ConfigMap Reference

This page documents every field in the Pipelines-as-Code global ConfigMap. Use this reference when you need to change cluster-wide defaults for all repositories. Individual Repository CRs can override most of these settings.

Location

Pipelines-as-Code installs the ConfigMap in the pipelines-as-code namespace by default:

kubectl get configmap pipelines-as-code -n pipelines-as-code

Configuration Fields

Application Settings

# application-name string default: Pipelines as Code CI

Sets the application name that Pipelines-as-Code displays in status updates and comments. If you use the GitHub App, also customize this label in the GitHub App settings.

application-name: "Pipelines as Code CI"

Secret Management

# secret-auto-create boolean default: true

Controls whether Pipelines-as-Code automatically creates a secret containing the Git provider token for use by the git-clone task.

secret-auto-create: "true"

# secret-github-app-token-scoped boolean default: true

Controls whether Pipelines-as-Code scopes generated tokens to only the repository that triggered the event. This setting is important when the GitHub App is installed on an organization with a mix of public and private repositories where some users should not access all repositories. Set to false if you trust every user in your organization to access all repositories, or if you are not installing your GitHub App at the organization level.

secret-github-app-token-scoped: "true"

# secret-github-app-scope-extra-repos string

Adds extra repositories to the token scope without disabling scoping entirely. List additional owner/repo pairs (on the same installation ID), separated by commas. Use this when your pipeline needs to access a shared library or dependency repository.

secret-github-app-scope-extra-repos: "owner/private-repo1, org/repo2"

Hub Configuration

# hub-url string default: https://artifacthub.io

Specifies the default hub URL that Pipelines-as-Code uses to fetch remote tasks.

hub-url: "https://artifacthub.io"

# hub-catalog-type string default: artifacthub

Sets the default hub catalog type. Supported values: artifacthub, tektonhub.

hub-catalog-type: "artifacthub"

# catalog-{N}-* object

Configures additional hub catalogs. You can define multiple catalogs by incrementing the number (catalog-1-, catalog-2-, etc.).

# catalog-{N}-id string

Unique identifier for this catalog.

# catalog-{N}-name string

Name of the catalog.

# catalog-{N}-url string

URL of the catalog API.

# catalog-{N}-type string

Type of catalog (tektonhub or artifacthub).

catalog-1-id: "custom"
catalog-1-name: "tekton"
catalog-1-url: "https://api.custom.hub/v1"
catalog-1-type: "tektonhub"

# remote-tasks boolean default: true

Controls whether Pipelines-as-Code fetches remote tasks from configured hubs.

remote-tasks: "true"

Dashboard Integration

# tekton-dashboard-url string

Sets the Tekton dashboard URL. Pipelines-as-Code uses this base URL to generate links to PipelineRun details in status reports.

tekton-dashboard-url: "https://tekton.example.com"

# custom-console-name string

Sets the display name for a custom console to use instead of the Tekton dashboard.

custom-console-name: "Console Name"

# custom-console-url string

Sets the base URL of the custom console.

custom-console-url: "https://url"

# custom-console-url-pr-details string

Defines the template URL for PipelineRun details. Supports variables: {{ namespace }}, {{ pr }}.

custom-console-url-pr-details: "https://url/ns/{{ namespace }}/{{ pr }}"

# custom-console-url-pr-tasklog string

Defines the template URL for task logs. Supports variables: {{ namespace }}, {{ pr }}, {{ task }}.

custom-console-url-pr-tasklog: "https://url/ns/{{ namespace }}/{{ pr }}/logs/{{ task }}"

Error Detection and Logging

# error-log-snippet boolean default: true

Controls whether Pipelines-as-Code shows a log snippet from the failed task when a Pipeline encounters an error. Disable this setting if your pipeline output may contain sensitive values.

error-log-snippet: "true"

# error-log-snippet-number-of-lines integer default: 3

Sets the number of lines to display in error log snippets when error-log-snippet is true. Keep this value conservative because the GitHub Check interface has a 65,535 character limit.

error-log-snippet-number-of-lines: "3"

# error-detection-from-container-logs boolean default: true

Controls whether Pipelines-as-Code inspects container logs to detect error messages and exposes them as annotations on pull requests. Only GitHub Apps are supported.

error-detection-from-container-logs: "true"

# error-detection-max-number-of-lines integer default: 50

Sets how many lines Pipelines-as-Code reads from the container when inspecting logs for error detection. Increasing this value may increase watcher memory usage. Use -1 for unlimited lines.

error-detection-max-number-of-lines: "50"

# error-detection-simple-regexp string

Sets the default regular expression used for simple error detection. Must be a valid regular expression.

error-detection-simple-regexp: |
  ^(?P<filename>[^:]*):(?P<line>[0-9]+):(?P<column>[0-9]+)?([ ]*)?(?P<error>.*)
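Added example (not Pipelines-as-Code source code): the default pattern above applied in Go to constructed log lines, showing which named groups each line yields. The detect helper, the Annotation type and the assumption that the line limit keeps the tail of the log are illustrative.

```go
package main

import (
	"fmt"
	"regexp"
)

// Default value of error-detection-simple-regexp, copied from the page.
var simpleRe = regexp.MustCompile(
	`^(?P<filename>[^:]*):(?P<line>[0-9]+):(?P<column>[0-9]+)?([ ]*)?(?P<error>.*)`)

// Annotation holds the named groups captured from one matching log line.
type Annotation struct{ File, Line, Column, Msg string }

// detect applies the pattern to at most maxLines lines, -1 meaning unlimited.
// Assumption: the limit keeps the last lines of the log (tail behaviour).
func detect(logLines []string, maxLines int) []Annotation {
	if maxLines >= 0 && len(logLines) > maxLines {
		logLines = logLines[len(logLines)-maxLines:]
	}
	var out []Annotation
	for _, l := range logLines {
		m := simpleRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		g := func(name string) string { return m[simpleRe.SubexpIndex(name)] }
		out = append(out, Annotation{g("filename"), g("line"), g("column"), g("error")})
	}
	return out
}

// Constructed container log lines, not output from a real pipeline.
var sampleLog = []string{
	"2024-05-01T10:15:30Z build started", // timestamp: also matches the pattern
	"src/app.js:100:10: 'x' is not defined",
	"Makefile:12: *** missing separator",
	"npm ERR! code 1", // no file:line prefix, ignored
}

func main() {
	for _, a := range detect(sampleLog, -1) {
		fmt.Printf("%+v\n", a)
	}
}
```

With a column present, the colon that follows it is not consumed and stays at the start of the error group. The timestamped first line is captured as if it were a file reference, which is worth knowing before relying on the default pattern for logs that carry timestamps.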

Concurrency Control

# enable-cancel-in-progress-on-pull-requests boolean default: false

Controls whether Pipelines-as-Code automatically cancels in-progress PipelineRuns for a pull request when that pull request receives a new push. This prevents redundant runs from consuming cluster resources.

enable-cancel-in-progress-on-pull-requests: "false"

# enable-cancel-in-progress-on-push boolean default: false

Controls whether Pipelines-as-Code automatically cancels in-progress PipelineRuns triggered by a push event when a new push occurs on the same branch. This prevents overlapping runs for the same branch.

enable-cancel-in-progress-on-push: "false"

Bitbucket Cloud Settings

# bitbucket-cloud-check-source-ip boolean default: true

Controls whether Pipelines-as-Code validates incoming webhook requests against Bitbucket Cloud’s published IP ranges at https://ip-ranges.atlassian.com/. Because public Bitbucket does not support webhook secrets, IP verification is the primary security mechanism. This check applies only to public Bitbucket (when provider.url is not set in the Repository CR spec).

Disabling this setting creates a security risk. A malicious user could submit a pull request with a modified PipelineRun that exfiltrates secrets, then send a forged webhook payload to trigger it.

bitbucket-cloud-check-source-ip: "true"

# bitbucket-cloud-additional-source-ip string

Adds extra IPs (for example, 127.0.0.1) or networks (for example, 127.0.0.0/16) to the allowed list, separated by commas.

bitbucket-cloud-additional-source-ip: "192.168.1.0/24, 10.0.0.1"
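The allow-list decision described in this section, as an added Go example (not Pipelines-as-Code source code): it parses the comma-separated mix of IPs and networks and rejects any source outside it. The function names are hypothetical, and 203.0.113.0/24 is a constructed stand-in for the published Atlassian ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseAllowList parses a comma-separated list of single IPs or CIDR networks.
func parseAllowList(csv string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, item := range strings.Split(csv, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") { // single address becomes a one-host network
			if a, err := netip.ParseAddr(item); err == nil {
				item = netip.PrefixFrom(a, a.BitLen()).String()
			}
		}
		p, err := netip.ParsePrefix(item)
		if err != nil {
			return nil, fmt.Errorf("bad allow-list entry %q: %w", item, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// sourceAllowed fails closed: an unparsable source address is rejected.
func sourceAllowed(src string, allowed []netip.Prefix) bool {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return false
	}
	addr = addr.Unmap() // ::ffff:a.b.c.d must match IPv4 ranges
	for _, p := range allowed {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed ranges: 203.0.113.0/24 stands in for the published list.
	allowed, _ := parseAllowList("203.0.113.0/24, 192.168.1.0/24, 10.0.0.1")
	fmt.Println(sourceAllowed("203.0.113.7", allowed), sourceAllowed("198.51.100.9", allowed))
}
```

The source address passed in has to be the one reported by a hop you control; every entry added through bitbucket-cloud-additional-source-ip widens the set of hosts whose webhooks are accepted.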

Retention Policies

# max-keep-run-upper-limit integer

Sets the maximum value that a user can specify in the max-keep-runs annotation on a PipelineRun. If a user sets a value higher than this limit, Pipelines-as-Code uses the upper limit during cleanup instead.

max-keep-run-upper-limit: "100"

# default-max-keep-runs integer

Sets the default cleanup retention count. Pipelines-as-Code applies this value to all PipelineRuns that do not have the max-keep-runs annotation.

default-max-keep-runs: "10"

Auto-Configuration

# auto-configure-new-github-repo boolean default: false

Controls whether Pipelines-as-Code automatically creates a namespace and Repository CR for newly created repositories. Supported only with the GitHub App.

auto-configure-new-github-repo: "false"

# auto-configure-repo-namespace-template string

Defines the template for generating namespace names when auto-configuring GitHub repositories. Supported fields: {{repo_owner}}, {{repo_name}}.

auto-configure-repo-namespace-template: "{{repo_owner}}-{{repo_name}}"

# auto-configure-repo-repository-template string

Defines the template for generating Repository CR names when auto-configuring GitHub repositories. Supported fields: {{repo_owner}}, {{repo_name}}.

auto-configure-repo-repository-template: "{{repo_owner}}-{{repo_name}}-repo-cr"

Security and Authorization

# remember-ok-to-test boolean default: false

Controls whether Pipelines-as-Code remembers a previous /ok-to-test approval when new commits are pushed to a pull request. By default, users must issue /ok-to-test on each push. Set to true to persist the approval across push events.

remember-ok-to-test: "false"

# require-ok-to-test-sha boolean default: false

Requires that a pull request’s commit SHA be specified in an /ok-to-test comment. This prevents a race condition where a malicious user pushes a new commit after the /ok-to-test comment but before Pipelines-as-Code starts the CI run.

require-ok-to-test-sha: "false"
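The check that require-ok-to-test-sha adds, as an added Go example (not Pipelines-as-Code source code): the approval is bound to the commit the maintainer reviewed and is refused if the pull request head has changed. The comment syntax (/ok-to-test followed by a 7 to 40 character hex SHA), the function name and the SHAs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed syntax: "/ok-to-test" alone on a line, optionally followed by a
// 7 to 40 character hex commit SHA.
var okToTestRe = regexp.MustCompile(`(?m)^/ok-to-test(?:[ \t]+([0-9a-fA-F]{7,40}))?[ \t]*\r?$`)

// approves decides whether a comment authorises a run of headSHA, the pull
// request head read at the moment the run is about to start.
func approves(comment, headSHA string, requireSHA bool) (bool, string) {
	m := okToTestRe.FindStringSubmatch(comment)
	if m == nil {
		return false, "no valid /ok-to-test command"
	}
	sha := strings.ToLower(m[1])
	switch {
	case sha == "" && requireSHA:
		return false, "SHA required but missing"
	case sha == "":
		return true, "approved for whatever commit is head"
	case strings.HasPrefix(strings.ToLower(headSHA), sha):
		return true, "approved for the reviewed commit"
	}
	return false, "head changed after review"
}

// Constructed SHAs: the commit a maintainer reviewed, and one pushed afterwards.
const (
	reviewedSHA = "3f2a9c1e5b7d4a6f8c0e1d2b3a4f5e6d7c8b9a0f"
	laterSHA    = "b7e4d21c9a3f5068e1d2c3b4a5f60718293a4b5c"
)

func main() {
	// The head moved to laterSHA between the comment and the start of the run.
	fmt.Println(approves("/ok-to-test", laterSHA, false))             // true: the race
	fmt.Println(approves("/ok-to-test", laterSHA, true))              // false
	fmt.Println(approves("/ok-to-test "+reviewedSHA, laterSHA, true)) // false
	fmt.Println(approves("/ok-to-test 3f2a9c1", reviewedSHA, true))   // true
}
```

Matching on the full 40-character SHA is the strictest form of this check.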
# skip-push-event-for-pr-commits boolean default: true

Prevents duplicate PipelineRuns when a commit appears in both a push event and a pull request. When a push event arrives from a commit that belongs to an open pull request, Pipelines-as-Code skips the push event.

skip-push-event-for-pr-commits: "true"

Complete Example

apiVersion: v1
kind: ConfigMap
metadata:
  name: pipelines-as-code
  namespace: pipelines-as-code
  labels:
    app.kubernetes.io/part-of: pipelines-as-code
data:
  application-name: "My CI System"
  secret-auto-create: "true"
  secret-github-app-token-scoped: "true"
  secret-github-app-scope-extra-repos: "org/shared-repo"

  hub-url: "https://artifacthub.io"
  hub-catalog-type: "artifacthub"
  remote-tasks: "true"

  tekton-dashboard-url: "https://tekton.example.com"

  error-log-snippet: "true"
  error-log-snippet-number-of-lines: "5"
  error-detection-from-container-logs: "true"
  error-detection-max-number-of-lines: "100"

  enable-cancel-in-progress-on-pull-requests: "true"
  enable-cancel-in-progress-on-push: "false"

  max-keep-run-upper-limit: "50"
  default-max-keep-runs: "10"

  remember-ok-to-test: "true"
  require-ok-to-test-sha: "false"
  skip-push-event-for-pr-commits: "true"

Updating Configuration

You can edit the ConfigMap directly:

kubectl edit configmap pipelines-as-code -n pipelines-as-code

Or apply changes from a YAML file:

kubectl apply -f pipelines-as-code-config.yaml

Most changes take effect immediately. Some settings may require you to restart the Pipelines-as-Code controller.