Add Provenance field in TaskRun&PipelineRun status
Change 1: Add a Provenance field in TaskRun&PipelineRun status. This field
currently only contains a subfield named `ConfigSource`, but can be extended later to
have more provenance-related fields.

Change 2: Prior, tektoncd#5551 introduced
the ConfigSource to api/resolution alpha & beta package. In this PR, we moved
the ConfigSource to api/pipeline alpha & beta package for the provenance field
to reuse that type (cannot import the api/resolution alpha because of
import cycle).

Why: See the motivation and discussions in tektoncd#5550.
The tldr is that it helps pass provenance-related data in a more structured way;
ConfigSource is one example.

Signed-off-by: Chuang Wang <chuangw@google.com>
chuangw6 committed Oct 5, 2022
1 parent 7aa4a34 commit 392990d
Showing 29 changed files with 499 additions and 176 deletions.
10 changes: 5 additions & 5 deletions docs/how-to-write-a-resolver.md
Expand Up @@ -186,11 +186,11 @@ We'll also need to add another import for this package at the top:
import (
"context"

"github.com/tektoncd/pipeline/pkg/apis/resolution/v1beta1"
// Add this one; it defines LabelKeyResolverType we use in GetSelector
// Add this one; it defines LabelKeyResolverType we use in GetSelector
"github.com/tektoncd/pipeline/pkg/resolution/common"
"github.com/tektoncd/pipeline/pkg/resolution/resolver/framework"
"knative.dev/pkg/injection/sharedmain"
pipelinev1beta1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
)
```
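Review bot: in the new import block the aliased line `pipelinev1beta1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"` is placed after `"knative.dev/pkg/injection/sharedmain"`, which breaks the sorted order gofmt enforces within an import group; move it up beside the other `github.com/tektoncd/pipeline/...` imports so a reader who pastes the snippet does not immediately get a gofmt diff. The comment `// Add this one; it defines LabelKeyResolverType we use in GetSelector` also appears twice in the rendered hunk; make sure only one copy survives and that it still sits directly above the `.../resolution/common` import it describes.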

Expand Down Expand Up @@ -262,7 +262,7 @@ func (*myResolvedResource) Annotations() map[string]string {

// Source is the source reference of the remote data that records where the remote
// file came from including the url, digest and the entrypoint. None atm.
func (*myResolvedResource) Source() *v1beta1.ConfigSource {
func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource {
return nil
}
```
Expand All @@ -275,8 +275,8 @@ following example.
```go
// Source is the source reference of the remote data that records where the remote
// file came from including the url, digest and the entrypoint.
func (*myResolvedResource) Source() *v1beta1.ConfigSource {
return &v1beta1.ConfigSource{
func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource {
return &v1alpha1.ConfigSource{
URI: "https://github.com/user/example",
Digest: map[string]string{
"sha1": "example",
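Review bot: the body `return &v1alpha1.ConfigSource{` does not match the new signature `func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource`, and `v1alpha1` is not among the imports shown earlier in this document, so the example will not compile as written; change it to `return &pipelinev1beta1.ConfigSource{`. Since the doc example is what resolver authors copy, it is also worth pairing the `"sha1"` entry with a `"sha256"` digest of the actual file content, so that downstream provenance consumers have a collision-resistant hash to verify against rather than a commit id alone.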
2 changes: 1 addition & 1 deletion docs/resolver-template/cmd/demoresolver/main.go
Expand Up @@ -95,6 +95,6 @@ func (*myResolvedResource) Annotations() map[string]string {

// Source is the source reference of the remote data that records where the remote
// file came from including the url, digest and the entrypoint. None atm.
func (*myResolvedResource) Source() *v1beta1.ConfigSource {
func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource {
return nil
}
98 changes: 94 additions & 4 deletions pkg/apis/pipeline/v1/openapi_generated.go


3 changes: 3 additions & 0 deletions pkg/apis/pipeline/v1/pipelinerun_types.go
Expand Up @@ -427,6 +427,9 @@ type PipelineRunStatusFields struct {
// FinallyStartTime is when all non-finally tasks have been completed and only finally tasks are being executed.
// +optional
FinallyStartTime *metav1.Time `json:"finallyStartTime,omitempty"`

// Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource
Provenance *Provenance `json:"provenance,omitempty"`
}

// SkippedTask is used to describe the Tasks that were skipped due to their When Expressions
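Review bot: the new `Provenance *Provenance` field is missing the `// +optional` marker that `FinallyStartTime` directly above it carries; add it so the generated OpenAPI schema records the field as optional instead of relying on `omitempty` alone. The comment "contains all the information that needs to be recorded in a provenance i.e. ConfigSource" would also be clearer if it said that this is status populated by the controller from the resolved source and is not meant to be set by the submitter, since a consumer deciding whether to trust it needs to know where the value comes from.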
39 changes: 39 additions & 0 deletions pkg/apis/pipeline/v1/provenance.go
@@ -0,0 +1,39 @@
/*
Copyright 2022 The Tekton Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1

// Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource
type Provenance struct {
// Source identifies where the task/pipeline file came from.
Source *ConfigSource `json:"source,omitempty"`
}

// ConfigSource records where the task/pipeline file came from.
type ConfigSource struct {
// URI indicates the identity of the source of the config.
// Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri
// Example: "https://github.com/tektoncd/catalog"
URI string `json:"uri,omitempty"`

// Digest is a collection of cryptographic digests for the contents of the artifact specified by URI.
// Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest
// Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"}
Digest map[string]string `json:"digest,omitempty"`

// EntryPoint identifies the entry point into the build. This is often a path to a
// configuration file and/or a target label within that file.
// Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint
// Example: "task/git-clone/0.8/git-clone.yaml"
EntryPoint string `json:"entryPoint,omitempty"`
}
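Review bot: `Digest map[string]string` accepts any key and any value, and the only example given is `{"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"}`; document which algorithm names are expected (the SLSA DigestSet names linked in the comment) and that values are lowercase hex, otherwise every provenance consumer has to guess how to interpret the map. A SHA-1 of a git commit identifies the revision but is not a strong content hash of the entrypoint file, so the comment should encourage resolvers to also record a `sha256` of the fetched file when they have it. Since nothing here validates `URI`, `Digest` or `EntryPoint`, note in the type doc where (if anywhere) that validation happens.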
48 changes: 48 additions & 0 deletions pkg/apis/pipeline/v1/swagger.json
Expand Up @@ -169,6 +169,28 @@
}
}
},
"v1.ConfigSource": {
"description": "ConfigSource records where the task/pipeline file came from.",
"type": "object",
"properties": {
"digest": {
"description": "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}",
"type": "object",
"additionalProperties": {
"type": "string",
"default": ""
}
},
"entryPoint": {
"description": "EntryPoint identifies the entry point into the build. This is often a path to a configuration file and/or a target label within that file. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint Example: \"task/git-clone/0.8/git-clone.yaml\"",
"type": "string"
},
"uri": {
"description": "URI indicates the identity of the source of the config. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri Example: \"https://github.com/tektoncd/catalog\"",
"type": "string"
}
}
},
"v1.EmbeddedTask": {
"description": "EmbeddedTask is used to define a Task inline within a Pipeline's PipelineTasks.",
"type": "object",
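Review bot: this schema is generated from the Go doc comments, so the long `description` strings here (including the inline JSON example) will drift whenever the comments in provenance.go change; regenerate rather than hand-edit. Note also that the schema puts no format, pattern or minLength constraint on `uri`, `entryPoint` or the digest values (`additionalProperties` is a plain `string` with `"default": ""`), so any integrity or well-formedness checking of a recorded ConfigSource has to happen in Go validation code, not at the API schema layer.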
Expand Down Expand Up @@ -643,6 +665,10 @@
"description": "PipelineRunSpec contains the exact spec used to instantiate the run",
"$ref": "#/definitions/v1.PipelineSpec"
},
"provenance": {
"description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
"$ref": "#/definitions/v1.Provenance"
},
"results": {
"description": "Results are the list of results written out by the pipeline task's containers",
"type": "array",
Expand Down Expand Up @@ -692,6 +718,10 @@
"description": "PipelineRunSpec contains the exact spec used to instantiate the run",
"$ref": "#/definitions/v1.PipelineSpec"
},
"provenance": {
"description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
"$ref": "#/definitions/v1.Provenance"
},
"results": {
"description": "Results are the list of results written out by the pipeline task's containers",
"type": "array",
Expand Down Expand Up @@ -988,6 +1018,16 @@
}
}
},
"v1.Provenance": {
"description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
"type": "object",
"properties": {
"source": {
"description": "Source identifies where the task/pipeline file came from.",
"$ref": "#/definitions/v1.ConfigSource"
}
}
},
"v1.ResolverRef": {
"description": "ResolverRef can be used to refer to a Pipeline or Task in a remote location like a git repo. This feature is in beta and these fields are only available when the beta feature gate is enabled.",
"type": "object",
Expand Down Expand Up @@ -1838,6 +1878,10 @@
"type": "string",
"default": ""
},
"provenance": {
"description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
"$ref": "#/definitions/v1.Provenance"
},
"results": {
"description": "Results are the list of results written out by the task's containers",
"type": "array",
Expand Down Expand Up @@ -1900,6 +1944,10 @@
"type": "string",
"default": ""
},
"provenance": {
"description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
"$ref": "#/definitions/v1.Provenance"
},
"results": {
"description": "Results are the list of results written out by the task's containers",
"type": "array",
3 changes: 3 additions & 0 deletions pkg/apis/pipeline/v1/taskrun_types.go
Expand Up @@ -231,6 +231,9 @@ type TaskRunStatusFields struct {

// TaskSpec contains the Spec from the dereferenced Task definition used to instantiate this TaskRun.
TaskSpec *TaskSpec `json:"taskSpec,omitempty"`

// Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource
Provenance *Provenance `json:"provenance,omitempty"`
}

// TaskRunStepSpec is used to override the values of a Step in the corresponding Task.
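Review bot: same point as for `PipelineRunStatusFields`: the `Provenance *Provenance` field here should carry `// +optional` (as other optional status fields in this API do) so the generated schema marks it optional, and the comment is copied verbatim, so whatever clarification is adopted for the PipelineRun field about who populates it should be mirrored here to keep the two status types consistent.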