Tekton Pipeline release v1.6.3 "Sphynx Sentinels"

-Docs @ v1.6.3
-Examples @ v1.6.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.3/release.yaml

Attestation

The Rekor UUID for this release is 4b8b8d888cc1fadcb217eeb2ef34dfe243a80690c5d4386b066c473df10ac848

Obtain the attestation:

REKOR_UUID=4b8b8d888cc1fadcb217eeb2ef34dfe243a80690c5d4386b066c473df10ac848
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.3/release.yaml
REKOR_UUID=4b8b8d888cc1fadcb217eeb2ef34dfe243a80690c5d4386b066c473df10ac848

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 [cherry-pick: release-v1.6.x] fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#10254)

efore this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

• 🐛 [cherry-pick: release-v1.6.x] Fix cross-arch platform command lookup in entrypoint (#10162)

ix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.

• 🐛 [cherry-pick: release-v1.6.x] fix(resolvers): validate data is Tekton object in resolver framework (#9962)

Fixes a bug which lets Tekton Resolvers resolve non-tekton objects and arbitrary data. After this change, resolving a non-tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequest which use the Resolver API for other object types will no longer function.

• 🐛 [cherry-pick: release-v1.6.x] fix: bump google.golang.org/grpc to 1.80.0 (CVE-2026-33186) (#9909)

ump google.golang.org/grpc from 1.75.0 to 1.80.0 to fix CVE-2026-33186 (gRPC-Go authorization bypass via missing leading slash in :path header).

• 🐛 [release-v1.6.x] fix: add automated draft release support to release pipeline (#10213)
• 🐛 [Cherry-pick release-v1.6.x] fix: resolve goroutine leak from unbuffered channels in resolver reconcilers (#10111)
• 🐛 [Cherry-pick Release-v1.6.x] fix: convert pod latency metric to histogram and remove pod label (#10109)
• 🐛 [Cherry-pick Release-v1.6.x] fix(pipelinerun): use generateName for anonymous pipeline label (#10107)

Misc

• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10261)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10231)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10196)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10132)
• 🔨 build(deps): bump tj-actions/changed-files from 6b924b1775b8688e12ffb9b5cb5e968e1eb682ec to 934b2d2c7e653bb8c968afed5a0428617f09aa24 (#10087)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10086)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#10045)
• 🔨 build(deps): bump tj-actions/changed-files from 7dc4d75b6aa91041857e522f1426c3d1ac5d13b6 to 6b924b1775b8688e12ffb9b5cb5e968e1eb682ec (#10042)
• 🔨 build(deps): bump tj-actions/changed-files from 778ca51dd262f0b33085d14089d652a53707f25b to 7dc4d75b6aa91041857e522f1426c3d1ac5d13b6 (#9987)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#9980)
• 🔨 build(deps): bump tj-actions/changed-files from 5f4a0b68ac816d8cb4a52bd88b460549197b7ff1 to 778ca51dd262f0b33085d14089d652a53707f25b (#9947)
• 🔨 build(deps): bump actions/checkout from 5.0.0 to 5.0.1 (#9946)
• 🔨 build(deps): bump google.golang.org/grpc from 1.75.0 to 1.75.1 (#9931)
• 🔨 build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1 (#9928)
• 🔨 build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#9918)
• 🔨 build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 (#9915)
• 🔨 build(deps): bump github.com/google/cel-go from 0.26.0 to 0.26.1 (#9914)
• 🔨 build(deps): bump github/codeql-action from 4.31.0 to 4.31.11 (#9898)
• 🔨 build(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.3 (#9897)
• 🔨 build(deps): bump chainguard-dev/actions from 1.5.7 to 1.5.16 (#9896)
• 🔨 build(deps): bump step-security/harden-runner from 2.13.1 to 2.13.3 (#9895)
• 🔨 build(deps): bump tj-actions/changed-files from dbf178ceecb9304128c8e0648591d71208c6e2c9 to 5f4a0b68ac816d8cb4a52bd88b460549197b7ff1 (#9894)
• 🔨 build(deps): bump github.com/tektoncd/pipeline from 0.53.1 to 0.53.9 in /test/custom-task-ctrls/wait-task-beta (#9888)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.8 to 0.32.13 (#9882)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#9867)
• 🔨 build(deps): bump github.com/cloudevents/sdk-go/v2 from 2.16.1 to 2.16.2 (#9866)

Docs

Thanks

Thanks to these contributors who contributed to v1.6.3!

• ❤️ @app/dependabot
• ❤️ @infernus01
• ❤️ @tekton-robot
• ❤️ @vdemeester
• ❤️ @waveywaves

Extra shout-out for awesome release notes:

• 😍 @tekton-robot
• 😍 @waveywaves