Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Red Hat OpenShift Pipelines release notes

Note

For additional information about the OpenShift Pipelines lifecycle and supported platforms, refer to the OpenShift Operator Life Cycles and Red Hat OpenShift Container Platform Life Cycle Policy.

Release notes contain information about new and deprecated features, breaking changes, and known issues. The following release notes apply for the most recent OpenShift Pipelines releases on OpenShift Container Platform.

Red Hat OpenShift Pipelines is a cloud-native CI/CD experience based on the Tekton project which provides:

  • Standard Kubernetes-native pipeline definitions (CRDs).
  • Serverless pipelines with no CI server management overhead.
  • Extensibility to build images using any Kubernetes tool, such as S2I, Buildah, JIB, and Kaniko.
  • Portability across any Kubernetes distribution.
  • Powerful CLI for interacting with pipelines.
  • Integrated user experience with the Developer perspective of the OpenShift Container Platform web console.

For an overview of Red Hat OpenShift Pipelines, see Understanding OpenShift Pipelines.

1.1. Compatibility and support matrix
Copy link

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.

In the table, features are marked with the following statuses:

TP

Technology Preview

GA

General Availability

Expand
Table 1.1. Compatibility and support matrix
Red Hat OpenShift Pipelines VersionComponent VersionOpenShift VersionSupport Status

Operator

Pipelines

Triggers

CLI

Chains

Hub

Pipelines as Code

Results

Manual Approval Gate

  

1.17

0.65.x

0.30.x

0.39.x

0.23.x (GA)

1.19.x (TP)

0.29.x (GA)

0.13.x (TP)

0.4.x (TP)

4.15, 4.16, 4.17, 4.18

GA

1.16

0.62.x

0.29.x

0.38.x

0.22.x (GA)

1.18.x (TP)

0.28.x (GA)

0.12.x (TP)

0.3.x (TP)

4.15, 4.16, 4.17, 4.18

GA

1.15

0.59.x

0.27.x

0.37.x

0.20.x (GA)

1.17.x (TP)

0.27.x (GA)

0.10.x (TP)

0.2.x (TP)

4.14, 4.15, 4.16

GA

1.14

0.56.x

0.26.x

0.35.x

0.20.x (GA)

1.16.x (TP)

0.24.x (GA)

0.9.x (TP)

NA

4.12, 4.13, 4.14, 4.15, 4.16

GA

For questions and feedback, you can send an email to the product team at pipelines-interest@redhat.com.

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.17 is available on OpenShift Container Platform 4.15 and later versions.

Note

To use the OpenShift Pipelines, you must use, at a minimum, the following OpenShift Container Platform releases:

  • For OpenShift Container Platform version 4.15: 4.15.42 or a later version
  • For OpenShift Container Platform version 4.16: 4.16.26 or a later version
  • For OpenShift Container Platform version 4.17: 4.17.7 or a later version

1.2.1. New features
Copy link

In addition to fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.17:

1.2.1.1. Pipelines
Copy link

  • With this release, you can configure multiple Git providers by using the Git resolver, or you can add multiple configurations for the same Git provider, in the TektonConfig custom resource (CR). You can then specify a Git configuration to use in different task runs and pipeline runs by using the configKey parameter.

    Example of multiple Git provider configurations

    apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
# ...
  pipeline:
    git-resolver-config:
      # configuration 1
      fetch-timeout: "1m"
      default-url: "https://github.com/tektoncd/catalog.git"
      default-revision: "main"
      scm-type: "github"
      server-url: ""
      api-token-secret-name: ""
      api-token-secret-key: ""
      api-token-secret-namespace: "default"
      default-org: ""
      # configuration 2
      test1.fetch-timeout: "5m"
      test1.default-url: ""
      test1.default-revision: "stable"
      test1.scm-type: "github"
      test1.server-url: "api.internal-github.com"
      test1.api-token-secret-name: "test1-secret"
      test1.api-token-secret-key: "token"
      test1.api-token-secret-namespace: "test1"
      test1.default-org: "tektoncd"
      # configuration 3
      test2.fetch-timeout: "10m"
      test2.default-url: ""
      test2.default-revision: "stable"
      test2.scm-type: "gitlab"
      test2.server-url: "api.internal-gitlab.com"
      test2.api-token-secret-name: "test2-secret"
      test2.api-token-secret-key: "pat"
      test2.api-token-secret-namespace: "test2"
      test2.default-org: "tektoncd-infra"
# ...
    Copy to Clipboard Toggle word wrap

    Example of using a test1 configuration in a pipeline run

    apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: example
spec:
  pipelineRef:
    resolver: git
    params:
    # ...
    - name: configKey
      value: test1
# ...
    Copy to Clipboard Toggle word wrap

  • With this update, you can now monitor the running PipelineRun resources at the namespace, pipeline, and pipeline run level, in addition to the cluster level. You can configure the level through the TektonConfig custom resource by setting the metrics.running-pipelinerun.level parameter value to namespace, pipeline, or pipelinerun. The default value is empty, which sets the monitoring at cluster level.

    Example of monitoring the running pipeline run at the namespace level

    apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
  pipeline:
    # ...
    metrics.running-pipelinerun.level: namespace
# ...
    Copy to Clipboard Toggle word wrap

  • With this update, after the execution of a pipeline run or task run, the YAML manifest of the resource contains a label showing the ID of the user who executed it. For a PipelineRun resource, the label is tekton.dev/PipelineRunUID. For a TaskRun resource, the label is tekton.dev/TaskRunUID.
  • With this update, when you use the spec.pipeline.performance spec in the TektonConfig CR to specify performance tuning values such as threads-per-controller, kube-api-qps, and kube-api-burst, OpenShift Pipelines applies these values to the resolver controller as well as the other controllers.

1.2.1.2. Operator
Copy link

  • With this update, you can run the skopeo-copy command with additional arguments, for example, --all and --preserve-digests. You can pass these arguments as a space-separated string, as shown in the following example:

    Example command

    $ tkn task start skopeo-copy -p ARGS="--all --preserve-digests"
    Copy to Clipboard Toggle word wrap

  • With this update, OpenShift Pipelines applies the ephemeral volume setting of any security context constraint (SCC) that you apply to a pipeline or task.

1.2.1.3. Pipelines as Code
Copy link

  • With this update, the pipelines_as_code_running_pipelineruns_count metric is added to show the number of running PipelineRun resources in Pipelines as Code. The metric can be filtered by repository or by namespace.
  • With this update, the pipelines_as_code_pipelinerun_duration_seconds_sum metric is added to show the total duration in seconds taken by all PipelineRun resources in Pipelines as Code. The metric can be filtered by repository, namespace, PipelineRun status, and PipelineRun status change reason.

1.2.1.4. Tekton Results
Copy link

  • With this update, you can configure Tekton Results to include certain labels and annotations from the YAML manifests of pipelines and tasks in the summary fields column in the results tables. By default, the value of the tekton.dev/pipeline label is used. To make this change, modify the TektonResult CR as shown in the following example:

    Example of configuring summary labels and annotations in the TektonResult CR

    apiVersion: operator.tekton.dev/v1
kind: TektonResult
metadata:
  name: result
spec:
  options:
    deployments:
      tekton-results-watcher:
        spec:
          template:
            spec:
              containers:
              - name: watcher
                args:
                - "--summary_labels=org.tekton.sample_label,tekton.dev/pipeline"
                - "--summary_annotations=org.tekton.sample_annotation"
    Copy to Clipboard Toggle word wrap

1.2.1.5. Tekton Chains
Copy link

  • With this update, you can configure the TektonConfig custom resource (CR) to generate the x509 key pair of the ecdsa type and use it with Tekton Chains to sign artifacts. You can generate the key pair by setting the generateSigningSecret field in the TektonConfig custom resource (CR) to true:

    Example of creating an ecdsa key pair

    apiVersion: operator.tekton.dev/v1
kind: TektonConfig
metadata:
  name: config
spec:
# ...
  chain:
    disabled: false
    generateSigningSecret: true
# ...
    Copy to Clipboard Toggle word wrap

  • Before this update, if you did not configure Tekton Chains in the TektonConfig CR, the Operator would not pass any default Chains configuration. With this update, if you do not configure Tekton Chains in the TektonConfig CR, the Operator sets the Tekton Chains configuration with these default properties: 

    apiVersion: operator.tekton.dev/v1
kind: TektonConfig
metadata:
  name: config
spec:
# ...
  chain:
    artifacts.taskrun.format: in-toto
    artifacts.taskrun.storage: oci
    artifacts.oci.storage: oci
    artifacts.oci.format: simplesigning
    artifacts.pipelinerun.format: in-toto
    artifacts.pipelinerun.storage: oci
# ...
    Copy to Clipboard Toggle word wrap
  • With this update, Tekton Chains now supports extracting the mongo-server-url URL from a specified file that can have any name. You can now use the storage.docdb.mongo-server-url-path parameter pointing to a valid file path within the container.

1.2.2. Breaking changes
Copy link

  • With this update, the deprecated ClusterTask resource is removed from the Operator. As an alternative, you can use the cluster resolver to access tasks that OpenShift Pipelines installs in the openshift-pipelines namespace.

    Important

    Before upgrading to OpenShift Pipelines 1.17, if you configured any pipelines that use ClusterTask resources, you must edit them to use the tasks in the openshift-pipelines namespace. Otherwise, after the upgrade, the pipelines will fail.

    For more information about using the tasks in the openshift-pipelines namespace, see Tasks provided in the OpenShift Pipelines namespace.

  • With this update, the community cluster tasks are removed from the Operator. As an alternative, you can download them from the Tekton catalog (GitHub resource). The community cluster tasks are planned to be added as tasks in a future release. The following list shows the removed community cluster tasks:

    • argocd-task-sync-and-wait
    • git-cli
    • helm-upgrade-from-repo
    • helm-upgrade-from-source
    • jib-maven
    • kubeconfig-creator
    • pull-request
    • trigger-jenkins-job

1.2.3. Fixed issues
Copy link

  • With this update, the Pipelines as Code controller no longer processes the GitLab push event if the push event payload contains no commit. Instead, it correctly displays an error message warning the user that no commit is attached.
  • With this update, the Pipelines as Code controller no longer processes the GitLab tag delete event, which caused the controller to crash. Instead, it correctly displays an error message warning the user that deleting the tag event is not supported.
  • Before this update, some of the standard variables, header values, and body fields, for example the body.eventKey field, were not being resolved in PipelineRun resources for the Bitbucket server. With this update, the issue is fixed.
  • With this update, the skopeo-copy task supports copying multiple images by using the url.txt file if the SOURCE_IMAGE_URL and DESTINATION_IMAGE_URL parameters are left empty.
  • Before this update, running the tkn pac create repo command on an empty repository resulted in the . period symbol being generated as the name of the pipeline run in the template. With this update, the issue is fixed, and the REPO_NAME.git is now used as the pipeline run name.
  • With this update, the pipeline run failure handling is fixed to accurately report validation failures in the status.message field and consistently trigger finally tasks, even if a task fails the validation.
  • Before this update, when a pod failed because of an out-of-memory error, the task run did not immediately fail. Instead, it was unresponsive for some time and then failed. With this update, the task run immediately fails.
  • Before this update, if a CustomRun resource referred to a pipeline or task resource that returned an array as a result, a result type mismatch was reported in the log. With this update, the array result is processed correctly.
  • Before this update, when a task run failed, in some cases the statuses of some of the steps in the task were not recorded correctly in the TaskRun YAML manifest. With this update, the statuses are correctly recorded.
  • Before this update, if a step in a task failed, the subsequent steps were sometimes not marked as skipped in the YAML manifest of the task run or pipeline run. With this update, the steps are marked as skipped. c
  • Before this update, if a pipeline run included a task that failed validation, a subsequent finally task did not run, even though it is expected to run after any failures of the previous tasks. With this update, the finally task runs.
  • Before this update, when using Pipelines as Code with GitLab, if the .tekton directory contained more than 20 files, some pipeline runs failed to start. With this update, the pipeline runs start correctly.
  • Before this update, when using Pipelines as Code with BitBucket, an incorrect payload in a BitBucket event could cause the Pipelines as Code controller to crash. With this update, the controller does not crash, validates payload before processing it, and correctly reports the error.
  • Before this update, when using Pipelines as Code, when you deleted a pipeline run before it was completed, temporary Git authentication secrets remained in the OpenShift Container Platform namespace. Because of this issue, the quota for secrets could be reached, and in this case new pipeline runs failed to start. With this update, Pipelines as Code deletes temporary secrets properly.
  • Before this update, when using Pipelines as Code with Bitbucket Cloud, tag-related events were not matched when a pipeline run was configured for on-target-branch, for example: on-target-branch: [refs/tags/*]. This issue happened because the Bitbucket Cloud events payload related to a tag does not contain a refs/tags prefix. With this update, Pipelines as Code matches the tag events correctly.
  • Before this update, when a task run was canceled, Tekton Chains did not record the specification of the task. With this update, Tekton Chains records the specification of the task.
  • Before this update, in Tekton Chains, the recorded steps in the specification of a task (TaskRun.Status.steps) could mismatch, even when the task run properly executed all steps in the task. With this update, the steps in the task specification and the steps executed in the task run are recorded correctly.
  • Before this update, when a pipeline run ended because of a timeout, the log output sometimes contained error messages that were not valid and the status of the pipeline run was not reported correctly. With this update, such messages do not appear in the log and the status is reported correctly.
  • Before this update, when you specified a workspace to be mounted in one or several steps of a task, OpenShift Pipelines mounted the workspace for all steps in the task. With this update, the workspace is mounted only in the steps where it is specified.
  • Before this update, when using Pipelines as Code, if the OpenShift Container Platform cluster was very busy, some pipeline runs failed to execute because the concurrency queue was out of order and Pipelines as Code did not recover properly. With this update, Pipelines as Code properly manages the concurrency queue and executes all pipeline runs.
  • Before this update, if you specified default container resource requirements in the TektonConfig CR and then applied a LimitRange setting to a pipeline or task, the LimitRange setting was sometimes not applied because the default requirements overrode it. With this update, the LimitRange setting overrides the default container resource requirements.
  • Before this update, if a pipeline run or task run failed to execute because of a validation error, OpenShift Pipelines recorded and displayed a generic Failed status for the pipeline run or task run. With this update, OpenShift Pipelines records a Failed Validation status.
  • Before this update, when you used the tkn bundle command to read the content of a large-sized Tekton bundle, the command might fail. With this update, the tkn command-line utilities correctly handles large Tekton bundles.
  • Before this update, when you used the tkn command-line utility to view a completed pipeline run, tasks that were skipped because of conditions you set up in the pipeline were displayed as Succeeded(Completed). With this update, they are no longer displayed as completed.

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.17.1 is available on OpenShift Container Platform 4.15 and later versions.

1.2.4.1. Fixed issues
Copy link

  • Before this update, if you defined a matrix task that included both regular parameters and matrix parameters, the tekton-pipelines-controller component crashed and logged a segmentation fault message. If the task was not removed, the component continued to crash and did not run any pipelines. With this update, the controller no longer crashes in such cases.
  • Before this update, in some cases the Tekton Chains controller repeatedly crashed, making the Tekton Chains component unusable. With this update, the controller no longer crashes.

  • Before this update, the buildah task in the openshift-pipelines namespace did not allow spaces in the BUILD_EXTRA_ARGS parameter. With this update, the buildah task allows passing spaces in the BUILD_EXTRA_ARGS parameter.

    Example of the BUILD_EXTRA_ARGS parameter with spaces in its value

    # ...
   - name: BUILD_EXTRA_ARGS
     value: '--build-arg EXAMPLE="abc def"'
# ...
    Copy to Clipboard Toggle word wrap

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.17.2 is available on OpenShift Container Platform 4.12, OpenShift Container Platform 4.14 through to 4.18.

1.2.5.1. Fixed issues
Copy link

  • Before this update, the skopeo-copy task required you to explicitly set the source_image_url and destination_image_url parameters. This requirement prevented the use of the images_url workspace with a url.txt file for batch image copying. With this update, both parameters default to empty values and are excluded from strict validation, allowing the task to fall back to the url.txt method as intended.
  • Before this update, when you used matrixed tasks in a fan-out and fan-in pattern, the PipelineRun execution failed with the following error: invalid result reference in pipeline task 'printer': unable to validate result referencing pipeline task 'platforms': task spec not found. This issue occurred when a downstream task attempted to reference aggregated results from a matrixed task by using the following syntax: $(tasks.<taskName>.results.<resultName>[*]). With this update, OpenShift Pipelines correctly resolves and validates result references from matrixed tasks. This enables dynamic fan-out and fan-in task orchestration using arrays and matrix expressions without triggering validation errors.
  • Before this update, there was no upgrade path from OpenShift Pipelines 1.16.x to later versions. With this update, the issue is fixed.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat