diff --git a/.github/workflows/chatops_retest.yaml b/.github/workflows/chatops_retest.yaml
new file mode 100644
index 0000000000..f428dd76a1
--- /dev/null
+++ b/.github/workflows/chatops_retest.yaml
@@ -0,0 +1,14 @@
+name: Rerun Failed Actions
+
+permissions:
+ contents: read
+
+on:
+ repository_dispatch:
+ types: [retest-command]
+
+jobs:
+ retest:
+ name: Rerun Failed Actions
+ uses: tektoncd/plumbing/.github/workflows/_chatops_retest.yml@8441d6ffad5bf64f631ed0e67e46192fdedaca47
+ secrets: inherit
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000000..3b6c054510
--- /dev/null
+++ b/.github/workflows/ci.yaml
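Review bot: `secrets: inherit` on the `retest` job hands every secret available to this repository to the reusable workflow in tektoncd/plumbing, although a rerun job presumably needs a single token. The commit pin on `_chatops_retest.yml@8441d6ff…` fixes which code receives them, but the grant is still broader than the job needs; an explicit mapping such as `secrets:` with `TOKEN_NAME: ${{ secrets.TOKEN_NAME }}` (placeholder name, the real one is declared by the called workflow) limits the exposure to that one value. The same line appears in `slash.yml`, where the trigger is `issue_comment` and the only visible gate is `if: ${{ github.event.issue.pull_request }}`, so any check on who wrote the comment has to live in the called workflow; a comment next to the `uses:` line saying so would help the next reader.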
@@ -0,0 +1,98 @@
+name: ci
+
+on: [pull_request] # yamllint disable-line rule:truthy
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull-request.number || github.ref }}
+ cancel-in-progress: true
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ contents: read
+ checks: write # Used to annotate code in the PR
+
+jobs:
+ build:
+ name: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ with:
+ go-version-file: "go.mod"
+ - name: build
+ run: |
+ go build -v ./...
+ linting:
+ needs: [build]
+ name: lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ with:
+ go-version-file: "go.mod"
+ - name: gofmt
+ run: |
+ gofmt_out=$(gofmt -d $(find * -name '*.go' ! -path 'vendor/*' ! -path 'third_party/*'))
+ if [[ -n "$gofmt_out" ]]; then
+ failed=1
+ fi
+ echo "$gofmt_out"
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+ with:
+ version: v1.64.6
+ only-new-issues: true
+ args: --timeout=10m
+ - name: yamllint
+ run: |
+ apt update && apt install -y yamllint
+ yamllint -c .yamllint $(find . -path ./vendor -prune -o -type f -regex ".*y[a]ml" -print | tr '\n' ' ')
+ - name: check-license
+ run: |
+ go install github.com/google/go-licenses@v1.0.0
+ go-licenses check ./...
+ tests: + needs: [build] + name: test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: "go.mod" + - name: build + run: | + make test-unit-verbose-and-race + generated: + needs: [build] + name: Check generated code + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: "go.mod" + - name: generated + run: | + go install github.com/google/go-licenses@v1.0.0 # Not sure why it is needed here + ./hack/verify-codegen.sh + multi-arch-build: + needs: [build] + name: Multi-arch build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: "go.mod" + - name: make cross + run: | + make cross + e2e-tests: + needs: [build] + uses: ./.github/workflows/e2e-matrix.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c6a09b284c..64e1d34af5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -11,12 +11,23 @@ # name: "CodeQL" +permissions: + contents: read + on: push: branches: [main] + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '**/*.yaml' pull_request: # The branches below must be a subset of the branches above branches: [main] + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '**/*.yaml' schedule: - cron: '30 20 * * 2' 
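Review bot: The `gofmt` step in the `linting` job can never fail: it sets `failed=1` when `gofmt -d` prints a diff, but nothing reads that variable and the step ends on `echo`, which returns 0. Exit on a non-empty diff instead, e.g. `if [[ -n "$gofmt_out" ]]; then echo "$gofmt_out"; exit 1; fi`. In the same job the `yamllint` step runs `apt update && apt install -y yamllint` without `sudo`, which will likely fail on a hosted `ubuntu-latest` runner, and its `-regex ".*y[a]ml"` only matches names ending in `yaml`, so the `.yml` workflows added in this commit are not linted (`".*\.ya?ml"` covers both). The concurrency group reads `github.event.pull-request.number`, which appears to be a misspelling of `pull_request` (the spelling used in `e2e-matrix.yml`), so the expression always falls back to `github.ref`.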
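Review bot: The new top-level `permissions: contents: read` becomes the default for every job in this workflow, and uploading CodeQL results needs `security-events: write`. The job definition lies outside this hunk, so confirm that the analysis job carries its own `permissions:` block with `security-events: write`; without it the upload in `Perform CodeQL Analysis` would be rejected. Separately, `paths-ignore` lists `'**/*.yaml'` but not `'**/*.yml'`, while this workflow and two of the new ones use the `.yml` extension; if the intent is to skip workflow-only changes, add `- '**/*.yml'` to both lists.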
@@ -37,12 +48,21 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Setup go + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: "go.mod" # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -50,21 +70,10 @@ jobs: # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main - # setup cache to speed up the action - - uses: actions/cache@v4 - with: - path: | - ~/.cache/go-build - ~/.cache/pip - ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) # - name: Autobuild - # uses: github/codeql-action/autobuild@v3 + # uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -81,4 +90,4 @@ jobs: make bin/tkn - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11 diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml new file mode 100644 index 0000000000..76f71db6b5 --- /dev/null 
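Review bot: `egress-policy: audit` on the new `Harden Runner` step only records outbound connections; nothing is blocked, so the step adds visibility but no containment for the build that follows. That is a reasonable first stage, but the file should say it is one: add a comment such as `# audit only for now; move to egress-policy: block with allowed-endpoints once the baseline is reviewed`. The steps list continues outside this hunk.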
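Review bot: The commented-out Autobuild line is pinned to `1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9`, while `init` and `analyze` in this file are pinned to `6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11`. Anyone who uncomments it later would run three codeql-action steps from two different releases; use the same pin, `# uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11`, so that an update tool or reviewer bumps all three together.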
+++ b/.github/workflows/e2e-matrix.yml 
@@ -0,0 +1,85 @@
+name: Tekton Integration
+# Adapted from https://github.com/mattmoor/mink/blob/master/.github/workflows/minkind.yaml
+
+on: [workflow_call]
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ e2e-tests:
+ concurrency:
+ group: ${{ github.workflow }}-${{ matrix.k8s-name }}-${{ matrix.feature-flags }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+ name: e2e tests
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false # Keep running if one leg fails.
+ matrix:
+ k8s-name:
+ - k8s-oldest
+ - k8s-plus-one
+
+ include:
+ - k8s-name: k8s-oldest
+ k8s-version: v1.28.x
+ - k8s-name: k8s-plus-one
+ k8s-version: v1.29.x
+ env:
+ KO_DOCKER_REPO: registry.local:5000/tekton
+ CLUSTER_DOMAIN: c${{ github.run_id }}.local
+ ARTIFACTS: ${{ github.workspace }}/artifacts
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+ with:
+ go-version-file: "go.mod"
+ - uses: ko-build/setup-ko@v0.8
+
+ - name: Install Dependencies
+ working-directory: ./
+ run: |
+ echo '::group:: install go-junit-report'
+ go install github.com/jstemmer/go-junit-report@v0.9.1
+ echo '::endgroup::'
+
+ echo '::group:: created required folders'
+ mkdir -p "${ARTIFACTS}"
+ echo '::endgroup::'
+
+ echo "${GOPATH}/bin" >> "$GITHUB_PATH"
+
+ - name: Run tests
+ run: |
+ ./hack/setup-kind.sh \
+ --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \
+ --cluster-suffix c${{ github.run_id }}.local \
+ --nodes 3 \
+ --k8s-version ${{ matrix.k8s-version }} \
+ --e2e-script ./test/e2e-tests.sh \
+ --e2e-env ./test/e2e-tests-kind-prow.env
+
+ - name: Upload test results
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}
+ path: ${{ env.ARTIFACTS }}
+
+ - uses: chainguard-dev/actions/kind-diag@main
+ if: ${{ failure() }}
+ with:
+ artifact-name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}-logs
+
+
- name: Dump Artifacts + if: ${{ failure() }} + run: | + if [[ -d ${{ env.ARTIFACTS }} ]]; then + cd ${{ env.ARTIFACTS }} + for x in $(find . -type f); do + echo "::group:: artifact $x" + cat $x + echo '::endgroup::' + done + fi diff --git a/.github/workflows/slash.yml b/.github/workflows/slash.yml new file mode 100644 index 0000000000..ddaf9abc5e --- /dev/null +++ b/.github/workflows/slash.yml @@ -0,0 +1,17 @@ +name: Slash Command Routing + +permissions: + contents: read + +on: + issue_comment: + types: [created] + +jobs: + check_comments: + if: ${{ github.event.issue.pull_request }} + permissions: + issues: write # for peter-evans/slash-command-dispatch to create issue reaction + pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction + uses: tektoncd/plumbing/.github/workflows/_slash.yml@8441d6ffad5bf64f631ed0e67e46192fdedaca47 + secrets: inherit diff --git a/Makefile b/Makefile index d5a09cf37c..513469a0f5 100644 --- a/Makefile +++ b/Makefile @@ -118,9 +118,10 @@ lint-yaml: ${YAML_FILES} ; $(info $(M) running yamllint…) ## runs yamllint on @yamllint -c .yamllint $(YAML_FILES) ## Tests -TEST_UNIT_TARGETS := test-unit-verbose test-unit-race +TEST_UNIT_TARGETS := test-unit-verbose test-unit-race test-unit-verbose-and-race test-unit-verbose: ARGS=-v test-unit-race: ARGS=-race +test-unit-verbose-and-race: ARGS=-v -race $(TEST_UNIT_TARGETS): test-unit .PHONY: $(TEST_UNIT_TARGETS) test-unit test-unit: ; $(info $(M) running unit tests…) ## Run unit tests diff --git a/go.mod b/go.mod index 4ad2adad59..664207acc3 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/tektoncd/chains v0.24.0 github.com/tektoncd/hub v1.20.0 github.com/tektoncd/pipeline v0.69.0 - github.com/tektoncd/plumbing v0.0.0-20250116154805-bf07e665a460 + github.com/tektoncd/plumbing v0.0.0-20250313115811-582146ce551e github.com/tektoncd/triggers v0.31.0 github.com/theupdateframework/go-tuf v0.7.0 go.opencensus.io v0.24.0 
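Review bot: Three actions in the new `e2e-matrix.yml` are referenced by mutable refs (`ko-build/setup-ko@v0.8`, `actions/upload-artifact@v4` and `chainguard-dev/actions/kind-diag@main`), while every other action touched by this commit is pinned to a commit SHA. `@main` in particular means that whatever is on that branch at run time executes inside the job. Pin each one the same way as the others, e.g. `uses: chainguard-dev/actions/kind-diag@COMMIT_SHA_PLACEHOLDER # version`, with the SHA taken from the upstream release. The workflow also declares no `permissions:` block, so the job runs with whatever the caller grants. `matrix.feature-flags` is used in the concurrency group and artifact names but never defined in the matrix shown, so it expands to an empty string.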
diff --git a/go.sum b/go.sum index 7381a0ee29..2f5674e9a5 100644 --- a/go.sum +++ b/go.sum @@ -1314,8 +1314,8 @@ github.com/tektoncd/hub v1.20.0 h1:/I5QAglWk62rlfFwN8+ekmQHyaULZpB9hIjqWzyqLbs= github.com/tektoncd/hub v1.20.0/go.mod h1:cYjg75tI2IBHAuwmae+8lLKdriv2JoAfnxnVbx6b9+s= github.com/tektoncd/pipeline v0.69.0 h1:1KgeNXfsuebg/HQ0lEKO79CDFqKUPrA7gSad5ZbeiHE= github.com/tektoncd/pipeline v0.69.0/go.mod h1:n8pgdQTRngXJC06Rii2zunb2GxBz/ZHE5n8AZFx4MdM= -github.com/tektoncd/plumbing v0.0.0-20250116154805-bf07e665a460 h1:J9Gk3j1x4Yi1qzcUn0w4KekxVdD7qTMdoGCChw3G32A= -github.com/tektoncd/plumbing v0.0.0-20250116154805-bf07e665a460/go.mod h1:Ks1fp1nPnhJxxT810eOkq2skeIiDuYjq3cIgpS5Gxk4= +github.com/tektoncd/plumbing v0.0.0-20250313115811-582146ce551e h1:3Zws3++VzABI9V2LLBjW2E7C1RcTKvI/8IHljCHf5V4= +github.com/tektoncd/plumbing v0.0.0-20250313115811-582146ce551e/go.mod h1:KTAEcFHz49nBdj/+ZX9LjVGjP5aaXm0JFnpqNnMNPuM= github.com/tektoncd/triggers v0.31.0 h1:UiOn9sjavdJDEoAT+FZf+L3I1QQvzI31oJm8+GpNa7s= github.com/tektoncd/triggers v0.31.0/go.mod h1:Oi+Umveu/vIefYAeS6XOa907tecAvx26sW7J62005tg= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= diff --git a/hack/setup-kind.sh b/hack/setup-kind.sh new file mode 100755 index 0000000000..e694814088 --- /dev/null +++ b/hack/setup-kind.sh 
@@ -0,0 +1,328 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Attribution:
+# Adapted for Tekton from https://github.com/mattmoor/mink/blob/master/hack/setup-kind.sh
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -x
+
+# Print error message and exit 1
+# Parameters: $1..$n - error message to be displayed
+function abort() {
+ echo "error: $*"
+ exit 1
+}
+
+# Defaults
+K8S_VERSION="v1.28.x"
+REGISTRY_NAME="registry.local"
+REGISTRY_PORT="5000"
+CLUSTER_SUFFIX="cluster.local"
+NODE_COUNT="1"
+REGISTRY_AUTH="0"
+ESTARGZ_SUPPORT="0"
+E2E_SCRIPT="test/e2e-tests.sh"
+E2E_ENV=""
+
+while [[ $# -ne 0 ]]; do
+ parameter="$1"
+ case "${parameter}" in
+ --k8s-version)
+ shift
+ K8S_VERSION="$1"
+ ;;
+ --registry-url)
+ shift
+ REGISTRY_NAME="$(echo "$1" | cut -d':' -f 1)"
+ REGISTRY_PORT="$(echo "$1" | cut -d':' -f 2)"
+ ;;
+ --cluster-suffix)
+ shift
+ CLUSTER_SUFFIX="$1"
+ ;;
+ --nodes)
+ shift
+ NODE_COUNT="$1"
+ ;;
+ --authenticated-registry)
+ REGISTRY_AUTH="1"
+ ;;
+ --e2e-script)
+ shift
+ E2E_SCRIPT="$1"
+ ;;
+ --e2e-env)
+ shift
+ E2E_ENV="$1"
+ ;;
+ *) abort "unknown option ${parameter}" ;;
+ esac
+ shift
+done
+
+# If E2E_ENV is set but the file doesn't exist, fall back on the old approach of invoking presubmit-tests.sh directly.
+if [[ "${E2E_ENV}" != "" && ! -f "${E2E_ENV}" ]]; then
+ ./test/presubmit-tests.sh --integration-tests
+ exit $?
+fi + +# The version map correlated with this version of KinD +case ${K8S_VERSION} in + v1.25.x) + K8S_VERSION="1.25.16" + KIND_IMAGE_SHA="sha256:5da57dfc290ac3599e775e63b8b6c49c0c85d3fec771cd7d55b45fae14b38d3b" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.26.x) + K8S_VERSION="1.26.15" + KIND_IMAGE_SHA="sha256:84333e26cae1d70361bb7339efb568df1871419f2019c80f9a12b7e2d485fe19" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.27.x) + K8S_VERSION="1.27.13" + KIND_IMAGE_SHA="sha256:17439fa5b32290e3ead39ead1250dca1d822d94a10d26f1981756cd51b24b9d8" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.28.x) + K8S_VERSION="1.28.9" + KIND_IMAGE_SHA="sha256:dca54bc6a6079dd34699d53d7d4ffa2e853e46a20cd12d619a09207e35300bd0" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.29.x) + K8S_VERSION="1.29.4" + KIND_IMAGE_SHA="sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.30.x) + K8S_VERSION="1.30.0" + KIND_IMAGE_SHA="sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + *) abort "Unsupported version: ${K8S_VERSION}" ;; +esac + +############################################################# +# +# Setup KinD cluster. +# +############################################################# +echo '--- Setup KinD Cluster' + +cat > kind.yaml <> kind.yaml <> kind.yaml < "${AUTH_DIR}/htpasswd" + + # Run a registry protected with htpasswd + EXTRA_ARGS=( + -v "${AUTH_DIR}:/auth" + -e "REGISTRY_AUTH=htpasswd" + -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" + -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" + ) + +fi + +docker run -d --restart=always \ + "${EXTRA_ARGS[@]}" \ + -p "$REGISTRY_PORT:$REGISTRY_PORT" --name "$REGISTRY_NAME" registry:2 + +# Connect the registry to the KinD network. 
+docker network connect "kind" "$REGISTRY_NAME" + +# Make the $REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to +# local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image +echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts + +# Create a registry-credentials secret and attach it to the list of service accounts in the namespace. +function sa_ips() { + local ns="${1}" + shift + + # Create a secret resource with the contents of the docker auth configured above. + kubectl -n "${ns}" create secret generic registry-credentials \ + --from-file=.dockerconfigjson=${HOME}/.docker/config.json \ + --type=kubernetes.io/dockerconfigjson + + for sa in "${@}" ; do + # Ensure the service account exists. + kubectl -n "${ns}" create serviceaccount "${sa}" || true + + # Attach the secret resource to the service account in the namespace. + kubectl -n "${ns}" patch serviceaccount "${sa}" -p '{"imagePullSecrets": [{"name": "registry-credentials"}]}' + done +} + +if [[ "${REGISTRY_AUTH}" == "1" ]]; then + + # This will create ~/.docker/config.json + docker login "http://$REGISTRY_NAME:$REGISTRY_PORT/v2/" -u "${USERNAME}" -p "${PASSWORD}" + + sa_ips "default" "default" +fi + +export KO_DOCKER_REPO=kind.local + +echo '--- Debug file system' +pwd +ls -al + + +if [[ "${E2E_SCRIPT}" == "" ]]; then + echo "Nothing else to do" + exit 0 +else + if [[ "${E2E_ENV}" != "" ]]; then + set -o allexport + source "${E2E_ENV}" + set +o allexport + fi + "${E2E_SCRIPT}" +fi diff --git a/hack/verify-codegen.sh b/hack/verify-codegen.sh index 8d1dc0c2d9..ee0cd18c1e 100755 --- a/hack/verify-codegen.sh +++ b/hack/verify-codegen.sh @@ -20,7 +20,6 @@ set -o pipefail source $(git rev-parse --show-toplevel)/vendor/github.com/tektoncd/plumbing/scripts/library.sh -export GO111MODULE=on readonly TMP_DIFFROOT="$(mktemp -d ${REPO_ROOT_DIR}/tmpdiffroot.XXXXXX)" cleanup() { diff --git a/vendor/modules.txt b/vendor/modules.txt index 25464ff470..e9225d9802 100644 --- a/vendor/modules.txt 
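Review bot: `set -x` is enabled for the whole of `hack/setup-kind.sh`, and the authenticated-registry branch runs `docker login … -u "${USERNAME}" -p "${PASSWORD}"`, so the password is written to the CI log by the trace and also appears on the command line. Pass it on stdin and silence the trace around it: `set +x`, then `printf '%s' "${PASSWORD}" | docker login "http://$REGISTRY_NAME:$REGISTRY_PORT/v2/" -u "${USERNAME}" --password-stdin`, then `set -x`. The KinD node images in the version map are pinned by digest, but the registry container is started from the floating tag `registry:2`; pin it the same way (`registry:2@sha256:DIGEST_PLACEHOLDER`). Part of this hunk (the heredocs and the credential setup) did not survive on this page, so where `USERNAME` and `PASSWORD` are assigned should be checked against the file itself.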
+++ b/vendor/modules.txt @@ -1631,8 +1631,8 @@ github.com/tektoncd/pipeline/pkg/spire/config github.com/tektoncd/pipeline/pkg/substitution github.com/tektoncd/pipeline/test github.com/tektoncd/pipeline/test/diff -# github.com/tektoncd/plumbing v0.0.0-20250116154805-bf07e665a460 -## explicit; go 1.22 +# github.com/tektoncd/plumbing v0.0.0-20250313115811-582146ce551e +## explicit; go 1.23 github.com/tektoncd/plumbing/scripts # github.com/tektoncd/triggers v0.31.0 ## explicit; go 1.22