[Tep-0091] Mark as implemented

[Yongxuanzhang]

Tep-0091 is implemented as tektoncd/pipeline#5527, this commit adds implementation PRs.

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign dlorenc after the PR has been reviewed.
You can assign the PR to them by writing /assign @dlorenc in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• teps/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[afrittoli]

Thank you @Yongxuanzhang !
In the TEP it says that resources will be verified both when applied to the cluster as well as when referenced - but I don't see an example of resources applied to the cluster in the docs https://tekton.dev/vault/pipelines-main/trusted-resources/ - it seems to refer to the remote resolution case only. Could you confirm whether the current implementation matches the TEP?

Note: API Resources (Task, Pipeline) will be verified both when applied to the cluster and when referenced in taskRun/pipelineRun. When the Run is created, referenced resources will be resolved and verified again to confirm continued verification. This will prevent the Run of a resource that was verifiable when created but is no longer verifiable, perhaps due to key revocation, a security breach, or discovery of a new vulnerability since the time of the initial verification.

Thank you!

[Yongxuanzhang]

Thank you @Yongxuanzhang ! In the TEP it says that resources will be verified both when applied to the cluster as well as when referenced - but I don't see an example of resources applied to the cluster in the docs https://tekton.dev/vault/pipelines-main/trusted-resources/ - it seems to refer to the remote resolution case only. Could you confirm whether the current implementation matches the TEP?

Note: API Resources (Task, Pipeline) will be verified both when applied to the cluster and when referenced in taskRun/pipelineRun. When the Run is created, referenced resources will be resolved and verified again to confirm continued verification. This will prevent the Run of a resource that was verifiable when created but is no longer verifiable, perhaps due to key revocation, a security breach, or discovery of a new vulnerability since the time of the initial verification.

Thank you!

Oh thanks for reminding me of this!! Yes you're right that for now we currently support verification of reference local tasks but not when we apply these resources. I will close this for now and add it !