
Update tektoncd pipelines to v1.12.2 (main) - autoclosed#3373

Closed
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main-main/patch-tektoncd-pipelines

Conversation

@red-hat-konflux

Contributor

This PR contains the following updates:

Package Change
github.com/tektoncd/pipeline v1.12.0 -> v1.12.2

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.12.2: Tekton Pipeline release v1.12.2 "Exotic Shorthair Elektrobots LTS"

Compare Source

- Docs @ v1.12.2
- Examples @ v1.12.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.2/release.yaml

Attestation

The Rekor UUID for this release is cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187

Obtain the attestation:

REKOR_UUID=cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.2/release.yaml
REKOR_UUID=cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# (-F matches the image reference as a fixed string, not as a regex)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc
  • 🔨 build(deps): bump k8s.io/client-go from 0.35.5 to 0.35.6 (#10289)

Docs

Thanks

Thanks to these contributors who contributed to v1.12.2!

Extra shout-out for awesome release notes:

v1.12.1: Tekton Pipeline release v1.12.1 "Exotic Shorthair Elektrobots LTS"

Compare Source

- Docs @ v1.12.1
- Examples @ v1.12.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml
REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
# (-F matches the image reference as a fixed string, not as a regex)
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes
  • 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#10252)

Before this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

  • 🐛 [cherry-pick: release-v1.12.x] fix: TaskRun stuck in Running when init container is OOMKilled with enableKubernetesSidecar (#10186)

Fix: TaskRun no longer gets stuck in Running when an init container (e.g. prepare) is OOMKilled while enableKubernetesSidecar is enabled. The TaskRun is now correctly marked as Failed immediately.

  • 🐛 [cherry-pick: release-v1.12.x] Fix cross-arch platform command lookup in entrypoint (#10164)

Fix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.

  • 🐛 [cherry-pick: release-v1.12.x] fix: truncate affinity assistant volume names to 63 characters (#10137)

Affinity assistant StatefulSet no longer fails when workspace volumeClaimTemplate names exceed 63 characters. Long volume names are now automatically truncated with a hash suffix to stay within the Kubernetes limit.

  • 🐛 [cherry-pick: release-v1.12.x] fix(pipelinerun): use generateName for anonymous pipeline label (#10079)

Previously, TaskRuns' tekton.dev/pipeline label for anonymous Pipelines would use their PipelineRun's name in their tekton.dev/pipeline label and pipeline metrics tag. After this change, TaskRun and PipelineRun which are created from anonymous Pipelines now reference a sanitized metadata.generateName, when present, for the label tekton.dev/pipeline. Similarly, these TaskRuns and PipelineRuns will populate their respective metrics' pipeline tag with the sanitized generateName instead of using anonymous.

  • 🐛 [release-v1.12.x] Fix gen-crd-api-reference-docs require to use fetchable version (#10001)

Fix gen-crd-api-reference-docs go.mod require to use a fetchable upstream version, fixing module resolution failures for downstream consumers.

  • 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): validate data is Tekton object in resolver framework (#9963)

Fixes a bug which lets Tekton Resolvers resolve non-tekton objects and arbitrary data. After this change, resolving a non-tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequest which use the Resolver API for other object types will no longer function.

  • 🐛 [release-v1.12.x] fix: replace symlinks with subpath params and fix Rekor UUID in release pipeline (#10216)
  • 🐛 [cherry-pick: release-v1.12.x] Fix PipelineRun premature failure when TaskRun recovers after pod eviction (#10161)

Misc
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#10265)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#10234)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#10229)
  • 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#10200)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#10199)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#10194)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.8 (#10168)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.6 to 1.10.8 (#10150)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.6 to 1.10.8 (#10149)
  • 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.14.7 (#10148)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.6 to 1.10.8 (#10147)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.6 to 1.10.8 (#10146)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#10130)
  • 🔨 build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#10129)
  • 🔨 build(deps): bump the all group across 1 directory with 4 updates (#10094)
  • 🔨 build(deps): bump step-security/harden-runner from 2.19.2 to 2.19.4 (#10093)
  • 🔨 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#10092)
  • 🔨 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#10091)
  • 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 (#10070)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.5 to 1.10.6 (#10065)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.5 to 1.10.6 (#10064)
  • 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 (#10063)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.5 to 1.10.6 (#10062)
  • 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.5 to 1.10.6 (#10061)
  • 🔨 build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.2 (#10046)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#10041)
  • 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.35.5 (#10034)
  • 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 in /test/custom-task-ctrls/wait-task-beta (#10023)
  • 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.21 to 1.15.22 (#10018)
  • 🔨 build(deps): bump github.com/google/cel-go from 0.28.0 to 0.28.1 (#10017)
  • 🔨 build(deps): bump github/codeql-action from 4.35.2 to 4.35.4 (#9994)
  • 🔨 build(deps): bump chainguard/go from 7ec9277 to a4477c3 in /tekton in the all group (#9993)
  • 🔨 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#9983)
  • 🔨 build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#9981)
  • 🔨 build(deps): bump the all group in /tekton with 4 updates (#9976)

Docs

Thanks

Thanks to these contributors who contributed to v1.12.1!

Extra shout-out for awesome release notes:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
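
A two-way version of the attestation check from the release notes above, as an added example (not code from Tekton, Renovate, or this repository): it builds image references from the attestation's `subject` list the same way the `jq` filter does, and also reports digest-pinned images in the release file that the attestation does not cover. The registry names, the tag `v0.0.0`, the digests, and the function names `attested_refs` and `compare` are constructed for illustration.

```python
import json
import re

# Image reference pinned by digest, with optional registry port and tag.
PINNED_REF = re.compile(r"[\w.\-/:]+@sha256:[0-9a-f]{64}")

def attested_refs(statement_json, tag):
    """Build name:tag@sha256:digest for each subject, as the jq filter does."""
    if not (tag.isascii() and tag.isprintable()):
        # Pasted commands can carry invisible characters (e.g. U+200B) that break matching.
        raise ValueError("tag contains non-printable or non-ASCII characters")
    refs = set()
    for subject in json.loads(statement_json).get("subject", []):
        digest = subject.get("digest", {}).get("sha256", "")
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"subject {subject.get('name')!r} lacks a valid sha256 digest")
        refs.add(f"{subject['name']}:{tag}@sha256:{digest}")
    return refs

def compare(statement_json, release_yaml, tag):
    """Check both directions: attestation -> release file and release file -> attestation."""
    attested = attested_refs(statement_json, tag)
    in_release = set(PINNED_REF.findall(release_yaml))
    return {
        "matched": attested & in_release,
        "attested_not_in_release": attested - in_release,  # the shell loop's "no match" case
        "release_not_attested": in_release - attested,     # not covered by the shell loop
    }

# Constructed sample data (not the real attestation or release file).
D1, D2, D3, D4 = ("a" * 64, "b" * 64, "c" * 64, "d" * 64)
SAMPLE_STATEMENT = json.dumps({"subject": [
    {"name": "registry.example/pipeline/controller", "digest": {"sha256": D1}},
    {"name": "registry.example/pipeline/webhook", "digest": {"sha256": D2}},
]})
SAMPLE_RELEASE = f"""\
containers:
  - image: registry.example/pipeline/controller:v0.0.0@sha256:{D1}
  - image: base.example/busybox@sha256:{D3}
  - image: registry.example/pipeline/webhook:v0.0.0@sha256:{D4}
"""

if __name__ == "__main__":
    for bucket, refs in compare(SAMPLE_STATEMENT, SAMPLE_RELEASE, "v0.0.0").items():
        print(bucket, sorted(refs))
```

An entry under `release_not_attested` is not automatically a failure: an image the release did not build would land there, so those entries need review against their own provenance.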
@red-hat-konflux

Contributor Author

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 4 additional dependencies were updated

Details:

Package Change
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
github.com/sigstore/sigstore v1.10.5 -> v1.10.8
github.com/google/cel-go v0.28.0 -> v0.28.1
github.com/letsencrypt/boulder v0.20260223.0 -> v0.20260309.0

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 18 additional dependencies were updated

Details:

Package Change
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
github.com/sigstore/sigstore v1.10.5 -> v1.10.8
github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.7
github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.17
github.com/aws/aws-sdk-go-v2/credentials v1.19.12 -> v1.19.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.23
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 -> v2.7.23
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21 -> v1.4.24
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 -> v1.35.21
github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 -> v1.42.1
github.com/aws/smithy-go v1.24.2 -> v1.25.1
github.com/google/cel-go v0.28.0 -> v0.28.1
github.com/letsencrypt/boulder v0.20260223.0 -> v0.20260309.0

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 22 additional dependencies were updated

Details:

Package Change
github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.7
github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.17
github.com/aws/aws-sdk-go-v2/credentials v1.19.12 -> v1.19.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.23
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 -> v2.7.23
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21 -> v1.4.24
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 -> v1.35.21
github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 -> v1.42.1
github.com/aws/smithy-go v1.24.2 -> v1.25.1
github.com/google/cel-go v0.28.0 -> v0.28.1
github.com/letsencrypt/boulder v0.20260223.0 -> v0.20260309.0
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
github.com/sigstore/sigstore v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.5 -> v1.10.8

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 29, 2026


🤖 Finished Review · ✅ Success · Started 1:25 AM UTC · Completed 1:32 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review


Looks good to me


Labels: Dependency version bump PR updating Go modules — adding dependencies and go labels.

@fullsend-ai-review fullsend-ai-review Bot added labels Jun 29, 2026: ready-for-merge (All reviewers approved — ready to merge); dependencies (Pull requests that update a dependency file); go (Pull requests that update Go code)
@red-hat-konflux red-hat-konflux Bot changed the title from "Update tektoncd pipelines to v1.12.2 (main)" to "Update tektoncd pipelines to v1.12.2 (main) - autoclosed" Jun 29, 2026
@red-hat-konflux red-hat-konflux Bot closed this Jun 29, 2026
auto-merge was automatically disabled June 29, 2026 21:53

Pull request was closed

@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/main-main/patch-tektoncd-pipelines branch June 29, 2026 21:53
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jun 29, 2026


🤖 Finished Retro · ✅ Success · Started 9:56 PM UTC · Completed 10:01 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-retro


Retro: PR #3373 — Update tektoncd pipelines to v1.12.2

Timeline:

  1. red-hat-konflux[bot] opened PR #3373 at 01:22 UTC to bump github.com/tektoncd/pipeline from v1.12.0 to v1.12.2 (with transitive dep updates across 3 go.mod files).
  2. The review agent (run 28342843269) approved at 01:32 UTC with "Looks good to me" and applied the ready-for-merge label.
  3. CI checks failed with multiple breaking errors: undefined symbols in downloader.go (due to goci.Transport/ghttp.Transport API changes), type errors in attestation.go (sigstore/cosign v3 interface change), missing go.sum entries for tektoncd/cli, and Go version mismatches.
  4. red-hat-konflux[bot] autoclosed the PR at 21:53 UTC.
  5. The retro agent was dispatched at 21:56 UTC on the autoclosed PR.

Key observations:

  • The review agent approved and labeled ready-for-merge before CI results were available. The dependency update introduced breaking API changes that static review missed.
  • A retro was dispatched on an autoclosed bot-authored dependency PR — low-value analysis that consumes tokens.

No new proposals — all findings covered by existing issues:

  • Review agent approving without CI check → #369, #1424, #2667
  • Review agent missing breaking API changes in dep bumps → #1778
  • Retro dispatched on autoclosed bot PR → #2461
  • Lightweight review path for trivial bot dep bumps → #1358, #2639


Labels

dependencies (Pull requests that update a dependency file); go (Pull requests that update Go code); main; ready-for-merge (All reviewers approved — ready to merge); renovate; size: XL
