
v0.39.6


@tekton-pac-bot released this 08 Jun 14:41
386 commits to main since this release

Pipelines as Code version v0.39.6

Tekton Pipelines as Code v0.39.6 has been released 🥳

This is a security and stability patch release for the v0.39.x stream, backporting fixes from v0.48.0 along with dependency updates addressing multiple CVEs.

🐛 Bug Fixes

  • Prevent GitHub Enterprise host header hijacking: Validate GitHub App webhook payloads before minting tokens and derive the enterprise host from the repository URL instead of trusting the request header. Also scopes GitHub App installation tokens to the triggering repository for remote task resolution.
  • Redact incoming webhook query strings from logs: URL-based ?secret= values are no longer written to controller stdout.
  • Fix gRPC CVE-2026-33186: Update google.golang.org/grpc to v1.79.3 to address a critical HTTP/2 :path validation flaw that allows bypassing authorization rules in gRPC interceptors.
  • Fix go-jose GHSA-78h2-9frx-2jm8: Update go-jose v3 and v4 to patch a security vulnerability in JWE and JWS handling.
  • Fix Tekton Pipeline CVE-2026-40161: Bump tektoncd/pipeline to v1.6.2 to address a high-severity vulnerability where the git resolver API mode leaks system-configured API tokens to user-controlled endpoints.
  • Skip watcher status updates: Prevent forbidden errors on clusters where the watcher only has metadata and spec-level PipelineRun permissions by disabling generated status synchronization.
  • Gitea nil-safety and Forgejo compatibility: Guard against nil Sender, Repository.Owner, PullRequest.Head, and other nested webhook payload fields that can cause panics when Forgejo delivers webhooks with missing sub-objects.
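As an added illustration of the first two fixes above (deriving the GitHub Enterprise host from the repository URL rather than the request's Host header, redacting `?secret=` query values before they reach logs, and scoping the installation token to one repository), the following Go snippet is example code written for this page; it is not code from the Pipelines as Code project. The function names, the sensitive-key list and the sample URLs are assumptions; the `/api/v3` path for GitHub Enterprise Server and the `repositories` field of the installation access-token request body are GitHub's documented conventions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// sensitiveQueryKeys lists query parameters whose values must never reach logs.
// Constructed for this example; the release notes mention only "secret".
var sensitiveQueryKeys = map[string]bool{"secret": true, "token": true}

// EnterpriseHostFromRepoURL derives the GitHub host from the repository URL
// configured on the Repository object. The inbound request's Host header is
// deliberately not consulted: a value the sender controls must not decide
// where an installation token is requested from or delivered to.
func EnterpriseHostFromRepoURL(repoURL string) (string, error) {
	u, err := url.Parse(repoURL)
	if err != nil {
		return "", fmt.Errorf("invalid repository url: %w", err)
	}
	if u.Scheme != "https" {
		return "", errors.New("repository url must use https")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", errors.New("repository url has no host")
	}
	return host, nil
}

// APIBaseURL maps the derived host to the REST API base: github.com uses the
// separate api.github.com host, while GitHub Enterprise Server serves the API
// under /api/v3 on the instance itself.
func APIBaseURL(repoURL string) (string, error) {
	host, err := EnterpriseHostFromRepoURL(repoURL)
	if err != nil {
		return "", err
	}
	if host == "github.com" {
		return "https://api.github.com/", nil
	}
	return "https://" + host + "/api/v3/", nil
}

// ScopedTokenRequest builds the JSON body for a GitHub App installation
// access-token request limited to the single triggering repository, so a
// token minted for one webhook cannot read other repositories of the install.
func ScopedTokenRequest(repoName string) (string, error) {
	body := struct {
		Repositories []string `json:"repositories"`
	}{Repositories: []string{repoName}}
	b, err := json.Marshal(body)
	return string(b), err
}

// RedactQuery returns a copy of a request URL that is safe to log: values of
// sensitive query parameters are replaced with "REDACTED". url.Values.Encode
// sorts keys, so the output order is deterministic.
func RedactQuery(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable-url>"
	}
	q := u.Query()
	for key := range q {
		if sensitiveQueryKeys[strings.ToLower(key)] {
			q[key] = []string{"REDACTED"}
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	// Constructed inputs: a GHE repository URL and a webhook URL carrying a secret.
	repo := "https://ghe.example.com/org/repo"
	base, err := APIBaseURL(repo)
	fmt.Println(base, err) // https://ghe.example.com/api/v3/ <nil>

	// Host header supplied by the sender; compared only to surface a mismatch.
	headerHost := "attacker.example.net"
	if host, _ := EnterpriseHostFromRepoURL(repo); host != headerHost {
		fmt.Printf("host header %q ignored; using %q from repository URL\n", headerHost, host)
	}
	body, _ := ScopedTokenRequest("repo")
	fmt.Println(body) // {"repositories":["repo"]}
	fmt.Println(RedactQuery("/webhook?secret=s3cr3t&foo=bar")) // /webhook?foo=bar&secret=REDACTED
}
```

The design point is that every value feeding the token request (API host, repository scope) comes from cluster-side configuration, while the only sender-supplied value that is logged has its secret stripped first.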

✨ Major changes and Features

  • Reduce informer cache memory usage: Add cache transform functions for Repository and PipelineRun informers, stripping large unnecessary fields before objects enter the cache. Benchmarks show 89% size reduction for Repository objects and 94% for PipelineRun objects.

⚙️ Chores

  • Pin golangci toolchain: Download the branch-compatible golangci-lint binary and pin GOTOOLCHAIN for consistent linting.
  • Bump go-jose v4 to v4.1.4: Dependency update.
  • Rewrite e2e script for main's CI matrix: Add support for gitea_1/2/3, github_ghe_1/2/3, and other modern matrix targets so pull_request_target runs succeed.
  • Skip TLS verification for gosmee in e2e tests: Work around cert timing issue where gosmee starts before minica certs are generated.
  • Rename bitbucket DC env vars to match main: Update TEST_BITBUCKET_SERVER_* references to TEST_BITBUCKET_DATA_CENTER_* for pull_request_target compatibility.

Installation

To install this version, apply the release manifest for your platform with kubectl:

OpenShift

kubectl apply -f https://github.com/tektoncd/pipelines-as-code/releases/download/v0.39.6/release.yaml

Kubernetes

kubectl apply -f https://github.com/tektoncd/pipelines-as-code/releases/download/v0.39.6/release.k8s.yaml

Documentation

The documentation for this release is available here:

https://docs.pipelinesascode.com/v0.39.6

Changelog