Chuang Wang
Thanks @pritidesai @lbernick. sgtm! I'll add that!
> @chuangw6 are you still working on this? would you mind rebasing or closing?

Sorry I saw this as non-urgent and switched to other stuff before. Happy to get this...
> RE: [Comment](https://github.com/tektoncd/chains/blob/d523399299ad0717fbbce81fe0b212ad688ab56c/pkg/chains/formats/intotoite6/intotoite6.go#L112-L135) "we currently don't set ConfigSource because we don't know which material the Task definition came from" We might need to preserve an entry in the `materials` that...
cc @wlynch @priyawadhwa @lcarva @bcaton85 @jagathprakash
> IIUC, this would be source information for the Run object? We don't really have a concept of that today, since all Run objects come to us directly through the...
> Could this be a good place to store information about the Task (for TaskRun attestations) and the Pipeline (for PipelineRun attestations) definitions? Currently, this information is not stored in...
> I do have a question though - The SLSA spec says the invocation field "Identifies the event that kicked off the build." while the invocation.configSource field "Describes where the...
/hold waiting for https://github.com/tektoncd/pipeline/pull/5397
> @chuangw6, I remember a comment from @priyawadhwa that if we populate configSource, we shouldn't update buildConfig. Maybe I misunderstood the comment?

Yeah, I remember that. Talking to @wlynch before,...
> I'd prefer the provenance be as correct as possible based on the spec. If we can correctly set `configSource` we shouldn't need `buildConfig` anymore!

That makes sense to me...