Skip to main content

Overview

Pipelines-as-Code automatically executes PipelineRuns when Git events occur (pushes, pull requests). This guide covers authorization, execution monitoring, error handling, and lifecycle management.

How Execution Works

1
Event Occurs
2
A developer pushes code or opens a pull request.
3
Repository Matching
4
PAC finds the Repository CR matching the event’s repository URL.
5
PipelineRun Discovery
6
PAC scans the .tekton/ directory for PipelineRun definitions.
7
Event Matching
8
PipelineRuns with matching annotations are selected (see Event Matching).
9
Authorization Check
10
PAC verifies the user has permission to run pipelines.
11
Execution
12
Matched PipelineRuns are created in the Repository CR’s namespace.
PipelineRuns are fetched from the source branch by default. Configure pipelinerun_provenance: "default_branch" in the Repository CR to always use the default branch.

ACL Permissions

Only authorized users can trigger PipelineRuns. A user is authorized if they are:
  • Repository owner
  • Repository collaborator
  • Organization member (public or private)
  • Has push permissions to the repository

Unauthorized Users

When an unauthorized user opens a PR, PAC:
  1. Posts a Pending status check
  2. Comments that the user lacks permissions
  3. Waits for an authorized user to comment /ok-to-test
GitHub bot users (detected via the GitHub API) are silently ignored unless explicitly authorized.

/ok-to-test Command

Authorized users can approve external PRs: 
Looks good! Thanks for the contribution.

/ok-to-test

SHA Validation (GitHub only)

Cluster administrators can require SHA validation for /ok-to-test: 
apiVersion: v1
kind: ConfigMap
metadata:
  name: pipelines-as-code
  namespace: pipelines-as-code
data:
  require-ok-to-test-sha: "true"
Users must then include the commit SHA: 
/ok-to-test 1a2b3c4
This prevents time-of-check/time-of-use attacks where an attacker pushes new code immediately after approval.

Draft Pull Requests (GitHub)

By default, PAC runs on draft PRs. To skip drafts: 
annotations:
  pipelinesascode.tekton.dev/on-cel-expression: |
    event == "pull_request" && !body.pull_request.draft
PipelineRuns trigger only when the PR is marked “Ready for Review.”

Monitoring Execution

Using tkn pac CLI

View logs for the latest PipelineRun: 
tkn pac logs -n my-namespace -L
Select a specific PipelineRun: 
tkn pac logs -n my-namespace
You’ll be prompted to choose from recent runs.

Using Tekton Dashboard

If the Tekton Dashboard is installed, PAC posts a direct link in the GitHub Checks tab.

Using OpenShift Console

On OpenShift, PAC links to the Pipeline view in the Console.

Git Provider UI

Check the Checks tab on pull requests:GitHub ChecksEach PipelineRun appears as a separate check with:
  • Status (pending, success, failure)
  • Task-by-task results
  • Log snippets
  • Execution time

Error Handling

YAML Parsing Errors

If PAC encounters invalid YAML in .tekton/:
  1. Comment on PR: Details the error
  2. Namespace Events: Error logged in namespace event stream
  3. Controller Logs: Error appears in PAC controller logs
Example Error Comment: YAML Error Comment
YAML syntax errors halt execution of all PipelineRuns, even valid ones. Validation errors only affect the invalid PipelineRun.
Check namespace events: 
kubectl get events -n my-namespace --sort-by='.lastTimestamp'

Subsequent PR Updates

Error comments are updated on new commits:
  • New errors replace the comment
  • Fixed errors leave the comment (not deleted)

Cancelling PipelineRuns

Cancel In-Progress (Automatic)

Automatically cancel older runs when new commits are pushed: 
metadata:
  annotations:
    pipelinesascode.tekton.dev/cancel-in-progress: "true"
Behavior:
  • Only cancels runs for the same PR or same branch (push events)
  • Different PRs are isolated from each other
  • Cancellation happens after the new PipelineRun starts
  • Not compatible with concurrency_limit
Closed PR Cancellation: If a PR is closed/declined, all in-progress PipelineRuns are cancelled.

Cancel via GitOps Command

Cancel all PipelineRuns on a PR: 
/cancel
Cancel a specific PipelineRun: 
/cancel my-pipeline-name
See GitOps Commands for more details.

Restarting PipelineRuns

GitHub Apps: Re-Run Button

Click Re-Run in the Checks tab: GitHub Re-Run You can:
  • Re-run a single pipeline
  • Re-run all checks

GitOps Commands

Restart failed PipelineRuns: 
/retest
Restart a specific PipelineRun: 
/retest my-pipeline-name
Force restart (even if succeeded): 
/test my-pipeline-name
See GitOps Commands for complete details.

Skip CI

Skip automatic pipeline execution by including skip commands in commit messages: 
docs: update README [skip ci]
Supported skip commands (case-sensitive):
  • [skip ci]
  • [ci skip]
  • [skip tkn]
  • [tkn skip]

How It Works

  • No PipelineRuns created when PR opened/updated
  • Neutral status check posted (“CI skipped”)
  • Can still trigger manually with GitOps commands

GitOps Override

Skip commands can be overridden: 
# Commit with skip command
git commit -m "docs: update guide [skip ci]"
git push
# No pipelines run automatically

# Later, manually trigger via PR comment:
# /test

When to Use Skip Commands

  • Documentation-only changes
  • README updates
  • Comment/formatting changes
  • WIP commits
  • Minor typo fixes

Execution Namespace

PipelineRuns always execute in the namespace of the Repository CR. 
apiVersion: "pipelinesascode.tekton.dev/v1alpha1"
kind: Repository
metadata:
  name: my-repo
  namespace: my-namespace  # PipelineRuns run here
spec:
  url: "https://github.com/owner/repo"
For security, explicitly target the namespace in PipelineRuns: 
annotations:
  pipelinesascode.tekton.dev/target-namespace: "my-namespace"

Status Updates

GitHub

GitHub Apps:
  • Detailed Checks with task-by-task status
  • Log snippets on failures
  • Task execution time
  • Secrets automatically redacted
GitHub Webhooks:
  • Commit status (pending, success, failure)
  • Link to logs

GitLab

Commit status updates:
  1. Try source project (fork)
  2. Fallback to target project
  3. Comment if both fail

Forgejo/Gitea

Commit status on pull requests with overall pass/fail.

Best Practices

1
Use OWNERS files
2
Define authorized users in version control:
3
approvers:
  - team-lead
  - senior-dev
reviewers:
  - developer1
  - developer2
4
Configure comment strategy
5
Reduce notification noise:
6
spec:
  settings:
    github:
      comment_strategy: "update"  # Single comment, updated on each run
7
Set concurrency limits
8
Prevent resource exhaustion:
9
spec:
  concurrency_limit: 3
10
Enable auto-cancellation
11
Save resources on rapid commits:
12
annotations:
  pipelinesascode.tekton.dev/cancel-in-progress: "true"
13
Use default branch provenance
14
Enforce pipeline review process:
15
spec:
  settings:
    pipelinerun_provenance: "default_branch"

Troubleshooting

PipelineRuns not triggering

1
Check authorization
2
Verify the user is authorized:
3
# Check OWNERS file
curl https://raw.githubusercontent.com/owner/repo/main/OWNERS
4
Verify Repository CR
5
kubectl get repository -n my-namespace
kubectl describe repository my-repo -n my-namespace
6
Check event matching
7
Ensure annotations match the event:
8
annotations:
  pipelinesascode.tekton.dev/on-event: "[pull_request]"  # Must match event type
  pipelinesascode.tekton.dev/on-target-branch: "[main]"  # Must match target branch
9
Review PAC controller logs
10
kubectl logs -n pipelines-as-code -l app.kubernetes.io/name=controller

GitHub bot issues

If GitHub bots aren’t triggering:
  1. Bots are silently ignored unless authorized
  2. Add bots to OWNERS or Repository CR policy:
spec:
  settings:
    policy:
      pull_request:
        - "dependabot[bot]"
        - "renovate[bot]"

Draft PR not skipping

Add CEL expression: 
annotations:
  pipelinesascode.tekton.dev/on-cel-expression: |
    event == "pull_request" && !body.pull_request.draft

Next Steps

GitOps Commands

Control pipelines with /test, /retest, and /cancel commands

Event Matching

Advanced event matching with CEL expressions

Pipeline Resolution

Remote task and pipeline resolution

Repository CRD

Configure authorization policies

Build docs developers (and LLMs) love

Get started for freeTalk to us