How Tekton builds, tests, and releases itself — and where we're heading.
This roadmap covers the infrastructure, CI/CD, and tooling that supports the
tektoncd project. It is organized by workstream and prioritized using
NOW / NEXT / SOON / LATER buckets.
| Bucket | Meaning |
|---|---|
| NOW | Actively being worked on or ready to start |
| NEXT | Next up once NOW items land, well-defined |
| SOON | Planned, needs design or prerequisites |
| LATER | Aspirational, important but not urgent |
Goal: Remove all Prow components from the dogfooding cluster. The cluster stays — Prow goes. CI jobs already run on GitHub Actions.
- Migrate label sync to Tekton CronJob or Terraform (#3180)
- Replace Tide — Phase 1: Build prerequisites
  - Label management bot (#3179) — replace Prow's `/lgtm`, `/approve` plugins with a lightweight service (GHA workflow, PaC task, or standalone bot). Must handle: slash commands, `lgtm` reset on push, `approved` sticky across pushes, OWNERS file lookup.
  - Label enforcement status check (#2841) — GHA workflow that validates merge-readiness labels on every PR event:
    - Required: `approved` + `lgtm` + `kind/*`
    - Blocking: `do-not-merge/*`
  - Design decisions (resolved):
    - Keep labels: `lgtm` (reset on push) + `approved` (sticky) + `kind/*` enforced via status checks. No change to contributor workflow.
    - Keep OWNERS/OWNERS_ALIASES: CODEOWNERS has no reviewer vs approver distinction and no aliases. OWNERS is supported by PaC natively, which matters for the long-term PaC migration.
    - Label bot implementation: GHA (`issue_comment`-triggered for security), PaC task, or lightweight service — to be decided. Long-term target is PaC. Could be a reusable workflow in plumbing.
  - Research remaining:
    - Audit current Tide config per repo (merge methods, required checks, branch patterns)
- Replace Tide — Phase 2: Pilot (#3177)
  - Enable GitHub Merge Queue on one repo (e.g. plumbing itself)
  - Configure merge queue to require the label enforcement status check
  - Validate contributor workflow, iterate on rough edges
  - Dependency: label bot + label status check must be working
- Migrate Terraform branch protection to repository rulesets (#3181) — natural companion to merge queue rollout (touch repo config once)
- Replace Tide — Phase 3: Rollout (#3177)
  - Enable merge queue across all tektoncd repos
  - Disable Tide
- Complete migration out of Prow — umbrella issue (#3183)
- Decommission Prow components from the cluster (#3182) — remove deployments, CRDs, and configuration once all functions are migrated
- Migrate tektoncd project to Tekton (#159 — closed, largely done)
- Dogfooding Roadmap epic (#912 — closed, replaced by project board)
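
The label rules from Phase 1 (`lgtm` reset on push, sticky `approved`, OWNERS lookup, required and blocking labels), as an added example that is not Tekton plumbing code. The OWNERS data, event shapes and function names are assumptions, as is the rule that approvers may also `/lgtm`.

```javascript
// Added example modelling the label rules above; all names are hypothetical.
// SAMPLE_OWNERS stands in for an OWNERS file lookup (constructed sample data).
const SAMPLE_OWNERS = { reviewers: ["alice"], approvers: ["bob"] };

// Apply one PR event to a label set and return the new set.
function applyEvent(labels, event, owners) {
  const next = new Set(labels);
  if (event.type === "push") {
    next.delete("lgtm"); // lgtm resets on push; approved is sticky
    return next;
  }
  if (event.type !== "comment") return next;
  // Simplification: only the first token of the comment is read as a command.
  const command = event.body.trim().split(/\s+/)[0];
  const isApprover = owners.approvers.includes(event.user);
  const isReviewer = isApprover || owners.reviewers.includes(event.user);
  // Assumption: approvers may also /lgtm; commands from anyone else are ignored.
  if (command === "/lgtm" && isReviewer) next.add("lgtm");
  if (command === "/approve" && isApprover) next.add("approved");
  return next;
}

// Replay a sequence of events, oldest first, starting from the given labels.
function replay(initialLabels, events, owners) {
  return events.reduce((labels, e) => applyEvent(labels, e, owners), new Set(initialLabels));
}

// Evaluate the status check: required labels present, no blocking label.
function mergeReadiness(labels) {
  const names = [...labels];
  const missing = ["approved", "lgtm"].filter((l) => !labels.has(l));
  if (!names.some((l) => l.startsWith("kind/"))) missing.push("kind/*");
  const blocking = names.filter((l) => l.startsWith("do-not-merge/"));
  return { ready: missing.length === 0 && blocking.length === 0, missing, blocking };
}

// Constructed event stream: an outsider's /approve, two valid commands, then a push.
const SAMPLE_EVENTS = [
  { type: "comment", user: "mallory", body: "/approve" },
  { type: "comment", user: "alice", body: "/lgtm" },
  { type: "comment", user: "bob", body: "/approve" },
  { type: "push", user: "carol" },
];

console.log(mergeReadiness(replay(["kind/bug"], SAMPLE_EVENTS.slice(0, 3), SAMPLE_OWNERS)));
console.log(mergeReadiness(replay(["kind/bug"], SAMPLE_EVENTS, SAMPLE_OWNERS)));
```

The second result shows why the status check has to re-run on every PR event: a push after approval leaves `approved` in place but drops `lgtm`, so the PR is no longer merge-ready.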
Goal: Know what's happening on the dogfooding cluster, preserve execution history, and make it easy to investigate failures.
- Integrate Tekton Results with Dashboard — Results is deployed but the Dashboard doesn't query it yet. Wire up the external-logs feature so historical logs survive PipelineRun garbage collection.
  - Related: tektoncd/results#82, tektoncd/dashboard#3800
- Persistent log storage (#3176) — configure Results log backend (OCI Object Storage) so logs are stored long-term
- Improve cluster health monitoring (#3119) — alerting for failed CronJobs, PipelineRuns, and TaskRuns. Extend the existing cluster health monitor (#3170–#3172) with better signal and less noise.
- Deploy monitoring stack (#235) — Prometheus + Grafana (or lightweight alternative) for metrics on the dogfooding cluster. Dashboards for PipelineRun success rates, durations, queue times.
- Cross-repo CI health dashboard — a single view showing which repos have failing nightlies, flaky tests, or broken CI. Today you have to check each repo individually.
Goal: Make the CI/CD infrastructure leaner, cheaper, and easier to maintain. Standardize reusable workflows across repos.
- Move nightly builds to GHA and reduce frequency (#2670)
- Standardize reusable workflows across repos:
- Remove stale image build cronjobs (#3115)
- Remove `test-runner` image (#3117)
- Reduce maintained images (#1839) — audit which images plumbing still builds and determine which can be dropped or moved to their respective repos
- Skip expensive tests when unnecessary (#2845) — path-based filtering for integration tests
- Implement label check via GHA (#2841)
- PR coverage reports via GHA (#2839)
- Reduce infrastructure spending (#2156) — ongoing cost optimization
- Reduce storage/registry spending (#2157)
- Remove public access from non-LTS images (#2524)
- Upgrade tkn version (#3044)
Goal: Improve the security posture of Tekton's build and release infrastructure. Move towards SLSA compliance.
- Run zizmor on GitHub Actions (#3260) — scan GHA workflows for security findings
- Release signing (#884) — automated release pipelines should converge repos toward a shared, signed release process
- Enable commit signing via GitHub Merge Queue (#1091) — meets SLSA L3 verified history requirements. Becomes straightforward once Tide is replaced by GitHub Merge Queue (#3177)
- Image vulnerability scanning (#62) — scan release and nightly images
- Lock down access to Tekton infrastructure (#1258) — restrict direct cluster access, require audited/temporary access for releases and emergencies. Automated releases make this much more achievable.
- Dependency update automation (#3018) — Renovate for commit-SHA-pinned dependencies across repos
Goal: Make it easy for contributors and maintainers to understand, debug, and work with Tekton CI/CD infrastructure.
- Document the current CI/CD architecture — what runs where (GHA vs dogfooding vs PaC), how releases work, how to debug failures. Much of this is tribal knowledge today.
- Automation for managing bots in issues and PRs (#3219) — reduce manual toil for maintainers
- Fix "latest release" link (#3064)
- Contributor onboarding guide for plumbing — how to add a new CI job, how to modify release pipelines, how the dogfooding cluster is structured
- Self-service CI configuration — make it easy for repo maintainers to add/modify their own CI without deep plumbing knowledge
Goal: Move suitable CI workloads from GitHub Actions back to Tekton, running on the dogfooding cluster via Pipelines-as-Code. Eat our own dog food for the lightweight stuff.
- PaC multi-namespace setup: today PaC is only configured for release pipelines (in their own namespace). Need separate `Repository` CRs in different namespaces (e.g. `release-pipelines`, `ci-pipelines`) so release and CI workloads are isolated.
- Resource governance for PaC workloads (requests/limits) to prevent OOM issues on the shared cluster.
| Run on dogfooding/PaC | Stay on GHA |
|---|---|
| Unit tests | E2E tests (Kind clusters, heavy compute) |
| Linting | Multi-arch docker builds |
| Coverage | |
| Label/bot automation (#3179, #3180) | |
| Slash commands (#3121–#3127) | |
| Release pipelines (already there) | |
- Migrate slash commands to dogfooding (#3121) — umbrella for:
- PaC multi-namespace configuration — set up `ci-pipelines` namespace with separate `Repository` CRs for CI workloads
- Migrate bot/label automation from Prow to Tekton tasks on dogfooding (#3179, #3180)
- Pilot: move unit tests for one repo to PaC — prove the model works end-to-end (trigger on PR, run on dogfooding, report status to GitHub)
- Automated release pipeline convergence (#58) — standardize release pipelines across repos using shared PaC definitions
- Expand PaC CI to all repos — unit tests, linting, coverage for all `tektoncd` repos running on dogfooding
- Self-service PaC onboarding — make it trivial for a repo to opt in
| # | Title | Notes |
|---|---|---|
| #3185 | release-draft-oci: wget CA cert failure | Bug, fix independently |
| #3116 | Nightly multi-arch tests failing | Per-repo concern, but plumbing may need to help |
| #2041 | Tekton-powered job status inaccurate | Bug, may be resolved by PaC migration |
| #1804 | Plumbing unit tests pending | Bug |
| #1530 | Migrate resources to v1 | Cleanup |
| #1474 | CI not responding to retry commands | Likely obsolete (Prow era) |
Closed during this roadmap exercise (April 2026):
| # | Title | Reason |
|---|---|---|
| #159 | Migrate tektoncd to Tekton | Completed — tracked by newer issues |
| #282 | Deploy build bot automatically | Obsolete |
| #413 | Coordinated releases | Not planned — each project releases independently |
| #495 | Multi-arch tests/builds | Per-repo concern, arm64 available on GHA |
| #561 | Catlin IDE lints | Catlin is dead, wrong repo |
| #568 | Reduce cost of conditions | Completed — Condition CRD removed |
| #578 | Automate TEP OWNERS | Not planned — TEP process quiet |
| #580 | Z hardware connectivity | Obsolete, sub-task of #495 |
| #598 | Fix peribolos webhook | Superseded by Terraform migration |
| #853 | Hub API automation | Hub replaced by ArtifactHub |
| #1122 | Resource requests/limits | Revisit when workloads move to PaC |
| #1204 | Performance tests | Per-repo concern |