
chore(deps): bump the all group with 4 updates #1652

Merged
tekton-robot merged 1 commit into main from dependabot/go_modules/all-195c073302
May 5, 2026

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps the all group with 4 updates: github.com/fsnotify/fsnotify, github.com/in-toto/in-toto-golang, github.com/tektoncd/pipeline and google.golang.org/grpc.

Updates github.com/fsnotify/fsnotify from 1.10.0 to 1.10.1

Release notes

Sourced from github.com/fsnotify/fsnotify's releases.

v1.10.1

Changes and fixes

  • inotify: don't remove sibling watches sharing a path prefix (#754)

  • inotify, windows: don't rename sibling watches sharing a path prefix (#755)

#754: fsnotify/fsnotify#754 #755: fsnotify/fsnotify#755

Changelog

Sourced from github.com/fsnotify/fsnotify's changelog.

1.10.1 2026-05-04

Changes and fixes

  • inotify: don't remove sibling watches sharing a path prefix (#754)

  • inotify, windows: don't rename sibling watches sharing a path prefix (#755)

#754: fsnotify/fsnotify#754 #755: fsnotify/fsnotify#755

Commits
  • 76b01a6 Release 1.10.1
  • fec150b Update changelog
  • 162b421 inotify, windows: don't rename sibling watches sharing a path prefix (#755)
  • 224257f inotify: don't remove sibling watches sharing a path prefix (#754)
  • e0c956c windows: document directory Write events and stabilize tests (#745)
  • See full diff in compare view

Updates github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0

Release notes

Sourced from github.com/in-toto/in-toto-golang's releases.

v0.11.0

What's Changed

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0

Commits
  • 36d782f Merge pull request #462 from in-toto/fix-negation-character
  • 4a09e3b match: Replace ^ with ! for negation in character classes
  • c3302e8 Merge pull request #459 from in-toto/dependabot/go_modules/github.com/go-jose...
  • 016e87e chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
  • 5b9df76 Merge pull request #457 from in-toto/dependabot/go_modules/google.golang.org/...
  • 595b3fe chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3
  • e396d24 Merge pull request #452 from in-toto/dependabot/github_actions/all-502588e1ca
  • 142b779 Merge pull request #453 from in-toto/dependabot/go_modules/all-d8ef5820aa
  • f741bcc chore(deps): bump the all group with 2 updates
  • c374dc9 chore(deps): bump the all group across 1 directory with 2 updates
  • See full diff in compare view

Updates github.com/tektoncd/pipeline from 1.11.1 to 1.12.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.12.0 "Exotic Shorthair Elektrobots LTS"

🎉 TEP-0137 Notifications Controllers, Security Hardening & Performance 🎉

  • Docs @ v1.12.0
  • Examples @ v1.12.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.12.0/release.yaml
REKOR_UUID=108e9186e8c5677a39f7d12f2628ed2d38cc94bc8d69e8fc8e629606157b65a2042cc796a84a81b2
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.12.0@sha256:" + .digest.sha256')
# Download the release file
curl -L "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Upgrade Notices

🚨 TEP-0137: CloudEvents now sent by dedicated events controller (ACTION REQUIRED)

CloudEvents for PipelineRuns and TaskRuns are now sent by the dedicated tekton-events-controller and no longer by the PipelineRun/TaskRun controllers. Operators must ensure the tekton-events-controller Deployment is running.

New events added:

  • dev.tekton.event.pipelinerun.queued.v1 — sent when a PipelineRun is created but not yet processed
  • dev.tekton.event.taskrun.queued.v1 — sent when a TaskRun is created but not yet processed

CloudEvent delivery visibility is available via kubectl describe pipelinerun/taskrun (CloudEventSent/CloudEventFailed k8s Events).

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

  • Versions are numbered according to semantic versioning: vX.Y.Z
  • A new release is produced on a monthly basis
  • Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
    • LTS releases take place in January, April, July and October every year
    • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
    • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

  • The Tekton Pipeline [release process][tekton-releases-docs]
  • [Installing Tekton][tekton-installation]
  • Standard for [release notes][release-notes-standards]

Release

v1.12 (LTS)

  • Latest Release: [v1.12.0][v1.12-0] (2026-05-04) ([docs][v1.12-0-docs], [examples][v1.12-0-examples])
  • Initial Release: [v1.12.0][v1.12-0] (2026-05-04)
  • End of Life: 2027-05-04
  • Patch Releases: [v1.12.0][v1.12-0]

v1.9 (LTS)

... (truncated)

Commits
  • 7798558 build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.17
  • 81f98f7 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetr...
  • d635dcb test: add e2e test for TaskRun pending status
  • 8709b51 perf: remove unnecessary SetDefaults from TaskRun done path
  • fec1273 perf: reduce reconcile churn for completed PipelineRuns
  • 428471f build(deps): bump actions/checkout from 6.0.0 to 6.0.2
  • 5a597bb build(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0
  • 245b626 build(deps): bump step-security/harden-runner from 2.13.2 to 2.19.0
  • 6cf3274 build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.5 to 1.14.6
  • 0b4440d [TEP-0137] Deprecate send-cloudevents-for-runs feature flag
  • Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.80.0 to 1.81.0

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.0

Behavior Changes

  • balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

  • Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

  • xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
  • transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
  • xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

  • grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
  • xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
  • xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
  • xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
  • stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
  • mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)

Performance Improvements

  • alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
  • transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)

Commits
  • cb18228 Change version to 1.81.0 (#9062)
  • 96748f9 Cherry-pick #9105 to 1.81.x (#9106)
  • 9183222 Cherry pick #9055, #9032 to v1.81.x (#9095)
  • 5cba6da Revert "deps: update dependencies for all modules (#9065)" (#9067)
  • af8a936 deps: update dependencies for all modules (#9065)
  • cdc60df transport: optimize heap allocations in ready reader and update syscall conne...
  • 208d053 xds/resolver: pass complete XDSConfig in RPC context for HTTP filters (gRFC A...
  • 50fe1cc test: Fix flaky test TestServerStreaming_ClientCallRecvMsgTwice in `end2end...
  • d574bad build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#9050)
  • b8bf4d0 build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in /inte...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
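
Added example (not part of this PR, Dependabot's comment or the Tekton release notes): a fail-closed Go version of the image check from the v1.12.0 attestation steps quoted above, which unlike the shell loop returns an error when the attestation yields no subjects instead of printing nothing. The function name missingImages, the registry.example image names and the digests are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// statement keeps only the in-toto statement fields this check needs.
type statement struct {
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// missingImages returns each attested reference (name:tag@sha256:digest, as the
// release notes' jq filter builds it) that the manifest lacks; errors fail closed.
func missingImages(attestation []byte, tag, manifest string) ([]string, error) {
	var st statement
	if err := json.Unmarshal(attestation, &st); err != nil {
		return nil, fmt.Errorf("parse attestation: %w", err)
	}
	if len(st.Subject) == 0 { // an empty list must not look like a pass
		return nil, fmt.Errorf("attestation has no subjects; nothing verified")
	}
	var missing []string
	for _, s := range st.Subject {
		d := s.Digest["sha256"]
		if s.Name == "" || len(d) != 64 {
			return nil, fmt.Errorf("subject %q lacks a usable sha256 digest", s.Name)
		}
		if ref := s.Name + ":" + tag + "@sha256:" + d; !strings.Contains(manifest, ref) {
			missing = append(missing, ref)
		}
	}
	return missing, nil
}

// Constructed sample data: registry.example names and digests are placeholders.
var (
	digestA, digestB  = strings.Repeat("a", 64), strings.Repeat("b", 64)
	sampleAttestation = []byte(fmt.Sprintf(`{"subject":[{"name":"registry.example/controller","digest":{"sha256":%q}},`+
		`{"name":"registry.example/webhook","digest":{"sha256":%q}}]}`, digestA, digestB))
	sampleManifest = "image: registry.example/controller:v1.12.0@sha256:" + digestA + "\n"
)

func main() {
	fmt.Println(missingImages(sampleAttestation, "v1.12.0", sampleManifest))
}
```

In CI, treat a non-nil error or a non-empty result as a failed verification.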

Bumps the all group with 4 updates: [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify), [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang), [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) and [google.golang.org/grpc](https://github.com/grpc/grpc-go).


Updates `github.com/fsnotify/fsnotify` from 1.10.0 to 1.10.1
- [Release notes](https://github.com/fsnotify/fsnotify/releases)
- [Changelog](https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md)
- [Commits](fsnotify/fsnotify@v1.10.0...v1.10.1)

Updates `github.com/in-toto/in-toto-golang` from 0.10.0 to 0.11.0
- [Release notes](https://github.com/in-toto/in-toto-golang/releases)
- [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md)
- [Commits](in-toto/in-toto-golang@v0.10.0...v0.11.0)

Updates `github.com/tektoncd/pipeline` from 1.11.1 to 1.12.0
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v1.11.1...v1.12.0)

Updates `google.golang.org/grpc` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.80.0...v1.81.0)

---
updated-dependencies:
- dependency-name: github.com/fsnotify/fsnotify
  dependency-version: 1.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/in-toto/in-toto-golang
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/tektoncd/pipeline
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels May 4, 2026:
  • dependencies: Used by dependabot - identifies all PRs created by dependabot
  • kind/misc: Categorizes issue or PR as a miscellaneous one.
  • ok-to-test: Indicates a non-member PR verified by an org member that is safe to test.
  • release-note-none: Denotes a PR that doesn't merit a release note.
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 4, 2026
@anithapriyanatarajan
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 5, 2026
@anithapriyanatarajan
Contributor

/approve

@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [anithapriyanatarajan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 5, 2026
@tekton-robot tekton-robot merged commit 94dd4dd into main May 5, 2026
20 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/all-195c073302 branch May 5, 2026 10:10