v0.37.8

Pipelines as Code version v0.37.8

Tekton Pipelines as Code v0.37.8 has been released 🥳

This is a security and stability patch release for the v0.37.x stream, backporting fixes from v0.48.0 along with dependency updates addressing multiple CVEs.

🐛 Bug Fixes

• Backport app token safeguards: Derive enterprise host from repo spec URL instead of trusting the X-GitHub-Enterprise-Host header, validate webhook signature before minting GitHub App tokens, and scope tokens to the triggering repository ID.
  • Link: 4081397
• Deep-copy cached remote resources: Prevent cross-run mutation where the first PipelineRun applying its task annotation could leak that task into subsequent runs sharing the same remote resource.
  • Link: 9b2afcb
• Redact query string from incoming webhook log: Prevent URL-based secret values from being written to stdout.
  • Link: 7eb5613
• Restore relative task path resolution: Fix regression from commit 6e36620 that broke relative task path resolution for repository file paths by only allowing HTTP(S) URLs, causing paths containing '..' to be rejected by the GitHub API.
  • Link: ecd2945

⚙️ Chores

• Update grpc and tektoncd/pipeline: Upgrade google.golang.org/grpc to v1.79.3 to fix CVE-2026-33186 and upgrade github.com/tektoncd/pipeline to v1.0.1 to address CVE-2026-33211.
  • Link: c281cf5
• Update go-jose: Patch security vulnerability GHSA-78h2-9frx-2jm8 in JWE and JWS handling.
  • Link: 80ad3e9
• Update tektoncd/pipeline to v1.0.2: Fix CVE-2026-40161, a high-severity credential exposure flaw in the git resolver API mode.
  • Link: 24f2c55
• Harden container workflow actions: Pin GitHub Actions to full commit SHAs, disable persist-credentials, and prevent script injection by replacing context expressions with environment variables.
  • Link: a913a1d
• Skip TLS verification for gosmee client in e2e tests: Fix gosmee starting before minica certs are generated in CI.
  • Link: 0dcb5f7
• Pin golangci toolchain: Pin golangci-lint to v2.12.2 and GOTOOLCHAIN to go1.24.2 for consistent CI and local lint results.
  • Link: bb7f4aa
• Rewrite e2e script for main's matrix: Add support for all targets in main's e2e matrix with gotestsum support and gosmee log collection.
  • Link: 668ef2b
• Rename bitbucket DC env vars to match main: Update TEST_BITBUCKET_SERVER_* to TEST_BITBUCKET_DATA_CENTER_* to fix e2e test failures.
  • Link: bdd5380

Installation

To install this version you can install the release.yaml with kubectl for your platform :

Openshift

kubectl apply -f https://github.com/openshift-pipelines/pipelines-as-code/releases/download/v0.37.8/release.yaml

Kubernetes

kubectl apply -f https://github.com/openshift-pipelines/pipelines-as-code/releases/download/v0.37.8/release.k8s.yaml

Documentation

The documentation for this release is available here :

https://release-v0-37-8.pipelines-as-code.pages.dev

Changelog

• 0c7a343: Release yaml generated from 6e36620 for release v0.37.7 ( <>)
• bb7f4aa: build(lint): pin golangci toolchain (@theakshaypant)
• 80ad3e9: chore(deps): update go-jose to fix GHSA-78h2-9frx-2jm8 (@theakshaypant)
• c281cf5: chore(deps): update grpc and tektoncd/pipeline (@theakshaypant)
• 24f2c55: chore(deps): update tektoncd/pipeline to v1.0.2 (@theakshaypant)
• a913a1d: ci: harden container workflow actions (@theakshaypant)
• 668ef2b: ci: rewrite e2e script for main's matrix (@theakshaypant)
• 0dcb5f7: fix(ci): skip TLS verification for gosmee client in e2e tests (@zakisk)
• 9b2afcb: fix(resolve): deep-copy cached remote resources to prevent cross-run mutation (@theakshaypant)
• ecd2945: fix(resolve): restore relative task path resolution for repository paths (@theakshaypant)
• 4081397: fix(security): backport app token safeguards (@theakshaypant)
• 7eb5613: fix(security): redact query string from incoming webhook log (@infernus01)