Bump the backend group with 14 updates

[dependabot]

Bumps the backend group with 14 updates:

Package	From	To
github.com/aquasecurity/trivy	0.67.2	0.69.0
github.com/coreos/go-oidc	2.4.0+incompatible	2.5.0+incompatible
github.com/go-chi/chi/v5	5.2.3	5.2.4
github.com/go-git/go-git/v5	5.16.3	5.16.4
github.com/google/go-containerregistry	0.20.6	0.20.7
github.com/open-policy-agent/opa	1.9.0	1.11.0
github.com/operator-framework/api	0.35.0	0.38.0
github.com/spf13/cobra	1.10.1	1.10.2
github.com/tektoncd/pipeline	1.5.0	1.9.0
golang.org/x/crypto	0.43.0	0.46.0
golang.org/x/oauth2	0.32.0	0.34.0
golang.org/x/text	0.30.0	0.32.0
google.golang.org/api	0.252.0	0.260.0
helm.sh/helm/v3	3.19.0	3.19.2

Updates github.com/aquasecurity/trivy from 0.67.2 to 0.69.0

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.69.0

👉 Trivy v0.69.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

🐳 New Docker Install option

• docker pull get.trivy.dev/image/trivy:0.69.0

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0690-2026-01-30

v0.68.2

Changelog

• 0c40a8d4b9b943f1b679a20f8ba3cb61c94831de release: v0.68.2 [release/v0.68] (#9950)
• db2894561daa20301eb144cad467d75d8a3d2647 fix(deps): bump alpine from 3.22.1 to 3.23.0 [backport: release/v0.68] (#9949)

v0.68.1

👉 Trivy v0.68.1 release notes (click here)

[!NOTE]
v0.68.0 was skipped due to issues with the release.

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

🐳 Docker Install

• docker pull get.trivy.dev/image/trivy:0.68.1

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0680-2025-12-02

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.69.0 (2026-01-30)

⚠ BREAKING CHANGES

• misconf: use ID instead of AVDID for providers mapping (#9752)

Features

• activestate: add support ActiveState images (#10081) (676709d)
• add AnalyzedBy field to track which analyzer detected packages (#10059) (1953824)
• cloudformation: add support for Fn::ForEach (#9508) (d65b504)
• debian: detect third-party packages using maintainer list (#9917) (effc1c0)
• flag: add JSON Schema for trivy.yaml configuration file (#9971) (4caf731)
• helm: add sslCertDir parameter (#9697) (879e4fc)
• julia: enable vulnerability scanning for the Julia language ecosystem (#9800) (c2f82ad)
• misconf: add action block to Terraform schema (#10035) (b06ef6d)
• misconf: initial ansible scanning support (#9332) (9275e15)
• misconf: support for ARM resources defined as an object (#9959) (92d3465)
• misconf: support for azurerm_*_web_app (#9944) (37b5da8)
• misconf: Update Azure Database schema (#9811) (48dfede)
• misconf: use Terraform plan configuration to partially restore schema (#9623) (5fced3a)
• nodejs: parse licenses from package-lock.json file (#9983) (b64d5ad)
• php: add support for dev dependencies in Composer (#9910) (56b59e8)
• report: add Trivy version to JSON output (#10065) (fe7d20a)
• rocky: enable modular package vulnerability detection (#10069) (31c4780)
• rootio: Update trivy db to support usage of Severity from root.io feed (#9930) (d3096e7)
• sbom: exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033) (07ff788)
• secret: add detection for Symfony default secret key (#9892) (34baef2)
• vex: support per-repo tls configuration (#10030) (f809066)
• vuln: skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932) (74819bf)

Bug Fixes

• docker: fix non-det scan results for images with embedded SBOM (#9866) (7f71b57)
• go: use ldflags version for all pseudo-versions (#10037) (3c0ab97)
• image: race condition in image artifact inspection (#9966) (18acf4f)
• java: add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#9880) (809db46)
• java: correctly inherit properties from parent fields for pom.xml files (#9111) (2933b01)
• java: correctly propagate repositories from upper POMs to dependencies (#10077) (b9415a3)
• license: normalize licenses for PostAnalyzers (#9941) (11dd3fa)
• misconf: correct typos in block and attribute names (#9993) (ac061f8)
• misconf: respect .yml files when Helm charts are detected (#9912) (18ecf75)
• misconf: safely parse rotation_period in google_kms_crypto_key (#9980) (a0ecc8e)
• move enum into items for array-type fields in JSON Schema (#10039) (4e06c3d)
• remove trailing tab in statefulset template (#9889) (9db123c)
• repo: return a nil interface for gitAuth if missing (#10097) (036c05b)
• rust: add cargo workspace members glob support (#10032) (d2dc46a)
• rust: implement version inheritance for Cargo mono repos (#10011) (47d3103)

... (truncated)

Commits

• 8fb9191 release: v0.69.0 [main] (#9886)
• ba9feb6 chore: bump trivy-checks to v2 (#9875)
• f00f8de chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1...
• 036c05b fix(repo): return a nil interface for gitAuth if missing (#10097)
• 2933b01 fix(java): correctly inherit properties from parent fields for pom.xml files ...
• 47d3103 fix(rust): implement version inheritance for Cargo mono repos (#10011)
• 676709d feat(activestate): add support ActiveState images (#10081)
• f809066 feat(vex): support per-repo tls configuration (#10030)
• f97ac7e refactor: allow per-request transport options override (#10083)
• 8b46122 chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#10084)
• Additional commits viewable in compare view

Updates github.com/coreos/go-oidc from 2.4.0+incompatible to 2.5.0+incompatible

Release notes

Sourced from github.com/coreos/go-oidc's releases.

v2.5.0

What's Changed

• *: format all files using newer Go versions by @​ericchiang in coreos/go-oidc#472
• *: add sanity check to avoid JWT over-allocation by @​ericchiang in coreos/go-oidc#473

Full Changelog: coreos/go-oidc@v2.4.0...v2.5.0

Commits

• 153fc73 *: add sanity check to avoid JWT over-allocation
• eb183a9 *: format all files using newer Go versions
• See full diff in compare view

Updates github.com/go-chi/chi/v5 from 5.2.3 to 5.2.4

Commits

• 6eb3588 middleware: harden RedirectSlashes handler (#1044)
• de0d16e Update comment about min Go version (#1023)
• 9fb4a15 update reverseMethodMap in RegisterMethod (#1022)
• 51c977c Refactor to use atomic type (#1019)
• 563ab11 Refactor graceful shutdown example (#994)
• a52c582 Bump minimum Go and use new features (#1017)
• See full diff in compare view

Updates github.com/go-git/go-git/v5 from 5.16.3 to 5.16.4

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in go-git/go-git#1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

Commits

• de8ecc3 Merge pull request #1743 from go-git/renovate/releases/v5.x-go-github.com-go-...
• 3e752f0 build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY]
• 3a31754 Merge pull request #1741 from go-git/renovate/releases/v5.x-go-github.com-clo...
• acc28f1 build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY]
• 95f3880 Merge pull request #1742 from go-git/renovate/releases/v5.x-go-golang.org-x-n...
• 329f926 build: Update module golang.org/x/net to v0.38.0 [SECURITY]
• 399e04b Merge pull request #1734 from pjbgf/fix-ci
• 2025eae build: test, Fix build on Windows.
• fb6806f Merge pull request #1732 from swills/find-hash-panic-fix-backport
• 382530f plumbing: format/idxfile, prevent panic
• See full diff in compare view

Updates github.com/google/go-containerregistry from 0.20.6 to 0.20.7

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.7

What's Changed

• Fix ArgsEscaped lint directive by @​Subserial in google/go-containerregistry#2137
• transport: Fix broken links to distribution docs by @​guzalv in google/go-containerregistry#2136
• fix(remote): using customized retry predicate func if provided by @​derekhjray in google/go-containerregistry#2135
• Adding docker file by @​HassanJasim in google/go-containerregistry#2138
• crane: Add timestamp to flatten layer by @​Stephanie0829 in google/go-containerregistry#2117
• feat(remote): pass retryBackoff option to transport by @​aslafy-z in google/go-containerregistry#1628
• Expose clobber refusal error by @​pjbgf in google/go-containerregistry#2146
• Build artifacts for riscv64 by @​ffgan in google/go-containerregistry#2159
• Update dependencies and deprecate DockerVersion field by @​Subserial in google/go-containerregistry#2164

New Contributors

• @​guzalv made their first contribution in google/go-containerregistry#2136
• @​derekhjray made their first contribution in google/go-containerregistry#2135
• @​HassanJasim made their first contribution in google/go-containerregistry#2138
• @​Stephanie0829 made their first contribution in google/go-containerregistry#2117
• @​pjbgf made their first contribution in google/go-containerregistry#2146
• @​ffgan made their first contribution in google/go-containerregistry#2159

Full Changelog: google/go-containerregistry@v0.20.6...v0.20.7

Commits

• e075f20 go mod tidy on dependabot update (#2171)
• 45aacf4 Bump the actions group across 1 directory with 3 updates (#2170)
• 073b936 Update dependencies and deprecate DockerVersion field (#2164)
• 390dacd Bump golang.org/x/crypto from 0.38.0 to 0.45.0 in /cmd/krane (#2163)
• ca44d47 Bump golang.org/x/crypto from 0.38.0 to 0.45.0 in /pkg/authn/k8schain (#2162)
• 999cc1f Bump github.com/docker/docker (#2161)
• d1809c8 Build artifacts for riscv64 (#2159)
• 7471efd Bump the auxiliary-deps group across 3 directories with 4 updates (#2156)
• 2bb5bb0 Bump the actions group with 5 updates (#2155)
• 16371c1 Remove manual vendor setting for dependabot (#2151)
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.9.0 to 1.11.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.11.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• More efficient connection management in the http.send built-in function
• More performant loading of large bundles containing multiple Rego files

Immutable Releases

Starting with this release, OPA releases are immutable for increased security.

Runtime, SDK, Tooling

• v1/ast: Fix Call parsing Text attribute including an extra character (#7989) authored by @​schmitd
• ast: Export built-in deprecated field (#7912) authored by @​colinjlacy
• ast: Intern common var values + some parser improvements (#8028) authored by @​anderseknert
• ast: Support custom builtins in CompileModulesWithOpt (#8061) authored by @​sspaink
• bundle: Concurrent Rego parsing in bundle loader (#8067) authored by @​anderseknert
• cmd: Support --ignore in eval cmd when using bundle flag (--bundle) (#8062) authored by @​sspaink
• storage/inmem: Allow passing triggers (AST) data without conversion (#7958) authored by @​anderseknert

Compiler, Topdown and Rego

• topdown: Avoid unnecessary use of custom http.Transport in http.send built-in (#7927) authored by @​sykesm
• topdown: New custom SemVer implementation (#8010) authored by @​anderseknert
• topdown: Use sync.Pool for eval func objects (#8054) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Add example for Compile API's table mapping (#8017) authored by @​srenatus
• docs: Address pages with similar titles (#8046) authored by @​charlieegan3
• docs: Address some broken links (#8022) authored by @​charlieegan3
• docs: Bump glob dep (CVE-2025-64756) (#8056) authored by @​srenatus
• docs: Improve ground value and assignment docs (#8047) authored by @​charlieegan3
• docs: Make iteration content flow better (#8064) authored by @​charlieegan3
• docs: Note package repos are community maintained (#8053) authored by @​charlieegan3
• docs: Update terraform guide with notes about plan (#8043) authored by @​charlieegan3
• docs: Update the archive to have an edge link (#8011) authored by @​charlieegan3
• docs: Update the policy language intro (#8050) authored by @​charlieegan3
• docs/ocp: Datasource example uses wrong AWS S3 URL (#8039) authored by @​SuchSkill
• docs/regal: Replicate sidebar fixes (#8036) authored by @​charlieegan3
• website: Various fixes and improvements by @​charlieegan3

Miscellaneous

• Bump golangci-lint, more gocritic linters (#8052) authored by @​anderseknert
• Tidy up and unify sync pool handling (#8068) authored by @​anderseknert
• builtins: Add StringOperandByteSlice helper (#8048) authored by @​anderseknert
• test: Add test cases for consistent cache behavior (#8015) authored by @​DFrenkel
• util/performance: Remove math.Log10, remove unused KeysCount (#8041) authored by @​srenatus
• workflow: Add Benchmarks workflow (#8072) authored by @​srenatus

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

Decision Logs dropped (introduced in OPA v1.9.0)

When the decision logs buffer was uploaded, the buffer limit inadvertently got reset to the default upload limit (32kb). This causes logs to be dropped that shouldn't have been dropped.

This default is overridden by the configuration value decision_logs.reporting.upload_size_limit_bytes, see the docs on decision logs.

There's a Prometheus metric for dropped events, counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded, and you can check that for unexpectedly high counts.

Reported by @​johanneslarsson #8123, fixed by @​sspaink.

The release is otherwise identical to v1.11.0.

1.11.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• More efficient connection management in the http.send built-in function
• More performant loading of large bundles containing multiple Rego files

Immutable Releases

Starting with this release, OPA releases are immutable for increased security.

Runtime, SDK, Tooling

• v1/ast: Fix Call parsing Text attribute including an extra character (#7989) authored by @​schmitd
• ast: Export built-in deprecated field (#7912) authored by @​colinjlacy
• ast: Intern common var values + some parser improvements (#8028) authored by @​anderseknert
• ast: Support custom builtins in CompileModulesWithOpt (#8061) authored by @​sspaink
• bundle: Concurrent Rego parsing in bundle loader (#8067) authored by @​anderseknert
• cmd: Support --ignore in eval cmd when using bundle flag (--bundle) (#8062) authored by @​sspaink
• storage/inmem: Allow passing triggers (AST) data without conversion (#7958) authored by @​anderseknert

Compiler, Topdown and Rego

• topdown: Avoid unnecessary use of custom http.Transport in http.send built-in (#7927) authored by @​sykesm
• topdown: New custom SemVer implementation (#8010) authored by @​anderseknert
• topdown: Use sync.Pool for eval func objects (#8054) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Add example for Compile API's table mapping (#8017) authored by @​srenatus
• docs: Address pages with similar titles (#8046) authored by @​charlieegan3
• docs: Address some broken links (#8022) authored by @​charlieegan3
• docs: Bump glob dep (CVE-2025-64756) (#8056) authored by @​srenatus
• docs: Improve ground value and assignment docs (#8047) authored by @​charlieegan3
• docs: Make iteration content flow better (#8064) authored by @​charlieegan3

... (truncated)

Commits

• 45cbfa1 Prepare v1.11.0 release (#8076)
• 36590cd deps: bump wasmtime-go v37 -> v39
• 545de92 workflow: add 'Benchmarks' workflow
• 6341217 ast: Export built-in deprecated field (#8069)
• d82c21c cmd: Support --ignore in eval cmd when using bundle flag (-b) (#8062)
• dd2ccc7 Tidy up and unify sync pool handling (#8068)
• 51a50ca Concurrent Rego parsing in bundle loader (#8067)
• 3882d81 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /e2e (#8066)
• d198154 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#8065)
• 015175c docs: Make iteration content flow better (#8064)
• Additional commits viewable in compare view

Updates github.com/operator-framework/api from 0.35.0 to 0.38.0

Release notes

Sourced from github.com/operator-framework/api's releases.

v0.38.0

What's Changed

• Bump the k8s-dependencies group with 4 updates by @​dependabot[bot] in operator-framework/api#461
• Bump actions/cache from 4 to 5 by @​dependabot[bot] in operator-framework/api#462
• Update to golang 1.25 by @​tmshort in operator-framework/api#464
• Migrate away from ioutil by @​perdasilva in operator-framework/api#463
• 🌱 Upgrade controller-gen from v0.18.0 to v0.20.0 by @​camilamacedo86 in operator-framework/api#466
• Bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4 by @​dependabot[bot] in operator-framework/api#467

Full Changelog: operator-framework/api@v0.37.0...v0.38.0

v0.37.0

Significant Features

• #454 provides a new optional release field allowing bundle authors to express packaging-specific versioning for CSVs which is backwards- and forwards-compatible. Validators are updated to ensure correct use of this field. For more information, please see the brief and rfc.

What's Changed

• Bump sigs.k8s.io/controller-runtime from 0.22.3 to 0.22.4 in the k8s-dependencies group by @​dependabot[bot] in operator-framework/api#456
• add general agents info by @​grokspawn in operator-framework/api#457
• Bump the k8s-dependencies group with 4 updates by @​dependabot[bot] in operator-framework/api#458
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in operator-framework/api#459
• Bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @​dependabot[bot] in operator-framework/api#460
• add Release version as an optional field in the CSV by @​grokspawn in operator-framework/api#454

Full Changelog: operator-framework/api@v0.36.0...v0.37.0

v0.36.0

What's Changed

• Bump sigs.k8s.io/controller-runtime from 0.22.1 to 0.22.2 in the k8s-dependencies group by @​dependabot[bot] in operator-framework/api#452
• Bump sigs.k8s.io/controller-runtime from 0.22.2 to 0.22.3 in the k8s-dependencies group by @​dependabot[bot] in operator-framework/api#453
• bump go version to fix GO-2025-3956 by @​grokspawn in operator-framework/api#455

Full Changelog: operator-framework/api@v0.35.0...v0.36.0

Commits

• 2dc4fea Bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4 (#467)
• 5fff887 🌱 Upgrade controller-gen from v0.18.0 to v0.20.0 (#466)
• 5367cbd Migrate away from ioutil (#463)
• dfd6338 Update to golang 1.25 (#464)
• aa24971 Bump actions/cache from 4 to 5 (#462)
• 78e2ba7 Bump the k8s-dependencies group with 4 updates (#461)
• f65ea7e add Release version as an optional field in the CSV (#454)
• 4efa173 Bump github.com/spf13/cobra from 1.10.1 to 1.10.2 (#460)
• ebdb4e0 Bump actions/checkout from 5 to 6 (#459)
• 500bb71 Bump the k8s-dependencies group with 4 updates (#458)
• Additional commits viewable in compare view

Updates github.com/spf13/cobra from 1.10.1 to 1.10.2

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.2

🔧 Dependencies

• chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @​dims in spf13/cobra#2336 - the gopkg.in/yaml.v3 package has been deprecated for some time: this should significantly cleanup dependency/supply-chains for consumers of spf13/cobra

📈 CI/CD

• Fix linter and allow CI to pass by @​marckhouzam in spf13/cobra#2327
• fix: actions/setup-go v6 by @​jpmcb in spf13/cobra#2337

🔥✍🏼 Docs

• Add documentation for repeated flags functionality by @​rvergis in spf13/cobra#2316

🍂 Refactors

• refactor: replace several vars with consts by @​htoyoda18 in spf13/cobra#2328
• refactor: change minUsagePadding from var to const by @​ssam18 in spf13/cobra#2325

🤗 New Contributors

• @​rvergis made their first contribution in spf13/cobra#2316
• @​htoyoda18 made their first contribution in spf13/cobra#2328
• @​ssam18 made their first contribution in spf13/cobra#2325
• @​dims made their first contribution in spf13/cobra#2336

Full Changelog: spf13/cobra@v1.10.1...v1.10.2

Thank you to our amazing contributors!!!!! 🐍 🚀

Commits

• 88b30ab chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#2336)
• 346d408 fix: actions/setup-go v6 (#2337)
• fc81d20 refactor: change minUsagePadding from var to const (#2325)
• 117698a refactor: replace several vars with consts (#2328)
• e2dd29d Add documentation for repeated flags functionality (#2316)
• 0629892 Fix linter (#2327)
• See full diff in compare view

Updates github.com/tektoncd/pipeline from 1.5.0 to 1.9.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.9.0 LTS "Devon Rex Dreadnought"

🎉 hostUsers support and digest validation for http resolver 🎉

-Docs @ v1.9.0 -Examples @ v1.9.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml
REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.0@sha256:" + .digest.sha256')
Download the release file
curl -L "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat: add ServiceAccount inheritance to Affinity Assistants (#9253)

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

• Versions are numbered according to semantic versioning: vX.Y.Z
• A new release is produced on a monthly basis
• Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
  • LTS releases take place in January, April, July and October every year
  • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
  • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

• The Tekton Pipeline [release process][tekton-releases-docs]
• [Installing Tekton][tekton-installation]
• Standard for [release notes][release-notes-standards]

Release

v1.7

• Latest Release: [v1.7.0][v1.7-0] (2025-12-03) ([docs][v1.7-0-docs], [examples][v1.7-0-examples])
• Initial Release: [v1.7.0][v1.7-0] (2025-12-03)
• End of Life: 2025-12-31
• Patch Releases: [v1.7.0][v1.7-0]

v1.6 (LTS)

... (truncated)

Commits

• 0cc7987 fix: validate taskRef.apiVersion format for custom tasks
• 13a014c build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1
• 80ce1d5Description has been truncated