Skip to content

Update module github.com/tektoncd/pipeline to v1.12.2 (main)#3369

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-patch-tektoncd-pipelines
Open

Update module github.com/tektoncd/pipeline to v1.12.2 (main)#3369
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-patch-tektoncd-pipelines

Conversation

@renovate

@renovate renovate Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/tektoncd/pipeline v1.12.0v1.12.2 age adoption passing confidence

Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.12.2: Tekton Pipeline release v1.12.2 "Exotic Shorthair Elektrobots LTS"

Compare Source

-Docs @​ v1.12.2
-Examples @​ v1.12.2

Installation one-liner
kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.2/release.yaml
Attestation

The Rekor UUID for this release is cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187

Obtain the attestation:

REKOR_UUID=cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.2/release.yaml
REKOR_UUID=cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.2@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done
Changes
Features
Fixes
Misc
  • 🔨 build(deps): bump k8s.io/client-go from 0.35.5 to 0.35.6 (#​10289)
Docs
Thanks

Thanks to these contributors who contributed to v1.12.2!

Extra shout-out for awesome release notes:

v1.12.1: Tekton Pipeline release v1.12.1 "Exotic Shorthair Elektrobots LTS"

Compare Source

-Docs @​ v1.12.1
-Examples @​ v1.12.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml
REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.1@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#​10252)

efore this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

  • 🐛 [cherry-pick: release-v1.12.x] fix: TaskRun stuck in Running when init container is OOMKilled with enableKubernetesSidecar (#​10186)

ix: TaskRun no longer gets stuck in Running when an init container (e.g. prepare) is OOMKilled while enableKubernetesSidecar is enabled. The TaskRun is now correctly marked as Failed immediately.

  • 🐛 [cherry-pick: release-v1.12.x] Fix cross-arch platform command lookup in entrypoint (#​10164)

ix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.

  • 🐛 [cherry-pick: release-v1.12.x] fix: truncate affinity assistant volume names to 63 characters (#​10137)

ffinity assistant StatefulSet no longer fails when workspace volumeClaimTemplate names exceed 63 characters. Long volume names are now automatically truncated with a hash suffix to stay within the Kubernetes limit.

  • 🐛 [cherry-pick: release-v1.12.x] fix(pipelinerun): use generateName for anonymous pipeline label (#​10079)

Previously, TaskRuns' tekton.dev/pipeline label for anonymous Pipelines would use their PipelineRun's name in their tekton.dev/pipeline label and pipeline metrics tag. After this change, TaskRun and PipelineRun which are created from anonymous Pipelines now reference a sanitized metadata.generateName, when present, for the label tekton.dev/pipeline. Similarly, these TaskRruns and PipelineRuns will populate their respective metrics' pipeline tag with the sanitized generateName instead of using anonymous.

  • 🐛 [release-v1.12.x] Fix gen-crd-api-reference-docs require to use fetchable version (#​10001)

ix gen-crd-api-reference-docs go.mod require to use a fetchable upstream version, fixing module resolution failures for downstream consumers.

  • 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): validate data is Tekton object in resolver framework (#​9963)

Fixes a bug which lets Tekton Resolvers resolve non-tekton objects and arbitrary data. After this change, resolving a non-tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequest which use the Resolver API for other object types will no longer function.

  • 🐛 [release-v1.12.x] fix: replace symlinks with subpath params and fix Rekor UUID in release pipeline (#​10216)
  • 🐛 [cherry-pick: release-v1.12.x] Fix PipelineRun premature failure when TaskRun recovers after pod eviction (#​10161)
Misc
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10265)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10234)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#​10229)
  • 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#​10200)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#​10199)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10194)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.8 (#​10168)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.6 to 1.10.8 (#​10150)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.6 to 1.10.8 (#​10149)
  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.14.7 (#​10148)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.6 to 1.10.8 (#​10147)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.6 to 1.10.8 (#​10146)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10130)
  • 🔨 build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#​10129)
  • 🔨 build(deps): bump the all group across 1 directory with 4 updates (#​10094)
  • 🔨 build(deps): bump step-security/harden-runner from 2.19.2 to 2.19.4 (#​10093)
  • 🔨 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#​10092)
  • 🔨 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#​10091)
  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 (#​10070)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.5 to 1.10.6 (#​10065)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.5 to 1.10.6 (#​10064)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 (#​10063)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.5 to 1.10.6 (#​10062)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.5 to 1.10.6 (#​10061)
  • 🔨 build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.2 (#​10046)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10041)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.35.5 (#​10034)
  • 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 in /test/custom-task-ctrls/wait-task-beta (#​10023)
  • 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.21 to 1.15.22 (#​10018)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.28.0 to 0.28.1 (#​10017)
  • 🔨 build(deps): bump github/codeql-action from 4.35.2 to 4.35.4 (#​9994)
  • 🔨 build(deps): bump chainguard/go from 7ec9277 to a4477c3 in /tekton in the all group (#​9993)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#​9983)
  • 🔨 build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#​9981)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9976)
Docs

Thanks

Thanks to these contributors who contributed to v1.12.1!

Extra shout-out for awesome release notes:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge June 27, 2026 02:05
@renovate

renovate Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/google/cel-go v0.28.0 -> v0.28.1
File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/google/cel-go v0.28.0 -> v0.28.1

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:07 AM UTC · Completed 2:13 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026

Copy link
Copy Markdown

Review of #3369 — Update module github.com/tektoncd/pipeline to v1.12.2

Verdict: ✅ Approve

Summary

Mechanical dependency version bump generated by Renovate bot. Updates github.com/tektoncd/pipeline from v1.12.0 to v1.12.2 (patch) and transitive dependency github.com/google/cel-go from v0.28.0 to v0.28.1 (patch), across both the root and acceptance/ Go modules.

Review dimensions

Dimension Result
Correctness ✅ No issues. Patch-level semver bumps; API surface (used via pkg/remote/oci and pkg/apis/pipeline/v1) is stable. Both root and acceptance modules updated in lockstep. No test files modified.
Security ✅ No issues. No secrets, injection patterns, permission changes, or supply-chain concerns. Checksums in go.sum provide build-time integrity verification.
Intent & coherence ✅ Authorization implicit from mechanical nature of change (Renovate bot, value-only diff).
Style & conventions ✅ No issues. Version strings follow existing go.mod patterns.
Documentation currency ✅ No staleness. No documentation in the repo references specific Go module versions for these dependencies.
Cross-repo contracts ✅ Not applicable. No exported interfaces, schemas, or APIs modified.

Notes

  • The tools/go.mod module also depends on tektoncd/pipeline v1.12.0 (indirectly via tektoncd/chains) but is not updated in this PR. This is expected — it is a separate Go module and may be updated in a separate Renovate PR.
Previous run

Review — ✅ Approve

PR: Update github.com/tektoncd/pipeline v1.12.0 → v1.12.2 (patch bump)
Author: renovate[bot]

Summary

This is a standard automated Renovate dependency update bumping tektoncd/pipeline from v1.12.0 to v1.12.2, a patch-level update within the same LTS line ("Exotic Shorthair Elektrobots LTS"). The change is confined to go.mod and go.sum files in both the root module and the acceptance/ module — no source code changes.

Analysis

Correctness

  • The primary update (tektoncd/pipeline v1.12.0 → v1.12.2) is a patch bump. The upstream release notes confirm only bug fixes and dependency bumps with no API changes or breaking changes.
  • This project uses tektoncd/pipeline for stable v1 APIs (pkg/apis/pipeline/v1), OCI remote operations (pkg/remote/oci), and Tekton client sets — all unchanged in patch releases.
  • The go.mod and go.sum files are internally consistent across both modules.

Transitive dependency changes:

  • go-securesystemslib v0.10.0 → v0.11.0 (minor bump; used for DSSE envelope verification in VSA validation) — the dsse package APIs used by this project are stable.
  • sigstore/sigstore v1.10.5 → v1.10.8 (patch bump)
  • google/cel-go v0.28.0 → v0.28.1 (patch bump)
  • letsencrypt/boulder date-based bump
  • Various aws/aws-sdk-go-v2 sub-packages: patch bumps
  • aws/smithy-go v1.24.2 → v1.25.1
  • New transitive dependency: github.com/youmark/pkcs8 (PKCS#8 key handling, pulled in by go-securesystemslib v0.11.0)
  • Removed unused indirect deps: aws/aws-sdk-go-v2/internal/ini from go.mod; aws/aws-sdk-go-v2 and aws/aws-sdk-go-v2/config from acceptance/go.mod

Security

  • All updates move to newer versions — security positive.
  • sigstore/sigstore and go-securesystemslib are security-sensitive libraries; updating them to latest patches is beneficial.
  • No known CVEs introduced.

Intent & scope

  • Standard Renovate bot PR matching the repo's established dependency update workflow.
  • Appropriately scoped to dependency manifest files only.

Upstream release highlights (v1.12.1 & v1.12.2):

  • Fix: TaskRun stuck in Running when init container is OOMKilled
  • Fix: Cross-arch platform command lookup in entrypoint
  • Fix: Truncate affinity assistant volume names to 63 characters
  • Fix: PipelineRun premature failure when TaskRun recovers after pod eviction
  • Fix: ResolutionRequests can now resolve all Tekton kinds
  • Misc: dependency bumps (k8s client-go, sigstore, cel-go)

No findings.

Previous run (2)

Review

Verdict: approve ✅

Summary

Automated Renovate dependency update bumping github.com/tektoncd/pipeline from v1.12.0 to v1.12.2 (patch release). Changes are confined to go.mod and go.sum in both the root module and the acceptance/ module — no source code is modified.

Changes reviewed

  • Primary dependency: github.com/tektoncd/pipeline v1.12.0 → v1.12.2 — an LTS patch release containing only bug fixes (OOMKilled TaskRun handling, cross-architecture platform command lookup, volume name truncation, ResolutionRequest kind validation) and dependency bumps. No breaking changes or deprecations documented.
  • Transitive dependency bumps (all patch/minor):
    • go-securesystemslib v0.10.0 → v0.11.0
    • sigstore/sigstore v1.10.5 → v1.10.8 (and KMS sub-packages)
    • google/cel-go v0.28.0 → v0.28.1
    • letsencrypt/boulder date bump
    • miekg/dns v1.1.61 → v1.1.62
    • Various AWS SDK v2 patch bumps
    • aws/smithy-go v1.24.2 → v1.25.1
  • New transitive dependency: youmark/pkcs8 — PKCS#8 key handling library, pulled in transitively.
  • Removed: aws-sdk-go-v2/internal/ini from root go.mod (cleanup, no longer needed).

Assessment

Dimension Status
Correctness ✅ No logic changes; go.sum hashes are consistent
Security ✅ Security libraries updated to newer patches
Intent & coherence ✅ Standard automated dependency update, properly scoped
Style & conventions ✅ go.mod/go.sum only
Documentation ✅ No code changes that would affect docs
Cross-repo contracts ✅ No API or interface changes

No findings.

Previous run (3)

Review — approve

Summary

Routine Renovate bot dependency update bumping github.com/tektoncd/pipeline from v1.12.0 → v1.12.2 (patch). Changes are exclusively in go.mod and go.sum across both the root and acceptance/ modules. No source code changes.

Dependency changes

Package Old New Type
tektoncd/pipeline v1.12.0 v1.12.2 direct, patch
sigstore/sigstore v1.10.5 v1.10.8 direct, patch
secure-systems-lab/go-securesystemslib v0.10.0 v0.11.0 direct, minor
google/cel-go v0.28.0 v0.28.1 indirect, patch
letsencrypt/boulder 0.20260223.0 0.20260309.0 indirect, date
miekg/dns v1.1.61 v1.1.62 indirect, patch
aws/aws-sdk-go-v2 (+ sub-packages) various various indirect, patch/minor
aws/smithy-go v1.24.2 v1.25.1 indirect, minor
youmark/pkcs8 v0.0.0-20240726 new indirect

Analysis

  • Correctness: The primary update is a patch version bump (v1.12.0 → v1.12.2), which per semver should contain only bug fixes. Transitive dependency updates are consistent with the updated dependency tree. The go.sum hash changes are expected. No API surface or source code is affected.
  • Security: Several security-adjacent libraries are updated (sigstore, go-securesystemslib, letsencrypt/boulder), which may include security fixes. The new youmark/pkcs8 indirect dependency is a PKCS#8 key handling library, likely pulled in by the updated dependency chain — this is a well-known cryptographic utility package.
  • Coherence: Standard automated dependency update, consistent with the project's Renovate configuration. Both the root module and acceptance/ module are updated in sync.
  • go-securesystemslib minor bump (v0.10.0 → v0.11.0): This is a minor version change on an indirect dependency. Minor versions may introduce new APIs but should not break existing ones. The consuming direct dependencies (sigstore, tektoncd/pipeline) have been tested against this version.
  • Removed indirect deps: aws/aws-sdk-go-v2/internal/ini is removed from go.mod — it's no longer needed in the updated dependency tree. In acceptance/go.mod, aws/aws-sdk-go-v2 and aws/aws-sdk-go-v2/config are removed from the indirect section as they're no longer transitive requirements of the acceptance module.

Verdict

No blocking findings. This is a low-risk, automated patch-level dependency update with no source code changes. CI validation (tests, lint) should confirm compatibility.

Previous run (4)

Review — Approve ✅

Summary

Automated Renovate bot dependency update bumping github.com/tektoncd/pipeline from v1.12.0 → v1.12.2 (patch version, LTS release). Changes are confined to go.mod and go.sum files in both the root and acceptance/ modules — no source code modifications.

Change analysis

Primary update:

  • github.com/tektoncd/pipeline v1.12.0 → v1.12.2

Transitive dependency updates:

  • github.com/secure-systems-lab/go-securesystemslib v0.10.0 → v0.11.0
  • github.com/sigstore/sigstore (+ KMS sub-packages) v1.10.5 → v1.10.8
  • github.com/google/cel-go v0.28.0 → v0.28.1
  • github.com/letsencrypt/boulder v0.20260223.0 → v0.20260309.0
  • github.com/miekg/dns v1.1.61 → v1.1.62
  • Various AWS SDK v2 packages (patch bumps)
  • New indirect: github.com/youmark/pkcs8

Upstream release notes

v1.12.1 contains several bug fixes including resolver validation tightening (Resolvers now only resolve StepActions, Tasks, and Pipelines), OOMKill handling improvements, cross-architecture platform command lookup fixes, and affinity assistant volume name truncation. v1.12.2 is a build-only dependency bump (k8s.io/client-go 0.35.5 → 0.35.6).

Risk assessment

  • No source code changes — only dependency metadata files modified
  • All version bumps are patch or minor within the same major version
  • The go.sum entries are internally consistent
  • The upstream v1.12.1 resolver validation change (restricting to Tekton object types only) is a security hardening that aligns with this project's supply chain verification goals
  • Renovate automerge is enabled for this PR, indicating team trust in this update pattern

No findings above the severity threshold.

Previous run (5)

Review

Outcome: Approve

Summary

Automated Renovate dependency update bumping github.com/tektoncd/pipeline from v1.12.0 to v1.12.2 (patch). Changes are exclusively in go.mod and go.sum files (root and acceptance/). No source code modifications.

Direct dependency changes

Package From To Bump
github.com/tektoncd/pipeline v1.12.0 v1.12.2 patch
github.com/secure-systems-lab/go-securesystemslib v0.10.0 v0.11.0 minor
github.com/sigstore/sigstore v1.10.5 v1.10.8 patch

Notable transitive dependency changes

  • AWS SDK v2 packages updated to newer patch versions; internal/ini removed from go.mod
  • youmark/pkcs8 added as new indirect dependency (PKCS#8 key handling)
  • google/cel-go v0.28.0 → v0.28.1 (patch)
  • letsencrypt/boulder v0.20260223.0 → v0.20260309.0
  • miekg/dns v1.1.61 → v1.1.62 (patch)
  • aws/aws-sdk-go-v2 and aws/aws-sdk-go-v2/config removed from acceptance/go.mod (no longer needed as direct indirect deps)

Upstream release analysis

Tekton Pipeline v1.12.1 includes substantive bug fixes:

  • Security improvement: Resolvers now validate data is a Tekton object, preventing resolution of arbitrary data via the Resolver API
  • Fix for TaskRun stuck in Running when init container is OOMKilled with enableKubernetesSidecar
  • Fix for cross-arch platform command lookup in entrypoint
  • Fix for affinity assistant volume name truncation to 63 characters
  • Fix for PipelineRun premature failure after pod eviction recovery

Tekton Pipeline v1.12.2 contains only a transitive dependency bump (k8s.io/client-go 0.35.5 → 0.35.6).

Risk assessment

  • go-securesystemslib minor bump (v0.10 → v0.11): The project imports dsse and encrypted sub-packages. This is a transitive requirement from the tektoncd/pipeline upgrade. Renovate ran go mod tidy successfully, and the Go module system would catch compilation-breaking API changes.
  • No source code changes means no new logic or behavioral changes beyond what the updated dependencies introduce internally.
  • All updated packages are well-maintained, widely-used projects with proper semver adherence.

Verdict

No blocking findings. This is a standard automated patch-level dependency update with beneficial upstream bug fixes (including a security-relevant resolver validation fix). The changes are confined to module manifests and checksums.


Labels: Automated dependency update via Renovate — go.mod/go.sum only

Previous run (6)

Review

Outcome: Approve

Summary

This is a Renovate-generated patch-level dependency update of github.com/tektoncd/pipeline from v1.12.0 to v1.12.2 (LTS line), along with accompanying transitive dependency updates across both the root and acceptance Go modules.

Changes reviewed (4 files):

  • go.mod / go.sum — root module
  • acceptance/go.mod / acceptance/go.sum — acceptance test module

No source code (.go files) is modified. All changes are version bumps and hash updates in dependency manifests.

Analysis

Correctness: No issues. Both modules are updated consistently. The Tekton Pipeline v1.12.1/v1.12.2 patch releases contain only bug fixes (ResolutionRequest resolution, OOMKilled TaskRun handling, cross-arch platform lookup, volume name truncation) and dependency bumps — no public API changes. All tektoncd/pipeline API surface used by this codebase (pkg/apis/pipeline/v1, pkg/remote/oci, pkg/client/clientset) remains backward-compatible. The go-securesystemslib v0.10.0→v0.11.0 minor bump only adds a new VerifyAndDecode() method and optimizes PAE() internals — all existing API surface is unchanged. Dependency removals (aws/aws-sdk-go-v2/internal/ini, AWS SDK entries from acceptance indirect deps) are consistent with go mod tidy after transitive dependency restructuring.

Security: No issues. This update is security-positive — it brings in patches for sigstore v1.10.8 (includes fix for path traversal in legacy TUF client) and Tekton Pipeline bug fixes. The new transitive dependency github.com/youmark/pkcs8 is a well-established PKCS#8 key format library. No permission manifests, RBAC definitions, or workflow files are changed. No secrets, injection patterns, or suspicious content detected.

Scope: Mechanical Renovate dependency update — authorization is implicit from the automated nature of the change.

Style/Conventions: All changes follow established go.mod/go.sum patterns. No deviations.

Documentation: No source code changes, so no documentation staleness risk.

Cross-repo contracts: No exported interfaces or public APIs are modified.

Verdict

Clean dependency update with no blocking findings. The patch bump is within the LTS release line and brings security and stability improvements.

Previous run (7)

Review — approve

Summary

Automated Renovate patch update of github.com/tektoncd/pipeline from v1.12.0 → v1.12.2 (LTS line). Changes are confined to go.mod and go.sum files in both the root and acceptance/ modules. No source code changes.

Upstream Changes

The upstream v1.12.1 release includes several notable bug fixes:

  • Resolver validation — ResolutionRequests can now resolve all Tekton kinds (PipelineRuns, TaskRuns, Runs, CustomRuns, StepActions), and non-Tekton objects are properly rejected
  • OOMKill handling — TaskRuns no longer get stuck in Running when an init container is OOMKilled with enableKubernetesSidecar
  • Cross-arch platform fix — Entrypoint command lookup no longer leaks the controller's CPU variant into platform keys
  • Affinity assistant — Volume names exceeding 63 characters are now truncated with a hash suffix
  • PipelineRun eviction — Fixed premature failure when TaskRun recovers after pod eviction

The v1.12.2 release is a k8s.io/client-go dependency bump only.

Transitive Dependency Changes

All transitive updates are consistent with the primary dependency bump:

  • sigstore/sigstore v1.10.5 → v1.10.8 (patch)
  • secure-systems-lab/go-securesystemslib v0.10.0 → v0.11.0 (minor, indirect)
  • google/cel-go v0.28.0 → v0.28.1 (patch)
  • letsencrypt/boulder date-version bump (patch)
  • AWS SDK v2 components: patch-level bumps
  • miekg/dns v1.1.61 → v1.1.62 (patch)
  • New transitive dependency: youmark/pkcs8 (PKCS#8 key handling, pulled in by sigstore chain)
  • Removed unused indirect AWS SDK entries from acceptance/go.mod (go mod tidy cleanup)

Findings

No findings at low severity or above. All changes are mechanical dependency version bumps with no source code impact.

Previous run (8)

Review

Verdict: Approve ✅

Summary

This is a routine patch version bump of github.com/tektoncd/pipeline from v1.12.0 → v1.12.2, generated by Renovate bot. The change is confined to dependency manifests (go.mod and go.sum) in both the root module and the acceptance/ sub-module. No source code is modified.

Changes reviewed

  • Primary dependency: github.com/tektoncd/pipeline v1.12.0 → v1.12.2 (patch bump)
  • Transitive dependency updates: aws-sdk-go-v2 family, sigstore/sigstore v1.10.5 → v1.10.8, secure-systems-lab/go-securesystemslib v0.10.0 → v0.11.0, google/cel-go v0.28.0 → v0.28.1, letsencrypt/boulder date bump
  • New indirect dependency: github.com/youmark/pkcs8 (PKCS#8 key parsing library, well-established)
  • Removed indirect dependencies: aws-sdk-go-v2/internal/ini (no longer needed in transitive graph)

Review dimensions

Dimension Result Notes
Correctness ✅ No findings Both modules updated consistently; go.sum provides integrity verification
Security ✅ No findings No secrets, no permission changes; upgrade is security-positive (v1.12.1 includes resolver validation fix)
Intent & coherence ✅ Implicit authorization Mechanical dependency bump by Renovate bot; no architectural review required
Style & conventions ✅ No findings Value-only changes follow existing go.mod patterns
Documentation ✅ No findings No source code changes; no documentation impact
Cross-repo contracts ⏭ Skipped No exported interfaces or API surfaces modified

Notable upstream fixes included

The tektoncd/pipeline v1.12.1 → v1.12.2 releases include several bug fixes:

  • Resolver framework now validates Tekton objects, preventing resolution of arbitrary non-Tekton data
  • TaskRun no longer stuck in Running when init container is OOMKilled
  • Cross-arch platform command lookup fix for entrypoint
  • Affinity assistant volume name truncation for long workspace names
  • PipelineRun premature failure fix after pod eviction
Previous run (9)

Review — approve

PR: #3369 — Update module github.com/tektoncd/pipeline to v1.12.2 (main)

Summary

This is a mechanical dependency update from Renovate that bumps github.com/tektoncd/pipeline from v1.12.0 to v1.12.2 (patch release), along with associated transitive dependency updates in both the root module and the acceptance/ test module.

Files changed: go.mod, go.sum, acceptance/go.mod, acceptance/go.sum

Review dimensions

Dimension Result
Correctness ✅ All tektoncd/pipeline APIs used in the codebase are stable v1 types (Task, TaskRun, Param, Pipeline, OCI constants, client factory). Patch release — no API breakage expected. No test files modified.
Security ✅ No source code, workflow, or permission changes. Only go.mod/go.sum modifications with checksums verified by the Go checksum database. No known CVEs motivate this bump (v1.12.0 already includes all prior CVE fixes).
Intent & coherence ✅ Mechanical Renovate dependency bump — scope authorization implicit.
Style & conventions ✅ No style-relevant changes — early exit.
Documentation ✅ No source code changes — no documentation staleness possible.
Cross-repo contracts ✅ No exported APIs modified — skipped.

Transitive dependency changes

  • AWS SDK v2 sub-modules: patch bumps (e.g., v1.41.4 → v1.41.7)
  • sigstore/sigstore: v1.10.5 → v1.10.8 (patch)
  • secure-systems-lab/go-securesystemslib: v0.10.0 → v0.11.0 (minor, pre-1.0; API surface used is stable)
  • google/cel-go: v0.28.0 → v0.28.1 (patch)
  • letsencrypt/boulder: date bump
  • New transitive dep: youmark/pkcs8 (PKCS#8 key handling, already present in tools module)
  • Removed indirect entries: aws-sdk-go-v2/internal/ini (folded into other modules)

Notes

  • The tools/go.mod module also depends on tektoncd/pipeline v1.12.0 (indirect) but is not updated in this PR. This is acceptable — it is a separate Go module and the dependency is indirect.
  • CI build and test success should confirm no API incompatibilities from the bump.

No blocking findings. This is a clean, low-risk patch-level dependency update.


Labels: Dependency version bump in go.mod/go.sum

Previous run (10)

Review — Approve ✅

PR: Update module github.com/tektoncd/pipeline to v1.12.2 (main)
Author: renovate[bot]
Risk: Low

Summary

This is an automated Renovate dependency update bumping github.com/tektoncd/pipeline from v1.12.0 → v1.12.2 (patch release). Only go.mod and go.sum files are changed (4 files total) — no source code modifications.

Analysis

Primary dependency:

  • github.com/tektoncd/pipeline v1.12.0 → v1.12.2 — a patch-level LTS release containing bug fixes only (OOMKilled TaskRun handling, cross-arch entrypoint lookup, volume name truncation, anonymous pipeline label fix, resolver validation hardening). No breaking changes or deprecations.

Transitive dependency changes (all indirect):

  • go-securesystemslib v0.10.0 → v0.11.0 (minor bump; used for dsse and encrypted subpackages — stable interfaces)
  • sigstore/sigstore v1.10.5 → v1.10.8 (patch)
  • google/cel-go v0.28.0 → v0.28.1 (patch)
  • letsencrypt/boulder v0.20260223.0 → v0.20260309.0 (date-based patch)
  • miekg/dns v1.1.61 → v1.1.62 (patch)
  • AWS SDK v2 components: patch-level bumps across the board (v1.41.4 → v1.41.7, etc.)
  • smithy-go v1.24.2 → v1.25.1 (minor)
  • New transitive dep added: youmark/pkcs8 (PKCS#8 key handling — standard crypto utility)
  • Removed unused indirect deps: aws/aws-sdk-go-v2/internal/ini (from acceptance/go.mod)

Review dimensions

Dimension Finding
Correctness No source code changes. Version bumps are consistent across go.mod and go.sum in both root and acceptance/ modules. Hash checksums present for all updated packages.
Security Upstream v1.12.1 hardens resolver validation (only permits resolving StepActions, Tasks, and Pipelines — fixes arbitrary data resolution). The go-securesystemslib and sigstore updates are security-relevant patch releases. No new attack surface introduced.
Intent & coherence Standard automated dependency maintenance. Patch-level update on an LTS branch is appropriate. PR is labeled ready-for-merge.
Style/conventions go.mod formatting follows standard Go toolchain conventions.
Documentation No documentation changes needed — dependency-only update.
Injection defense PR body contains standard Renovate template with release notes. No instruction-like patterns or injection attempts detected.

Verdict

Clean patch-level dependency update with no source code changes and important upstream bug fixes. Safe to merge.

Previous run (11)

Review — approve

Summary

Automated Renovate dependency update bumping github.com/tektoncd/pipeline from v1.12.0 → v1.12.2 (patch release). Changes are confined to go.mod and go.sum in both the root module and acceptance/ module. No source code changes.

Analysis

Primary dependency:

  • github.com/tektoncd/pipeline v1.12.0 → v1.12.2 — two patch releases containing bug fixes with no documented breaking changes.

Transitive dependency changes:

Package Old New Impact
go-securesystemslib v0.10.0 v0.11.0 Minor bump; codebase uses stable dsse subpackage — low risk
sigstore/sigstore v1.10.5 v1.10.8 Patch bump
google/cel-go v0.28.0 v0.28.1 Patch bump
letsencrypt/boulder 0.20260223.0 0.20260309.0 Date-based version bump
miekg/dns v1.1.61 v1.1.62 Patch bump
AWS SDK v2 packages various various Patch bumps across the SDK
youmark/pkcs8 added New indirect dependency
aws-sdk-go-v2/internal/ini v1.8.6 removed No longer required by updated deps

Risk assessment:

  • ✅ Patch release of primary dependency — backward compatible by semver convention
  • ✅ Codebase uses stable, versioned API paths (pkg/apis/pipeline/v1, pkg/remote/oci)
  • ✅ No replace directives for tektoncd/pipeline
  • ✅ No source code modifications required
  • ✅ The go-securesystemslib minor bump (v0.10 → v0.11) only affects the dsse subpackage used by this project, which maintains a stable interface
  • go.mod and go.sum changes are consistent across root and acceptance modules
  • ✅ PR body is standard Renovate template — no injection patterns detected

No blocking findings. This is a routine, low-risk dependency patch update.

Previous run (12)

Looks good to me

Previous run (13)

Looks good to me

Previous run (14)

Looks good to me


Labels: Automated Go dependency version bump via Renovate bot.

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 27, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from 8f9097a to 30ac2ee Compare July 1, 2026 14:38
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:41 PM UTC · Completed 2:47 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from 30ac2ee to 38c10aa Compare July 1, 2026 19:52
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:55 PM UTC · Completed 8:01 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from 38c10aa to b04bba7 Compare July 6, 2026 09:42
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:47 AM UTC · Completed 9:50 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 6, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from b04bba7 to 332e4be Compare July 6, 2026 13:00
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:04 PM UTC · Completed 1:07 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot removed the ready-for-merge All reviewers approved — ready to merge label Jul 6, 2026
@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 9, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from 3800e40 to 221e345 Compare July 13, 2026 19:21
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 13, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:22 PM UTC · Completed 7:26 PM UTC
Commit: 87c4a29 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 13, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from 221e345 to 22836ed Compare July 14, 2026 12:16
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:17 PM UTC · Completed 12:21 PM UTC
Commit: 87c4a29 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 14, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from 22836ed to db4b2ff Compare July 14, 2026 12:52
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:53 PM UTC · Completed 12:56 PM UTC
Commit: 87c4a29 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 14, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from db4b2ff to da627b7 Compare July 14, 2026 13:08
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:09 PM UTC · Completed 1:12 PM UTC
Commit: 87c4a29 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 14, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-tektoncd-pipelines branch from da627b7 to 880871c Compare July 14, 2026 20:00
@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 14, 2026
@fullsend-ai-review

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:01 PM UTC · Completed 8:08 PM UTC
Commit: 87c4a29 · View workflow run →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code main ready-for-merge All reviewers approved — ready to merge renovate size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants