chains
Supply Chain Security in Tekton Pipelines
# Changes Support storing pipelinerun level provenance in grafeas backend. There are 3 main aspects of the PR: - created different BUILD Notes for storing both taskrun and pipelinerun level...
Bumps [gocloud.dev/pubsub/kafkapubsub](https://github.com/google/go-cloud) from 0.26.0 to 0.27.0. Release notes Sourced from gocloud.dev/pubsub/kafkapubsub's releases. v0.27.0 ANNOUNCEMENT: In the next release we plan to switch over from using OpenCensus to using OpenTelemetry; see...
# Changes Related to https://github.com/tektoncd/chains/issues/476 Prior, the StorageOpts key for OCI artifact was the first 12 characters of the digest. Now, we set it to be the full representation of...
Sample run: https://prow.tekton.dev/view/gs/tekton-prow/pr-logs/pull/tektoncd_chains/575/pull-tekton-chains-integration-tests/1575147898453102592
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.49.0 to 1.50.0. Release notes Sourced from github.com/golangci/golangci-lint's releases. v1.50.0 Changelog 890a8265 Normalize exclude-rules paths for Windows (#2387) db4955a3 build(deps): bump github.com/OpenPeeDeeP/depguard from 1.1.0 to 1.1.1 (#3186)...
Bumps [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) from 0.40.1 to 0.40.2. Release notes Sourced from github.com/tektoncd/pipeline's releases. Tekton Pipeline release v0.40.2 "Himalayan Sonny" -Docs @ v0.40.2 -Examples @ v0.40.2 Installation one-liner kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.40.2/release.yaml...
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.26.0 to 0.27.0. Release notes Sourced from gocloud.dev's releases. v0.27.0 ANNOUNCEMENT: In the next release we plan to switch over from using OpenCensus to using OpenTelemetry; see...
Bumps [gocloud.dev/docstore/mongodocstore](https://github.com/google/go-cloud) from 0.26.0 to 0.27.0. Release notes Sourced from gocloud.dev/docstore/mongodocstore's releases. v0.27.0 ANNOUNCEMENT: In the next release we plan to switch over from using OpenCensus to using OpenTelemetry; see...
A bunch of v1alpha1 types have been removed in [Pipelines 0.38](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0). This is blocking upgrade of the Pipelines dep - https://github.com/tektoncd/chains/pull/516 We should move our dependency to v1beta1.
We should add some basic e2e test running against real pipelines to verify things are working as expected. No preference on github actions vs https://github.com/tektoncd/chains/blob/main/test/e2e_test.go - whatever is easier!