Billy Lynch
This change creates a new `Signer` interface which encapsulates jwt.SigningMethod + the key material used to sign JWT tokens. This allows clients to modify how JWT tokens are signed by...
Sample run: https://prow.tekton.dev/view/gs/tekton-prow/pr-logs/pull/tektoncd_chains/575/pull-tekton-chains-integration-tests/1575147898453102592
A bunch of v1alpha1 types have been removed in [Pipelines 0.38](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0). This is blocking upgrade of the Pipelines dep - https://github.com/tektoncd/chains/pull/516 We should move our dependency to v1beta1.
We should add some basic e2e test running against real pipelines to verify things are working as expected. No preference on github actions vs https://github.com/tektoncd/chains/blob/main/test/e2e_test.go - whatever is easier!
Needed to grant access to dependabot alerts, protected branch configs, etc. /cc @priyawadhwa
**Description** We should add more details about Kubernetes based OIDC tokens in certificates to ID pods / service accounts. Currently we only include the service account / cluster, i.e. ```...
# Expected Behavior
If a TaskRun fails due to a user misconfiguration, pipelines controller should surface the reason. (e.g. `/usr/bin/env: No such file or directory`)
# Actual Behavior
## TaskRun...
# Changes
These should be drop in replacements with full shells.

Grype Output:

gcr.io/go-containerregistry/crane:debug | cgr.dev/chainguard/crane:latest-dev
-- | --
1 Critical, 5 High, 10 Medium, 11 Negligible, 2 Unknown | 1 Medium
golang:1.18.7 |...
We've talked about this on and off in the s3c working groups and also in the [Artifacts proposal](https://docs.google.com/document/d/13qxkpC0m5zTEWJ_oprA2ZO9D0wj_Q4xyz_UMiJchujU/edit?resourcekey=0-13bMrFgBumiIkEEGBQRfVw#heading=h.tvwq6yuf3x2e) for the last couple of months, but I don't think an issue...
### Feature request
Previously you used to be able to reference OCI bundles via a simple `bundle` field:
```yaml
taskRef:
  bundle: docker.io/myrepo/mycatalog@sha256:abc123
```
but this has been marked as deprecated....