Skip to main content

tkn pac resolve

Resolve a PipelineRun as if it were executed by Pipelines-as-Code, allowing local testing before pushing to Git.

Synopsis

tkn pac resolve [flags]

Description

The resolve command processes PipelineRun templates the same way PAC does on the service:
  1. Reads template files from .tekton/ or specified paths
  2. Substitutes variables (repo_url, revision, etc.)
  3. Inlines remote tasks from Tekton Hub or Artifact Hub
  4. Generates secrets if needed (e.g., git_auth_secret)
  5. Outputs resolved YAML ready to apply to cluster
This allows you to test pipelines locally without creating commits or pull requests.

Usage Examples

# Resolve single template
tkn pac resolve -f .tekton/pull-request.yaml

Required Flags

-f, --filename
string[]
required
Template file, directory, or URL
  • Single file: -f .tekton/pull-request.yaml
  • Multiple files: -f file1.yaml -f file2.yaml
  • Directory: -f .tekton/ (processes all .yaml files)
  • Multiple directories: -f .tekton/ -f tasks/

Flags

-p, --params
string[]
Parameters to substitute (format: key=value)Examples:
  • -p revision=main
  • -p repo_url=https://github.com/org/repo
  • -p image_name=quay.io/myorg/myapp
Multiple values:
tkn pac resolve -f .tekton/pr.yaml \
  -p revision=main \
  -p repo_url=https://github.com/org/repo \
  -p repo_owner=myorg \
  -p repo_name=myapp
-o, --output
string
Output file path (default: stdout)
-s, --skip
string[]
Skip inlining these tasks (use them as-is)Tasks must exist in the namespace to use them:
tkn pac resolve -f .tekton/pr.yaml -s custom-task -s internal-task
-t, --providerToken
string
Provider token for git-auth-secret generationCan also be set via PAC_PROVIDER_TOKEN environment variable
--no-secret
boolean
default:"false"
Don’t generate git-auth-secret even if {{ git_auth_secret }} is found
--no-generate-name
boolean
default:"false"
Don’t add generateName field for PipelineRun uniqueness
-B, --v1beta1
boolean
default:"false"
Output as Tekton v1beta1 formatUseful when targeting clusters where bundle conversion doesn’t work correctly

Auto-Detection

When run from a Git repository, parameters are auto-detected:
ParameterAuto-Detected From
repo_urlGit remote URL
revisionCurrent commit SHA
repo_ownerRepository owner from URL
repo_nameRepository name from URL
Auto-detected values can be overridden with -p flags.

Parameter Substitution

Template variables are replaced with actual values:

Template

.tekton/pull-request.yaml
params:
- name: url
  value: "{{ repo_url }}"
- name: revision  
  value: "{{ revision }}"
- name: repo_owner
  value: "{{ repo_owner }}"

Resolved

params:
- name: url
  value: "https://github.com/myorg/myapp"
- name: revision
  value: "a3c5e8d9f2b1c4e6d8a7f5e3b2c1d9a8"
- name: repo_owner
  value: "myorg"

Remote Task Inlining

Remote tasks are automatically fetched and embedded:

Template

tasks:
- name: fetch-repository
  taskRef:
    name: git-clone
    resolver: hub

Resolved

tasks:
- name: fetch-repository
  taskSpec:
    description: Clone a git repository
    params:
    - name: url
      type: string
    # ... full task definition inlined ...

Git Auth Secret Generation

If {{ git_auth_secret }} is found in templates:
  1. Prompts for token (or uses PAC_PROVIDER_TOKEN env var)
  2. Creates Secret YAML for Git authentication
  3. Substitutes {{ git_auth_secret }} with secret name
  4. Outputs secret along with PipelineRun

Example

$ tkn pac resolve -f .tekton/pr.yaml

? Enter your Git provider token: ****

---
apiVersion: v1
kind: Secret
metadata:
  name: git-auth-abc123
type: kubernetes.io/basic-auth
data:
  username: Z2l0
  password: <base64-encoded-token>
---
apiVersion: tekton.dev/v1
kind: PipelineRun
# ...
Skip secret generation: 
tkn pac resolve -f .tekton/pr.yaml --no-secret
Provide token via environment: 
export PAC_PROVIDER_TOKEN=ghp_xxxxxxxxxxxx
tkn pac resolve -f .tekton/pr.yaml

Output Example

$ tkn pac resolve -f .tekton/pull-request.yaml -o /tmp/resolved.yaml

PipelineRun has been written to /tmp/resolved.yaml

$ cat /tmp/resolved.yaml

---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: myapp-pr-
  namespace: ""
spec:
  pipelineSpec:
    tasks:
    - name: fetch-repository
      taskSpec:
        description: Clone a git repository
        params:
        - name: url
          type: string
          description: Repository URL
        - name: revision
          type: string
          description: Revision to checkout
        steps:
        - name: clone
          image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:latest
          script: |
            #!/usr/bin/env sh
            git clone $(params.url) /workspace/output
            cd /workspace/output
            git checkout $(params.revision)
      params:
      - name: url
        value: https://github.com/myorg/myapp
      - name: revision
        value: a3c5e8d9f2b1c4e6d8a7f5e3b2c1d9a8
  workspaces:
  - name: source
    emptyDir: {}

Common Workflows

Test Before Pushing

# Resolve and validate
tkn pac resolve -f .tekton/pr.yaml

# If looks good, test on cluster
tkn pac resolve -f .tekton/pr.yaml | kubectl apply -f -

# Watch execution
tkn pr logs -f --last

# If successful, commit and push
git add .tekton/
git commit -m "Add pipeline"
git push

Debug Parameters

# Test with different parameters
tkn pac resolve -f .tekton/pr.yaml \
  -p revision=feature-branch \
  -p environment=staging

Test Multiple Templates

# Test all templates in .tekton/
tkn pac resolve -f .tekton/ -o /tmp/all-resolved.yaml

# Review
cat /tmp/all-resolved.yaml

# Apply if valid
kubectl apply -f /tmp/all-resolved.yaml

Use Existing Cluster Tasks

# Skip inlining for tasks that exist in cluster
tkn pac resolve -f .tekton/pr.yaml \
  -s custom-lint \
  -s internal-security-scan

Generate v1beta1 for Legacy Clusters

# Output as v1beta1
tkn pac resolve -f .tekton/pr.yaml --v1beta1 -o resolved-v1beta1.yaml

# Apply to older Tekton cluster
kubectl apply -f resolved-v1beta1.yaml

Limitations

The following features are not supported in resolve:
  • Local task directories: Tasks from local directories referenced in annotations cannot be resolved
  • Provider-specific features: Some Git provider specific features may not work
  • Webhook payloads: Cannot simulate full webhook payloads

Git Clone Requirement

The resolved PipelineRun must be able to access the repository at the specified SHA: 
# Push your changes first
git push origin feature-branch

# Then resolve with that SHA
tkn pac resolve -f .tekton/pr.yaml -p revision=$(git rev-parse HEAD)

Troubleshooting

No Files Specified

Error: you need to at least specify a file with -f
Solution: 
tkn pac resolve -f .tekton/pull-request.yaml

File Not Found

Error: stat .tekton/pr.yaml: no such file or directory
Solutions:
  • Check file path: ls .tekton/
  • Use absolute path: tkn pac resolve -f $PWD/.tekton/pr.yaml
  • Check current directory: pwd

Cannot Connect to Cluster

Couldn't get kubeConfiguration namespace
This is not an error - resolve works without cluster access. Some features (like checking existing secrets) won’t work.

Remote Task Resolution Failed

Error: failed to get task git-clone from hub
Solutions:
  • Check internet connectivity
  • Verify task name exists on Hub: https://hub.tekton.dev/
  • Use --skip to skip problematic tasks

Invalid Template Syntax

Error: error unmarshaling JSON: invalid character
Solution: Validate YAML syntax: 
yamllint .tekton/pull-request.yaml

Environment Variables

PAC_PROVIDER_TOKEN
string
Git provider token for secret generation
export PAC_PROVIDER_TOKEN=ghp_xxxxxxxxxxxx
tkn pac resolve -f .tekton/pr.yaml

See Also

Build docs developers (and LLMs) love

Get started for freeTalk to us