Skip to content

triggers

v0.36.0 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 5d Pipelines
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

pipelines tekton triggers

Affected surfaces

crypto_tls breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 5d

Release v0.36.0 migrates metrics to OpenTelemetry and adds TLS profile support for core interceptors.

Why it matters: OpenTelemetry migration requires configuration changes; adopt before the next release deadline to avoid metric breakage.

Summary

AI summary

Migrated metrics from OpenCensus to OpenTelemetry, added TLS profile support for interceptors, and fixed an e2e failure due to owners file change.

Changes in this release

Breaking High

Migrates metrics from OpenCensus to OpenTelemetry, requiring configuration and metric name changes.

Migrates metrics from OpenCensus to OpenTelemetry, requiring configuration and metric name changes.

Source: llm_adapter@2026-05-29

Confidence: high
Feature Medium

Adds TLS security profile support for core interceptors via environment variables.

Adds TLS security profile support for core interceptors via environment variables.

Source: llm_adapter@2026-05-29

Confidence: high
Dependency Low

Bumps step-security/harden-runner from 2.19.0 to 2.19.3.

Bumps step-security/harden-runner from 2.19.0 to 2.19.3.

Source: llm_adapter@2026-05-29

Confidence: high
Dependency Low

Bumps github/codeql-action from 4.35.2 to 4.35.4.

Bumps github/codeql-action from 4.35.2 to 4.35.4.

Source: llm_adapter@2026-05-29

Confidence: high
Dependency Low

Bumps tektoncd/pipeline dependency from 1.11.0 to 1.11.1.

Bumps tektoncd/pipeline dependency from 1.11.0 to 1.11.1.

Source: llm_adapter@2026-05-29

Confidence: high
Dependency Low

Bumps go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0.

Bumps go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0.

Source: llm_adapter@2026-05-29

Confidence: high
Dependency Low

Bumps go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0.

Bumps go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0.

Source: llm_adapter@2026-05-29

Confidence: high
Bugfix Medium

Fixes e2e test failure caused by owners file change.

Fixes e2e test failure caused by owners file change.

Source: llm_adapter@2026-05-29

Confidence: high
Bugfix Low

Fixes intermittent panic in Test_UpdateCACertToClusterInterceptorCRD.

Fixes intermittent panic in Test_UpdateCACertToClusterInterceptorCRD.

Source: llm_adapter@2026-05-29

Confidence: high
Refactor Low

Replaces GCS release URLs with infra.tekton.dev distribution point.

Replaces GCS release URLs with infra.tekton.dev distribution point.

Source: llm_adapter@2026-05-29

Confidence: high
Full changelog

Tekton Triggers release v0.36.0 "Tekton Triggers"

-Docs @ v0.36.0
-Examples @ v0.36.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/triggers/previous/v0.36.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a6b2a69794ca92fea0d3bb45b80f923817fd184a39c84987cd53cee88dcf9dc5f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a6b2a69794ca92fea0d3bb45b80f923817fd184a39c84987cd53cee88dcf9dc5f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/triggers/previous/v0.36.0/release.yaml
INTERCEPTORS_FILE=https://infra.tekton.dev/tekton-releases/triggers/previous/${VERSION_TAG}/interceptors.yaml

REKOR_UUID=108e9186e8c5677a6b2a69794ca92fea0d3bb45b80f923817fd184a39c84987cd53cee88dcf9dc5f

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.36.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
curl -L "$INTERCEPTORS_FILE" >> release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

  • :sparkles:Add TLS security profile support for core interceptors (#2019)

Core interceptors now honor the TLS security profile injected by the Tekton operator via TLS_MIN_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES environment variables, allowing cluster-wide TLS policy enforcement on OpenShift.

  • :sparkles: feat(metrics): Migration from OpenCensus to OpenTelemetry (#1934)

Migrated metrics from OpenCensus to OpenTelemetry.

ACTION REQUIRED:

  1. Configuration key change
    Replace metrics.backend-destination with metrics-protocol in your config-observability-triggers ConfigMap.
    Prometheus export remains the default — no change needed if you were not customizing observability.

  2. Infrastructure metric renaming
    Infrastructure metrics (workqueue, K8s client) have been renamed from the
    tekton_triggers_controller_ prefix to standard Knative/OpenTelemetry namespaces.

    ┌──────────────────────────────────────────────────────────┬───────────────────────────────────────────────────┐
    │ Old Metric Name (OpenCensus) │ New Metric Name (OpenTelemetry) │
    ├──────────────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
    │ tekton_triggers_controller_workqueue_depth │ kn_workqueue_depth │
    │ tekton_triggers_controller_workqueue_adds_total │ kn_workqueue_adds_total │
    │ tekton_triggers_controller_workqueue_queue_latency_* │ kn_workqueue_queue_duration_seconds_* │
    │ tekton_triggers_controller_workqueue_work_duration_* │ kn_workqueue_process_duration_seconds_* │
    │ tekton_triggers_controller_workqueue_unfinished_work_* │ kn_workqueue_unfinished_work_seconds │
    │ tekton_triggers_controller_workqueue_retries_total │ kn_workqueue_retries_total │
    │ tekton_triggers_controller_client_latency │ http_client_request_duration_seconds_* │
    │ tekton_triggers_controller_client_results │ kn_k8s_client_http_response_status_code_total │
    └──────────────────────────────────────────────────────────┴───────────────────────────────────────────────────┘

  3. Sink counter metrics renamed

    ┌──────────────────────────────────────────┬────────────────────────────────────────────┐
    │ Old Metric Name (OpenCensus) │ New Metric Name (OpenTelemetry) │
    ├──────────────────────────────────────────┼────────────────────────────────────────────┤
    │ eventlistener_event_received_count │ eventlistener_event_received_total │
    │ eventlistener_triggered_resources │ eventlistener_triggered_resources_total │
    └──────────────────────────────────────────┴────────────────────────────────────────────┘

  4. All other metric names are unchanged
    controller_eventlistener_count, controller_triggerbinding_count,
    controller_triggertemplate_count, controller_clustertriggerbinding_count,
    controller_clusterinterceptor_count, eventlistener_http_duration_seconds

Fixes

  • :bug: Fix e2e failure due to owners file change (#1970)

Misc

  • :hammer: cleanup: replace GCS release URLs with infra.tekton.dev (#1973)
  • :hammer: Bump step-security/harden-runner from 2.19.0 to 2.19.3 (#2033)
  • :hammer: Bump github/codeql-action from 4.35.2 to 4.35.4 (#2032)
  • :hammer: Bump the all group across 1 directory with 7 updates (#2031)
  • :hammer: Bump the pipelines dependency and other deps (#2020)
  • :hammer: Change release pipeline to use 'release-draft-oci' (#2018)
  • :hammer: Fix curl command to follow redirects for release file (#2017)
  • :hammer: Bump go.uber.org/zap from 1.27.1 to 1.28.0 in the all group (#2016)
  • :hammer: Bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 (#2007)
  • :hammer: Bump github.com/tektoncd/pipeline from 1.11.0 to 1.11.1 (#2005)
  • :hammer: Bump actions/cache from 5.0.4 to 5.0.5 (#2004)
  • :hammer: Bump step-security/harden-runner from 2.17.0 to 2.19.0 (#2003)
  • :hammer: Bump github/codeql-action from 4.35.1 to 4.35.2 (#2002)
  • :hammer: Bump the all group across 1 directory with 5 updates (#2001)
  • :hammer: Fix intermittent panic in Test_UpdateCACertToClusterInterceptorCRD (#2000)
  • :hammer: Bump github.com/moby/spdystream from 0.5.0 to 0.5.1 (#1999)
  • :hammer: ci: Fix zizmor security findings in GitHub Actions (#1998)
  • :hammer: Update release ko image to go1.25 (#1997)
  • :hammer: Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1996)
  • :hammer: Bump step-security/harden-runner from 2.16.1 to 2.17.0 (#1995)
  • :hammer: Bump github.com/google/cel-go from 0.27.0 to 0.28.0 in the all group (#1994)
  • :hammer: Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 (#1993)
  • :hammer: Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 (#1992)
  • :hammer: Bump step-security/harden-runner from 2.16.0 to 2.16.1 (#1991)
  • :hammer: Bump the all group with 4 updates (#1990)
  • :hammer: Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#1989)
  • :hammer: Bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#1988)
  • :hammer: Bump tektoncd/pipeline to v1.11.0 and update vendor dependencies (#1986)
  • :hammer: Bump the all group across 1 directory with 7 updates (#1985)
  • :hammer: Bump actions/setup-go from 6.3.0 to 6.4.0 (#1984)
  • :hammer: Bump github/codeql-action from 4.34.1 to 4.35.1 (#1983)
  • :hammer: Bump github/codeql-action from 4.33.0 to 4.34.1 (#1980)
  • :hammer: Bump actions/cache from 5.0.3 to 5.0.4 (#1979)
  • :hammer: Bump github/codeql-action from 4.32.6 to 4.33.0 (#1976)
  • :hammer: Bump fgrosse/go-coverage-report from 1.2.0 to 1.3.0 (#1975)
  • :hammer: Bump step-security/harden-runner from 2.15.1 to 2.16.0 (#1974)
  • :hammer: Bump github/codeql-action from 4.32.5 to 4.32.6 (#1969)
  • :hammer: Bump step-security/harden-runner from 2.15.0 to 2.15.1 (#1968)
  • :hammer: Bump go version to 1.25.6 (#1966)
  • :hammer: Move inactive approvers to emeritus (#1965)
  • :hammer: Bump step-security/harden-runner from 2.14.2 to 2.15.0 (#1963)
  • :hammer: Bump github/codeql-action from 4.32.3 to 4.32.5 (#1962)
  • :hammer: Bump actions/setup-go from 6.2.0 to 6.3.0 (#1961)
  • :hammer: Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#1960)
  • :hammer: Bump the all group across 1 directory with 5 updates (#1959)
  • :hammer: Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#1958)
  • :hammer: Consolidate CI workflows for build, lint, and e2e tests (#1957)
  • :hammer: Update releases.md for v0.35.0 (#1952)
  • :hammer: Bump github/codeql-action from 4.32.2 to 4.32.3 (#1951)
  • :hammer: Bump the all group with 6 updates (#1950)
  • :hammer: Update Release Cheat Sheet for release-draft-oci pipeline (#1948)
  • :hammer: Change precheck in release pipeline to OCI infra (#1947)
  • :hammer: fix: release cheat sheet doc typos (#1953)

Docs

Thanks

Thanks to these contributors who contributed to v0.36.0!

  • :heart: @ankrsinha
  • :heart: @app/dependabot
  • :heart: @infernus01
  • :heart: @jkhelil
  • :heart: @khrm
  • :heart: @ngelman1
  • :heart: @vdemeester

Extra shout-out for awesome release notes:

  • :heart_eyes: @infernus01
  • :heart_eyes: @jkhelil

Breaking Changes

  • Configuration key change: replace metrics.backend-destination with metrics-protocol in config-observability-triggers ConfigMap.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track triggers

Get notified when new releases ship.

Sign up free

About triggers

Event triggering with Tekton!

All releases →

Related context

Beta — feedback welcome: [email protected]