v0.45.0

v0.45.0 Release 🎉

This release adds the describe subcommand for customrun, migrates tracing from OpenCensus to OpenTelemetry, removes the deprecated chains command, adds support for Pipelines v1.12.0, and includes dependency updates to address multiple critical CVEs.

Changelog 📋

• ce6edf3 New version v0.45.0

What's Changed

• Bump chainguard-dev/actions from 1.6.1 to 1.6.3 by @dependabot[bot] in #2742
• Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 by @dependabot[bot] in #2753
• chore: referencing the setup-kind script from the plumbing repo instead of copying it by @infernus01 in #2590
• Nominate divyansh42 as cli approver by @vdemeester in #2761
• Move piyush-garg to alumni by @vdemeester in #2760
• docs: Update CLI docs for v0.44.0 release by @pratap0007 in #2748
• Bump github/codeql-action from 4.32.3 to 4.32.5 by @dependabot[bot] in #2755
• Bump step-security/harden-runner from 2.14.2 to 2.15.0 by @dependabot[bot] in #2757
• Bump actions/setup-go from 6.2.0 to 6.3.0 by @dependabot[bot] in #2754
• Bump github.com/google/go-containerregistry from 0.21.0 to 0.21.2 by @dependabot[bot] in #2759
• Bump github.com/docker/cli from 29.2.1+incompatible to 29.3.0+incompatible in the go-docker-dependencies group by @dependabot[bot] in #2763
• Bump golang.org/x/term from 0.40.0 to 0.41.0 by @dependabot[bot] in #2766
• Bump github.com/golangci/golangci-lint/v2 from 2.10.1 to 2.11.3 in /tools by @dependabot[bot] in #2765
• Add CI summary fan-in job to presubmit CI by @vdemeester in #2741
• feat: add cherry-pick command workflow by @vdemeester in #2682
• Bump chainguard-dev/actions from 1.6.3 to 1.6.5 by @dependabot[bot] in #2756
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #2758
• Bump the go-k8s-dependencies group with 3 updates by @dependabot[bot] in #2752
• Change all occurences of GCS buckets with OCI buckets by @adityavshinde in #2768
• Add long flag --display-name to display the log of pipelinerun by @icloudnote in #2450
• feat: add describe subcommand in customrun command by @pratap0007 in #2712
• Cleanup/remove deprecate chains cmd by @adityavshinde in #2769
• Bump google.golang.org/grpc from 1.78.0 to 1.79.3 by @dependabot[bot] in #2775
• Bump github.com/tektoncd/pipeline from 1.9.1 to 1.9.2 by @dependabot[bot] in #2781
• Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in #2789
• Bump knative and components version by @khrm in #2788
• Migrate tracing from OpenCensus to OpenTelemetry by @khrm in #2799
• Bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 by @dependabot[bot] in #2800
• Bump github.com/docker/cli from 29.3.0+incompatible to 29.3.1+incompatible in the go-docker-dependencies group across 1 directory by @dependabot[bot] in #2783
• Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 by @dependabot[bot] in #2801
• Bump github.com/letsencrypt/boulder from 0.20251110.0 to 0.20260406.0 by @dependabot[bot] in #2796
• (deps) Bump go version to 1.25.8 to fix CVE-2026-25679 by @divyansh42 in #2803
• Bump github.com/google/go-containerregistry from 0.21.3 to 0.21.4 by @dependabot[bot] in #2797
• Bump github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3 by @dependabot[bot] in #2798
• Bump step-security/harden-runner from 2.15.0 to 2.17.0 by @dependabot[bot] in #2808
• Bump github.com/fatih/color from 1.18.0 to 1.19.0 by @dependabot[bot] in #2777
• Bump github.com/golangci/golangci-lint/v2 from 2.11.3 to 2.11.4 in /tools by @dependabot[bot] in #2778
• Bump github/codeql-action from 4.32.5 to 4.35.1 by @dependabot[bot] in #2784
• Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #2786
• Bump github.com/sigstore/sigstore from 1.10.4 to 1.10.5 by @dependabot[bot] in #2805
• Bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 by @dependabot[bot] in #2809
• Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 by @dependabot[bot] in #2802
• Bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in #2816
• Bump step-security/harden-runner from 2.17.0 to 2.19.0 by @dependabot[bot] in #2815
• Bump the go-k8s-dependencies group with 3 updates by @dependabot[bot] in #2811
• Bump github.com/letsencrypt/boulder from 0.20260406.0 to 0.20260413.0 by @dependabot[bot] in #2812
• Bump github.com/google/go-containerregistry from 0.21.4 to 0.21.5 by @dependabot[bot] in #2813
• Bump chainguard-dev/actions from 1.6.5 to 1.6.15 by @dependabot[bot] in #2814
• Bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in #2817
• Bump github.com/docker/cli from 29.4.0+incompatible to 29.4.1+incompatible in the go-docker-dependencies group by @dependabot[bot] in #2820
• Bump github.com/tektoncd/pipeline from 1.11.0 to 1.11.1 by @dependabot[bot] in #2823
• Bump github.com/tektoncd/chains from 0.26.2 to 0.26.3 by @dependabot[bot] in #2827
• Bump chainguard-dev/actions from 1.6.15 to 1.6.16 by @dependabot[bot] in #2829
• Bump go.uber.org/zap from 1.27.1 to 1.28.0 by @dependabot[bot] in #2830
• Bump github.com/letsencrypt/boulder from 0.20260413.0 to 0.20260420.0 by @dependabot[bot] in #2821
• Bump github.com/tektoncd/pipeline from 1.11.1 to 1.12.0 by @dependabot[bot] in #2836
• Bump google.golang.org/grpc from 1.80.0 to 1.81.0 by @dependabot[bot] in #2837
• Bump chainguard-dev/actions from 1.6.16 to 1.6.19 by @dependabot[bot] in #2839
• Bump github.com/golangci/golangci-lint/v2 from 2.11.4 to 2.12.1 in /tools by @dependabot[bot] in #2834
• Bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in #2840
• Strip Go symbol table from release binaries by @alliasgher in #2843
• Bump github/codeql-action from 4.35.2 to 4.35.3 by @dependabot[bot] in #2838
• Bump github.com/golangci/golangci-lint/v2 from 2.12.1 to 2.12.2 in /tools by @dependabot[bot] in #2842
• Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 by @dependabot[bot] in #2844
• Bump github.com/docker/cli from 29.4.1+incompatible to 29.4.3+incompatible in the go-docker-dependencies group across 1 directory by @dependabot[bot] in #2833
• Update tekton hub to 1.24.0 by @divyansh42 in #2845
• Bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @dependabot[bot] in #2847

New Contributors

• @adityavshinde made their first contribution in #2768
• @alliasgher made their first contribution in #2843

Full Changelog: v0.44.0...v0.45.0

v0.42.2

v0.42.2 Release 🎉

This patch release addresses the following CVEs: CVE-2026-33186, CVE-2026-33810, CVE-2025-61729 and CVE-2025-61726.

Changelog

• 1e1782f New version v0.42.2

Full Changelog: v0.42.1...v0.42.2

v0.37.6

v0.37.6 Release 🎉

This patch release addresses CVE-2026-25679

Changelog

• 0be7186 New version v0.37.6

Full Changelog: v0.37.5...v0.37.6

v0.37.5

v0.37.5 Release 🎉

This patch release addresses the following CVEs: CVE-2026-34986 and CVE-2026-33186.

Changelog

• 40a7331 New version v0.37.5

Full Changelog: v0.37.4...v0.37.5

v0.44.1

v0.44.1 Release 🎉

This patch release addresses the following CVEs: CVE-2026-34986, CVE-2026-33211, and CVE-2026-33186.

Changelog

• feb2d5a New version v0.44.1

Full Changelog: v0.44.0...v0.44.1

v0.37.4

v0.37.4 Release 🎉

This patch release addresses CVE-2025-61726.

Changelog

• e2c95ec New version v0.37.4

Full Changelog: v0.37.3...v0.37.4

v0.43.1

v0.43.1 Release 🎉

This patch release addresses CVE-2025-66506 and fixes the "failed to watch: context canceled" error encountered during log streaming.

Changelog

• 9374f62 New version v0.43.1

Full Changelog: v0.43.0...v0.43.1

v0.44.0

v0.44.0 Release 🎉

This release introduces support for Pipelines v1.9.1, Triggers v0.35.0, and Chains v0.26.2, along with dependency updates to fix multiple critical CVEs.

Changelog 📋

• 2e0e403 New version v0.44.0

What's Changed

• Bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 by @dependabot[bot] in #2661
• Bump actions/setup-go from 6.0.0 to 6.1.0 by @dependabot[bot] in #2662
• Bump chainguard-dev/actions from 1.5.9 to 1.5.10 by @dependabot[bot] in #2663
• Bump github/codeql-action from 4.31.3 to 4.31.5 by @dependabot[bot] in #2664
• Update README and choco with latest release by @pratap0007 in #2666
• Bump github.com/docker/cli from 29.0.2+incompatible to 29.0.3+incompatible in the go-docker-dependencies group by @dependabot[bot] in #2665
• Bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #2660
• Bump github.com/tektoncd/hub from 1.23.1 to 1.23.2 by @dependabot[bot] in #2659
• Bump github.com/golangci/golangci-lint/v2 from 2.6.2 to 2.7.0 in /tools by @dependabot[bot] in #2671
• Bump go.uber.org/zap from 1.27.0 to 1.27.1 by @dependabot[bot] in #2657
• Bump github.com/golangci/golangci-lint/v2 from 2.7.0 to 2.7.2 in /tools by @dependabot[bot] in #2676
• Bump step-security/harden-runner from 2.13.2 to 2.13.3 by @dependabot[bot] in #2677
• Bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #2679
• Bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @dependabot[bot] in #2673
• Bump github.com/docker/cli from 29.0.4+incompatible to 29.1.1+incompatible in the go-docker-dependencies group by @dependabot[bot] in #2668
• Bump github.com/tektoncd/hub from 1.23.2 to 1.23.4 by @dependabot[bot] in #2672
• Bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #2684
• Bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in #2685
• Bump github/codeql-action from 4.31.5 to 4.31.8 by @dependabot[bot] in #2683
• Bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 by @dependabot[bot] in #2680
• Bump the go-k8s-dependencies group with 3 updates by @dependabot[bot] in #2687
• Bump github/codeql-action from 4.31.8 to 4.31.9 by @dependabot[bot] in #2690
• Bump github.com/docker/cli from 29.1.2+incompatible to 29.1.3+incompatible in the go-docker-dependencies group by @dependabot[bot] in #2686
• Bump golang.org/x/term from 0.37.0 to 0.38.0 by @dependabot[bot] in #2689
• Bump github.com/golangci/golangci-lint/v2 from 2.7.2 to 2.8.0 in /tools by @dependabot[bot] in #2694
• Bump github.com/tektoncd/hub from 1.23.4 to 1.23.6 by @dependabot[bot] in #2692
• Bump github.com/tektoncd/pipeline from 1.6.0 to 1.7.0 by @dependabot[bot] in #2693
• Fix fialed to watch context canceled error when streaming logs by @pratap0007 in #2681
• Bump github/codeql-action from 4.31.9 to 4.31.10 by @dependabot[bot] in #2697
• Bump chainguard-dev/actions from 1.5.10 to 1.5.12 by @dependabot[bot] in #2702
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #2703
• Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #2707
• Bump github/codeql-action from 4.31.10 to 4.31.11 by @dependabot[bot] in #2708
• Bump chainguard-dev/actions from 1.5.12 to 1.5.13 by @dependabot[bot] in #2709
• Bump step-security/harden-runner from 2.14.0 to 2.14.1 by @dependabot[bot] in #2710
• Bump chainguard-dev/actions from 1.5.13 to 1.5.14 by @dependabot[bot] in #2714
• Bump github.com/sigstore/cosign/v2 from 2.6.1 to 2.6.2 by @pratap0007 in #2715
• Bump github.com/docker/cli from 29.1.3+incompatible to 29.1.4+incompatible in the go-docker-dependencies group by @dependabot[bot] in #2696
• Bump github.com/sigstore/sigstore from 1.9.6-0.20250729224751-181c5d3339b3 to 1.10.4 by @dependabot[bot] in #2706
• Bump github.com/sigstore/rekor from 1.4.2 to 1.5.0 by @dependabot[bot] in #2705
• Bump github.com/sigstore/fulcio from 1.7.1 to 1.8.5 by @dependabot[bot] in #2700
• Bump github.com/theupdateframework/go-tuf/v2 from 2.2.0 to 2.4.1 by @dependabot[bot] in #2711
• Bump github.com/tektoncd/pipeline from 1.7.0 to 1.9.0 by @dependabot[bot] in #2720
• Bump golang.org/x/term from 0.38.0 to 0.39.0 by @dependabot[bot] in #2721
• Bump github.com/tektoncd/chains from 0.26.0 to 0.26.2 by @dependabot[bot] in #2722
• Update goreleaser version to v2.13.3 by @pratap0007 in #2726
• Bump github/codeql-action from 4.31.11 to 4.32.2 by @dependabot[bot] in #2724
• Bump step-security/harden-runner from 2.14.1 to 2.14.2 by @dependabot[bot] in #2723
• Bump chainguard-dev/actions from 1.5.14 to 1.5.16 by @dependabot[bot] in #2725
• Bump golang.org/x/term from 0.39.0 to 0.40.0 by @dependabot[bot] in #2727
• Bump github/codeql-action from 4.32.2 to 4.32.3 by @dependabot[bot] in #2731
• Bump chainguard-dev/actions from 1.5.16 to 1.6.1 by @dependabot[bot] in #2732
• fix: update the release script to fetch tasks from artifacthub by @pratap0007 in #2719
• Bump github.com/golangci/golangci-lint/v2 from 2.8.0 to 2.10.0 in /tools by @dependabot[bot] in #2733
• Bump the go-k8s-dependencies group with 3 updates by @dependabot[bot] in #2729
• Bump github.com/golangci/golangci-lint/v2 from 2.10.0 to 2.10.1 in /tools by @dependabot[bot] in #2735
• Bump github.com/tektoncd/triggers from 0.34.0 to 0.35.0 by @dependabot[bot] in #2730
• Bump github.com/tektoncd/pipeline from 1.9.0 to 1.9.1 by @dependabot[bot] in #2737
• Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 by @dependabot[bot] in #2736
• Bump github.com/google/go-containerregistry from 0.20.7 to 0.21.0 by @dependabot[bot] in #2738
• Makefile: fix lint-go with workflow version and project Go toolchain by @pratap0007 in #2734
• Switch hub dependency org to openshift-pipelines by @pratap0007 in #2739

Full Changelog: v0.43.0...v0.44.0

v0.37.3

v0.37.3 Release 🎉

This patch release fixes CVEs CVE-2025-66506, CVE-2025-12044, CVE-2025-11621 and CVE-2025-66564.

Changelog

• 085896b New version v0.37.3

Full Changelog: v0.37.2...v0.37.3

v0.42.1

v0.42.1 Release 🎉

This patch release fixes CVEs CVE-2025-47913, CVE-2025-66564, CVE-2025-66506, CVE-2025-12044 and CVE-2025-11621.

Changelog

• e3c8b70 New version v0.42.1

Full Changelog: v0.42.0...v0.42.1