[DNM] Release v0.37.8 #2727

Open

theakshaypant wants to merge 4 commits into release-v0.37.x from release-v0.37.8

[DNM] Release v0.37.8#2727
theakshaypant wants to merge 4 commits into
release-v0.37.xfrom
release-v0.37.8

Conversation

@theakshaypant
Member

📝 Description of the Change

f4d3f2d chore(deps): update tektoncd/pipeline to v1.0.2
ddeeb41 chore(deps): update go-jose to fix GHSA-78h2-9frx-2jm8
8122f6e chore(deps): update grpc and tektoncd/pipeline
cf22bd5 fix(resolve): restore relative task path resolution for repository paths

🔗 Linked GitHub Issue

Fixes #

🧪 Testing Strategy

  • Unit tests
  • Integration tests
  • End-to-end tests
  • Manual testing
  • Not Applicable

🤖 AI Assistance

AI assistance can be used for various tasks, such as code generation,
documentation, or testing.

Please indicate whether you have used AI assistance
for this PR and provide details if applicable.

  • I have not used any AI assistance for this PR.
  • I have used AI assistance for this PR.

Important

Slop will be simply rejected. If you are using AI assistance, you need to make sure you
understand the generated code and that it meets the project's standards. You
need to at least know how to run the code and deploy it (if needed). See
startpaac to make it easy
to deploy and test your code changes.

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Claude noreply@anthropic.com

✅ Submitter Checklist

  • 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter validates this in CI.
  • ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
  • ♽ I have run make test and make lint locally to check for and fix any
    issues. For an efficient workflow, I have considered installing
    pre-commit and running pre-commit install to
    automate these checks.
  • 📖 I have added or updated documentation for any user-facing changes.
  • 🧪 I have added sufficient unit tests for my code changes.
  • 🎁 I have added end-to-end tests where feasible. See README for more details.
  • 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
  • If adding a provider feature, I have filled in the following and updated the provider documentation:
    • GitHub App
    • GitHub Webhook
    • Gitea/Forgejo
    • GitLab
    • Bitbucket Cloud
    • Bitbucket Data Center

Commit 6e36620 broke relative task path resolution for repository file
paths by only allowing HTTP(S) URLs. This caused paths containing '..'
to be passed unresolved to the GitHub API, which rejects them with
"path must not contain '..' due to auth vulnerability issue".

This fix restores the original behavior by allowing both HTTP(S) URLs
and repository file paths (e.g., .tekton/pipelines/build.yaml) to have
their relative paths resolved, while still excluding catalog/hub
references (catalog://, hub://).

Fixes: #2549

Signed-off-by: Akshay Pant <akpant@redhat.com>
Upgrade google.golang.org/grpc to v1.79.3 to fix
CVE-2026-33186 (GHSA-p77j-4mvh-x3m3), a critical HTTP/2
:path validation flaw that allows bypassing authorization
rules in gRPC interceptors.

Upgrade github.com/tektoncd/pipeline to v1.0.1 to address
CVE-2026-33211 (GHSA-j5q5-j9gm-2w5c), a path traversal in
the git resolver that could expose ServiceAccount tokens.

Signed-off-by: Akshay Pant <akpant@redhat.com>
Update go-jose v3 and v4 to patch security vulnerability in
JWE and JWS handling.

Signed-off-by: Akshay Pant <akpant@redhat.com>
Upgrade github.com/tektoncd/pipeline to v1.0.2 to fix
CVE-2026-40161 (GHSA-wjxp-xrpv-xpff), a high-severity
credential exposure flaw in the git resolver API mode
that leaks configured Git API tokens to attacker-controlled
endpoints when users omit the token parameter with a
custom serverURL.

Signed-off-by: Akshay Pant <akpant@redhat.com>
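The cf22bd5 commit message above describes the rule that was restored: a task reference is resolved relative to the file that declares it when that file is either an HTTP(S) URL or a repository file path, and catalog:// and hub:// references are left untouched, so that a '..' segment is collapsed before the path is sent to a provider API such as GitHub's, which rejects it outright. The following Go example is an added illustration written for this page, not Pipelines-as-Code's own resolver code; the function name ResolveTaskRef, the error value ErrEscapesRepo, the repository layout and the catalog reference string are all assumptions made for the example. It goes one step beyond the commit message by also rejecting a repository path that climbs above the repository root after cleaning, which is the case a reviewer would want covered.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesRepo is returned when a cleaned repository path climbs above the
// repository root; no provider API should be asked to fetch such a path.
// (Name chosen for this example; not a Pipelines-as-Code identifier.)
var ErrEscapesRepo = errors.New("resolved task path escapes the repository root")

// isCatalogRef reports whether ref is a catalog/hub reference. Those are looked
// up by name rather than by file path, so relative resolution must leave them alone.
func isCatalogRef(ref string) bool {
	return strings.HasPrefix(ref, "catalog://") || strings.HasPrefix(ref, "hub://")
}

func isHTTPURL(s string) bool {
	return strings.HasPrefix(s, "http://") || strings.HasPrefix(s, "https://")
}

// ResolveTaskRef resolves a task reference relative to the file that declared it.
// base is the declaring file, either an HTTP(S) URL or a repository-relative path
// such as ".tekton/pipelines/build.yaml"; ref is the task reference as written.
// The returned value never contains "." or ".." segments, so a provider API that
// rejects ".." receives an already-normalised path.
func ResolveTaskRef(base, ref string) (string, error) {
	switch {
	case isCatalogRef(ref), isHTTPURL(ref):
		// Absolute references need no resolution against the declaring file.
		return ref, nil
	case isHTTPURL(base):
		baseURL, err := url.Parse(base)
		if err != nil {
			return "", err
		}
		refURL, err := url.Parse(ref)
		if err != nil {
			return "", err
		}
		// RFC 3986 reference resolution removes dot segments for us.
		return baseURL.ResolveReference(refURL).String(), nil
	default:
		// Repository file path: join with the directory of the declaring file and
		// clean away "." and ".." segments before the path reaches the provider API.
		resolved := path.Clean(path.Join(path.Dir(base), ref))
		if resolved == ".." || strings.HasPrefix(resolved, "../") {
			return "", ErrEscapesRepo
		}
		return resolved, nil
	}
}

func main() {
	// Constructed inputs for the demonstration; the repository layout and the
	// catalog reference are hypothetical.
	cases := [][2]string{
		{".tekton/pipelines/build.yaml", "../tasks/lint.yaml"},
		{".tekton/pipelines/build.yaml", "../../../etc/passwd"},
		{"https://github.com/org/repo/blob/main/.tekton/pipelines/build.yaml", "../tasks/lint.yaml"},
		{".tekton/pipelines/build.yaml", "catalog://tekton/git-clone/0.9"},
	}
	for _, c := range cases {
		got, err := ResolveTaskRef(c[0], c[1])
		fmt.Printf("%q + %q -> %q err=%v\n", c[0], c[1], got, err)
	}
}
```

The design point is that cleaning happens on the declaring-file side before any network call: the provider API is never the component that decides whether '..' is acceptable, and a reference that would leave the repository is refused locally rather than being passed through for the remote end to reject.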

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the Go version to 1.24.0 and upgrades several core dependencies, including Tekton pipelines and various golang.org/x libraries. A significant functional change is made to the remote task resolution logic, which now supports resolving relative task paths from repository file paths in addition to HTTP/S URLs. This is supported by updated unit tests and a new integration test for Gitea. I have no feedback to provide as there were no review comments to assess.
