Update tektoncd pipelines to v1.12.2 (main)

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/tektoncd/pipeline	v1.12.0 → v1.12.2

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

tektoncd/pipeline (github.com/tektoncd/pipeline)

v1.12.2: Tekton Pipeline release v1.12.2 "Exotic Shorthair Elektrobots LTS"

Compare Source

-Docs @​ v1.12.2
-Examples @​ v1.12.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.2/release.yaml

Attestation

The Rekor UUID for this release is cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187

Obtain the attestation:

REKOR_UUID=cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.2/release.yaml
REKOR_UUID=cb0a4d44223cf8dd164d8eec84c25d204f7a37a023c2d28f1f8dcde79ca3c187

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.2@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

• 🔨 build(deps): bump k8s.io/client-go from 0.35.5 to 0.35.6 (#​10289)

Docs

Thanks

Thanks to these contributors who contributed to v1.12.2!

• ❤️ @​app/dependabot

Extra shout-out for awesome release notes:

v1.12.1: Tekton Pipeline release v1.12.1 "Exotic Shorthair Elektrobots LTS"

Compare Source

-Docs @​ v1.12.1
-Examples @​ v1.12.1

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.1/release.yaml
REKOR_UUID=108e9186e8c5677a9cfc575e256441da4223e4767ebb840a62e4b5ad18ed6219842a81686a4a8586

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.1@​sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

• 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds (#​10252)

efore this change, ResolutionRequests could only resolve Pipelines, Tasks, and StepActions. After this change, ResolutionRequests can resolve PipelineRuns, Pipelines, TaskRuns, Tasks, Runs, CustomRuns, and StepActions.

• 🐛 [cherry-pick: release-v1.12.x] fix: TaskRun stuck in Running when init container is OOMKilled with enableKubernetesSidecar (#​10186)

ix: TaskRun no longer gets stuck in Running when an init container (e.g. prepare) is OOMKilled while enableKubernetesSidecar is enabled. The TaskRun is now correctly marked as Failed immediately.

• 🐛 [cherry-pick: release-v1.12.x] Fix cross-arch platform command lookup in entrypoint (#​10164)

ix entrypoint command lookup when controller and worker nodes run on different CPU architectures (e.g., ARM controller with AMD64 workloads). The controller's CPU variant was leaking into TEKTON_PLATFORM_COMMANDS keys via platforms.NewPlatform(), causing "could not find command for platform" errors on worker nodes of a different architecture.

• 🐛 [cherry-pick: release-v1.12.x] fix: truncate affinity assistant volume names to 63 characters (#​10137)

ffinity assistant StatefulSet no longer fails when workspace volumeClaimTemplate names exceed 63 characters. Long volume names are now automatically truncated with a hash suffix to stay within the Kubernetes limit.

• 🐛 [cherry-pick: release-v1.12.x] fix(pipelinerun): use generateName for anonymous pipeline label (#​10079)

Previously, TaskRuns' tekton.dev/pipeline label for anonymous Pipelines would use their PipelineRun's name in their tekton.dev/pipeline label and pipeline metrics tag. After this change, TaskRun and PipelineRun which are created from anonymous Pipelines now reference a sanitized metadata.generateName, when present, for the label tekton.dev/pipeline. Similarly, these TaskRruns and PipelineRuns will populate their respective metrics' pipeline tag with the sanitized generateName instead of using anonymous.

• 🐛 [release-v1.12.x] Fix gen-crd-api-reference-docs require to use fetchable version (#​10001)

ix gen-crd-api-reference-docs go.mod require to use a fetchable upstream version, fixing module resolution failures for downstream consumers.

• 🐛 [cherry-pick: release-v1.12.x] fix(resolvers): validate data is Tekton object in resolver framework (#​9963)

Fixes a bug which lets Tekton Resolvers resolve non-tekton objects and arbitrary data. After this change, resolving a non-tekton object causes the ResolutionRequest to fail.
Action Required: Tekton Resolvers are now only permitted to resolve StepActions, Tasks, and Pipelines. Custom resolvers or ResolutionRequest which use the Resolver API for other object types will no longer function.

• 🐛 [release-v1.12.x] fix: replace symlinks with subpath params and fix Rekor UUID in release pipeline (#​10216)
• 🐛 [cherry-pick: release-v1.12.x] Fix PipelineRun premature failure when TaskRun recovers after pod eviction (#​10161)

Misc

• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10265)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10234)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.21 to 1.6.22 (#​10229)
• 🔨 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#​10200)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.19 to 1.6.21 (#​10199)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10194)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.8 (#​10168)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.6 to 1.10.8 (#​10150)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.6 to 1.10.8 (#​10149)
• 🔨 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.14.7 (#​10148)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.6 to 1.10.8 (#​10147)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.6 to 1.10.8 (#​10146)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10130)
• 🔨 build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#​10129)
• 🔨 build(deps): bump the all group across 1 directory with 4 updates (#​10094)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.2 to 2.19.4 (#​10093)
• 🔨 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#​10092)
• 🔨 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#​10091)
• 🔨 build(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 (#​10070)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.5 to 1.10.6 (#​10065)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.5 to 1.10.6 (#​10064)
• 🔨 build(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 (#​10063)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.5 to 1.10.6 (#​10062)
• 🔨 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.5 to 1.10.6 (#​10061)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.2 (#​10046)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​10041)
• 🔨 build(deps): bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.35.5 (#​10034)
• 🔨 build(deps): bump k8s.io/client-go from 0.35.4 to 0.35.5 in /test/custom-task-ctrls/wait-task-beta (#​10023)
• 🔨 build(deps): bump github.com/jenkins-x/go-scm from 1.15.21 to 1.15.22 (#​10018)
• 🔨 build(deps): bump github.com/google/cel-go from 0.28.0 to 0.28.1 (#​10017)
• 🔨 build(deps): bump github/codeql-action from 4.35.2 to 4.35.4 (#​9994)
• 🔨 build(deps): bump chainguard/go from 7ec9277 to a4477c3 in /tekton in the all group (#​9993)
• 🔨 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#​9983)
• 🔨 build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#​9981)
• 🔨 build(deps): bump the all group in /tekton with 4 updates (#​9976)

Docs

Thanks

Thanks to these contributors who contributed to v1.12.1!

• ❤️ @​app/dependabot
• ❤️ @​tekton-robot
• ❤️ @​vdemeester
• ❤️ @​waveywaves

Extra shout-out for awesome release notes:

• 😍 @​tekton-robot
• 😍 @​vdemeester
• 😍 @​waveywaves

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum

Command failed: go mod tidy
go: downloading github.com/go-openapi/testify/v2 v2.4.1
go: downloading github.com/otiai10/mint v1.5.1
go: downloading k8s.io/apiserver v0.35.5
go: downloading k8s.io/component-base v0.35.5
go: downloading golang.org/x/tools v0.45.0
go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5
go: downloading github.com/go-openapi/testify/enable/yaml/v2 v2.4.1
go: downloading github.com/google/trillian v1.7.2
go: downloading github.com/jackc/pgx/v5 v5.7.5
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.8
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.8
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.8
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.8
go: downloading go.step.sm/crypto v0.75.0
go: downloading k8s.io/cli-runtime v0.34.2
go: downloading google.golang.org/api v0.271.0
go: downloading filippo.io/edwards25519 v1.1.1
go: downloading github.com/aws/aws-sdk-go-v2 v1.41.7
go: downloading github.com/aws/aws-sdk-go-v2/config v1.32.17
go: downloading github.com/aws/aws-sdk-go-v2/service/kms v1.50.1
go: downloading cloud.google.com/go/kms v1.26.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.6.5
go: downloading go.etcd.io/etcd/client/v3 v3.6.5
go: downloading github.com/aws/smithy-go v1.25.1
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.19.16
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23
go: downloading github.com/aws/aws-sdk-go-v2/service/signin v1.0.11
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.30.17
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.42.1
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23
go: downloading cloud.google.com/go/iam v1.5.3
go: downloading cloud.google.com/go/longrunning v0.8.0
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading google.golang.org/genproto v0.0.0-20260128011058-8636f8732409
go: downloading cloud.google.com/go/auth v0.18.2
go: downloading github.com/shoenig/test v0.6.4
go: downloading go.etcd.io/etcd/api/v3 v3.6.5
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23
go: downloading github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23
go: downloading github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6
go: finding module for package knative.dev/pkg/tracing/config
go: finding module for package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/tracing/config

File name: tools/go.sum

Command failed: go mod tidy
go: downloading github.com/mattn/go-shellwords v1.0.12
go: downloading github.com/distribution/distribution/v3 v3.0.0
go: downloading github.com/DATA-DOG/go-sqlmock v1.5.2
go: downloading github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2
go: downloading github.com/onsi/ginkgo/v2 v2.28.1
go: downloading github.com/onsi/gomega v1.39.1
go: downloading github.com/redis/go-redis/v9 v9.17.2
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/bshuster-repo/logrus-logstash-hook v1.0.0
go: downloading github.com/docker/go-metrics v0.0.1
go: downloading github.com/gorilla/handlers v1.5.2
go: downloading github.com/mattn/go-sqlite3 v1.14.28
go: downloading github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2
go: downloading cloud.google.com/go/pubsub v1.50.1
go: downloading github.com/hinshun/vt10x v0.0.0-20220228203356-1ab2cad5fd82
go: downloading gopkg.in/h2non/gock.v1 v1.1.2
go: downloading github.com/gorilla/mux v1.8.1
go: downloading github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
go: downloading github.com/redis/go-redis/extra/redisotel/v9 v9.5.3
go: downloading go.opentelemetry.io/contrib/exporters/autoexport v0.57.0
go: downloading github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f
go: downloading github.com/poy/onpar v1.1.2
go: downloading github.com/alecthomas/assert/v2 v2.11.0
go: downloading github.com/alecthomas/repr v0.5.2
go: downloading github.com/gostaticanalysis/testutil v0.5.0
go: downloading go-simpler.org/assert v0.9.0
go: downloading golang.org/x/tools/go/expect v0.1.1-deprecated
go: downloading github.com/matryer/is v1.4.0
go: downloading github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1
go: downloading github.com/google/go-replayers/grpcreplay v1.3.0
go: downloading github.com/google/go-replayers/httpreplay v1.2.0
go: downloading cloud.google.com/go/pubsub/v2 v2.3.0
go: downloading github.com/hashicorp/golang-lru/arc/v2 v2.0.5
go: downloading github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542
go: downloading github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3
go: downloading golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated
go: downloading github.com/tenntenn/modver v1.0.1
go: downloading github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3
go: downloading go.opentelemetry.io/contrib/bridges/prometheus v0.57.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0
go: downloading go.opentelemetry.io/otel/sdk/log v0.8.0
go: downloading github.com/go-toolsmith/pkgload v1.2.2
go: downloading github.com/keybase/go-keychain v0.0.1
go: downloading github.com/jcmturner/goidentity/v6 v6.0.1
go: downloading github.com/ActiveState/vt10x v1.3.1
go: downloading github.com/dave/jennifer v1.7.1
go: downloading go.opentelemetry.io/otel/log v0.8.0
go: downloading github.com/jmespath/go-jmespath/internal/testify v1.5.1
go: downloading github.com/kr/pty v1.1.8
go: downloading github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83
go: finding module for package knative.dev/pkg/tracing/config
go: finding module for package knative.dev/pkg/metrics
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/tracing/config

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 3:01 AM UTC · Completed 3:06 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

Looks good to me

---

Labels: Dependency update PR modifying Go module files, matching repo convention for Renovate PRs.

Previous run

Looks good to me

Previous run (2)

Looks good to me

Previous run (3)

Looks good to me

Previous run (4)

Looks good to me

Previous run (5)

Review

Findings

Medium

• [version consistency] go.mod:33 — The PR bumps go-securesystemslib from v0.10.0 to v0.11.0 in go.mod only, while acceptance/go.mod and tools/go.mod remain at v0.10.0. Under semver v0.x rules, a minor version bump can contain breaking changes. The project uses dsse and encrypted packages from this library.
  Remediation: Verify that go-securesystemslib v0.11.0 does not contain breaking changes to the dsse or encrypted APIs used in this project. If acceptance/ and tools/ modules also transitively depend on this library, consider coordinating the version bump across all three modules.

Low

• [version consistency] go.mod:19 — go-containerregistry is bumped from v0.21.5 to v0.21.6 in go.mod, but a replace directive redirects to conforma/go-containerregistry at a pinned commit hash, so the version bump has no functional effect on the root module. tools/go.mod lists go-containerregistry v0.21.5 as indirect with no replace directive, so it uses the upstream version directly.

Info

• [transitive dependency removal] go.mod:127 — Removal of github.com/aws/aws-sdk-go-v2/internal/ini as a transitive dependency is expected when the AWS SDK reorganizes its internal packages across minor versions. Benign change.

• [version consistency] acceptance/go.mod:31 — The tektoncd/pipeline version is consistent across all three go.mod files, updated from v1.12.0 to v1.12.1. Patch version bump expected to be backward-compatible.

Previous run (6)

Looks good to me

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 3:18 AM UTC · Completed 3:25 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-retro]

🤖 Finished Retro · ✅ Success · Started 3:00 PM UTC · Completed 3:08 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-retro]

Retro: PR #3351 — Automated dependency update with review agent issues

What happened: PR #3351 was an automated Konflux/MintMaker dependency update bumping github.com/tektoncd/pipeline from v1.12.0 to v1.12.1. The PR had known artifact update failures (go mod tidy could not resolve knative.dev/pkg packages), 4 failing CI checks (Tools, Acceptance, Lint, enterprise-contract), and was ultimately auto-closed without merging.

The review agent exhibited several known issues on this PR:

1. Self-triggering feedback loop — The review agent's APPROVED verdict triggered pull_request_review: [submitted] in fullsend.yaml, causing a redundant second review dispatch on the same commit. Run 1 (workflow 27858153145) approved at ~3:06 UTC; its own approval event plus a concurrent force-push triggered Run 2 (workflow 27858559391) at ~3:18 UTC. This wasted tokens and compute. → Already tracked in #1271 and #1125.

2. Approval despite medium-severity finding — Run 1 found a Medium severity version inconsistency (go-securesystemslib v0.10.0 vs v0.11.0 across go.mod files) but still submitted an APPROVED review and applied ready-for-merge. Run 2 later corrected this to requires-manual-review. → Already tracked in #1453 (consolidated in #1481).

3. Stale APPROVED review not dismissed — Run 2 removed the ready-for-merge label and applied requires-manual-review, but the original APPROVED pull_request_review from Run 1 was never dismissed. → Already tracked in #827.

4. CI status not factored into verdict — The review agent approved despite 4 failing CI checks and a known Renovate artifact failure. → Already tracked in #369 and #1424.

5. Bot warning comments not considered — The Renovate bot posted a clear artifact update failure warning, but the review agent did not factor this into its verdict. → Already tracked in #1406.

6. Retro dispatched for autoclosed bot PR — This retro was triggered for a bot-authored PR that was auto-closed without merging, which has limited learning value. → Already tracked in #2461.

No new proposals. All identified improvements are already covered by existing open issues in fullsend-ai/fullsend. This PR serves as additional evidence for the priority of those issues, particularly #1271 (self-triggering), #1453 (medium-severity approval threshold), and #369 (CI-aware review verdicts).

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:54 AM UTC · Completed 3:00 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:35 AM UTC · Completed 2:42 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

[low] version inconsistency

The PR bumps go-securesystemslib from v0.10.0 to v0.11.0 in go.mod. The acceptance/go.mod also lists go-securesystemslib as a direct dependency at v0.10.0. Since these are separate Go modules, a version skew could occur. However, this is consumed transitively via in-toto-golang and the dsse sub-package has been stable across minor versions. If CI passes, the API compatibility concern is fully mitigated.

Suggested fix: Verify CI passes. If acceptance tests also pass, no further action is needed.

[fullsend-ai-review]

[low] version inconsistency across modules

Some transitive dependency bumps (golang.org/x/crypto, golang.org/x/net, k8s.io/client-go) appear only in the main go.mod. Since these are indirect deps in sub-modules, Go's MVS will resolve them. No correctness issue unless acceptance or tools modules are built independently.

[fullsend-ai-retro]

🤖 Finished Retro · ✅ Success · Started 9:41 AM UTC · Completed 9:47 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-retro]

Retro: PR #3351 — Automated tektoncd/pipeline dependency bump

This PR was an automated dependency bump from red-hat-konflux[bot] that was broken from the start (go mod tidy failed due to removed packages in knative.dev/pkg). It was never going to merge, yet it consumed 6 review agent runs and 3 retro agent runs over 6 days before being auto-closed.

What went wrong (compound waste)

Multiple known issues compounded to create outsized waste:

1. Self-triggering loop (#1271): Review Run 1's APPROVED verdict dispatched Review Run 2 via the pull_request_review: [submitted] trigger. This repeated on Run 3→Run 4.
2. Rebase-triggered redundant reviews (#1287, #1355): Daily automated rebases triggered Runs 3, 5, and 6 despite no semantic change.
3. Approved despite failing CI (#369, #1424): All 5 formal APPROVED reviews were submitted while CI was red. The ready-for-merge label was applied on Run 1.
4. Bot warning comments ignored (#1406): The bot posted a go mod tidy failure warning immediately on PR creation; the review agent never factored this into its verdict.
5. Stale approvals not dismissed (#827): 5 APPROVED reviews accumulated and were never dismissed.
6. Retro ran on autoclosed bot PR (#2461): 3 retro runs fired (including one still in progress), all on a PR that required no retrospective.
7. Medium-severity finding auto-approved (#1453): Run 1 correctly identified a Medium-severity version inconsistency but still approved. Run 6 downgraded the same finding to Low without justification.

Waste estimate

~9 agent runs (6 review + 3 retro) on a PR that was DOA. Conservatively, only 1 review run was justifiable (and it should have resulted in requires-manual-review, not approval). The first retro run was useful in mapping issues; runs 2 and 3 were pure waste.

Prioritization signal

All identified problems map to existing open issues. The highest-impact fixes for this class of waste are:

• #1355 + #1287: Skip re-review on rebase-only changes (would have prevented 3 of 6 review runs)
• #1271: Filter self-triggering review loop (would have prevented 2 of 6 review runs)
• #369: Check CI status before approving (would have prevented all 5 incorrect approvals)
• #2461: Skip retro for autoclosed bot PRs (would have prevented 2 of 3 retro runs)

No new proposals — all improvement opportunities are already tracked.

[red-hat-konflux]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
github.com/secure-systems-lab/go-securesystemslib	v0.10.0 -> v0.11.0
github.com/sigstore/sigstore	v1.10.5 -> v1.10.8
github.com/google/cel-go	v0.28.0 -> v0.28.1
github.com/letsencrypt/boulder	v0.20260223.0 -> v0.20260309.0

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 18 additional dependencies were updated

Details:

Package	Change
github.com/secure-systems-lab/go-securesystemslib	v0.10.0 -> v0.11.0
github.com/sigstore/sigstore	v1.10.5 -> v1.10.8
github.com/aws/aws-sdk-go-v2	v1.41.4 -> v1.41.7
github.com/aws/aws-sdk-go-v2/config	v1.32.12 -> v1.32.17
github.com/aws/aws-sdk-go-v2/credentials	v1.19.12 -> v1.19.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.20 -> v1.18.23
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.20 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.20 -> v2.7.23
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.21 -> v1.4.24
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.7 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.20 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.8 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.13 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.17 -> v1.35.21
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.9 -> v1.42.1
github.com/aws/smithy-go	v1.24.2 -> v1.25.1
github.com/google/cel-go	v0.28.0 -> v0.28.1
github.com/letsencrypt/boulder	v0.20260223.0 -> v0.20260309.0

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 22 additional dependencies were updated

Details:

Package	Change
github.com/aws/aws-sdk-go-v2	v1.41.4 -> v1.41.7
github.com/aws/aws-sdk-go-v2/config	v1.32.12 -> v1.32.17
github.com/aws/aws-sdk-go-v2/credentials	v1.19.12 -> v1.19.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.20 -> v1.18.23
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.20 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.20 -> v2.7.23
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.21 -> v1.4.24
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.7 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.20 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.8 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.13 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.17 -> v1.35.21
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.9 -> v1.42.1
github.com/aws/smithy-go	v1.24.2 -> v1.25.1
github.com/google/cel-go	v0.28.0 -> v0.28.1
github.com/letsencrypt/boulder	v0.20260223.0 -> v0.20260309.0
github.com/secure-systems-lab/go-securesystemslib	v0.10.0 -> v0.11.0
github.com/sigstore/sigstore	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/aws	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/azure	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/gcp	v1.10.5 -> v1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/hashivault	v1.10.5 -> v1.10.8

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:08 AM UTC · Completed 2:15 AM UTC
Commit: 47d3320 · View workflow run →