build(deps): bump github.com/tektoncd/pipeline from 1.6.1 to 1.6.2

[dependabot]

Bumps github.com/tektoncd/pipeline from 1.6.1 to 1.6.2.

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.6.2 "Sphynx Sentinels"

-Docs @ v1.6.2 -Examples @ v1.6.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.6.2/release.yaml
REKOR_UUID=108e9186e8c5677a7755d52e49ce9ea7ccaf894ffae2779afa04cf7d882635593a2c220a5c7a0a26
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.6.2@sha256:" + .digest.sha256')
Download the release file
curl -L "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

• GHSA-wjxp-xrpv-xpff / CVE-2026-40161 (HIGH): Git resolver API mode leaks system-configured API token to user-controlled serverURL. A user who can create TaskRuns can exfiltrate the system Git API token by pointing the resolver at an attacker-controlled server.

• GHSA-94jr-7pqp-xhcq / CVE-2026-40938 (HIGH): Git resolver unsanitized revision parameter enables argument injection. A malicious revision value can inject arbitrary flags into the git CLI, potentially leading to remote code execution on the resolver pod.

• GHSA-rx35-6rhx-7858 / CVE-2026-40923 (Medium): VolumeMount path restriction bypass via missing filepath normalization. Paths like /tekton/../sensitive bypass the /tekton/ prefix restriction check.

• GHSA-rmx9-2pp3-xhcr / CVE-2026-25542 (Medium): VerificationPolicy regex pattern bypass via substring matching. Unanchored patterns allow partial matches, letting unsigned resources pass verification.

• GHSA-m2cx-gpqf-qf74 / CVE-2026-40924 (Medium): HTTP resolver unbounded response body read enables OOM denial of service. A malicious URL returning a very large response can exhaust the resolver pod's memory. Response body is now limited to 1 MiB.

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

• Versions are numbered according to semantic versioning: vX.Y.Z
• A new release is produced on a monthly basis
• Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
  • LTS releases take place in January, April, July and October every year
  • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
  • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

• The Tekton Pipeline [release process][tekton-releases-docs]
• [Installing Tekton][tekton-installation]
• Standard for [release notes][release-notes-standards]

Release

v1.12 (LTS)

• Latest Release: [v1.12.0][v1.12-0] (2026-05-04) ([docs][v1.12-0-docs], [examples][v1.12-0-examples])
• Initial Release: [v1.12.0][v1.12-0] (2026-05-04)
• End of Life: 2027-05-04
• Patch Releases: [v1.12.0][v1.12-0]

v1.9 (LTS)

... (truncated)

Commits

• 99f5732 fix: set GOTOOLCHAIN=auto in publish task for Go version compatibility
• 43cc433 fix: trim whitespace from source URI before pattern matching
• c9eef11 fix: limit HTTP resolver response body size to prevent OOM DoS
• 0ea0634 fix: strip resolver prefixes and use non-capturing group for pattern anchoring
• 3090efa fix: normalize VolumeMount paths before /tekton/ restriction check
• 060e18c fix: prevent git argument injection via revision parameter (GHSA-94jr-7pqp-xhcq)
• 3f60a5d Security: reject system API token with user-controlled serverURL
• 6765156 fix(e2e): replace ubuntu with busybox in dind-sidecar test Dockerfile
• d855289 fix(e2e): improve dind-sidecar probe configuration for reliability
• 00055c0 fix: pin registry image and relax log-based cache assertion
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[kusari-inspector]

⚠️ Workspace Mapping Required

Hello! We noticed that your GitHub organization is not yet mapped to a Kusari workspace. Kusari Inspector now requires installations to be associated with a Kusari workspace.

⚠️ NOTE: Only the admin who installed the Kusari GitHub App can complete these steps. If the admin is unable to complete these steps, please contact support@kusari.dev

To complete the setup:

1. Visit https://console.us.kusari.cloud/auth/github and log in via github
2. If you have only one workspace, it will be automatically selected for you
3. Once the mapping is complete, return here and create a new comment with: @kusari-inspector re-run

This will trigger the analysis to run again.

For more information, or if you need help, visit https://github.com/kusaridev/community/discussions

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
gomod/github.com/tektoncd/pipeline	1.6.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices 🟢 5 badge detected: Passing Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 SAST 🟢 10 SAST tool is run on all commits Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected License 🟢 10 license file detected Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 52 contributing companies or organizations

Scanned Files

• go.mod