chore(deps): bump the go_modules group across 1 directory with 6 updates

[dependabot]

Bumps the go_modules group with 6 updates in the /e2e directory:

Package	From	To
github.com/tektoncd/pipeline	1.7.0	1.9.2
github.com/cloudflare/circl	1.6.2	1.6.3
github.com/containerd/containerd	1.7.25	1.7.29
github.com/docker/cli	29.0.3+incompatible	29.2.0+incompatible
github.com/go-git/go-git/v5	5.16.4	5.16.5
google.golang.org/grpc	1.78.0	1.79.3

Updates github.com/tektoncd/pipeline from 1.7.0 to 1.9.2

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.9.2 "Devon Rex Dreadnought"

-Docs @ v1.9.2 -Examples @ v1.9.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a6c7ee52741b34d7b7e9a3277e775365533a3669a49c3be92b372bcbda73ee439

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a6c7ee52741b34d7b7e9a3277e775365533a3669a49c3be92b372bcbda73ee439
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.2/release.yaml
REKOR_UUID=108e9186e8c5677a6c7ee52741b34d7b7e9a3277e775365533a3669a49c3be92b372bcbda73ee439
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.2@sha256:" + .digest.sha256')
Download the release file
curl -L "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

⚠️ Security Fixes

• GHSA-j5q5-j9gm-2w5c (Critical): Path traversal in git resolver allows reading arbitrary files from the resolver pod. Fixed by validating the pathInRepo parameter to prevent directory traversal.

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

• Versions are numbered according to semantic versioning: vX.Y.Z
• A new release is produced on a monthly basis
• Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
  • LTS releases take place in January, April, July and October every year
  • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
  • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

• The Tekton Pipeline [release process][tekton-releases-docs]
• [Installing Tekton][tekton-installation]
• Standard for [release notes][release-notes-standards]

Release

v1.10

• Latest Release: [v1.10.2][v1.10-2] (2026-03-18) ([docs][v1.10-2-docs], [examples][v1.10-2-examples])
• Initial Release: [v1.10.0][v1.10-0] (2026-02-27)
• End of Life: 2026-03-27
• Patch Releases: [v1.10.0][v1.10-0], [v1.10.1][v1.10-1], [v1.10.2][v1.10-2]

v1.9 (LTS)

... (truncated)

Commits

• 3ca7bc6 fix: prevent path traversal in git resolver pathInRepo parameter
• edc64bb Fix panic in GenerateDeterministicNameFromSpec with long resolver names
• 5a40b3f tekton: update plumbing ref to latest commit
• 6941291 ci: add CI summary fan-in job for branch protection
• e3bd070 tekton: update plumbing ref to include full image references fix
• 11f5bb2 fix(pipelines): allow pipeline param defaults to use non-param variables
• 0cc7987 fix: validate taskRef.apiVersion format for custom tasks
• 13a014c build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1
• 80ce1d5 build(deps): bump github.com/google/cel-go from 0.26.0 to 0.27.0
• a7bac62 chore(ci): update cherry-pick workflow to fix multi-commit PRs
• Additional commits viewable in compare view

Updates github.com/cloudflare/circl from 1.6.2 to 1.6.3

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

• sign/mldsa: Check opts for nil value by @​armfazh in cloudflare/circl#582
• ecc/p384: Point addition must handle point doubling case. by @​armfazh in cloudflare/circl#583
• Release CIRCL v1.6.3 by @​armfazh in cloudflare/circl#584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

Commits

• 24ae53c Release CIRCL v1.6.3
• 581020b Rename method to oddMultiplesProjective.
• 12209a4 Removing unused cmov for jacobian points.
• fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
• 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
• 3416046 Check opts for nil value.
• See full diff in compare view

Updates github.com/containerd/containerd from 1.7.25 to 1.7.29

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.29

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches.

Security Updates

• containerd

  • GHSA-pwhc-rpq9-4c8w
  • GHSA-m6hq-p25p-ffr2

• runc

  • GHSA-qw9x-cqr3-wc7r
  • GHSA-cgrx-mc8f-2prm
  • GHSA-9493-h29p-rfm2

Highlights

Image Distribution

• Update differ to handle zstd media types (#12018)

Runtime

• Update runc binary to v1.3.3 (#12480)
• Fix lost container logs from quickly closing io (#12375)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Phil Estes
• Austin Vazquez
• Sebastiaan van Stijn
• ningmingxiao
• Maksym Pavlenko
• StepSecurity Bot
• wheat2018

Changes

• 442cb34bd Merge commit from fork
• 0450f046e Fix directory permissions
• e5cb6ddb7 Merge commit from fork

... (truncated)

Commits

• 442cb34 Merge commit from fork
• e5cb6dd Merge commit from fork
• 9772966 Merge pull request #12486 from dmcgowan/prepare-v1.7.29
• 1fc2daa Prepare release notes for v1.7.29
• 93f710a Merge pull request #12480 from k8s-infra-cherrypick-robot/cherry-pick-12475-t...
• 68d04be Merge pull request #12471 from austinvazquez/1_7_update_ci_go_and_images
• 3f5f9f8 runc: Update runc binary to v1.3.3
• 667409f ci: bump Go 1.24.9, 1.25.3
• 294f8c0 Update GHA runners to use latest images for basic binaries build
• cf66b41 Update GHA runners to use latest image for most jobs
• Additional commits viewable in compare view

Updates github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible

Commits

• 0b9d198 Merge pull request #6764 from vvoland/update-docker
• 9c9ec73 vendor: github.com/moby/moby/client v0.2.2
• bab3e81 vendor: github.com/moby/moby/api v1.53.0
• 2e64fc1 Merge pull request #6367 from thaJeztah/template_slicejoin
• 1f2ba2a Merge pull request #6760 from thaJeztah/container_create_fix_error
• e34a342 templates: make "join" work with non-string slices and map values
• a86356d Merge pull request #6763 from thaJeztah/bump_mapstructure
• 771660a vendor: github.com/go-viper/mapstructure/v2 v2.5.0
• 9cff36b Merge pull request #6762 from thaJeztah/bump_x_deps
• 08ed2bc cli/command/container: make injecting config.json failures a warning
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.5

What's Changed

• build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1744
• build: Bump Go test versions to 1.23-1.25 (v5) by @​pjbgf in go-git/go-git#1746
• [v5] git: worktree, Don't delete local untracked files when resetting worktree by @​Ch00k in go-git/go-git#1800
• Expand packfile checks by @​pjbgf in go-git/go-git#1836

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

Commits

• 48a1ae0 Merge pull request #1836 from go-git/check-v5
• 42bdf1f storage: filesystem, Verify idx matches pack file
• 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
• 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
• 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
• 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
• 390a569 Merge pull request #1746 from pjbgf/bump-go
• 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
• e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
• 1495930 plumbing: Remove use of non-constant format strings
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.78.0 to 1.79.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.79.3

Security

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)

Release 1.79.2

Bug Fixes

• stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)

Release 1.79.1

Bug Fixes

• grpc: Remove the -dev suffix from the User-Agent header. (grpc/grpc-go#8902)

Release 1.79.0

API Changes

• mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  • Special Thanks: @​vanja-p
• experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)

Behavior Changes

• balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)

New Features

• experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
• pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  • This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
• xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
• balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)
  • Special Thanks: @​marek-szews

Bug Fixes

• credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  • Special Thanks: @​Atul1710
• xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
• health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  • Special Thanks: @​sanki92
• transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  • Special Thanks: @​joybestourous
• server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)
  • Special Thanks: @​joybestourous

Performance Improvements

• credentials/alts: Optimize read buffer alignment to reduce copies. (#8791)
• mem: Optimize pooling and creation of buffer objects. (#8784)
• transport: Reduce slice re-allocations by reserving slice capacity. (#8797)

Commits

• dda86db Change version to 1.79.3 (#8983)
• 72186f1 grpc: enforce strict path checking for incoming requests on the server (#8981)
• 97ca352 Changing version to 1.79.3-dev (#8954)
• 8902ab6 Change the version to release 1.79.2 (#8947)
• a928670 Cherry-pick #8874 to v1.79.x (#8904)
• 06df363 Change version to 1.79.2-dev (#8903)
• 782f2de Change version to 1.79.1 (#8902)
• 850eccb Change version to 1.79.1-dev (#8851)
• 765ff05 Change version to 1.79.0 (#8850)
• 68804be Cherry pick #8864 to v1.79.x (#8896)
• Additional commits viewable in compare view

[konflux-ci-qe-bot]

@dependabot[bot]: The following matrix E2E test has Failed, say /retest to rerun failed tests.

Total child pipelines: 2
Failed child pipelines: 2

Failed child pipelines

PipelineRun Name	Status	Rerun command	Build Log	Test Log
tsf-e2e-4.20-kdlpx	Failed	/retest	View Pipeline Log	View Test Logs
tsf-e2e-4.21-ps8nt	Failed	/retest	View Pipeline Log	View Test Logs