithub.com/jerop) - :heart: [@khrm](https://togithub.com/khrm) - :heart: [@kmjayadeep](https://togithub.com/kmjayadeep) - :heart: [@lbernick](https://togithub.com/lbernick) - :heart: [@lvnvn](https://togithub.com/lvnvn) - :heart: [@melnikalex](https://togithub.com/melnikalex) - :heart: [@pritidesai](https://togithub.com/pritidesai) - :heart: [@vbatts](https://togithub.com/vbatts) Extra shout-out for awesome release notes: - :heart_eyes: [@bhujangr](https://togithub.com/bhujangr) - :heart_eyes: [@cugykw](https://togithub.com/cugykw) - :heart_eyes: [@gabemontero](https://togithub.com/gabemontero) - :heart_eyes: [@kmjayadeep](https://togithub.com/kmjayadeep) - :heart_eyes: [@lbernick](https://togithub.com/lbernick) ### [`v0.51.0`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.51.0): Tekton Pipeline release v0.51.0 "Havana Brown Demerzel" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.50.6...v0.51.0) ### 🎉 Co-schedule option and bugfixes 🎉 \-[Docs @ v0.51.0](https://togithub.com/tektoncd/pipeline/tree/v0.51.0/docs) \-[Examples @ v0.51.0](https://togithub.com/tektoncd/pipeline/tree/v0.51.0/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.51.0/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77af0123195ea84840480151ea9735ca9e2f869d262e403dad6fa6c42c32bc04193` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77af0123195ea84840480151ea9735ca9e2f869d262e403dad6fa6c42c32bc04193 rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.51.0/release.yaml REKOR_UUID=24296fb24b8ad77af0123195ea84840480151ea9735ca9e2f869d262e403dad6fa6c42c32bc04193 ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.51.0@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Upgrade Notices **With this release, the minimun Kubernetes version supported is now 1.25.** #### Changes ### Features - :sparkles: \[TEP-0135] Coschedule per (Isolated) PipelineRun e2e support ([#6927](https://togithub.com/tektoncd/pipeline/issues/6927)) \[TEP-0135]: Support `coschedule: pipelineruns` and `coschedule: isolate-pipelinerun` coschedule modes. Users can now opt in this new feature to schedule all the pods in the same node and to optionally enforce one running pipelinerun in a node at the same time. - :sparkles: Add service for Resolvers - metrics, probes and tracing ([#6973](https://togithub.com/tektoncd/pipeline/issues/6973)) ### Deprecation Notices - 🚨 Mark disable-affinity-assistant as deprecated ([#6991](https://togithub.com/tektoncd/pipeline/issues/6991)) The `disable-affinity-assistant` feature flag is deprecated in favour of the new `coschedule` feature flag. The `disable-affinity-assistant` feature flag will be removed in 9 months. ##### Fixes - :bug: Fix release pipeline (publish-to-bucket) ([#7044](https://togithub.com/tektoncd/pipeline/issues/7044)) Binary file (standard input) matches - :bug: Make sure we use the correct namespace for remote Pipeline validation ([#7017](https://togithub.com/tektoncd/pipeline/issues/7017)) ix validation errors when using the cluster resolver - :bug: Create a separate role for Events Controller ([#7016](https://togithub.com/tektoncd/pipeline/issues/7016)) The role for Events Controller is now `tekton-events-controller`, and the Rolebinding is now `tekton-pipelines-events-controller.` - :bug: fix: add taskRunTemplate field validation ([#6983](https://togithub.com/tektoncd/pipeline/issues/6983)) Validate forbidden envs in TaskRunTemplate.PodTemplate. - :bug: Fail fast on invalid image ([#6982](https://togithub.com/tektoncd/pipeline/issues/6982)) The Pod reason InvalidImageName is treated now as a permanent issue, so that TaskRuns that include a step with an invalid image reference are failed immediately and the corresponding Pod is deleted. - :bug: Sync checksum between trusted resources and cluster resolver ([#6964](https://togithub.com/tektoncd/pipeline/issues/6964)) Cluster resolver now computes the checksum of the pre-processed Tekton object instead of just the spec. - :bug: Fix Taskrun Failure for Preempted Pod of Taskrun ([#6962](https://togithub.com/tektoncd/pipeline/issues/6962)) This fixes the Taskrun failure for Preempted Pod of Taskrun which uses PVC. - :bug: fix: refine error resean with invalid pipelinename in taskrunspecs ([#6957](https://togithub.com/tektoncd/pipeline/issues/6957)) When the taskRunSpecs of the pipelineRun contains an invalid pipeline task name, the cause of the `InvalidTaskRunSpecs` error is displayed. - :bug: Fix enforce-nonfalsifiability feature flag in configmap ([#6937](https://togithub.com/tektoncd/pipeline/issues/6937)) ##### Misc - :hammer: Mark disable-affinity-assistant as deprecated ([#6991](https://togithub.com/tektoncd/pipeline/issues/6991)) action required: The `disable-affinity-assistant` feature flag is deprecated in favour of the new `coschedule` feature flag. The `disable-affinity-assistant` feature flag will be removed in 9 months. The Affinity Assistant behaviour should now be configured by the `coschedule` feature flag. - :hammer: Bump knative/pkg to 1.11 ([#6975](https://togithub.com/tektoncd/pipeline/issues/6975)) Bump knative.dev/pkg to 1.11 so the Kubernetes min version is now 1.25 - :hammer: Add webhook validation for remote Tasks ([#6942](https://togithub.com/tektoncd/pipeline/issues/6942)) Remote tasks are now validated by any validating admission webhooks. - :hammer: \[TEP-0135] Refactor CreatePVCsForWorkspaces ([#6921](https://togithub.com/tektoncd/pipeline/issues/6921)) - :hammer: Bump github.com/golangci/golangci-lint from 1.54.1 to 1.54.2 in /tools ([#7057](https://togithub.com/tektoncd/pipeline/issues/7057)) - :hammer: Bump github.com/golangci/golangci-lint from 1.54.0 to 1.54.1 in /tools ([#7047](https://togithub.com/tektoncd/pipeline/issues/7047)) - :hammer: Bump github.com/golangci/golangci-lint from 1.53.3 to 1.54.0 in /tools ([#7039](https://togithub.com/tektoncd/pipeline/issues/7039)) - :hammer: Bump github.com/hashicorp/golang-lru from 0.5.4 to 1.0.2 ([#7031](https://togithub.com/tektoncd/pipeline/issues/7031)) - :hammer: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 ([#7026](https://togithub.com/tektoncd/pipeline/issues/7026)) - :hammer: Bump github.com/google/go-containerregistry from 0.15.2 to 0.16.1 ([#7021](https://togithub.com/tektoncd/pipeline/issues/7021)) - :hammer: Bump go.uber.org/zap from 1.24.0 to 1.25.0 ([#7018](https://togithub.com/tektoncd/pipeline/issues/7018)) - :hammer: Bump github.com/containerd/containerd from 1.6.19 to 1.7.3 ([#7002](https://togithub.com/tektoncd/pipeline/issues/7002)) - :hammer: Bump github.com/spiffe/spire-api-sdk from 1.7.0 to 1.7.1 ([#6997](https://togithub.com/tektoncd/pipeline/issues/6997)) - :hammer: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.8.1 ([#6980](https://togithub.com/tektoncd/pipeline/issues/6980)) - :hammer: Add E2E Testing for Matrix ([#6944](https://togithub.com/tektoncd/pipeline/issues/6944)) ##### Docs - :book: docs: Update references to examples from v1beta1 to v1 ([#7050](https://togithub.com/tektoncd/pipeline/issues/7050)) - :book: Fix typos and formatting in TaskRuns doc ([#7020](https://togithub.com/tektoncd/pipeline/issues/7020)) - :book: Update Matrix Documentation for Results ([#7012](https://togithub.com/tektoncd/pipeline/issues/7012)) - :book: \[TEP-0135] Improve workspace related documentation ([#6994](https://togithub.com/tektoncd/pipeline/issues/6994)) - :book: Remove warnings about matrix being non-functional ([#6986](https://togithub.com/tektoncd/pipeline/issues/6986)) - :book: Add v0.50 to releases.md ([#6967](https://togithub.com/tektoncd/pipeline/issues/6967)) - :book: \[TEP-0135] Update Affinity Assistant documentation ([#6892](https://togithub.com/tektoncd/pipeline/issues/6892)) #### Thanks Thanks to these contributors who contributed to v0.51.0! - :heart: [@AlanGreene](https://togithub.com/AlanGreene) - :heart: [@EmmaMunley](https://togithub.com/EmmaMunley) - :heart: [@HamzaMateen](https://togithub.com/HamzaMateen) - :heart: [@QuanZhang-William](https://togithub.com/QuanZhang-William) - :heart: [@afrittoli](https://togithub.com/afrittoli) - :heart: [@chitrangpatel](https://togithub.com/chitrangpatel) - :heart: [@cugykw](https://togithub.com/cugykw) - :heart: [@dependabot](https://togithub.com/dependabot)\[bot] - :heart: [@khrm](https://togithub.com/khrm) - :heart: [@lbernick](https://togithub.com/lbernick) - :heart: [@vdemeester](https://togithub.com/vdemeester) Extra shout-out for awesome release notes: - :heart_eyes: [@QuanZhang-William](https://togithub.com/QuanZhang-William) - :heart_eyes: [@afrittoli](https://togithub.com/afrittoli) - :heart_eyes: [@chitrangpatel](https://togithub.com/chitrangpatel) - :heart_eyes: [@cugykw](https://togithub.com/cugykw) - :heart_eyes: [@khrm](https://togithub.com/khrm) - :heart_eyes: [@lbernick](https://togithub.com/lbernick) - :heart_eyes: [@vdemeester](https://togithub.com/vdemeester) ### [`v0.50.6`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.50.6): Tekton Pipeline release v0.50.6 "Russian Blue Daneel Olivaw" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.50.5...v0.50.6) \-[Docs @ v0.50.6](https://togithub.com/tektoncd/pipeline/tree/v0.50.6/docs) \-[Examples @ v0.50.6](https://togithub.com/tektoncd/pipeline/tree/v0.50.6/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.6/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77ab39f94a9c6627f1ae85c428863d0dbdbea4c9481976f30c00d5f9f712a117720` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77ab39f94a9c6627f1ae85c428863d0dbdbea4c9481976f30c00d5f9f712a117720 rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.6/release.yaml REKOR_UUID=24296fb24b8ad77ab39f94a9c6627f1ae85c428863d0dbdbea4c9481976f30c00d5f9f712a117720 ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.6@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ### Features ##### Fixes - :bug: \[release-v0.50.x] Remove conversion configuration for ([#7798](https://togithub.com/tektoncd/pipeline/issues/7798)) emove conversion webhook configuration from the ClusterTask CRD, it doesn't need it. - :bug: \[release-v0.50.x] fix: ensure clustertask annotations are synced to taskrun ([#7656](https://togithub.com/tektoncd/pipeline/issues/7656)) ix: ensure `ClusterTask` annotations and labels are synced to `TaskRun` - :bug: \[release-v0.50.x] Fix validations for Sidecars to be consistent ([#7451](https://togithub.com/tektoncd/pipeline/issues/7451)) idecars are now validated at admission webhook - :bug: \[release-v0.50.x] don't return validation error when final tasks failed/skipped ([#7485](https://togithub.com/tektoncd/pipeline/issues/7485)) - \[release-v0.50.x] chore(deps): Migrate to github.com/go-jose/go-jose/v3 ([#7858](https://togithub.com/tektoncd/pipeline/issues/7858)) - \[release-v0.50.x] Update go-git/v5 for CVE-2023-49569 ([#7839](https://togithub.com/tektoncd/pipeline/issues/7839)) ##### Misc ##### Docs #### Thanks Thanks to these contributors who contributed to v0.50.6! - :heart: [@tekton-robot](https://togithub.com/tekton-robot) - :heart: [@vdemeester](https://togithub.com/vdemeester) Extra shout-out for awesome release notes: - :heart_eyes: [@tekton-robot](https://togithub.com/tekton-robot) - :heart_eyes: [@vdemeester](https://togithub.com/vdemeester) ### [`v0.50.5`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.50.5): Tekton Pipeline release v0.50.5 "Russian Blue Daneel Olivaw" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.50.4...v0.50.5) \-[Docs @ v0.50.5](https://togithub.com/tektoncd/pipeline/tree/v0.50.5/docs) \-[Examples @ v0.50.5](https://togithub.com/tektoncd/pipeline/tree/v0.50.5/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.5/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77a6931938578b4916b2944efdb45cd531e1913f85b8bc9c0a4e73512edcfbb86b5` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77a6931938578b4916b2944efdb45cd531e1913f85b8bc9c0a4e73512edcfbb86b5 rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.5/release.yaml REKOR_UUID=24296fb24b8ad77a6931938578b4916b2944efdb45cd531e1913f85b8bc9c0a4e73512edcfbb86b5 ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.5@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ##### Misc - :hammer: \[release-v0.50.x] Fix the controller and webhook images to use stable alpine ([#7370](https://togithub.com/tektoncd/pipeline/issues/7370)) The Tekton controller images are now based on a distroless base image which is built on top of Alpine 3.18 #### Thanks Thanks to these contributors who contributed to v0.50.5! - :heart: [@afrittoli](https://togithub.com/afrittoli) Extra shout-out for awesome release notes: - :heart_eyes: [@afrittoli](https://togithub.com/afrittoli) ### [`v0.50.4`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.50.4): Tekton Pipeline release v0.50.4 "Russian Blue Daneel Olivaw" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.50.3...v0.50.4) \-[Docs @ v0.50.4](https://togithub.com/tektoncd/pipeline/tree/v0.50.4/docs) \-[Examples @ v0.50.4](https://togithub.com/tektoncd/pipeline/tree/v0.50.4/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.4/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77a71dafca6c5f27aec2842996255eeda41ddd2b1cec5ca920da82d7239d7007e7a` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77a71dafca6c5f27aec2842996255eeda41ddd2b1cec5ca920da82d7239d7007e7a rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.4/release.yaml REKOR_UUID=24296fb24b8ad77a71dafca6c5f27aec2842996255eeda41ddd2b1cec5ca920da82d7239d7007e7a ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.4@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ##### Misc - :hammer: \[release-v0.50.x] Pin the distroless base image to a stable alpine ([#7362](https://togithub.com/tektoncd/pipeline/issues/7362)) The Tekton images are now based on a distroless base image which is built on top of Alpine 3.18 #### Thanks Thanks to these contributors who contributed to v0.50.4! - :heart: [@afrittoli](https://togithub.com/afrittoli) Extra shout-out for awesome release notes: - :heart_eyes: [@afrittoli](https://togithub.com/afrittoli) ### [`v0.50.3`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.50.3): Tekton Pipeline release v0.50.3 "Rusian Blue Daneel Olivaw" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.50.2...v0.50.3) \-[Docs @ v0.50.3](https://togithub.com/tektoncd/pipeline/tree/v0.50.3/docs) \-[Examples @ v0.50.3](https://togithub.com/tektoncd/pipeline/tree/v0.50.3/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.3/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77a8e347216bc80c82074f1721dbcfb1e10e487a0a2e5925d27cf46898c53bf6f5a` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77a8e347216bc80c82074f1721dbcfb1e10e487a0a2e5925d27cf46898c53bf6f5a rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.3/release.yaml REKOR_UUID=24296fb24b8ad77a8e347216bc80c82074f1721dbcfb1e10e487a0a2e5925d27cf46898c53bf6f5a ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.3@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ### Features ##### Fixes - \[v0.50.x] Bump GRPC Go to 1.56.3 to fix CVE ([#7234](https://togithub.com/tektoncd/pipeline/issues/7234)) This addresses https://github.com/advisories/GHSA-qppj-fm5r-hxr3 by not allowing more server handlers to be run than the HTTP/2 MAX_CONCURRENT_STREAMS setting. ##### Misc ##### Docs #### Thanks Thanks to these contributors who contributed to v0.50.3! - :heart: [@khrm](https://togithub.com/khrm) Extra shout-out for awesome release notes: - :heart_eyes: [@khrm](https://togithub.com/khrm) ### [`v0.50.2`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.50.2): Tekton Pipeline release v0.50.2 "Russian Blue Daneel Olivaw" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.50.1...v0.50.2) \-[Docs @ v0.50.2](https://togithub.com/tektoncd/pipeline/tree/v0.50.2/docs) \-[Examples @ v0.50.2](https://togithub.com/tektoncd/pipeline/tree/v0.50.2/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.2/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77a6726958468f17410d57decea33a20cc1c61cae727201991da57f788c4095926b` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77a6726958468f17410d57decea33a20cc1c61cae727201991da57f788c4095926b rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.2/release.yaml REKOR_UUID=24296fb24b8ad77a6726958468f17410d57decea33a20cc1c61cae727201991da57f788c4095926b ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.2@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ##### Fixes - :bug: \[release-v0.50.x] Regression: fix results with out of order tasks ([#7173](https://togithub.com/tektoncd/pipeline/issues/7173)) Fix regression where a different order of task definition may cause result resolution to break - :bug: \[release-v0.50.x] Validate beta features for inline pipelines and tasks ([#7080](https://togithub.com/tektoncd/pipeline/issues/7080)) Bug fix: validate beta features in inline tasks/pipelines in the same way as referenced tasks/pipelines - :bug: \[release-v0.50.x] Fix release pipeline (publish-to-bucket) ([#7045](https://togithub.com/tektoncd/pipeline/issues/7045)) Fixed the release pipeline invalid spec. - :bug: \[release-v0.50.x] Remove results annotations filtering ([#7131](https://togithub.com/tektoncd/pipeline/issues/7131)) - :bug: \[v0.50.x] Update knative/pkg 1.10 to address CVE-2023-44487 ([#7211](https://togithub.com/tektoncd/pipeline/issues/7211)) ##### Misc - :hammer: Increase the publish timeout ([#7215](https://togithub.com/tektoncd/pipeline/issues/7215)) ##### Docs - :book: \[release-v0.50.x] docs: Update references to examples from v1beta1 to v1 ([#7202](https://togithub.com/tektoncd/pipeline/issues/7202)) #### Thanks Thanks to these contributors who contributed to v0.50.2! - :heart: [@afrittoli](https://togithub.com/afrittoli) - :heart: [@khrm](https://togithub.com/khrm) - :heart: [@tekton-robot](https://togithub.com/tekton-robot) Extra shout-out for awesome release notes: - :heart_eyes: [@tekton-robot](https://togithub.com/tekton-robot) ### [`v0.50.1`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.50.1): Tekton Pipeline release v0.50.1 "Russian Blue Daneel Olivaw" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.50.0...v0.50.1) \-[Docs @ v0.50.1](https://togithub.com/tektoncd/pipeline/tree/v0.50.1/docs) \-[Examples @ v0.50.1](https://togithub.com/tektoncd/pipeline/tree/v0.50.1/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.1/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77a1b02a57c8f75368d54f3f986188b3692201557a51808b4bc4e8acc1fcb835e38` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77a1b02a57c8f75368d54f3f986188b3692201557a51808b4bc4e8acc1fcb835e38 rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.1/release.yaml REKOR_UUID=24296fb24b8ad77a1b02a57c8f75368d54f3f986188b3692201557a51808b4bc4e8acc1fcb835e38 ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.1@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ### Features ##### Fixes - :bug: \[release-v0.50.x] Make sure we use the correct namespace for remote Pipeline validation ([#7023](https://togithub.com/tektoncd/pipeline/issues/7023)) ix validation errors when using the cluster resolver - :bug: \[release-v0.50.x] Fix Taskrun Failure for Preempted Pod of Taskrun ([#7009](https://togithub.com/tektoncd/pipeline/issues/7009)) his fixes the Taskrun failure for Preempted Pod of Taskrun which uses PVC. ##### Misc ##### Docs #### Thanks Thanks to these contributors who contributed to v0.50.1! - :heart: [@tekton-robot](https://togithub.com/tekton-robot) Extra shout-out for awesome release notes: - :heart_eyes: [@tekton-robot](https://togithub.com/tekton-robot) ### [`v0.50.0`](https://togithub.com/tektoncd/pipeline/releases/tag/v0.50.0): Tekton Pipeline release v0.50.0 "Russian Blue Daneel Olivaw" [Compare Source](https://togithub.com/tektoncd/pipeline/compare/v0.49.0...v0.50.0) ### 🎉 v1beta1 deprecation (1 year support still) 🎉 \-[Docs @ v0.50.0](https://togithub.com/tektoncd/pipeline/tree/v0.50.0/docs) \-[Examples @ v0.50.0](https://togithub.com/tektoncd/pipeline/tree/v0.50.0/examples) #### Installation one-liner ```shell kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.0/release.yaml ``` #### Attestation The Rekor UUID for this release is `24296fb24b8ad77a1665fb7556e457413b181806c513eeea26f12c0bd118bcf14912ee6bbee395d9` Obtain the attestation: ```shell REKOR_UUID=24296fb24b8ad77a1665fb7556e457413b181806c513eeea26f12c0bd118bcf14912ee6bbee395d9 rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq . ``` Verify that all container images in the attestation are in the release file: ```shell RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.50.0/release.yaml REKOR_UUID=24296fb24b8ad77a1665fb7556e457413b181806c513eeea26f12c0bd118bcf14912ee6bbee395d9 ### Obtains the list of images with sha from the attestation REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.50.0@sha256:" + .digest.sha256') ### Download the release file curl "$RELEASE_FILE" > release.yaml ### For each image in the attestation, match it to the release file for image in $REKOR_ATTESTATION_IMAGES; do printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match"; done ``` #### Changes ### Features - :sparkles: Update Stability Level for CSI and Projected Volume Workspaces ([#6954](https://togithub.com/tektoncd/pipeline/issues/6954)) csi and projected volume workspaces are stable. - :sparkles: \[TEP-0029] Isolated steps and sidecar workspaces to beta ([#6922](https://togithub.com/tektoncd/pipeline/issues/6922)) The "isolated workspaces" feature allows users to share a workspace with dedicated steps and sidecars, instead of the whole TaskRun. The feature has been promoted to "beta". - :sparkles: \[TEP-0135] Revert PVC creation ([#6893](https://togithub.com/tektoncd/pipeline/issues/6893)) TEP-0135: Revert the owner of `PVCs` created by `pipelinerun VolumeClaimTemplate` back to `pipelinerun`. The `PVCs` bounded to the `pipelinerun` is now in `bounded` state when the `pipelinerun` is completed but not deleted. - :sparkles: \[TEP-0137] Add events config map ([#6883](https://togithub.com/tektoncd/pipeline/issues/6883)) action required: The `default-cloud-events-sink` setting in the `config-defaults` config map is deprecated. The CloudEvents sink shall be configured now through the `sink` settings in the new `config-events` config map. - :sparkles: TEP-0135: Introduce coschedule feature flags ([#6790](https://togithub.com/tektoncd/pipeline/issues/6790)) tep-0135: introduce `coschedule` feature flag - :sparkles: Add support for consuming whole array results in matrix ([#6603](https://togithub.com/tektoncd/pipeline/issues/6603)) TEP-0090: Pipeline Tasks may now reference whole array results in a Matrix. See https://github.com/tektoncd/pipeline/blob/09d422cff057f67170b4c2f76097ac6ffded33ef/docs/matrix.md?specifying-results-in-a-matrix#specifying-results-in-a-matrix docs for more information. - :sparkles: \[TEP-0135] Purge finalizer and delete PVC ([#6940](https://togithub.com/tektoncd/pipeline/issues/6940)) - :sparkles: \[TEP-0135] coschedule isolate pipelinerun ([#6929](https://togithub.com/tektoncd/pipeline/issues/6929)) - :sparkles: TEP-0135: implement per-pipelinerun coscheduling ([#6819](https://togithub.com/tektoncd/pipeline/issues/6819)) - :sparkles: Change ordering of ResolveResultRefs/ApplyTaskResults ([#6792](https://togithub.com/tektoncd/pipeline/issues/6792)) ##### Fixes - :bug: Add validation for feature-flags configmap to webhook ([#6935](https://togithub.com/tektoncd/pipeline/issues/6935)) Added validation for feature-flags configmap - :bug: Fix units for metric taskrun_pod_latency ([#6891](https://togithub.com/tektoncd/pipeline/issues/6891)) Bug fix: taskruns_pod_latency metric renamed to taskruns_pod_latency_milliseconds and units corrected - :bug: Perform webhook validation for remote pipelines ([#6887](https://togithub.com/tektoncd/pipeline/issues/6887)) bug fix: Remote Pipelines do not support propagated parameters and workspaces - :bug: Fix PipelineRun reconciler panic for computed timeouts ([#6886](https://togithub.com/tektoncd/pipeline/issues/6886)) bug fix: Avoid controller panics for computed timeouts - :bug: Fail PipelineRun when it can't create Runs ([#6866](https://togithub.com/tektoncd/pipeline/issues/6866)) bug fix: PipelineRun marked as failed when it cannot create TaskRuns or CustomRuns for a non-retryable reason - :bug: Use the same validation for all taskrefs ([#6854](https://togithub.com/tektoncd/pipeline/issues/6854)) bug fix: Disallow taskref.name with taskref.resolver in pipeline tasks - :bug: merge podTemplates instead of overriding ([#6850](https://togithub.com/tektoncd/pipeline/issues/6850)) Merge podTemplate specified in pipelineRun.spec.taskRunSpecs\[].podTemplate along with pipelineRun.spec.podTemplate instead of only considering the one specified at the taskRunSpecs. - :bug: Fix workingdirinit step for Windows tasks ([#6820](https://togithub.com/tektoncd/pipeline/issues/6820)) Fixed an issue where Windows tasks would fail if one or more steps were configured with a custom working directory. - :bug: Fail upgrade tests when test script fails ([#6871](https://togithub.com/tektoncd/pipeline/issues/6871)) - :bug: Restore Upgrade Test Scenario2 by creating simple Task and Pipeline resources ([#6855](https://togithub.com/tektoncd/pipeline/issues/6855)) - :bug: Fix release pipeline ([#6849](https://togithub.com/tektoncd/pipeline/issues/6849)) - :bug: Fix flake of TestPipelineTaskTimeout ([#6955](https://togithub.com/tektoncd/pipeline/issues/6955)) - :bug: Fix flaky Affinity Assistant test ([#6925](https://togithub.com/tektoncd/pipeline/issues/6925)) ##### Misc - :hammer: Move feature flags testing functions into testing package ([#6933](https://togithub.com/tektoncd/pipeline/issues/6933)) Some exported functions moved from pkg/apis/config to pkg/apis/config/testing - :hammer: cleaning up config-artifact-\* ([#6902](https://togithub.com/tektoncd/pipeline/issues/6902)) config-artifact-pvc and config-artifact-bucket are deleted as resources from the tekton-pipelines-controller role. CONFIG_ARTIFACT_PVC_NAME and CONFIG_ARTIFACT_BUCKET_NAME are deleted from the tekton-pipelines-controller deployment. - :hammer: Bump knative/pkg to 1.10 ([#6907](https://togithub.com/tektoncd/pipeline/issues/6907)) native/pkg is updated to v1.10 - :hammer: \[TEP-0137] Rename customrun package ([#6884](https://togithub.com/tektoncd/pipeline/issues/6884)) The `CustomRun` events controller has been moved to the `pkg/reconciler/notifications` package. - :hammer: Replace redundant function CheckAlphaOrBetaFields ([#6934](https://togithub.com/tektoncd/pipeline/issues/6934)) - :hammer: Delete .ko.yaml ([#6931](https://togithub.com/tektoncd/pipeline/issues/6931)) - :hammer: Fix typo in AffinityAssistantBehavior ([#6930](https://togithub.com/tektoncd/pipeline/issues/6930)) - :hammer: Deduplicate examples tests between v1 and v1beta1 ([#6908](https://togithub.com/tektoncd/pipeline/issues/6908)) - :hammer: Reduce spam in integration test logs ([#6873](https://togithub.com/tektoncd/pipeline/issues/6873)) - :hammer: Remove yaml tests ([#6872](https://togithub.com/tektoncd/pipeline/issues/6872)) - :hammer: Add Testing: Failed Matrix PipelineRun for Out Of Bounds Array Indexing Results ([#6852](https://togithub.com/tektoncd/pipeline/issues/6852)) - :hammer: Refactor failure logic in pipelinerun resolution ([#6801](https://togithub.com/tektoncd/pipeline/issues/6801)) - :hammer: Bump k8s.io/api from 0.26.6 to 0.26.7 in /test/custom-task-ctrls/wait-task-beta ([#6951](https://togithub.com/tektoncd/pipeline/issues/6951)) - :hammer: Fix logger Fatalf message ([#6946](https://togithub.com/tektoncd/pipeline/issues/6946)) - :hammer: Do not require enable-api-fields=alpha for spire ([#6939](https://togithub.com/tektoncd/pipeline/issues/6939)) - :hammer: Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.1 ([#6912](https://togithub.com/tektoncd/pipeline/issues/6912)) - :hammer: Bump github.com/spiffe/spire-api-sdk from 1.6.3 to 1.7.0 ([#6911](https://togithub.com/tektoncd/pipeline/issues/6911)) - :hammer: Bump github.com/opencontainers/image-spec from 1.1.0-rc3 to 1.1.0-rc4 ([#6910](https://togithub.com/tektoncd/pipeline/issues/6910)) - :hammer: Bump google.golang.org/grpc from 1.55.0 to 1.56.2 ([#6904](https://togithub.com/tektoncd/pipeline/issues/6904)) - :hammer: Ignore SA in assertion ([#6898](https://togithub.com/tektoncd/pipeline/issues/6898)) - :hammer: Add upgrade test against previous server version to prevent regressions ([#6896](https://togithub.com/tektoncd/pipeline/issues/6896)) - :hammer: Bump golang.org/x/sync from 0.2.0 to 0.3.0 ([#6880](https://togithub.com/tektoncd/pipeline/issues/6880)) - :hammer: Bump github.com/tektoncd/pipeline from 0.48.0 to 0.49.0 in /test/custom-task-ctrls/wait-task-beta ([#6853](https://togithub.com/tektoncd/pipeline/issues/6853)) - :hammer: Bump k8s.io/api from 0.26.5 to 0.26.6 in /test/custom-task-ctrls/wait-task-beta ([#6835](https://togithub.com/tektoncd/pipeline/issues/6835)) - :hammer: Bump k8s.io/client-go from 0.25.10 to 0.25.11 in /test/custom-task-ctrls/wait-task-beta ([#6834](https://togithub.com/tektoncd/pipeline/issues/6834)) - :hammer: Improve taskref_test coverage with more error test cases ([#6813](https://togithub.com/tektoncd/pipeline/issues/6813)) - :hammer: formating error ([#6795](https://togithub.com/tektoncd/pipeline/issues/6795)) ##### Docs - :book: \[RFC] Increase support window for v1beta1 CRDs to 1 year ([#6923](https://togithub.com/tektoncd/pipeline/issues/6923)) Support window for beta CRDs increased to 1 year - :book: Mark v1beta1 apis as deprecated ([#6876](https://togithub.com/tektoncd/pipeline/issues/6876)) action required: v1beta1 Task, TaskRun, Pipeline, and PipelineRun APIs are deprecated and will be removed. Please migrate to the v1 versions of these APIs following the migration guide at https://github.com/tektoncd/pipeline/blob/main/docs/migrating-v1beta1-to-v1.md. - :book: Document that Workspaces can be unused ([#6917](https://togithub.com/tektoncd/pipeline/issues/6917)) - :book: documenting the latest patch release - v0.44.4 ([#6895](https://togithub.com/tektoncd/pipeline/issues/6895)) - :book: updating releases with 0.47.3 ([#6875](https://togithub.com/tektoncd/pipeline/issues/6875)) - :book: Add set-security-context to feature flags docs ([#6865](https://togithub.com/tektoncd/pipeline/issues/6865)) - :book: Add compatibility policy for ResolutionRequests ([#6864](https://togithub.com/tektoncd/pipeline/issues/6864)) - :book: Update releases.md ([#6851](https://togithub.com/tektoncd/pipeline/issues/6851)) - :book: Add instructions for picking commit in the release ([#6735](https://togithub.com/tektoncd/pipeline/issues/6735)) #### Thanks Thanks to these contributors who contributed to v0.50.0! - :heart: [@EmmaMunley](https://togithub.com/EmmaMunley) - :heart: [@JeromeJu](https://togithub.com/JeromeJu) - :heart: [@QuanZhang-William](https://togithub.com/QuanZhang-William) - :heart: [@afrittoli](https://togithub.com/afrittoli) - :heart: [@aiden-deloryn](https://togithub.com/aiden-deloryn) - :heart: [@amisskii](https://togithub.com/amisskii) - :heart: [@bhujangr](https://togithub.com/bhujangr) - :heart: [@chuangw6](https://togithub.com/chuangw6) - :heart: [@dependabot](https://togithub.com/dependabot)\[bot] - :heart: [@imjasonh](https://togithub.com/imjasonh) - :heart: [@jimmyjones2](https://togithub.com/jimmyjones2) - :heart: [@lbernick](https://togithub.com/lbernick) - :heart: [@piyush-garg](https://togithub.com/piyush-garg) - :heart: [@pritidesai](https://togithub.com/pritidesai) - :heart: [@vdemeester](https://togithub.com/vdemeester) Extra shout-out for awesome release notes: - :heart_eyes: [@EmmaMunley](https://togithub.com/EmmaMunley) - :heart_eyes: [@JeromeJu](https://togithub.com/JeromeJu) - :heart_eyes: [@QuanZhang-William](https://togithub.com/QuanZhang-William) - :heart_eyes: [@afrittoli](https://togithub.com/afrittoli) - :heart_eyes: [@aiden-deloryn](https://togithub.com/aiden-deloryn) - :heart_eyes: [@lbernick](https://togithub.com/lbernick) - :heart_eyes: [@pritidesai](https://togithub.com/pritidesai) - :heart_eyes: [@vdemeester](https://togithub.comConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.