Skip to content

fix: validate taskRef.apiVersion format for custom tasks #9045

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: validate taskRef.apiVersion format for custom tasks #9045

wants to merge 1 commit into from

Conversation

@waveywaves
Copy link
Member

@waveywaves waveywaves commented Sep 29, 2025

Changes

add validation to ensure taskRef.apiVersion follows the correct format (group/version) when specified. Previously, invalid apiVersion values like 'invalid-api-version' were accepted, causing PipelineRuns to create unhandled CustomRuns that would timeout. Now Pipeline creation fails immediately with a clear error message when an invalid apiVersion is provided.

Fixes #9044

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • pre-commit Passed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot tekton-robot added the release-note-none Denotes a PR that doesnt merit a release note. label Sep 29, 2025
@tekton-robot
Copy link
Collaborator

tekton-robot commented Sep 29, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from waveywaves after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Sep 29, 2025
@tekton-robot
Copy link
Collaborator

tekton-robot commented Sep 29, 2025

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/pipeline/v1/pipeline_validation.go 99.3% 99.3% 0.0
pkg/apis/pipeline/v1beta1/pipeline_validation.go 99.0% 99.0% 0.0

@waveywaves
Copy link
Member Author

waveywaves commented Oct 8, 2025

/retest

1 similar comment
@waveywaves
Copy link
Member Author

waveywaves commented Oct 8, 2025

/retest

@waveywaves waveywaves added this to the v1.6.0 (LTS) milestone Oct 16, 2025
@waveywaves waveywaves force-pushed the fix-invalid-taskref-apiversion-validation branch from 3797773 to e40bda6 Compare October 16, 2025 20:14
@waveywaves waveywaves added the kind/bug Categorizes issue or PR as related to a bug. label Oct 16, 2025
@waveywaves
fix: validate taskRef.apiVersion format for custom tasks
cbab5ca 
Add validation to ensure taskRef.apiVersion follows the correct format
(group/version) when specified. Previously, invalid apiVersion values
like 'invalid-api-version' were accepted, causing PipelineRuns to create
unhandled CustomRuns that would timeout. Now Pipeline creation fails
immediately with a clear error message when an invalid apiVersion is provided.

Fixes tektoncd#9044
@waveywaves waveywaves force-pushed the fix-invalid-taskref-apiversion-validation branch from e40bda6 to cbab5ca Compare October 16, 2025 21:00
aThorp96
aThorp96 reviewed Oct 20, 2025
View reviewed changes
Copy link
Member

@aThorp96 aThorp96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One suggested change, two general questions

Valid formats are "group/version" where group contains at least one dot

Is this strictly true? I know addon api groups conventionally use a dot, but as far as I can tell k8s doesn't pose that as a restriction.

pkg/apis/pipeline/v1/pipeline_validation.go
Comment on lines +378 to +388
// Validate apiVersion format for custom tasks
if pt.TaskRef != nil && pt.TaskRef.APIVersion != "" {
if !isValidAPIVersion(pt.TaskRef.APIVersion) {
errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskRef.APIVersion), "taskRef.apiVersion"))
}
}
if pt.TaskSpec != nil && pt.TaskSpec.APIVersion != "" {
if !isValidAPIVersion(pt.TaskSpec.APIVersion) {
errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskSpec.APIVersion), "taskSpec.apiVersion"))
}
}
Copy link
Member

@aThorp96 aThorp96 Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Duplicate check 😁

Suggested change
// Validate apiVersion format for custom tasks
if pt.TaskRef != nil && pt.TaskRef.APIVersion != "" {
if !isValidAPIVersion(pt.TaskRef.APIVersion) {
errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskRef.APIVersion), "taskRef.apiVersion"))
}
}
if pt.TaskSpec != nil && pt.TaskSpec.APIVersion != "" {
if !isValidAPIVersion(pt.TaskSpec.APIVersion) {
errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskSpec.APIVersion), "taskSpec.apiVersion"))
}
}
// Validate apiVersion format for custom tasks
if pt.TaskRef != nil && pt.TaskRef.APIVersion != "" {
if !isValidAPIVersion(pt.TaskRef.APIVersion) {
errs = errs.Also(apis.ErrInvalidValue(fmt.Sprintf("invalid apiVersion format %q, must be in the format \"group/version\"", pt.TaskRef.APIVersion), "taskRef.apiVersion"))
}
}

pkg/apis/pipeline/v1/pipeline_validation.go
// isValidAPIVersion validates the format of an apiVersion string.
// Valid formats are "group/version" where group contains at least one dot.
// For custom tasks, apiVersion must always be in the "group/version" format.
func isValidAPIVersion(apiVersion string) bool {
Copy link
Member

@aThorp96 aThorp96 Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this also validate that the apiVersion and Kind are registered in the cluster or something? A CustomRun will still be created when the apiVersion and kind dosn't exist in the cluster, however the CustomRun is simply never updated with any status so the pipelinerun times out. E.g. in the below screenshots I modified one of the examples to use a bogus apiVersion which was syntactically correct.

Image Image

I suppose being registered in the cluster is not sufficient since I've seen people mistakenly use "apiVersion": "tekton.dev/v1", "kind": "Task" in a TaskRef. Maybe that level of validation should be somewhere else? WDYT?

@vdemeester vdemeester modified the milestones: v1.6.0 (LTS), v1.7.0 Oct 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@afrittoli afrittoli Awaiting requested review from afrittoli

@dibyom dibyom Awaiting requested review from dibyom

1 more reviewer

@aThorp96 aThorp96 aThorp96 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

kind/bug Categorizes issue or PR as related to a bug. release-note-none Denotes a PR that doesnt merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

Tekton Community Roadmap
Status: Todo

Milestone

v1.7.0

Development

Successfully merging this pull request may close these issues.

bug: pipeline fails silently with invalid taskRef.apiVersion instead of providing a error

4 participants

@waveywaves @tekton-robot @aThorp96 @vdemeester