Skip to content

fix(release): bump pinned ko/koparse image for go 1.26.4#3689

Open
jkhelil wants to merge 3 commits into
tektoncd:mainfrom
jkhelil:fix/SRVKP-12754-release-pipeline-go1.26.4-ko-image
Open

fix(release): bump pinned ko/koparse image for go 1.26.4#3689
jkhelil wants to merge 3 commits into
tektoncd:mainfrom
jkhelil:fix/SRVKP-12754-release-pipeline-go1.26.4-ko-image

Conversation

@jkhelil

@jkhelil jkhelil commented Jul 9, 2026

Copy link
Copy Markdown
Member

Changes

tekton/build-publish-images-manifests.yaml pinned the ko/kustomize
build steps to ghcr.io/tektoncd/plumbing/ko-gcloud:v20240920-6c2a999d36,
which ships Go 1.22.1. go.mod now requires go 1.26.4 (CVE-2026-27145
stdlib fix), and no ko-gcloud digest published yet ships Go >= 1.26.4.

  • Switch the rewrite-devel-in-source and run-kustomize-ko steps to
    the plain ko image instead, which already ships Go 1.26.4 and
    includes every tool they actually use (ko, kustomize, git)
    without needing the gcloud/kubectl/yq extras that ko-gcloud bundles.
  • Bump the koparse step to its current digest.
  • Add a docker package-ecosystem entry for /tekton to
    .github/dependabot.config.yml (regenerated .github/dependabot.yml
    via ./hack/generate-dependabot.sh) so these pinned image digests are
    kept in sync with go.mod going forward instead of silently drifting
    behind the required Go toolchain version.

Verified by pulling both the old and new images and confirming
go version inside each, and that the new ko image has tar, sed,
awk, git, kustomize, and ko available.

Follow-up fix: kodata symlink rejected by ko >= v0.19

The ko image now pinned here (aligned with tektoncd/pipeline's digest)
ships ko v0.19.1, which enforces that kodata/ symlinks must not resolve
outside the kodata root (ko-build/ko#1619). The run-kustomize-ko step
symlinks cmd/${KUBE_DISTRO}/*/kodata/source.tar.gz to a tarball in an
external mktemp -d directory, which this newer ko now rejects:

Error: error processing import paths ...: tarring kodata: kodata symlink
"cmd/<distro>/operator/kodata/source.tar.gz" resolves to "/tmp/tmp.XXXXXX/source.tar.gz"
which is outside the kodata root "cmd/<distro>/operator/kodata"

We hit this exact failure in tektoncd/chains' release pipeline after a
similar Go 1.26.4-driven ko digest bump
(tektoncd/chains#1791),
and the same unfixed pattern also exists upstream in
tektoncd/pipeline's tekton/publish.yaml
(tektoncd/pipeline#10418).
Since this PR moves operator onto the same ko v0.19.1 digest, it would hit
the identical error on the next real release, so the fix is included here.

Fix: copy the tarball into each cmd/${KUBE_DISTRO}/*/kodata/ directory
instead of symlinking to it from a shared tmpdir. ko already dereferences
symlinks and embeds the resolved file's bytes into the image layer when
tarring kodata, so this has no effect on final image size — only the
symlink itself was rejected, not the underlying content.

Submitter Checklist

  • Run make test lint before submitting a PR
  • Includes tests (if functionality changed/added)
  • Includes docs (if user facing)
  • Commit messages follow commit message best practices

Release Notes

NONE

Made with Cursor

@tekton-robot tekton-robot added the release-note-none Denotes a PR that doesnt merit a release note. label Jul 9, 2026
@tekton-robot tekton-robot requested review from enarha and pratap0007 July 9, 2026 12:36
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 9, 2026
@codecov-commenter

codecov-commenter commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 24.48%. Comparing base (b197f1a) to head (d84800f).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3689      +/-   ##
==========================================
- Coverage   24.49%   24.48%   -0.01%     
==========================================
  Files         470      470              
  Lines       24919    24924       +5     
==========================================
- Hits         6103     6102       -1     
- Misses      18122    18126       +4     
- Partials      694      696       +2     
Flag Coverage Δ
unit-tests 24.48% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@jkhelil

jkhelil commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

/retest

jkhelil and others added 2 commits July 10, 2026 07:55
tekton/build-publish-images-manifests.yaml pinned the ko/kustomize
build steps to ko-gcloud:v20240920-6c2a999d36, which ships Go 1.22.1.
go.mod now requires go 1.26.4 (CVE-2026-27145 stdlib fix), and no
ko-gcloud digest published yet ships Go >= 1.26.4.

Switch those steps to the plain ko image instead, which already
ships Go 1.26.4 and includes every tool they actually use (ko,
kustomize, git) without needing the gcloud/kubectl/yq extras that
ko-gcloud bundles. Also bump the koparse step to its current digest.

Add a dependabot docker ecosystem entry for /tekton so these pinned
image digests are kept in sync with go.mod going forward, instead of
silently drifting behind the required Go toolchain version.

Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.5 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
tektoncd/pipeline's own release pipeline (tekton/publish.yaml) pins
the same ko image for this step, at go1.26.4. Use their exact digest
instead of a separately-picked one, so both projects stay in sync.

Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.5 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
@jkhelil jkhelil force-pushed the fix/SRVKP-12754-release-pipeline-go1.26.4-ko-image branch from 2fe3f8f to 5709594 Compare July 10, 2026 05:55
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 10, 2026
ko v0.19.0 enforces that kodata symlinks must not resolve outside
the kodata root (ko-build/ko#1619). The run-kustomize-ko step
symlinks cmd/${KUBE_DISTRO}/*/kodata/source.tar.gz to a file in an
external tmpdir, which the newly-pinned ko v0.19.1 image now
rejects, breaking release image publishing.

Copy the tarball into each kodata/ directory instead. ko already
dereferences symlinks when tarring kodata, so this has no effect
on final image size.

Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 5 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. release-note-none Denotes a PR that doesnt merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants