// Use when creating a new task version, bumping version labels, writing migration scripts, or when versioning/migration CI checks fail. Covers version labels, CHANGELOG.md, migration scripts with pmt modify, and kustomized variant updates.
Use when CI behaves unexpectedly, when you need to understand how Tekton bundles are built, or when understanding non-obvious behavior with templated workflows, Checkton, migration validation, kustomize checks, or trusted artifacts generation.
Use when a scan task fails in a pipeline, when task results have unexpected values, when understanding scan output formats, or when debugging bundle build failures.
Use before pushing a PR for review, when CI checks fail, or when reviewing someone else's PR. Pre-push checklist covering all CI requirements, commit conventions, and documentation for task catalog PRs.
Use when creating task variants (remote, trusted-artifacts), working with recipe.yaml files, or when the check-ta CI workflow fails. Covers both Go generators, the recipe format, and the generation pipeline.
Use when writing tests for a Tekton task, running tests locally, debugging test failures in CI, or understanding the three testing layers (Kind cluster, Tekton integration, ShellSpec).
| name | task-versioning-and-migration |
| description | Use when creating a new task version, bumping version labels, writing migration scripts, or when versioning/migration CI checks fail. Covers version labels, CHANGELOG.md, migration scripts with pmt modify, and kustomized variant updates. |
Versioning in this repo involves coordinating the app.kubernetes.io/version label, CHANGELOG.md, and optional migration scripts in the migrations/ directory. When a task interface changes or a critical bug is fixed, you create a new version and optionally a migration script to help users update their pipelines automatically.
| Action | Command/File | Notes |
|---|---|---|
| Bump version | Edit task/<name>/<name>.yaml, update label app.kubernetes.io/version | Format: x.y or x.y.z |
| Create migration | mkdir -p task/<name>/migrations && touch task/<name>/migrations/<version>.sh | Filename must match version label |
| Create migration helper | ./hack/create-task-migration.sh -t <task-name> | Generates template script |
| Validate locally | ./hack/versioning.py check | Checks version label + CHANGELOG |
| Check migration | bash ./hack/validate-migration.sh | Requires kind + pmt installed |
| Add CHANGELOG | ./hack/versioning.py new-changelog task/<name>/ | Creates or updates CHANGELOG.md |
The app.kubernetes.io/version label in task YAML metadata controls versioning:
metadata:
labels:
app.kubernetes.io/version: "0.2"
# or
app.kubernetes.io/version: "0.2.1"
x.y or x.y.z (integers only, no strings like "v0.2")migrations/0.2.sh for version 0.2Migrations use pmt modify (NOT yq -i) to update Konflux standard pipelines.
File structure:
task/<task-name>/
├── <task-name>.yaml # with updated app.kubernetes.io/version label
└── migrations/
└── <version>.sh # e.g., 0.2.sh
Script template:
#!/usr/bin/env bash
set -euo pipefail
pipeline_file="$1"
# pmt modify is idempotent - safe to run multiple times
pmt modify -f "$pipeline_file" task <task-name> add-param my-new-param "default-value"
Requirements:
$1 = pipeline file path (Pipeline or PipelineRun)pmt modify commands (NEVER yq -i)Testing the script locally:
pmt modify -f /path/to/.tekton/component-a-pull.yaml task clair-scan add-param my-param "value"
Each task MUST have a CHANGELOG.md at task/<name>/CHANGELOG.md.
Format: Follow keepachangelog.com format
Example:
# Changelog
All notable changes to this project will be documented in this file.
## [Unreleased]
## [0.2] - 2025-05-20
### Added
- New parameter: `my-new-param`
### Changed
- Updated base image from ubi8 to ubi9
## [0.1] - 2025-04-15
### Added
- Initial release
Rules:
When bumping a task version and adding a migration, the user must do all of these steps — in order:
app.kubernetes.io/version label to the new version (e.g. 0.2 → 0.3)task/<name>/migrations/<version>.sh using pmt modify commands-oci-ta variant: create a matching migration in task/<name>-oci-ta/migrations/<version>.shtask/<name>/CHANGELOG.md: add an entry for the new version under the appropriate section-min variant): run hack/build-manifests.sh to regenerate the variant YAMLbash ./hack/validate-migration.sh (requires kind + Tekton + pmt)shellcheck task/<name>/migrations/<version>.shNothing is optional — CI enforces all of steps 1–4. Steps 5–7 prevent CI failures before push.
Note: The repo supports both flat (task/<name>/<name>.yaml) and legacy versioned (task/<name>/<ver>/<name>.yaml) structures. The version is determined by the app.kubernetes.io/version label, NOT the directory.
Create a new version when:
Include a migration script and updated CHANGELOG.md.
Kustomized variants (like clair-scan-min) reference their base task via kustomization.yaml:
# task/clair-scan-min/kustomization.yaml
bases:
- ../../clair-scan
patchesStrategicMerge:
- patch.yaml
When base task bumps version:
hack/build-manifests.sh to regenerate kustomized variantsIf a task has an -oci-ta variant, it MUST also get a migration script. The validate-migration.sh CI check enforces this automatically.
Structure:
task/<task-name>/
└── migrations/
└── 0.2.sh
task/<task-name>-oci-ta/
└── migrations/
└── 0.2.sh
| Mistake | Fix |
|---|---|
| Migration filename doesn't match version label | Ensure app.kubernetes.io/version exactly matches migrations/<ver>.sh filename |
Used yq -i in migration | Replace with pmt modify commands. See pmt README for all subcommands. |
| Forgot CHANGELOG.md | ./hack/versioning.py new-changelog task/<name>/ |
| Modified an existing migration file | Not allowed. Create a new version instead. |
| Base task bumped, -min variant stale | Run hack/build-manifests.sh after any kustomization changes |
| Missing OCI-TA migration | Create migration in both base and -oci-ta directories |
| Version label has "v" prefix | Remove: use 0.2, not v0.2 |