
v0.42.1

@tekton-pac-bot released this 08 Jun 16:18 · 236 commits to main since this release
Immutable release. Only release title and notes can be modified.

Pipelines as Code version v0.42.1

Tekton Pipelines as Code v0.42.1 has been released 🥳

This is a security and stability patch release for the v0.42.x stream, backporting fixes from v0.48.0 along with dependency updates addressing multiple CVEs.

🐛 Bug Fixes

  • Prevent GitHub Enterprise host header hijacking: Validate GitHub App webhook payloads before minting tokens and derive the enterprise host from the repository URL instead of trusting the request header. Also scopes GitHub App installation tokens to the triggering repository for remote task resolution and deep-copies cached remote Pipeline/Task resources before inlining.
  • Redact incoming webhook query strings from logs: URL-based ?secret= values are no longer written to controller stdout.
  • Fix gRPC CVE-2026-33186: Update google.golang.org/grpc to v1.79.3 to address a critical HTTP/2 :path validation flaw that allows bypassing authorization rules in gRPC interceptors.
  • Fix Tekton Pipeline CVE-2026-33211: Upgrade tektoncd/pipeline to v1.9.2 to address a path traversal in the git resolver that could expose ServiceAccount tokens.
  • Bump Tekton Pipeline to v1.9.3: Additional dependency update for the pipeline component.
  • Fix go-jose GHSA-78h2-9frx-2jm8: Update go-jose v3 to v3.0.5 and v4 to v4.1.4 to patch a security vulnerability in JWE and JWS handling.
  • Map GitLab skipped status correctly: Use gitlab.Skipped state instead of gitlab.Canceled when the conclusion is skipped, so that GitLab pipelines show the correct status.
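
An added example (not code from Pipelines as Code) of the pattern named in the first fix above: authenticate the webhook body, then take the GitHub host from the signed payload's repository URL rather than from the X-GitHub-Enterprise-Host request header. It assumes that validation means the X-Hub-Signature-256 HMAC check and that the payload carries repository.html_url; sign, apiHostFor and the sample values are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// sign returns the X-Hub-Signature-256 value for body under the webhook secret.
func sign(body, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// apiHostFor (hypothetical helper) rejects unsigned or tampered payloads, then
// derives the host from the signed body. It never reads X-GitHub-Enterprise-Host.
func apiHostFor(hdr http.Header, body, secret []byte) (string, error) {
	if !hmac.Equal([]byte(hdr.Get("X-Hub-Signature-256")), []byte(sign(body, secret))) {
		return "", errors.New("webhook signature mismatch")
	}
	var ev struct {
		Repository struct {
			HTMLURL string `json:"html_url"`
		} `json:"repository"`
	}
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	u, err := url.Parse(ev.Repository.HTMLURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", errors.New("unusable repository URL in payload")
	}
	return u.Host, nil
}

func main() {
	secret := []byte("constructed-secret") // constructed sample input
	body := []byte(`{"repository":{"html_url":"https://ghe.example.test/org/repo"}}`)
	hdr := http.Header{}
	hdr.Set("X-Hub-Signature-256", sign(body, secret))
	hdr.Set("X-GitHub-Enterprise-Host", "other.example.test") // untrusted, ignored
	fmt.Println(apiHostFor(hdr, body, secret))
}
```

Any token minting or API client setup would happen only after apiHostFor returns without error, using the host it returned.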

⚙️ Chores

  • Pin golangci toolchain: Download the branch-compatible golangci-lint binary and pin GOTOOLCHAIN for consistent linting.
  • Skip TLS verification for gosmee in e2e tests: Work around cert timing issue where gosmee starts before minica certs are generated.
  • Rename bitbucket DC env vars to match main: Update TEST_BITBUCKET_SERVER_* references to TEST_BITBUCKET_DATA_CENTER_* for pull_request_target compatibility.
  • Split GHE e2e tests across three matrix slots: Add chunked splitting for github_ghe_1/2/3 targets matching main's CI matrix.

Installation

To install this version, apply the release.yaml for your platform with kubectl:

OpenShift

kubectl apply -f https://github.com/tektoncd/pipelines-as-code/releases/download/v0.42.1/release.yaml

Kubernetes

kubectl apply -f https://github.com/tektoncd/pipelines-as-code/releases/download/v0.42.1/release.k8s.yaml

Documentation

The documentation for this release is available here:

https://docs.pipelinesascode.com/v0.42.1

Changelog