Update module github.com/tektoncd/pipeline to v1.13.1 (main)

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/tektoncd/pipeline	v1.12.0 → v1.13.1

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.13.1: Tekton Pipeline release v1.13.1 "Pixie-bob Project 2501"

Compare Source

-Docs @​ v1.13.1
-Examples @​ v1.13.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.13.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a85ce425ccafc0d84ae54b26fb57ec6dce775f05aa9b92b99e84371ddcbad2a77

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a85ce425ccafc0d84ae54b26fb57ec6dce775f05aa9b92b99e84371ddcbad2a77
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.13.1/release.yaml
REKOR_UUID=108e9186e8c5677a85ce425ccafc0d84ae54b26fb57ec6dce775f05aa9b92b99e84371ddcbad2a77

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.13.1@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 [cherry-pick: release-v1.13.x] fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#​10251)

Before this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

• 🐛 [cherry-pick: release-v1.13.x] fix: TaskRun stuck in Running when init container is OOMKilled with enableKubernetesSidecar (#​10183)

Fix: TaskRun no longer gets stuck in Running when an init container (e.g. prepare) is OOMKilled while enableKubernetesSidecar is enabled. The TaskRun is now correctly marked as Failed immediately.

• 🐛 [cherry-pick: release-v1.13.x] fix: avoid spurious termination parse warning (#​10182)

Fixed spurious step log warnings about parsing existing termination messages when termination message compression is disabled.

• 🐛 [cherry-pick: release-v1.13.x] fix: make internal container resources opt-in (#​10173)

Action required: Tekton no longer applies default resource requests or limits to internal containers (prepare, place-scripts, working-dir-initializer, and sidecar-tekton-log-results) when default-container-resource-requirements is unset. Clusters that rely on these defaults for ResourceQuota compatibility must configure explicit internal container resources in the config-defaults ConfigMap.

• 🐛 [release-v1.13.x] fix: replace symlinks with subpath params and fix Rekor UUID in release pipeline (#​10217)

Misc

Docs

Thanks

Thanks to these contributors who contributed to v1.13.1!

• ❤️ @​tekton-robot
• ❤️ @​vdemeester
• ❤️ @​waveywaves

Extra shout-out for awesome release notes:

• 😍 @​tekton-robot
• 😍 @​waveywaves

v1.13.0: Tekton Pipeline release v1.13.0 "Pixie-bob Project 2501"

Compare Source

🎉 Squeezing more out of every pipeline: compressed results & timeout fixes 🎉

• Docs @​ v1.13.0
• Examples @​ v1.13.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.13.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677accee6fa1065e378221444c30175152ffea8d8c6f5c0d7d5890d31edeaa3ac031

Obtain the attestation:

REKOR_UUID=108e9186e8c5677accee6fa1065e378221444c30175152ffea8d8c6f5c0d7d5890d31edeaa3ac031
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.13.0/release.yaml
REKOR_UUID=108e9186e8c5677accee6fa1065e378221444c30175152ffea8d8c6f5c0d7d5890d31edeaa3ac031

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.13.0@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Upgrade Notices

• 🚨 Resolvers can only resolve Tekton objects (#​9588)

Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequests which use the Resolver API for other object types will no longer function.

Changes

Features

• ✨ feat(tracing): add spans to TaskRun notifications controller (#​9912)

Added OpenTelemetry tracing to the TaskRun notification reconciliation path.
Spans now cover ReconcileKind, ReconcileRunObject, and EmitCloudEvents,
enabling operators to trace CloudEvent delivery latency end-to-end.

• ✨ [TEP-0137] Activate formats field in config-events (#​9776)

The formats field in config-events is now active. The default value is
tektonv1, which preserves existing behaviour. Setting an invalid or
unrecognised format value logs a warning and suppresses event emission
for that format.

• ✨ feat: compress termination messages to fit more results in 4KB limit (#​9682)

Added optional termination message compression (alpha feature flag
enable-termination-message-compression) that uses flate compression to fit
approximately 5.7x more results in the 4KB Kubernetes termination message limit.
The parser auto-detects compressed messages for full backward compatibility.
Zero new dependencies — uses Go stdlib only.

Fixes

• 🐛 fix(events): reduce TaskRun notification identifier logging and document trace exposure (#​10117)

Reduced default log verbosity in the TaskRun notification path introduced
by #​9912. Identifier logs (TaskRun name/namespace) are now emitted at debug
level only. Added documentation warning that exported traces may include
Kubernetes resource identifiers and that trace backends should be treated
as trusted observability systems.

• 🐛 fix(resolvers): skip re-resolution when ResolutionRequest data is already present (#​10114)

Skip re-resolution of ResolutionRequests when Status.Data is already present, preventing hundreds of redundant reconciliations under load.

• 🐛 fix: preserve previous condition context when TaskRun is cancelled or times out (#​10076)

Preserve previous TaskRun condition context (reason + message) when a TaskRun is cancelled or times out due to a PipelineRun timeout, so diagnostic information like ExceededResourceQuota is no longer lost.

• 🐛 Fix gen-crd-api-reference-docs require to use fetchable version (#​9999)

ix gen-crd-api-reference-docs go.mod require to use a fetchable upstream version (v0.3.0), fixing module resolution failures for downstream consumers.

• 🐛 fix(pipelinerun): use generateName for anonymous pipeline label (#​9826)

Previously, TaskRuns' tekton.dev/pipeline label for anonymous Pipelines would use their PipelineRun's name in their tekton.dev/pipeline label and pipeline metrics tag. After this change, TaskRun and PipelineRun which are created from anonymous Pipelines now reference a sanitized metadata.generateName, when present, for the label tekton.dev/pipeline. Similarly, these TaskRruns and PipelineRuns will populate their respective metrics' pipeline tag with the sanitized generateName instead of using anonymous.

• 🐛 fix: truncate affinity assistant volume names to 63 characters (#​9752)

Affinity assistant StatefulSet no longer fails when workspace volumeClaimTemplate names exceed 63 characters. Long volume names are now automatically truncated with a hash suffix to stay within the Kubernetes limit.

• 🐛 fix: allow finally tasks to run when tasks timeout is exceeded (#​9709)

Fix a bug where finally tasks were not executed when the tasks timeout
(either explicit via timeouts.tasks or calculated as timeouts.pipeline - timeouts.finally) was exceeded. The PipelineRun was immediately marked as
Failed without giving finally tasks a chance to run. Now the pipeline
continues running with reason PipelineRunTimeoutRunningFinally until
finally tasks complete.

• 🐛 fix: respect per-resolver TTL override in cache (#​9625)

Resolver cache now respects per-resolver TTL values set in individual
resolver ConfigMaps (e.g., bundleresolver-config, git-resolver-config),
instead of always using the global resolver-cache-config TTL.

• 🐛 fix(resolvers): validate data is Tekton object in resolver framework (#​9588)

Fixes a bug which lets Tekton Resolvers resolve non-tekton objects and arbitrary data. After this change, resolving a non-tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequest which use the Resolver API for other object types will no longer function.

• 🐛 fix: resolve goroutine leak from unbuffered channels in resolver reconciler (#​10098)
• 🐛 Fix dependabot-regen workflow commit author and sign-off (#​9958)
• 🐛 Fix dependabot-regen workflow push credentials (#​9956)
• 🐛 Fix PipelineRun premature failure when TaskRun recovers after pod eviction (#​9640)

Misc

• 🔨 build: bump go directive to 1.26 (#​10026)
• 🔨 perf(taskrun): skip sidecar teardown when status shows no running sidecars (#​9755) (#​9760)
• 🔨 ci: Skip most e2e tests on draft PRs to save CI resources (#​9708)
• 🔨 chore: bump OpenTelemetry semconv to match SDK version (#​9697)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10126)
• 🔨 build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#​10125)
• 🔨 build(deps): bump go.opentelemetry.io/otel/trace from 1.43.0 to 1.44.0 (#​10118)
• 🔨 build(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 (#​10095)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10085)
• 🔨 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#​10084)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.2 to 2.19.4 (#​10083)
• 🔨 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#​10082)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.5 to 1.10.6 (#​10081)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.15.0 (#​10080)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.5 to 1.10.6 (#​10060)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 (#​10058)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 (#​10057)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.5 to 1.10.6 (#​10047)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10039)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.2 (#​10038)
• 🔨 build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 (#​10037)
• 🔨 build(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 (#​10036)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.35.5 (#​10033)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.21 to 1.15.22 (#​10032)
• 🔨 build(deps): bump github.com/google/cel-go from 0.28.0 to 0.28.1 (#​10012)
• 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 (#​10011)
• 🔨 build(deps): bump k8s.io/code-generator from 0.35.4 to 0.35.5 (#​10010)
• 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 in /test/custom-task-ctrls/wait-task-beta (#​10009)
• 🔨 build(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 (#​10005)
• 🔨 build(deps): bump github/codeql-action from 4.35.2 to 4.35.4 (#​9992)
• 🔨 build(deps): bump chainguard/go from 7ec9277 to a4477c3 in /tekton in the all group (#​9991)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#​9978)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#​9977)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9975)
• 🔨 Regenerate dependabot.yml configuration (#​9960)
• 🔨 build(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 (#​9954)
• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.11.1 to 1.12.0 in /test/custom-task-ctrls/wait-task-beta (#​9953)
• 🔨 build(deps): bump actions/setup-go from 5.2.0 to 6.4.0 (#​9856)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#​9854)
• 🔨 ci: fix setup-go version comment in codeql-analysis.yml (#​9695)

Docs

• 📖 chore(release docs): fix release cheat sheet instructions typo (#​9966)
• 📖 docs: update releases.md for v1.12.0 (#​9951)
• 📖 docs: clarify retry-count substitution requires taskSpec (#​9820)
• 📖 docs: add testing best practices for t.Fatalf vs t.Errorf (#​9688)

Thanks

Thanks to these contributors who contributed to v1.13.0!

• ❤️ @​Paramesh324
• ❤️ @​Umesh-Mallipudi
• ❤️ @​aThorp96
• ❤️ @​ab-ghosh
• ❤️ @​afrittoli
• ❤️ @​alliasgher
• ❤️ @​aniruddhajadhav7
• ❤️ @​app/dependabot
• ❤️ @​infernus01
• ❤️ @​mathur07
• ❤️ @​ngelman1
• ❤️ @​tekton-robot
• ❤️ @​twoGiants
• ❤️ @​vdemeester
• ❤️ @​waveywaves

Extra shout-out for awesome release notes:

• 😍 @​aThorp96
• 😍 @​afrittoli
• 😍 @​aniruddhajadhav7
• 😍 @​mathur07
• 😍 @​ngelman1
• 😍 @​twoGiants
• 😍 @​vdemeester
• 😍 @​waveywaves

v1.12.1: Tekton Pipeline release v1.12.1 "Exotic Shorthair Elektrobots LTS"

Compare Source

-Docs @​ v1.12.1
-Examples @​ v1.12.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml
REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.1@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#​10252)

efore this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

• 🐛 [cherry-pick: release-v1.12.x] fix: TaskRun stuck in Running when init container is OOMKilled with enableKubernetesSidecar (#​10186)

ix: TaskRun no longer gets stuck in Running when an init container (e.g. prepare) is OOMKilled while enableKubernetesSidecar is enabled. The TaskRun is now correctly marked as Failed immediately.

• 🐛 [cherry-pick: release-v1.12.x] Fix cross-arch platform command lookup in entrypoint (#​10164)

ix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.

• 🐛 [cherry-pick: release-v1.12.x] fix: truncate affinity assistant volume names to 63 characters (#​10137)

ffinity assistant StatefulSet no longer fails when workspace volumeClaimTemplate names exceed 63 characters. Long volume names are now automatically truncated with a hash suffix to stay within the Kubernetes limit.

• 🐛 [cherry-pick: release-v1.12.x] fix(pipelinerun): use generateName for anonymous pipeline label (#​10079)

Previously, TaskRuns' tekton.dev/pipeline label for anonymous Pipelines would use their PipelineRun's name in their tekton.dev/pipeline label and pipeline metrics tag. After this change, TaskRun and PipelineRun which are created from anonymous Pipelines now reference a sanitized metadata.generateName, when present, for the label tekton.dev/pipeline. Similarly, these TaskRruns and PipelineRuns will populate their respective metrics' pipeline tag with the sanitized generateName instead of using anonymous.

• 🐛 [release-v1.12.x] Fix gen-crd-api-reference-docs require to use fetchable version (#​10001)

ix gen-crd-api-reference-docs go.mod require to use a fetchable upstream version, fixing module resolution failures for downstream consumers.

• 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): validate data is Tekton object in resolver framework (#​9963)

Fixes a bug which lets Tekton Resolvers resolve non-tekton objects and arbitrary data. After this change, resolving a non-tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequest which use the Resolver API for other object types will no longer function.

• 🐛 [release-v1.12.x] fix: replace symlinks with subpath params and fix Rekor UUID in release pipeline (#​10216)
• 🐛 [cherry-pick: release-v1.12.x] Fix PipelineRun premature failure when TaskRun recovers after pod eviction (#​10161)

Misc

• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10265)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10234)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#​10229)
• 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#​10200)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#​10199)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10194)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.8 (#​10168)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.6 to 1.10.8 (#​10150)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.6 to 1.10.8 (#​10149)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.14.7 (#​10148)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.6 to 1.10.8 (#​10147)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.6 to 1.10.8 (#​10146)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10130)
• 🔨 build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#​10129)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#​10094)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.2 to 2.19.4 (#​10093)
• 🔨 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#​10092)
• 🔨 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#​10091)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 (#​10070)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.5 to 1.10.6 (#​10065)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.5 to 1.10.6 (#​10064)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 (#​10063)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.5 to 1.10.6 (#​10062)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.5 to 1.10.6 (#​10061)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.2 (#​10046)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10041)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.35.5 (#​10034)
• 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 in /test/custom-task-ctrls/wait-task-beta (#​10023)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.21 to 1.15.22 (#​10018)
• 🔨 build(deps): bump github.com/google/cel-go from 0.28.0 to 0.28.1 (#​10017)
• 🔨 build(deps): bump github/codeql-action from 4.35.2 to 4.35.4 (#​9994)
• 🔨 build(deps): bump chainguard/go from 7ec9277 to a4477c3 in /tekton in the all group (#​9993)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#​9983)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#​9981)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9976)

Docs

Thanks

Thanks to these contributors who contributed to v1.12.1!

• ❤️ @​app/dependabot
• ❤️ @​tekton-robot
• ❤️ @​vdemeester
• ❤️ @​waveywaves

Extra shout-out for awesome release notes:

• 😍 @​tekton-robot
• 😍 @​vdemeester
• 😍 @​waveywaves

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum

Command failed: go mod tidy
go: downloading github.com/go-openapi/testify/v2 v2.4.1
go: downloading github.com/otiai10/mint v1.5.1
go: downloading k8s.io/apiserver v0.35.5
go: downloading k8s.io/component-base v0.35.5
go: downloading golang.org/x/tools v0.45.0
go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5
go: downloading github.com/go-openapi/testify/enable/yaml/v2 v2.4.1
go: downloading github.com/google/trillian v1.7.2
go: downloading github.com/jackc/pgx/v5 v5.7.5
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.5
go: downloading go.step.sm/crypto v0.75.0
go: downloading k8s.io/cli-runtime v0.34.2
go: downloading google.golang.org/api v0.271.0
go: downloading filippo.io/edwards25519 v1.1.1
go: downloading github.com/aws/aws-sdk-go-v2 v1.41.4
go: downloading github.com/aws/aws-sdk-go-v2/config v1.32.12
go: downloading github.com/aws/aws-sdk-go-v2/service/kms v1.50.1
go: downloading cloud.google.com/go/kms v1.26.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.6.5
go: downloading go.etcd.io/etcd/client/v3 v3.6.5
go: downloading github.com/aws/smithy-go v1.24.2
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.19.12
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20
go: downloading github.com/aws/aws-sdk-go-v2/service/signin v1.0.8
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.30.13
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.41.9
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20
go: downloading cloud.google.com/go/iam v1.5.3
go: downloading cloud.google.com/go/longrunning v0.8.0
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading google.golang.org/genproto v0.0.0-20260128011058-8636f8732409
go: downloading cloud.google.com/go/auth v0.18.2
go: downloading github.com/shoenig/test v0.6.4
go: downloading go.etcd.io/etcd/api/v3 v3.6.5
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20
go: downloading github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6
go: finding module for package knative.dev/pkg/tracing/config
go: finding module for package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/tracing/config

File name: tools/go.sum

Command failed: go mod tidy
go: downloading github.com/mattn/go-shellwords v1.0.12
go: downloading github.com/distribution/distribution/v3 v3.0.0
go: downloading github.com/DATA-DOG/go-sqlmock v1.5.2
go: downloading github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/redis/go-redis/v9 v9.17.2
go: downloading github.com/bshuster-repo/logrus-logstash-hook v1.0.0
go: downloading github.com/docker/go-metrics v0.0.1
go: downloading github.com/gorilla/handlers v1.5.2
go: downloading github.com/mattn/go-sqlite3 v1.14.28
go: downloading github.com/hinshun/vt10x v0.0.0-20220228203356-1ab2cad5fd82
go: downloading gopkg.in/h2non/gock.v1 v1.1.2
go: downloading github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2
go: downloading cloud.google.com/go/pubsub v1.50.1
go: downloading github.com/gorilla/mux v1.8.1
go: downloading github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
go: downloading github.com/redis/go-redis/extra/redisotel/v9 v9.5.3
go: downloading go.opentelemetry.io/contrib/exporters/autoexport v0.57.0
go: downloading github.com/poy/onpar v1.1.2
go: downloading github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f
go: downloading github.com/alecthomas/assert/v2 v2.11.0
go: downloading github.com/alecthomas/repr v0.5.2
go: downloading github.com/gostaticanalysis/testutil v0.5.0
go: downloading go-simpler.org/assert v0.9.0
go: downloading golang.org/x/tools/go/expect v0.1.1-deprecated
go: downloading github.com/matryer/is v1.4.0
go: downloading github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542
go: downloading github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1
go: downloading github.com/google/go-replayers/grpcreplay v1.3.0
go: downloading github.com/google/go-replayers/httpreplay v1.2.0
go: downloading cloud.google.com/go/pubsub/v2 v2.3.0
go: downloading github.com/hashicorp/golang-lru/arc/v2 v2.0.5
go: downloading github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3
go: downloading go.opentelemetry.io/contrib/bridges/prometheus v0.57.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0
go: downloading go.opentelemetry.io/otel/sdk/log v0.8.0
go: downloading golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated
go: downloading github.com/go-toolsmith/pkgload v1.2.2
go: downloading github.com/tenntenn/modver v1.0.1
go: downloading github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3
go: downloading github.com/ActiveState/vt10x v1.3.1
go: downloading github.com/keybase/go-keychain v0.0.1
go: downloading github.com/jcmturner/goidentity/v6 v6.0.1
go: downloading go.opentelemetry.io/otel/log v0.8.0
go: downloading github.com/dave/jennifer v1.7.1
go: downloading github.com/kr/pty v1.1.8
go: downloading github.com/jmespath/go-jmespath/internal/testify v1.5.1
go: finding module for package knative.dev/pkg/tracing/config
go: finding module for package knative.dev/pkg/metrics
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/tracing/config

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 3:12 AM UTC · Completed 3:19 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

Review

Findings

Medium

• [Version consistency] go.mod:3 — The PR bumps the Go directive in the root go.mod from go 1.25.8 to go 1.26, but the sub-modules acceptance/go.mod and tools/go.mod remain at go 1.25.8 despite also bumping tektoncd/pipeline to v1.13.1 in this same PR. Since tektoncd/pipeline v1.13.1 likely requires go 1.26 (triggering the root module bump), the sub-modules that also depend on it should have their go directives updated as well. Note: tools/kubectl/go.mod does NOT depend on tektoncd/pipeline and may not need this bump.
  Remediation: Run go mod tidy in the acceptance/ and tools/ directories (with Go 1.26 installed) to let the toolchain update the go directive automatically.

Info

• [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. Using no findings for this dimension.

Previous run

Looks good to me

[fullsend-ai-retro]

🤖 Finished Retro · ✅ Success · Started 3:00 PM UTC · Completed 3:04 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-retro]

Retro: PR #3352

What happened: An automated Renovate/MintMaker PR bumped github.com/tektoncd/pipeline from v1.12.0 to v1.13.1. The bot itself posted a warning 3 seconds after opening the PR: go mod tidy failed due to missing knative.dev/pkg/metrics and knative.dev/pkg/tracing/config packages, with the explicit note "You probably do not want to merge this PR as-is." Despite this, the review agent started 3 minutes later, ran for ~6 minutes, and approved with "Looks good to me" — also applying the ready-for-merge label. The PR was eventually autoclosed ~12 hours later without merging.

Issues identified (all covered by existing proposals):

1. Review agent ignored bot artifact-failure warning — The review agent did not read or weigh the bot's warning comment about failed go mod tidy. This is directly covered by #1406 ("Review agent should weigh bot warning comments on dependency PRs") and related issues #369 ("Review agent should check CI status before approving PRs") and #1424 ("Review bot applies ready-for-merge label without checking CI status").

2. Retro dispatched on autoclosed bot PR — This retro run itself is wasteful since the PR was autoclosed with no merge and no meaningful agent-human interaction beyond the review. This is directly covered by #2461 ("Skip retro dispatch for autoclosed bot-authored PRs") and #1630 ("Skip retro dispatch for bot-authored PRs with review-only agent interaction").

No new proposals filed — all identified improvements are already tracked upstream.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 3:21 AM UTC · Completed 3:28 AM UTC
Commit: 47d3320 · View workflow run →