
Release history

pipeline releases

A cloud-native Pipeline resource.


v1.13.0 Breaking risk
No immediate action

Resolver restriction + compression + timeout fix

v1.12.0 Breaking risk
⚠ Upgrade required
  • Ensure the `tekton-events-controller` Deployment is running after upgrading to v1.12.0.
  • The `send-cloudevents-for-runs` feature flag will be removed in a future release; its default now is true.
Breaking changes
  • CloudEvents for PipelineRuns and TaskRuns are now emitted by the `tekton-events-controller` instead of their respective controllers; operators must ensure this Deployment is running.
  • The feature flag `send-cloudevents-for-runs` default changed from `false` to `true` and will be removed in a future release.
Security fixes
  • GHSA-94jr-7pqp-xhcq – fix: prevent git argument injection via revision parameter
  • fix: reject system API token with user-controlled serverURL (no CVE in this summary; the same issue is listed under v1.11.1 below as GHSA-wjxp-xrpv-xpff / CVE-2026-40161)
  • fix: limit HTTP resolver response body size to prevent OOM DoS
Notable features
  • [TEP-0137] New `dev.tekton.event.pipelinerun.queued.v1` event emitted when a PipelineRun is created but not yet processed.
  • [TEP-0137] New `dev.tekton.event.taskrun.queued.v1` event emitted when a TaskRun is created but not yet processed.
Full changelog

Tekton Pipeline release v1.12.0 "Exotic Shorthair Elektrobots LTS"

🎉 TEP-0137 Notifications Controllers, Security Hardening & Performance 🎉

-Docs @ v1.12.0
-Examples @ v1.12.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.0/release.yaml
REKOR_UUID=108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it literally (-F): image names contain '.', which grep would otherwise treat as a wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done
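The loop above checks one direction only: every image the attestation names must appear somewhere in release.yaml. It is silent about the opposite case, an image the manifest pulls that the attestation never covered, which is exactly what a tampered manifest would add, and it matches digests as substrings of the file. The Go program below is an added example for this page, not part of Tekton's release tooling; it compares the two sets both ways. Given two arguments it reads the attestation JSON (the output of `rekor-cli get ... | jq -r .Attestation`) and the manifest from files; with no arguments it runs on constructed samples embedded in the source, whose registry `example.test` and image names are made up. The same verification procedure is repeated for every release below and the program applies to each unchanged. Neither it nor the loop above says anything about who signed the attestation; both only compare contents.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// statement is the minimal view of the in-toto statement rekor-cli prints
// under .Attestation: only the subjects (image name plus sha256 digest) matter.
type statement struct {
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// imageRef matches a digest-pinned image reference wherever it appears in the
// manifest (image: fields, container args and annotations alike).
var imageRef = regexp.MustCompile(`[a-z0-9][a-z0-9._/-]*(?::[A-Za-z0-9._-]+)?@sha256:[0-9a-f]{64}`)

// stripTag drops the ":tag" between repository and digest: the digest pins the
// content, the tag is only a label, and the attestation subjects carry none.
func stripTag(ref string) string {
	at := strings.Index(ref, "@")
	name, digest := ref[:at], ref[at:]
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		name = name[:i] // a ':' after the last '/' is a tag, not a registry port
	}
	return name + digest
}

// CrossCheck returns attested images the manifest never references (missing)
// and digest-pinned images in the manifest that no subject attests
// (unattested). Both lists must be empty for the manifest to be covered.
func CrossCheck(attestationJSON, releaseYAML string) (missing, unattested []string, err error) {
	var st statement
	if err := json.Unmarshal([]byte(attestationJSON), &st); err != nil {
		return nil, nil, fmt.Errorf("parse attestation: %w", err)
	}
	attested := map[string]bool{}
	for _, s := range st.Subject {
		d, ok := s.Digest["sha256"]
		if !ok {
			return nil, nil, fmt.Errorf("subject %q has no sha256 digest", s.Name)
		}
		attested[s.Name+"@sha256:"+d] = true
	}
	inRelease := map[string]bool{}
	for _, ref := range imageRef.FindAllString(releaseYAML, -1) {
		inRelease[stripTag(ref)] = true
	}
	for ref := range attested {
		if !inRelease[ref] {
			missing = append(missing, ref)
		}
	}
	for ref := range inRelease {
		if !attested[ref] {
			unattested = append(unattested, ref)
		}
	}
	sort.Strings(missing)
	sort.Strings(unattested)
	return missing, unattested, nil
}

// Constructed sample inputs, not a real attestation or manifest: the webhook is
// attested but absent from the manifest, and the manifest pulls an entrypoint
// image that nothing attests.
var (
	d1, d2, d3 = strings.Repeat("1", 64), strings.Repeat("2", 64), strings.Repeat("3", 64)

	sampleAttestation = fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[
  {"name":"example.test/tekton-releases/cmd/controller","digest":{"sha256":"%s"}},
  {"name":"example.test/tekton-releases/cmd/webhook","digest":{"sha256":"%s"}}]}`, d1, d2)

	sampleRelease = fmt.Sprintf(`kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: tekton-pipelines-controller
        image: "example.test/tekton-releases/cmd/controller:v1.12.0@sha256:%s"
        args: ["-entrypoint-image", "example.test/tekton-releases/cmd/entrypoint:v1.12.0@sha256:%s"]
`, d1, d3)
)

func main() {
	att, rel := sampleAttestation, sampleRelease
	if len(os.Args) == 3 { // usage: go run crosscheck.go attestation.json release.yaml
		a, errA := os.ReadFile(os.Args[1])
		r, errR := os.ReadFile(os.Args[2])
		if errA != nil || errR != nil {
			fmt.Fprintln(os.Stderr, "read inputs:", errA, errR)
			os.Exit(2)
		}
		att, rel = string(a), string(r)
	}
	missing, unattested, err := CrossCheck(att, rel)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, m := range missing {
		fmt.Println("attested but not in release file:", m)
	}
	for _, u := range unattested {
		fmt.Println("in release file but not attested:", u)
	}
	if len(missing)+len(unattested) > 0 {
		os.Exit(1)
	}
	fmt.Println("release file and attestation agree")
}
```

A non-zero exit on either list makes the check usable as a gate in the pipeline that installs the release; the "unattested" list is the one to take seriously, since an attested image that the manifest happens not to use is harmless.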

Upgrade Notices

:rotating_light: TEP-0137: CloudEvents now sent by dedicated events controller (ACTION REQUIRED)

CloudEvents for PipelineRuns and TaskRuns are now sent by the dedicated tekton-events-controller and no longer by the PipelineRun/TaskRun controllers. Operators must ensure the tekton-events-controller Deployment is running.

New events added:

  • dev.tekton.event.pipelinerun.queued.v1 — sent when a PipelineRun is created but not yet processed
  • dev.tekton.event.taskrun.queued.v1 — sent when a TaskRun is created but not yet processed

CloudEvent delivery visibility is available via kubectl describe pipelinerun/taskrun (CloudEventSent/CloudEventFailed k8s Events).

:rotating_light: TEP-0137: send-cloudevents-for-runs feature flag deprecated

The send-cloudevents-for-runs feature flag is deprecated and will be removed in a future release. Its default has changed from false to true: CloudEvents for CustomRuns are now sent by default whenever a sink is configured in config-events.

Users relying on the flag set to false to skip events for CustomRuns should be aware of this change.

Changes

Security Fixes

  • :lock: fix: prevent git argument injection via revision parameter (GHSA-94jr-7pqp-xhcq) (#9660)
  • :lock: Security: reject system API token with user-controlled serverURL (#9659)
  • :lock: fix: limit HTTP resolver response body size to prevent OOM DoS (#9656)
  • :lock: fix: normalize VolumeMount paths before /tekton/ restriction check (#9655)
  • :lock: fix: strip resolver prefixes and use non-capturing group for pattern anchoring (#9654)
  • :lock: fix: trim whitespace from source URI before pattern matching (#9653)
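The first two items in this list are the two HIGH advisories published with v1.11.1 (GHSA-94jr-7pqp-xhcq and GHSA-wjxp-xrpv-xpff, described in full in the v1.11.1 notes below): a revision parameter that reached the git command line unsanitized, and a system-wide API token that followed a user-supplied serverURL. The Go below is an added illustration of the two controls involved, not the git resolver's own code: a revision is validated against an allowlist before it could ever be passed to git, and the token is bound to the configured server's scheme and host. `ResolverConfig`, `ValidateRevision` and `TokenFor` are names chosen for the example; the token value and the hosts in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// revisionPattern is an allowlist, not a denylist: a hex commit id (SHA-1 or
// SHA-256) or a ref name built from the characters git accepts. Nothing
// outside it reaches the git command line.
var revisionPattern = regexp.MustCompile(`^(?:[0-9a-f]{7,64}|[A-Za-z0-9][A-Za-z0-9._/-]*)$`)

// ValidateRevision returns nil only for a revision that git will read as a
// positional argument, never as an option.
func ValidateRevision(rev string) error {
	switch {
	case rev == "":
		return errors.New("revision must not be empty")
	case strings.HasPrefix(rev, "-"):
		// The injection shape: "--upload-pack=<cmd>" or "--output=<path>"
		// handed to git fetch/clone is an option, not a revision.
		return fmt.Errorf("revision %q starts with '-' and would be parsed as a git option", rev)
	case strings.Contains(rev, ".."), strings.Contains(rev, "@{"), strings.HasSuffix(rev, ".lock"):
		return fmt.Errorf("revision %q contains a sequence git forbids in ref names", rev)
	case !revisionPattern.MatchString(rev):
		return fmt.Errorf("revision %q contains characters outside the allowed set", rev)
	}
	return nil
}

// ResolverConfig stands in for the system-wide git API settings: the one
// server the operator trusts and the token issued for it.
type ResolverConfig struct {
	ServerURL string
	APIToken  string
}

// TokenFor releases the system token only when the serverURL supplied in the
// run's parameters denotes the configured server (same scheme and host, so a
// different port, a look-alike subdomain or a plain-http downgrade all fail).
// A run that points the resolver anywhere else gets no credential at all.
func (c ResolverConfig) TokenFor(userServerURL string) (string, error) {
	if userServerURL == "" {
		return c.APIToken, nil // no override: the request goes to the configured server
	}
	want, err := url.Parse(c.ServerURL)
	if err != nil {
		return "", fmt.Errorf("configured serverURL: %w", err)
	}
	got, err := url.Parse(userServerURL)
	if err != nil {
		return "", fmt.Errorf("serverURL parameter: %w", err)
	}
	if got.Scheme != want.Scheme || !strings.EqualFold(got.Host, want.Host) {
		return "", fmt.Errorf("serverURL %q is not the configured server %q; system token withheld",
			userServerURL, c.ServerURL)
	}
	return c.APIToken, nil
}

func main() {
	// Constructed inputs: one legitimate revision and two injection attempts.
	for _, rev := range []string{"main", "--upload-pack=touch /tmp/pwned", "--output=/etc/cron.d/x"} {
		fmt.Printf("%-34q -> %v\n", rev, ValidateRevision(rev))
	}
	cfg := ResolverConfig{ServerURL: "https://git.example.test", APIToken: "constructed-token"}
	for _, u := range []string{"", "https://git.example.test", "https://attacker.example.test", "http://git.example.test"} {
		tok, err := cfg.TokenFor(u)
		fmt.Printf("serverURL %-32q -> token sent: %t, err: %v\n", u, tok != "", err)
	}
}
```

The allowlist is deliberately narrower than what git itself accepts; the point of the check is that anything reaching the git command line is positional by construction, which a denylist of known-dangerous flags cannot guarantee.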

Features

  • :sparkles: [TEP-0137] Move PipelineRun notifications to events controller (#9677)

CloudEvents for PipelineRuns are now sent by the dedicated tekton-events-controller and no longer by the PipelineRun controller. A new dev.tekton.event.pipelinerun.queued.v1 event is sent when a PipelineRun is created but not yet processed by the core reconciler.

  • :sparkles: [TEP-0137] Move TaskRun notifications to events controller (#9674)

CloudEvents for TaskRuns are now sent by the dedicated tekton-events-controller and no longer by the TaskRun controller. A new dev.tekton.event.taskrun.queued.v1 event is sent when a TaskRun is created but not yet processed by the core reconciler.

  • :sparkles: [TEP-0137] Deprecate send-cloudevents-for-runs feature flag (#9774)

The feature flag default changed from false to true. CloudEvents for CustomRuns are now sent by default.

  • :sparkles: fix: surface specific TaskRun failure reasons when pod fails (#9368)

TaskRun failure reasons now distinguish between different pod-level failure types: PodEvicted, InitContainerOOM, InitContainerFailed, StepOOM, StepFailed, SidecarOOM, and SidecarFailed, replacing the generic "Failed" reason.

  • :sparkles: fix: surface clear errors when completed tasks miss referenced results (#9662)

Performance

  • :zap: perf: reduce reconcile churn for completed PipelineRuns (#9919)
  • :zap: perf: remove unnecessary SetDefaults from TaskRun done path (#9921)
  • :zap: perf: use maps.Equal instead of reflect.DeepEqual for label/annotation comparison (#9776)

Bug Fixes

  • :bug: Rework the events controller cache (#9738)

Deprecation Notices

  • :rotating_light: [TEP-0137] The send-cloudevents-for-runs feature flag is deprecated and will be removed in a future release. Its default has changed from false to true (#9774).

Misc

  • :hammer: tekton: add draft release creation to release pipeline (#9420)
  • :hammer: ci: remove compromised tj-actions/changed-files dependency (#9704)
  • :hammer: ci: Automate Dependabot configuration generation (#9862)
  • :hammer: Remove aws-sdk-go-v2 ECR replace directives (#9773)
  • :hammer: Simplify TestEmit by removing table-driven test structure (#9675)
  • :hammer: test: add e2e test for TaskRun pending status (#9681)
  • :hammer: Regenerate code after k8s.io/code-generator 0.35.3 bump (#9822)

Docs

  • :book: docs: add bundle resolver configuration options default values (#9772)
  • :book: docs: update metrics.md to reflect OpenTelemetry migration (#9641)
  • :book: docs(examples): remove stale v1beta1 references from examples README (#9672)

Dependencies

  • :hammer: build(deps): bump k8s.io dependencies from 0.35.2 to 0.35.4 (#9848)
  • :hammer: build(deps): bump github.com/google/cel-go from 0.27.0 to 0.28.0 (#9824)
  • :hammer: build(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0 (#9715)
  • :hammer: build(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 (#9926)
  • :hammer: build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#9757)
  • :hammer: build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#9722)
  • :hammer: build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#9721)
  • :hammer: build(deps): bump github.com/sigstore/sigstore from 1.10.4 to 1.10.5 (#9711)

Thanks

Thanks to these contributors who contributed to v1.12.0!

  • :heart: @Retr0-XD
  • :heart: @afrittoli
  • :heart: @app/dependabot
  • :heart: @gonmmarques
  • :heart: @infernus01
  • :heart: @ogulcanaydogan
  • :heart: @vdemeester
  • :heart: @waveywaves

Extra shout-out for awesome release notes:

  • :heart_eyes: @afrittoli
  • :heart_eyes: @vdemeester
  • :heart_eyes: @waveywaves
v1.11.1 Security relevant (patches GHSA-94jr-7pqp-xhcq, GHSA-m2cx-gpqf-qf74, GHSA-rx35-6rhx-7858, +1 more)
Security fixes
  • CVE-2026-40161 (HIGH): Git resolver API token leak to user-controlled serverURL
  • CVE-2026-40938 (HIGH): Git resolver argument injection enabling RCE via revision parameter
  • CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization
Full changelog

-Docs @ v1.11.1
-Examples @ v1.11.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a51c33e77fb56b7f99fdf192905340ce9abdc60589cba2da3451c60ad738768c2

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a51c33e77fb56b7f99fdf192905340ce9abdc60589cba2da3451c60ad738768c2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.11.1/release.yaml
REKOR_UUID=108e9186e8c5677a51c33e77fb56b7f99fdf192905340ce9abdc60589cba2da3451c60ad738768c2

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.11.1@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it literally (-F): image names contain '.', which grep would otherwise treat as a wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

:warning: Security Fixes

  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks the system-configured API token to a user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server. Upgrading stops the leak but does not undo one that already happened: if untrusted users could create runs against an affected version, treat that token as exposed and rotate it.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. The /tekton/ prefix check ran on the raw mountPath string, so a path containing .. segments (the advisory's example is /tekton/../sensitive) was classified by how it was written rather than by the directory it actually resolves to.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.
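Three of the fixes on this page concern how a VerificationPolicy pattern is applied to a resource's source: anchoring the pattern (GHSA-rmx9-2pp3-xhcr above), and in the v1.12.0 list, trimming whitespace from the source URI and stripping resolver prefixes before matching with a non-capturing group. The Go below is an added example, not Tekton's implementation, and puts the three checks side by side: the substring match the advisory describes, a naive `^...$` anchoring that alternation defeats, and the anchored non-capturing group applied to a normalized source. The policy pattern, the sources and the `git+` prefix are constructed for the example; the prefixes a real resolver reports are whatever the deployment's resolvers emit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MatchSourceUnsafe is the substring check the advisory describes:
// regexp.MatchString succeeds if the pattern matches anywhere in the source.
func MatchSourceUnsafe(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// MatchSourceNaiveAnchor shows why plain "^"+pattern+"$" is not enough: with
// alternation in the pattern the anchors bind to the first and last branch
// only ("^a|b$" means "^a" OR "b$"), so an inner branch still matches a
// substring.
func MatchSourceNaiveAnchor(pattern, source string) (bool, error) {
	return regexp.MatchString("^"+pattern+"$", source)
}

// NormalizeSource trims surrounding whitespace and strips one known resolver
// prefix, so the policy is evaluated against the bare source URL.
func NormalizeSource(source string, prefixes []string) string {
	s := strings.TrimSpace(source)
	for _, p := range prefixes {
		if strings.HasPrefix(s, p) {
			return strings.TrimPrefix(s, p)
		}
	}
	return s
}

// MatchSource wraps the pattern in a non-capturing group before anchoring, so
// the whole alternation must match the whole normalized source. A pattern
// that does not compile (for example unbalanced parentheses) is an error,
// never a silent pass.
func MatchSource(pattern, source string, prefixes []string) (bool, error) {
	re, err := regexp.Compile(`^(?:` + pattern + `)$`)
	if err != nil {
		return false, fmt.Errorf("policy pattern %q: %w", pattern, err)
	}
	return re.MatchString(NormalizeSource(source, prefixes)), nil
}

func main() {
	// Constructed policy and sources; "git+" is an assumed prefix for the example.
	pattern := `https://github\.com/tektoncd/catalog.*|https://github\.com/tektoncd/pipeline.*`
	prefixes := []string{"git+"}
	for _, src := range []string{
		"https://github.com/tektoncd/catalog.git",
		"  git+https://github.com/tektoncd/pipeline.git ",
		"https://evil.example/https://github.com/tektoncd/pipeline",
	} {
		u, _ := MatchSourceUnsafe(pattern, src)
		n, _ := MatchSourceNaiveAnchor(pattern, src)
		s, _ := MatchSource(pattern, src, prefixes)
		fmt.Printf("%-60q substring=%-5t naive-anchor=%-5t anchored=%t\n", src, u, n, s)
	}
}
```

The third source is the bypass shape: the trusted URL appears inside an attacker's URL, and both the substring and the naively anchored check accept it. Normalizing before matching matters in the other direction too; without the trim, a legitimate source with stray whitespace fails an anchored pattern and verification breaks rather than being bypassed.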

Fixes

  • :bug: Bump google.golang.org/grpc from 1.79.3 to 1.80.0
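For GHSA-m2cx-gpqf-qf74 above, the practitioner's question is how the 1 MiB limit should be enforced: not by trusting Content-Length, which a hostile server can omit or misstate, and not by reading to EOF and measuring afterwards, but by bounding the read itself. The Go below is an added example, not the HTTP resolver's code; it uses the 1 MiB figure the advisory cites and a constructed local test server that streams 4 MiB without a Content-Length as the hostile endpoint.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxBody is the cap the release notes cite for the HTTP resolver.
const MaxBody int64 = 1 << 20

var ErrBodyTooLarge = errors.New("response body exceeds limit")

// ReadBounded reads at most limit bytes and fails if the stream holds more.
// Reading one byte past the limit is what distinguishes "exactly limit"
// from "too big" without ever buffering more than limit+1 bytes.
func ReadBounded(r io.Reader, limit int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrBodyTooLarge
	}
	return buf, nil
}

// FetchBounded is the GET a resolver performs, with the cap applied to the
// body. Closing a partially read body makes the client drop the connection,
// so the server's remaining bytes are never received, let alone stored.
func FetchBounded(client *http.Client, url string, limit int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return ReadBounded(resp.Body, limit)
}

// newTestServer is a constructed stand-in for user-supplied URLs: /task.yaml
// serves a small manifest, /big streams 4 MiB in flushed chunks with no
// Content-Length, which an unbounded io.ReadAll would buffer in full.
func newTestServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/task.yaml", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "apiVersion: tekton.dev/v1\nkind: Task\nmetadata:\n  name: hello\n")
	})
	mux.HandleFunc("/big", func(w http.ResponseWriter, r *http.Request) {
		chunk := []byte(strings.Repeat("A", 64<<10))
		fl, _ := w.(http.Flusher)
		for i := 0; i < 64; i++ { // 64 x 64 KiB = 4 MiB, four times the cap
			if _, err := w.Write(chunk); err != nil {
				return // the client hung up after the cap: stop streaming
			}
			if fl != nil {
				fl.Flush()
			}
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	ts := newTestServer()
	defer ts.Close()
	for _, p := range []string{"/task.yaml", "/big"} {
		body, err := FetchBounded(ts.Client(), ts.URL+p, MaxBody)
		fmt.Printf("%-10s bytes=%-8d err=%v\n", p, len(body), err)
	}
}
```

The same `ReadBounded` applies to any body a resolver reads on behalf of a user, including error responses and redirects; a client-side timeout (the `http.Client` Timeout field) is the companion control against a server that sends slowly rather than hugely.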
v1.9.3 Security relevant (patches GHSA-94jr-7pqp-xhcq, GHSA-wjxp-xrpv-xpff)
Security fixes
  • CVE-2026-40161 (HIGH): Git resolver API token leak to user-controlled serverURL
  • CVE-2026-40938 (HIGH): Git resolver argument injection enabling RCE via revision parameter
  • CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization
Full changelog

-Docs @ v1.9.3
-Examples @ v1.9.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.3/release.yaml
REKOR_UUID=108e9186e8c5677a7943c77b03fff46f83c0876773ae3dcc84e6dcb29d64ca605afb3cbc0ff77ecb

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it literally (-F): image names contain '.', which grep would otherwise treat as a wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

:warning: Security Fixes

  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes

  • :bug: Fix running_taskruns metric overcounting TaskRuns with no condition
  • :bug: Pin registry image and relax log-based cache assertion
  • :bug: Bump Go to 1.24.13 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729
  • :bug: Fix TextParser struct usage for prometheus/common v0.62.0 compatibility
  • :bug: Remove corrupted resolver cache entries on type error
  • :bug: Resolve resolver cache race condition with singleflight
  • :bug: Align resolver cache configstore with framework implementation
v1.6.2 Security relevant (patches GHSA-94jr-7pqp-xhcq, GHSA-wjxp-xrpv-xpff)
Security fixes
  • CVE-2026-40161 (HIGH): Git resolver API token leak to user-controlled serverURL
  • CVE-2026-40938 (HIGH): Git resolver argument injection enabling RCE via revision parameter
  • CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization
Full changelog

-Docs @ v1.6.2
-Examples @ v1.6.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.2/release.yaml
REKOR_UUID=108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it literally (-F): image names contain '.', which grep would otherwise treat as a wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

:warning: Security Fixes

  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes

  • :bug: Pin registry image and relax log-based cache assertion
  • :bug: Bump Go to 1.24.13 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729
  • :bug: Fix TextParser struct usage for prometheus/common v0.62.0 compatibility
  • :bug: Remove corrupted resolver cache entries on type error
  • :bug: Resolve resolver cache race condition with singleflight
  • :bug: Align resolver cache configstore with framework implementation
v1.3.4 Security relevant (patches GHSA-94jr-7pqp-xhcq, GHSA-wjxp-xrpv-xpff)
Security fixes
  • CVE-2026-40161 (HIGH): Git resolver API token leak to user-controlled serverURL
  • CVE-2026-40938 (HIGH): Git resolver argument injection enabling RCE via revision parameter
  • CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization
Full changelog

-Docs @ v1.3.4
-Examples @ v1.3.4

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.3.4/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a4ad3488e768c0153380fdd13824857ded5bc190b3515f255aab2cf6911228d5b

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a4ad3488e768c0153380fdd13824857ded5bc190b3515f255aab2cf6911228d5b
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.3.4/release.yaml
REKOR_UUID=108e9186e8c5677a4ad3488e768c0153380fdd13824857ded5bc190b3515f255aab2cf6911228d5b

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.3.4@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it literally (-F): image names contain '.', which grep would otherwise treat as a wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

:warning: Security Fixes

  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes

  • :bug: Fix running_taskruns metric overcounting TaskRuns with no condition
  • :bug: Bump Go to 1.24.13 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729
  • :bug: Add signal handling in sidecarlogresults for native Kubernetes sidecars
v1.0.2 Security relevant (patches GHSA-94jr-7pqp-xhcq, GHSA-wjxp-xrpv-xpff)
Security fixes
  • CVE-2026-40161 (HIGH): Git resolver API token leak to user-controlled serverURL
  • CVE-2026-40938 (HIGH): Git resolver argument injection enabling RCE via revision parameter
  • CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization
Full changelog

-Docs @ v1.0.2
-Examples @ v1.0.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.0.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677afa1ff2410a8f5280de7f95a693172273a1c52b90177e7687fc72cf2607c8e332

Obtain the attestation:

REKOR_UUID=108e9186e8c5677afa1ff2410a8f5280de7f95a693172273a1c52b90177e7687fc72cf2607c8e332
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.0.2/release.yaml
REKOR_UUID=108e9186e8c5677afa1ff2410a8f5280de7f95a693172273a1c52b90177e7687fc72cf2607c8e332

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.0.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it literally (-F): image names contain '.', which grep would otherwise treat as a wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

:warning: Security Fixes

  • GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

  • GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

  • GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

  • GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

  • GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

Fixes

  • :bug: Sort PipelineRun childReferences to prevent spurious status updates
v1.11.0 Security relevant (patches GHSA-rmx9-2pp3-xhcr)
Notable features
  • TaskRun pending status support (spec.status: TaskRunPending) for deferred execution
  • PVC auto-cleanup annotation (tekton.dev/auto-cleanup-pvc) for volumeClaimTemplate workspaces
  • Multi-URL support and per-resolution url parameter to Hub Resolver
v1.10.2 Security relevant (patches GHSA-cv4x-93xx-wgfj, GHSA-j5q5-j9gm-2w5c, GO-2026-4761)
Security fixes
  • GHSA-j5q5-j9gm-2w5c: Path traversal in git resolver allows reading arbitrary files from resolver pod
  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022: Controller panic via long resolver names (31+ characters) causes denial of service
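GHSA-j5q5-j9gm-2w5c here and GHSA-rx35-6rhx-7858 in the v1.11.1 notes above are the same class of defect seen from two directions: a path is judged by its spelling instead of by what it resolves to, so `..` segments either escape a root (reading arbitrary files from the resolver pod) or defeat a prefix restriction (the reserved /tekton/ tree). The Go below is an added example, not the code of either fix: `InsideReserved` normalizes a mount path before the prefix test and compares whole path components, and `SafeJoin` confines a user-supplied repository path (the shape of the git resolver's path-in-repo parameter) to the checkout. `/repo` and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

const reservedRoot = "/tekton"

// RawPrefixInsideReserved is the flawed classification: a string-prefix test
// on the mountPath exactly as the user wrote it.
func RawPrefixInsideReserved(mountPath string) bool {
	return strings.HasPrefix(mountPath, reservedRoot+"/")
}

// InsideReserved classifies the path the container will actually see: "."
// and ".." segments and repeated slashes are resolved lexically first, and
// the prefix test is done on whole components, so "/tektonfoo" is not
// inside "/tekton". Container mount paths are POSIX, hence package path
// rather than filepath; the leading "/" makes a relative input absolute.
func InsideReserved(mountPath string) bool {
	clean := path.Clean("/" + mountPath)
	return clean == reservedRoot || strings.HasPrefix(clean, reservedRoot+"/")
}

// SafeJoin resolves a user-supplied relative path inside root and refuses any
// result that lands outside it, so "../../etc/passwd" cannot read files off
// the resolver pod. The check is lexical: a symlink inside root that points
// out of it is a separate concern, handled by filepath.EvalSymlinks on a real
// checkout after this check has passed.
func SafeJoin(root, rel string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, rel) // Join cleans, so ".." is collapsed before the comparison
	if joined != root && !strings.HasPrefix(joined, root+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", rel, root)
	}
	return joined, nil
}

func main() {
	// Constructed mount paths on which the raw-string and resolved answers disagree.
	for _, p := range []string{"/tekton/../etc", "/workspace/../tekton/bin", "/tektonfoo", "/tekton/results"} {
		fmt.Printf("%-28q raw-prefix=%-5t resolved=%t\n", p, RawPrefixInsideReserved(p), InsideReserved(p))
	}
	for _, rel := range []string{"tasks/build.yaml", "../../etc/passwd", "tasks/../../secret"} {
		got, err := SafeJoin("/repo", rel)
		fmt.Printf("%-22q -> %q %v\n", rel, got, err)
	}
}
```

Whichever way round a policy is written (deny mounts under the reserved tree, or allow reads only under a root), the decision has to be taken on the cleaned path, and the prefix has to end in a separator; both halves are needed, since cleaning alone still lets "/tektonfoo" match a bare "/tekton" prefix.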
v1.9.2 Security relevant (patches GHSA-cv4x-93xx-wgfj, GHSA-j5q5-j9gm-2w5c, GO-2026-4761)
Security fixes
  • GHSA-j5q5-j9gm-2w5c: Path traversal in git resolver allows reading arbitrary files from resolver pod
  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022: Controller panic via long resolver names (31+ characters) causes denial of service
v1.6.1 Security relevant (patches GHSA-cv4x-93xx-wgfj, GHSA-j5q5-j9gm-2w5c, GO-2026-4761)
Security fixes
  • GHSA-j5q5-j9gm-2w5c: Path traversal in git resolver allows reading arbitrary files from resolver pod
  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022: Controller panic via long resolver names (31+ characters) causes denial of service
Notable features
  • hostUsers field in PodTemplate for user namespace isolation
  • Excessive reconciliation prevention when timeout disabled
v1.3.3 Security relevant (patches GHSA-cv4x-93xx-wgfj, GHSA-j5q5-j9gm-2w5c, GO-2026-4761)
Security fixes
  • GHSA-j5q5-j9gm-2w5c: Path traversal in git resolver allows reading arbitrary files from resolver pod
  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022: Controller panic via long resolver names (31+ characters) causes denial of service
Notable features
  • hostUsers field in PodTemplate for user namespace isolation
v1.0.1 Breaking risk (patches GHSA-cv4x-93xx-wgfj, GHSA-j5q5-j9gm-2w5c, GO-2026-4761)
Security fixes
  • GHSA-j5q5-j9gm-2w5c: Path traversal in git resolver allows reading arbitrary files from resolver pod
  • GHSA-cv4x-93xx-wgfj / CVE-2026-33022: Controller panic via long resolver names (31+ characters) causes denial of service
v1.10.0 Breaking risk
Breaking changes
  • Metrics namespace changed from tekton_pipelines_controller_ prefix to OpenTelemetry standard namespaces
  • reason label added to pipelinerun_duration_seconds and taskrun_duration_seconds metrics
  • reconcile_count and reconcile_latency metrics removed
Notable features
  • Git resolver SHA-256 commit hash validation support
  • OpenTelemetry migration with histogram, counter, and gauge instruments
v1.9.0 New feature
Notable features
  • hostUsers field in PodTemplate for user namespace isolation
  • HTTP resolver digest validation support for revision verification
  • ServiceAccount inheritance to Affinity Assistants
v1.7.0 Breaking risk

Fix race conditions in TaskRun timeout and sidecar handling

Full changelog

🎉 Bug fixes, stability improvements and dependency updates 🎉

-Docs @ v1.7.0
-Examples @ v1.7.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.7.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a0af3ff47db2d68605b227b75af0aa40d87262257e2b9295f35454fe3d050ed38

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a0af3ff47db2d68605b227b75af0aa40d87262257e2b9295f35454fe3d050ed38
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.7.0/release.yaml
REKOR_UUID=108e9186e8c5677a0af3ff47db2d68605b227b75af0aa40d87262257e2b9295f35454fe3d050ed38

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.7.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  # Quote the reference and match it literally (-F): image names contain '.', which grep would otherwise treat as a wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Fixes

  • :bug: fix: Populate step statuses before TaskRun timeout handling (#9184)

Fixes a race condition on timeout that could leave a TaskRun status without step statuses.

  • :bug: fix: panic in v1beta1 matrix validation for invalid result refs (#9135)

Resolved an issue where Pipelines with invalid result references in matrix parameters caused a panic during validation (v1beta1 API).

  • :bug: Use patch instead of update to replace sidecars with nop image (#9128)

Fixed race condition causing TaskRuns to fail with 409 conflict error when stopping sidecars.
StopSidecars now uses Patch instead of Update to avoid conflicts with concurrent kubelet pod status updates.

  • :bug: fix: Add missing comma in slash commands workflow (#9157)
  • :bug: Fix tekton/publish sed for combined-based-image digest replacement (#9119)
  • :bug: examples: reduce the size of the matrix to reduce flakiness (#9187)

Misc

  • :hammer: Migrate tests images out of dockerhub. (#9158)
  • :hammer: refactor: add clock injection to cache for testing (#9142)
  • :hammer: Remove deprecated // +build directive from most files (#9118)
  • :hammer: build(deps): bump tj-actions/changed-files from 6da3c88b60ebf09464ada9b06fba5b6f2d34bb94 to abdd2f68ea150cee8f236d4a9fb4e0f2491abf1b (#9196)
  • :hammer: chore(release-pipeline): update references to oci bucket (#9189)
  • :hammer: .github/workflows: fix e2e-matrix-extras (#9185)
  • :hammer: build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#9181)
  • :hammer: build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#9180)
  • :hammer: build(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 (#9179)
  • :hammer: .github: add a dependabot configuration to monitor .ko.yaml (#9173)
  • :hammer: feat: Add GitHub Actions cherry-pick slash command (#9172)
  • :hammer: build(deps): bump the all group in /tekton with 4 updates (#9170)
  • :hammer: build(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 (#9169)
  • :hammer: build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 (#9168)
  • :hammer: build(deps): bump tj-actions/changed-files from 70069877f29101175ed2b055d210fe8b1d54d7d7 to 6da3c88b60ebf09464ada9b06fba5b6f2d34bb94 (#9167)
  • :hammer: build(deps): bump chainguard-dev/actions from 1.5.3 to 1.5.10 (#9166)
  • :hammer: build(deps): bump github/codeql-action from 4.31.0 to 4.31.5 (#9165)
  • :hammer: Fix commit SHA of actions/github-script in e2e-extras workflow (#9161)
  • :hammer: Fix the e2e-extras slash command (#9160)
  • :hammer: examples: make sure we use the same image for sidecar and step (#9139)
  • :hammer: fix(ci): correct grep patterns in detect job (#9137)
  • :hammer: build(deps): bump the all group in /tekton with 4 updates (#9134)
  • :hammer: build(deps): bump chainguard-dev/actions from 1.5.7 to 1.5.8 (#9133)
  • :hammer: build(deps): bump tj-actions/changed-files from 0ff001de0805038ff3f118de4875002200057732 to 70069877f29101175ed2b055d210fe8b1d54d7d7 (#9132)
  • :hammer: build(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 (#9131)
  • :hammer: build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 (#9130)
  • :hammer: fix: label checker action reference (#9129)
  • :hammer: Update releases.md after 1.6.0 release (#9127)
  • :hammer: build(deps): bump the all group in /tekton with 4 updates (#9124)
  • :hammer: build(deps): bump tj-actions/changed-files from dbf178ceecb9304128c8e0648591d71208c6e2c9 to 0ff001de0805038ff3f118de4875002200057732 (#9122)
  • :hammer: feat: upload release manifests to oracle cloud (#9121)
  • :hammer: test: reduce the number of examples tests running in parallel (#9114)
  • :hammer: Run less e2e matrix by default (#9109)
  • :hammer: ci: skip running builds and tests if no code changed (#8768)
  • :hammer: fix: update tekton setup action (#9126)
  • :hammer: build(deps): bump github.com/docker/docker from 26.1.5+incompatible to 28.0.0+incompatible in /test/resolver-with-timeout (#9182)

Thanks

Thanks to these contributors who contributed to v1.7.0!

  • :heart: @AlanGreene
  • :heart: @aThorp96
  • :heart: @anithapriyanatarajan
  • :heart: @dependabot[bot]
  • :heart: @divyansh42
  • :heart: @mathur07
  • :heart: @prad9192
  • :heart: @twoGiants
  • :heart: @vdemeester

Extra shout-out for awesome release notes:

  • :heart_eyes: @mathur07
  • :heart_eyes: @prad9192
  • :heart_eyes: @vdemeester
v1.6.0 Breaking risk
Notable features
  • Pipelines-in-Pipelines execution with embedded PipelineSpec in tasks
  • Shared cache for bundle, git, and cluster resolvers with multiple modes
  • Array value resolution in When expression Input attribute
v1.5.0 New feature
Notable features
  • managedBy field for delegating PipelineRun and TaskRun lifecycle responsibility
v1.4.0 Breaking risk
Notable features
  • Concurrent StepAction resolution in TaskRun reducing startup time
  • PipelineRun task timeout override via spec.taskRunSpecs[].timeout
  • Improved handling of PVC quota exceeded errors during creation
v1.3.1 Bug fix

Fixed tini-git and resolvers container images to support multiple architectures.

v1.3.0 Breaking risk
Breaking changes
  • Removed deprecated metrics: pipelinerun_count, running_pipelineruns_count, taskrun_count, running_taskruns_count, and waiting_on_*_count variants
Notable features
  • Exponential backoff for pod, TaskRun, and CustomRun creation (configurable, disabled by default)
  • Pod anti-affinity rules for controller high availability
  • THREADS_PER_CONTROLLER environment variable to override configuration
