chore(deps): update grpc and tektoncd/pipeline

[theakshaypant]

📝 Description of the Change

Upgrade google.golang.org/grpc to v1.79.3 to fix
CVE-2026-33186 (GHSA-p77j-4mvh-x3m3), a critical HTTP/2 :path validation flaw that allows bypassing authorization rules in gRPC interceptors.

Upgrade github.com/tektoncd/pipeline to v1.0.1 to address CVE-2026-33211 (GHSA-j5q5-j9gm-2w5c), a path traversal in the git resolver that could expose ServiceAccount tokens.

🔗 Linked GitHub Issue

N/A

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

🤖 AI Assistance

AI assistance can be used for various tasks, such as code generation,
documentation, or testing.

Please indicate whether you have used AI assistance
for this PR and provide details if applicable.

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

Important

Slop will be simply rejected, if you are using AI assistance you need to make sure you
understand the code generated and that it meets the project's standards. you
need at least know how to run the code and deploy it (if needed). See
startpaac to make it easy
to deploy and test your code changes.

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Claude noreply@anthropic.com

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any
  issues. For an efficient workflow, I have considered installing
  pre-commit and running pre-commit install to
  automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[gemini-code-assist]

Code Review

This pull request updates various dependencies in go.mod and go.sum to their latest versions, including Go 1.24.0. I have identified a critical issue where the update to github.com/go-jose/go-jose/v4 is being effectively blocked by an existing replace directive in the go.mod file, which pins the dependency to an older version. You must remove or update this replace directive to ensure the security update is correctly applied.

[gemini-code-assist]

The update to github.com/go-jose/go-jose/v4 v4.1.3 is currently being overridden by a replace directive at line 150 which pins the version to v4.0.5. This prevents the security update from taking effect. You should remove or update the replace directive to allow the project to use the intended version.

[zakisk]

why two PRs? #2643

[theakshaypant]

why two PRs? #2643

This one is for v0.37 and the other one is for v0.42. While the grpc version bump is the same is both, the pipeline version is different in both so created 2 separate PRs.

[chmouel]

lgtm