Skip to main content
The Pipelines as Code ConfigMap (pipelines-as-code) contains global settings that apply to all repositories unless overridden at the repository level.

Location

The ConfigMap is typically installed in the pipelines-as-code namespace: 
kubectl get configmap pipelines-as-code -n pipelines-as-code

Configuration Fields

Application Settings

application-name
string
default:"Pipelines as Code CI"
The application name used in status updates and comments. If using the GitHub App, you will need to customize this label in the GitHub App settings as well.
application-name: "Pipelines as Code CI"

Secret Management

secret-auto-create
boolean
default:"true"
Whether to automatically create a secret with the token to be used by git-clone.
secret-auto-create: "true"
secret-github-app-token-scoped
boolean
default:"true"
By default, only generate tokens scoped to the repository from where the payload comes from. This is important when the GitHub app is installed on a GitHub organization with a mix of public and private repositories where some users do not have access.Set to false if you trust every user in your organization to access any repos or are not planning to install your GitHub application globally on a GitHub Organization.
secret-github-app-token-scoped: "true"
secret-github-app-scope-extra-repos
string
If you don’t want to completely disable the scoping of the token but still want some other repos (on the same installation ID) available from the token, add extra owner/repo here.You can have multiple owner/repositories separated by commas.
secret-github-app-scope-extra-repos: "owner/private-repo1, org/repo2"

Hub Configuration

hub-url
string
default:"https://artifacthub.io"
The default hub URL to use for fetching remote tasks.
hub-url: "https://artifacthub.io"
hub-catalog-type
string
default:"artifacthub"
The default hub catalog type. Supported values: artifacthub, tektonhub.
hub-catalog-type: "artifacthub"
catalog-{N}-*
object
Additional hub catalogs configuration. You can configure multiple catalogs by incrementing the number (catalog-1-, catalog-2-, etc.).
catalog-1-id: "custom"
catalog-1-name: "tekton"
catalog-1-url: "https://api.custom.hub/v1"
catalog-1-type: "tektonhub"
remote-tasks
boolean
default:"true"
Allow fetching remote tasks from configured hubs.
remote-tasks: "true"

Dashboard Integration

tekton-dashboard-url
string
URL of the Tekton dashboard. Pipelines as Code generates URLs to PipelineRuns on the Tekton dashboard using this base URL.
tekton-dashboard-url: "https://tekton.example.com"
custom-console-name
string
Name of a custom console to use instead of the Tekton dashboard.
custom-console-name: "Console Name"
custom-console-url
string
Base URL of the custom console.
custom-console-url: "https://url"
custom-console-url-pr-details
string
Template URL for PipelineRun details. Supports variables: {{ namespace }}, {{ pr }}.
custom-console-url-pr-details: "https://url/ns/{{ namespace }}/{{ pr }}"
custom-console-url-pr-tasklog
string
Template URL for task logs. Supports variables: {{ namespace }}, {{ pr }}, {{ task }}.
custom-console-url-pr-tasklog: "https://url/ns/{{ namespace }}/{{ pr }}/logs/{{ task }}"

Error Detection and Logging

error-log-snippet
boolean
default:"true"
Enable or disable the feature to show a log snippet of the failed task when there is an error in a Pipeline.You may want to disable this if you think your pipeline may leak sensitive values.
error-log-snippet: "true"
error-log-snippet-number-of-lines
integer
default:"3"
Number of lines to display in error log snippets when error-log-snippet is set to true.The GitHub Check interface has a 65,535 character limit, so consider using a conservative value.
error-log-snippet-number-of-lines: "3"
error-detection-from-container-logs
boolean
default:"true"
Enable or disable inspection of container logs to detect error messages and expose them as annotations on Pull Requests. Only GitHub Apps is supported.
error-detection-from-container-logs: "true"
error-detection-max-number-of-lines
integer
default:"50"
How many lines to grab from the container when inspecting logs for error detection. Increasing this value may increase the watcher memory usage. Use -1 for unlimited lines.
error-detection-max-number-of-lines: "50"
error-detection-simple-regexp
string
The default regexp used for simple error detection. Must be a valid regular expression.
error-detection-simple-regexp: |
  ^(?P<filename>[^:]*):(?P<line>[0-9]+):(?P<column>[0-9]+)?([ ]*)?(?P<error>.*)

Concurrency Control

enable-cancel-in-progress-on-pull-requests
boolean
default:"false"
Global setting to control whether Pipelines as Code should automatically cancel any in-progress PipelineRuns associated with a pull request when that pull request is updated. This helps prevent multiple redundant runs from executing simultaneously.
enable-cancel-in-progress-on-pull-requests: "false"
enable-cancel-in-progress-on-push
boolean
default:"false"
Global setting to determine whether Pipelines as Code should automatically cancel in-progress PipelineRuns triggered by a push event if a new push occurs on the same branch. This prevents overlapping or redundant runs for the same branch.
enable-cancel-in-progress-on-push: "false"

Bitbucket Cloud Settings

bitbucket-cloud-check-source-ip
boolean
default:"true"
Since public Bitbucket doesn’t have the concept of webhook secrets, secure requests by querying https://ip-ranges.atlassian.com/. This only happens for public Bitbucket (when provider.url is not set in repository spec).
Disabling this could be a security issue. A malicious user could send a PR with a modified PipelineRun that grabs secrets, then send a malicious webhook payload to trigger it.
bitbucket-cloud-check-source-ip: "true"
bitbucket-cloud-additional-source-ip
string
Add extra IPs (e.g., 127.0.0.1) or networks (e.g., 127.0.0.0/16) separated by commas.
bitbucket-cloud-additional-source-ip: "192.168.1.0/24, 10.0.0.1"

Retention Policies

max-keep-run-upper-limit
integer
Defines the upper limit for the max-keep-run annotation value which a user can set on a PipelineRun. The value set on the annotation should be less than or equal to the upper limit; otherwise, the upper limit will be used while cleaning up.
max-keep-run-upper-limit: "100"
default-max-keep-runs
integer
If defined, applies to all PipelineRuns that don’t have the max-keep-runs annotation.
default-max-keep-runs: "10"

Auto-Configuration

auto-configure-new-github-repo
boolean
default:"false"
Whether to auto-configure newly created repositories. This will create a new namespace and Repository CR. Supported only with GitHub App.
auto-configure-new-github-repo: "false"
auto-configure-repo-namespace-template
string
Template to generate the namespace name for an auto-configured GitHub repository. Supported fields: {{repo_owner}}, {{repo_name}}.
auto-configure-repo-namespace-template: "{{repo_owner}}-{{repo_name}}"
auto-configure-repo-repository-template
string
Template to generate the Repository CR name for an auto-configured GitHub repository. Supported fields: {{repo_owner}}, {{repo_name}}.
auto-configure-repo-repository-template: "{{repo_owner}}-{{repo_name}}-repo-cr"

Security and Authorization

remember-ok-to-test
boolean
default:"false"
Enable or disable the feature to re-run the CI if a push event happens on a pull request after /ok-to-test has been done once.By default it is false, meaning /ok-to-test should be done on each iteration. Set to true to remember the approval across push events.
remember-ok-to-test: "false"
require-ok-to-test-sha
boolean
default:"false"
Enforces that a pull request’s commit SHA must be specified in an /ok-to-test comment. This prevents a race condition where a malicious user could push a bad commit after the /ok-to-test comment is posted but before the CI runs.
require-ok-to-test-sha: "false"
skip-push-event-for-pr-commits
boolean
default:"true"
When enabled, prevents duplicate pipeline runs when a commit appears in both a push event and a pull request. If a push event comes from a commit that is part of an open pull request, the push event will be skipped.
skip-push-event-for-pr-commits: "true"

Complete Example

apiVersion: v1
kind: ConfigMap
metadata:
  name: pipelines-as-code
  namespace: pipelines-as-code
  labels:
    app.kubernetes.io/part-of: pipelines-as-code
data:
  application-name: "My CI System"
  secret-auto-create: "true"
  secret-github-app-token-scoped: "true"
  secret-github-app-scope-extra-repos: "org/shared-repo"
  
  hub-url: "https://artifacthub.io"
  hub-catalog-type: "artifacthub"
  remote-tasks: "true"
  
  tekton-dashboard-url: "https://tekton.example.com"
  
  error-log-snippet: "true"
  error-log-snippet-number-of-lines: "5"
  error-detection-from-container-logs: "true"
  error-detection-max-number-of-lines: "100"
  
  enable-cancel-in-progress-on-pull-requests: "true"
  enable-cancel-in-progress-on-push: "false"
  
  max-keep-run-upper-limit: "50"
  default-max-keep-runs: "10"
  
  remember-ok-to-test: "true"
  require-ok-to-test-sha: "false"
  skip-push-event-for-pr-commits: "true"

Updating Configuration

To update the ConfigMap: 
kubectl edit configmap pipelines-as-code -n pipelines-as-code
Or apply changes from a file: 
kubectl apply -f pipelines-as-code-config.yaml
Most ConfigMap changes take effect immediately, but some may require restarting the Pipelines as Code controller.

Build docs developers (and LLMs) love

Get started for freeTalk to us