Skip to content

release-draft-oci task: wget fails to query GitHub API due to untrusted CA certificates #3185

@vdemeester

Description

@vdemeester

Problem

During the Tekton Pipelines v1.10.0 release, the create-draft-release-oci task failed to enrich release notes with PR details from the GitHub API. The wget calls to api.github.com fail with TLS certificate errors:

ERROR: The certificate of 'api.github.com' is not trusted.
ERROR: The certificate of 'api.github.com' hasn't got a known issuer.

This affects multiple PRs (#9426, #9398, #9390, #9386, #9367, #9278, #9043, #9009) — their descriptions are missing from the generated draft release notes.

The pipeline still reports Succeeded because the wget errors are non-fatal, but the release notes are incomplete and require manual editing.

Root Cause

The base image used in the create-draft-release-oci task has stale/outdated CA certificates, so TLS validation against api.github.com fails.

Expected Behavior

The task image should have up-to-date CA certificates so that GitHub API calls succeed and release notes are automatically enriched with PR titles and descriptions.

Environment

  • Cluster: dogfooding (OKE/Oracle)
  • Namespace: default
  • PipelineRun: release-draft-oci-run-5hglj
  • TaskRun: release-draft-oci-run-5hglj-create-draft-release
  • Release: Tekton Pipelines v1.10.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.

    Type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions