[release-v0.39] chore(deps): bump tektoncd/pipeline to v1.6.2

[theakshaypant]

📝 Description of the Change

Addresses CVE-2026-40161 (GHSA-wjxp-xrpv-xpff), a high-severity vulnerability where the git resolver API mode leaks system-configured API tokens to user-controlled serverURL endpoints. Also includes path traversal hardening for volume mount validation using filepath.Clean.

🔗 Linked GitHub Issue

Fixes #

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

🤖 AI Assistance

AI assistance can be used for various tasks, such as code generation,
documentation, or testing.

Please indicate whether you have used AI assistance
for this PR and provide details if applicable.

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

Important

Slop will be simply rejected, if you are using AI assistance you need to make sure you
understand the code generated and that it meets the project's standards. you
need at least know how to run the code and deploy it (if needed). See
startpaac to make it easy
to deploy and test your code changes.

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Claude noreply@anthropic.com

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any
  issues. For an efficient workflow, I have considered installing
  pre-commit and running pre-commit install to
  automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[gemini-code-assist]

Code Review

This pull request updates the Go version and the github.com/tektoncd/pipeline dependency. Feedback was provided regarding a likely typo in the Go version directive and the removal of the toolchain specification. Additionally, the reviewer noted that the path traversal hardening mentioned in the PR description is missing from the actual code changes.

[gemini-code-assist]

The go directive version 1.24.13 appears to be a typo, as it is an unusually high patch version for Go 1.24. Additionally, the removal of the toolchain directive reduces control over the specific Go version used for builds. It is recommended to use the minor version in the go directive and specify the patch version in the toolchain directive.

go 1.24

toolchain go1.24.2

[theakshaypant]

This was automatically updated after running the go mod tidy command. The same version is used by tektoncd/pipeline Ref.

[gemini-code-assist]

The pull request description states that this change includes path traversal hardening for volume mount validation using filepath.Clean. However, the current diff only contains changes to go.mod and go.sum. Please include the missing implementation for the hardening logic to ensure the security improvements are applied as intended.

[theakshaypant]

The fix comes from the dependency update.