DNM: Release v0.37.8#2701
Closed
theakshaypant wants to merge 3 commits into
Closed
Conversation
Commit 6e36620 broke relative task path resolution for repository file paths by only allowing HTTP(S) URLs. This caused paths containing '..' to be passed unresolved to the GitHub API, which rejects them with "path must not contain '..' due to auth vulnerability issue". This fix restores the original behavior by allowing both HTTP(S) URLs and repository file paths (e.g., .tekton/pipelines/build.yaml) to have their relative paths resolved, while still excluding catalog/hub references (catalog://, hub://). Fixes: #2549 Signed-off-by: Akshay Pant <akpant@redhat.com>
Upgrade google.golang.org/grpc to v1.79.3 to fix CVE-2026-33186 (GHSA-p77j-4mvh-x3m3), a critical HTTP/2 :path validation flaw that allows bypassing authorization rules in gRPC interceptors. Upgrade github.com/tektoncd/pipeline to v1.0.1 to address CVE-2026-33211 (GHSA-j5q5-j9gm-2w5c), a path traversal in the git resolver that could expose ServiceAccount tokens. Signed-off-by: Akshay Pant <akpant@redhat.com>
Add cache transform functions for the Repository and PipelineRun informers, stripping large unnecessary fields before objects enter the informer cache. Inspired by tektoncd/pipeline#9316. For Repository objects, ManagedFields, Annotations and Status are stripped. The reconciler never reads Repository annotations or Status from the lister; Status is always fetched fresh via direct API call before updates. For PipelineRun objects, ManagedFields and large Spec and Status fields are stripped. The watcher only needs Annotations, Spec.Status (pending check), Status.Conditions, and timing fields. All other data is fetched directly from the API when needed. Benchmark results with production-realistic objects show an 89% JSON size reduction for Repository objects (5.6KB to 600B) and 94% for PipelineRun objects (10.7KB to 677B), with corresponding 8-10x reductions in heap allocation per cached object. Signed-off-by: Akshay Pant <akpant@redhat.com> Asisted-by: Claude <noreply@anthropic.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request upgrades the Go version to 1.24.0 and updates several project dependencies. It introduces memory optimization by implementing cache transformation functions for Repository and PipelineRun objects, which strip non-essential fields before storage in informer caches. Additionally, the logic for resolving relative task paths has been expanded to support repository file paths alongside HTTP/S URLs, supported by new unit and integration tests. I have no feedback to provide as there were no review comments to assess.
Member
Author
|
Converting this to draft, might need to include another commit for a detected CVE for this patch release. |
Member
Author
|
Closing this for now, will reopen depending on v0.37 support requests. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📝 Description of the Change
Includes commits:
fix(resolve): restore relative task path resolution for repository pathschore(deps): update grpc and tektoncd/pipelineperf(informer): add TransformFuncs to reduce cache memory usage🔗 Linked GitHub Issue
Fixes #
🧪 Testing Strategy
🤖 AI Assistance
AI assistance can be used for various tasks, such as code generation,
documentation, or testing.
Please indicate whether you have used AI assistance
for this PR and provide details if applicable.
Important
Slop will be simply rejected, if you are using AI assistance you need to make sure you
understand the code generated and that it meets the project's standards. you
need at least know how to run the code and deploy it (if needed). See
startpaac to make it easy
to deploy and test your code changes.
If the majority of the code in this PR was generated by an AI, please add a
Co-authored-bytrailer to your commit message.For example:
Co-authored-by: Claude noreply@anthropic.com
✅ Submitter Checklist
fix:,feat:) matches the "Type of Change" I selected above.make testandmake lintlocally to check for and fix anyissues. For an efficient workflow, I have considered installing
pre-commit and running
pre-commit installtoautomate these checks.