build(deps): bump the all group across 1 directory with 4 updates

[dependabot]

Bumps the all group with 4 updates in the /tekton/ci/custom-tasks/pr-status-updater directory: github.com/jenkins-x/go-scm, github.com/tektoncd/pipeline, k8s.io/apimachinery and k8s.io/client-go.

Updates github.com/jenkins-x/go-scm from 1.15.16 to 1.15.17

Release notes

Sourced from github.com/jenkins-x/go-scm's releases.

1.15.17

Changes in version 1.15.17

Chores

• release 1.15.17 (jenkins-x-bot)
• add variables (jenkins-x-bot)

Other Changes

These commits did not use Conventional Commits formatted messages:

• Extract shared stash group membership loop (Thibault Gagnaux)
• Consolidate stash identity helper usage (Thibault Gagnaux)
• Support collaborator checks via repo groups (Thibault Gagnaux)
• Unify stash user identity matching (Thibault Gagnaux)
• Clarify IsMember user matching logic (Thibault Gagnaux)
• Continue group scan on lookup errors (Thibault Gagnaux)
• Refactor stash org path helpers (Thibault Gagnaux)
• Encode group names in member lookup (Thibault Gagnaux)

Commits

• 1782b05 chore: release 1.15.17
• 99a76d2 chore: add variables
• c84fd3f Merge pull request #523 from tricktron/fix-group-access
• db7f8cb Extract shared stash group membership loop
• 2d747c6 Consolidate stash identity helper usage
• 495f4a4 Support collaborator checks via repo groups
• d961f6d Unify stash user identity matching
• 78f7b5d Clarify IsMember user matching logic
• 06348b4 Continue group scan on lookup errors
• 8b4d37e Refactor stash org path helpers
• Additional commits viewable in compare view

Updates github.com/tektoncd/pipeline from 1.7.0 to 1.9.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.9.0 LTS "Devon Rex Dreadnought"

🎉 hostUsers support and digest validation for http resolver 🎉

-Docs @ v1.9.0 -Examples @ v1.9.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.0/release.yaml
REKOR_UUID=108e9186e8c5677a692b1410db6e04e5e4a25aec2e361118647fe42c5ad8d7ef3e087b5cd11463d6
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.0@sha256:" + .digest.sha256')
Download the release file
curl -L "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ feat: add ServiceAccount inheritance to Affinity Assistants (#9253)

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

• Versions are numbered according to semantic versioning: vX.Y.Z
• A new release is produced on a monthly basis
• Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
  • LTS releases take place in January, April, July and October every year
  • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
  • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

• The Tekton Pipeline [release process][tekton-releases-docs]
• [Installing Tekton][tekton-installation]
• Standard for [release notes][release-notes-standards]

Release

v1.9 (LTS)

• Latest Release: [v1.9.0][v1.9-0] (2026-01-30) ([docs][v1.9-0-docs], [examples][v1.9-0-examples])
• Initial Release: [v1.9.0][v1.9-0] (2026-01-30)
• End of Life: 2027-01-30
• Patch Releases: [v1.9.0][v1.9-0]

v1.6 (LTS)

... (truncated)

Commits

• 0cc7987 fix: validate taskRef.apiVersion format for custom tasks
• 13a014c build(deps): bump go.uber.org/zap from 1.27.0 to 1.27.1
• 80ce1d5 build(deps): bump github.com/google/cel-go from 0.26.0 to 0.27.0
• a7bac62 chore(ci): update cherry-pick workflow to fix multi-commit PRs
• 0decf9d ci: add KOCACHE to speed up ko builds in GitHub Actions
• d2b0894 taskrun: include actual result size in error when exceeding maxResultSize
• 2a1f938 build(deps): bump github/codeql-action from 4.31.9 to 4.32.0
• 1569c03 build(deps): bump the all group in /tekton with 3 updates
• 19a8e88 build(deps): bump chainguard-dev/actions from 1.5.12 to 1.5.13
• ad67dce build(deps): bump actions/checkout from 6.0.1 to 6.0.2
• Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.34.3 to 0.35.1

Commits

• 72d71ea Merge remote-tracking branch 'origin/master' into release-1.35
• e2a2dbc Bump golang.org/x/crypto to v0.45.0
• 2e9c228 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
• f274aac vendor: update vendor and license metadata after replacing BeTrue usage in cs...
• 9445443 Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
• 52154f7 Update vendored dependencies
• 5a348c5 KEP-5471: Extend tolerations operators (#134665)
• 6f89492 Merge pull request #133648 from richabanker/merged-discovery
• c77dde2 util/sort: Add MergePreservingRelativeOrder for topological sorting
• 729c13d Merge pull request #134624 from yt2985/podcertificates-beta
• Additional commits viewable in compare view

Updates k8s.io/client-go from 0.34.3 to 0.35.1

Commits

• b464ad8 Update dependencies to v0.35.1 tag
• 2d83546 Merge remote-tracking branch 'origin/master' into release-1.35
• 56b4af2 Merge pull request #135591 from p0lyn0mial/upstream-watchlist-reflector-log-f...
• 891f94c Merge remote-tracking branch 'origin/master' into release-1.35
• 65ffe04 Merge pull request #135580 from serathius/client-go-transformer
• 2fe4ac2 downgrade reflector watchlist fallback log to V(4)
• 97256a6 Bump golang.org/x/crypto to v0.45.0
• 46360b5 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
• 171ef8c Use transformer in consistency checker
• 3878a64 vendor: update vendor and license metadata after replacing BeTrue usage in cs...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign anithapriyanatarajan after the PR has been reviewed.
You can assign the PR to them by writing /assign @anithapriyanatarajan in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[anithapriyanatarajan]

@dependabot rebase