Tekton Pipeline release v1.14.0 "Chartreux Cait Sith"

🎉 🐱 Pipelines in Pipelines by ref, leaner controllers & sturdier reconcilers 🤖 🎉

• Docs @ v1.14.0
• Examples @ v1.14.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.14.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677aa9d0ba4d268af76a6ffef1ad43d8ad6966ceef7663859284b3163eddafaa94ab

Obtain the attestation:

REKOR_UUID=108e9186e8c5677aa9d0ba4d268af76a6ffef1ad43d8ad6966ceef7663859284b3163eddafaa94ab
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.14.0/release.yaml
REKOR_UUID=108e9186e8c5677aa9d0ba4d268af76a6ffef1ad43d8ad6966ceef7663859284b3163eddafaa94ab

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.14.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat(tracing): record errors on TaskRun createPod and update spans (#10273)

Errors creating a Pod or updating a TaskRun are now recorded on the TaskRun reconciler trace spans, so failures are visible in distributed traces.

• ✨ feat(tracing): record errors on createTaskRun and createCustomRun spans (#10272)

Errors creating a child TaskRun or CustomRun are now recorded on the PipelineRun reconciler trace spans, so failures are visible in distributed traces.

• ✨ feat(tracing): add spans to PipelineRun cancel and timeout paths (#10269)

Add tracing spans to the PipelineRun cancel and timeout code paths, so cancellation and timeout of a run and its children are visible in distributed traces.

• ✨ feat(tracing): inject traceID and spanID into structured log output (#10140)

Inject traceID and spanID into structured log output for TaskRun and PipelineRun reconcilers when tracing is enabled, enabling log-to-trace correlation in observability platforms.

• ✨ feat(notifications): add tracing spans to CustomRun reconciler (#10097)

[ENHANCEMENT] notifications: add OTel tracing spans to CustomRun reconciler (ReconcileKind, ReconcileRunObject, EmitCloudEvents)

• ✨ feat(notifications): add tracing spans to PipelineRun notifications reconciler (#10266)
• ✨ feat(tracing): add spans to TaskRun validation functions (#9907)

Fixes

• 🐛 fix: bump Go to 1.26.4 for CVEs (#10338)

Bump Go to 1.26.4 for CVE remediation.

• 🐛 fix(taskrun): prevent concurrent map writes when resolving StepAction refs (#10324)

Fixed a controller crash ("concurrent map writes") that could occur while resolving multiple StepAction references when the Task uses an object parameter with both a default and a TaskRun-provided value.

• 🐛 fix: extract correct full Rekor EntryID from API response (#10315)

Fix Rekor EntryID extraction in release pipeline to publish correct 80-char EntryIDs instead of truncated 64-char hashes.

• 🐛 fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#10242)

Before this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

• 🐛 Fix cross-arch platform command lookup in entrypoint (#10077)

Fix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.

• 🐛 Fix #7756 - Validate variable references in Pipeline task params (#10050)

Pipeline validation now rejects invalid variable references like $(new_image) in task parameters with a clear error message, instead of silently accepting them or crashing the webhook. Users who accidentally use $() (Tekton variable syntax) instead of ${} (shell variable syntax) in Pipeline param values will now receive a helpful validation error indicating the valid prefixes (params, tasks, finally, context, workspaces).

• 🐛 fix issue #8255 - seperating step level and task level validation. Va… (#10007)

Fix validation error when a Task uses both spec.results and spec.steps[].results in the same step script

• 🐛 fix: override OCI labels in ko publish task (#9965)

Fix incorrect OCI image labels (title, url, description) inherited from base image in published pipeline images

• 🐛 ci: add missing issues:write permission to cherry-pick workflow (#10257)
• 🐛 fix: replace symlinks with subpath params in create-draft-release (#10203)
• 🐛 Fix race condition in TestStepTimeout (#10188)
• 🐛 fix: correct alpine/k8s image reference in release pipeline (#10143)
• 🐛 test: use mirror.gcr.io/busybox in step_when_test to avoid Docker Hub flakes (#10327)

Misc

• 🔨 chore: move patch release cron from Thursday to Tuesday (#10278)
• 🔨 test(resolvers): cover resolved resource validation kinds (#10250)
• 🔨 chore: switch base image to ghcr.io/tektoncd/plumbing/static-base (#10240)
• 🔨 build(deps): bump tektoncd/pipeline to v1.13.0 in test modules (#10225)
• 🔨 [TEP-0056] Reuse fixture in PinP parent-not-found test (#10207)
• 🔨 chore: remove stale TODOs referencing closed issues #4723 and #6097 (#10187)
• 🔨 chore: remove stale TODO referencing closed issue #4546 (#10171)
• 🔨 build(deps): bump knative.dev/pkg to release-1.22 (#10158)
• 🔨 refactor: remove placeholder URL workaround in hub resolver Validate() (#10048)
• 🔨 ci: scope workflow permissions to least privilege (#9922)
• 🔨 fix: replace kodata LICENSE symlinks with actual files (#10358)
• 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.7.0 to 2.8.1 (#10356)
• 🔨 build(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#10354)
• 🔨 build(deps): bump chainguard-dev/actions/setup-kind from 1.6.22 to 1.6.24 (#10347)
• 🔨 build(deps): bump chainguard-dev/actions/kind-diag from 1.6.22 to 1.6.24 (#10346)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10345)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.6 to 0.21.7 (#10332)
• 🔨 build(deps): bump the all group in /tekton with 3 updates (#10316)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10306)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.28 to 1.15.30 (#10304)
• 🔨 build(deps): bump github.com/prometheus/common from 0.68.1 to 0.69.0 (#10301)
• 🔨 chore: group Dependabot updates by dependency family (#10298)
• 🔨 build(deps): bump k8s.io/code-generator from 0.35.5 to 0.35.6 (#10284)
• 🔨 build(deps): bump k8s.io/api from 0.35.5 to 0.35.6 in /test/custom-task-ctrls/wait-task-beta (#10283)
• 🔨 build(deps): bump k8s.io/client-go from 0.35.5 to 0.35.6 in /test/custom-task-ctrls/wait-task-beta (#10282)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.5 to 0.35.6 (#10281)
• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.13.0 to 1.13.1 in /test/custom-task-ctrls/wait-task-beta (#10279)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.22 to 1.15.28 (#10270)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10264)
• 🔨 build(deps): bump github.com/spiffe/go-spiffe/v2 from 2.6.0 to 2.7.0 (#10260)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.15.0 to 1.15.1 (#10244)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.6 to 1.10.8 (#10243)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#10232)
• 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#10230)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10228)
• 🔨 build(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 (#10227)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.8 (#10226)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.6 to 1.10.8 (#10220)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.6 to 1.10.8 (#10205)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#10193)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10192)
• 🔨 build(deps): bump github/codeql-action from 4.36.0 to 4.36.2 (#10191)
• 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#10190)
• 🔨 build(deps): bump github.com/prometheus/common from 0.67.5 to 0.68.1 (#10167)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.6 to 1.10.8 (#10145)
• 🔨 build(deps): bump github.com/tektoncd/pipeline from 1.12.0 to 1.13.0 in /test/custom-task-ctrls/wait-task-beta (#10144)
• 🔨 build(deps): bump github/codeql-action from 4.35.5 to 4.36.0 (#10124)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.5 to 1.10.6 (#10059)

Docs

• 📖 chore(docs): fix "pipeline" typo in examples (#10344)
• 📖 Remove duplicate step from release cheat sheet (#10204)
• 📖 docs: update releases.md for v1.13.0 (#10142)
• 📖 Add agent workflow context (#10139)

Thanks

Thanks to these contributors who contributed to v1.14.0!

• ❤️ @AlanGreene
• ❤️ @MateSousa
• ❤️ @aThorp96
• ❤️ @app/dependabot
• ❤️ @begs
• ❤️ @cdeekshith11
• ❤️ @danielfbm
• ❤️ @khrm
• ❤️ @l-qing
• ❤️ @ngelman1
• ❤️ @ogulcanaydogan
• ❤️ @rajnish-jais
• ❤️ @romanisb
• ❤️ @srivickynesh
• ❤️ @vdemeester
• ❤️ @waveywaves

Extra shout-out for awesome release notes:

• 😍 @aThorp96
• 😍 @l-qing
• 😍 @ngelman1
• 😍 @ogulcanaydogan
• 😍 @rajnish-jais
• 😍 @romanisb
• 😍 @vdemeester
• 😍 @waveywaves