Add Provenance field in TaskRun&PipelineRun status

Change 1: Add a Provenance field in TaskRun&PipelineRun status that
currently only contains configsource data, but can be extended later to
have more provenance-related fields.

Change 2: Prior, tektoncd#5551 introduced
the ConfigSource to api/resolution alpha & beta package. In this PR, we moved
the ConfigSource to api/pipeline alpha & beta package for the provenance field
to reuse that type (cannot import the api/resolution alpha because of
import cycle).

Why: See the motivation and discussions in tektoncd#5550.
The tldr is that it helps pass provenance-related data in a more structured way
ConfigSource is one example.

Signed-off-by: Chuang Wang <chuangw@google.com>

Author: chuangw6

docs/how-to-write-a-resolver.md

@@ -191,7 +191,7 @@ import (
 
   "github.com/tektoncd/pipeline/pkg/resolution/resolver/framework"
   "knative.dev/pkg/injection/sharedmain"
-  "github.com/tektoncd/pipeline/pkg/apis/resolution/v1alpha1"
+  pipelinev1beta1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 )
 ```
 
@@ -263,7 +263,7 @@ func (*myResolvedResource) Annotations() map[string]string {
 
 // Source is the source reference of the remote data that records where the remote 
 // file came from including the url, digest and the entrypoint. None atm.
-func (*myResolvedResource) Source() *v1alpha1.ConfigSource {
+func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource {
 	return nil
 }
 ```
@@ -276,7 +276,7 @@ following example.
 ```go
 // Source is the source reference of the remote data that records where the remote 
 // file came from including the url, digest and the entrypoint.
-func (*myResolvedResource) Source() *v1alpha1.ConfigSource {
+func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource {
 	return &v1alpha1.ConfigSource{
 		URI: "https://github.com/user/example",
 		Digest: map[string]string{

docs/resolver-template/cmd/demoresolver/main.go

@@ -17,6 +17,7 @@ import (
 	"context"
 	"errors"
 
+	pipelinev1beta1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	"github.com/tektoncd/pipeline/pkg/apis/resolution/v1alpha1"
 	"github.com/tektoncd/pipeline/pkg/resolution/common"
 	"github.com/tektoncd/pipeline/pkg/resolution/resolver/framework"
@@ -94,6 +95,6 @@ func (*myResolvedResource) Annotations() map[string]string {
 
 // Source is the source reference of the remote data that records where the remote
 // file came from including the url, digest and the entrypoint. None atm.
-func (*myResolvedResource) Source() *v1alpha1.ConfigSource {
+func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource {
 	return nil
 }

go.sum

@@ -427,6 +427,9 @@ type PipelineRunStatusFields struct {
 	// FinallyStartTime is when all non-finally tasks have been completed and only finally tasks are being executed.
 	// +optional
 	FinallyStartTime *metav1.Time `json:"finallyStartTime,omitempty"`
+
+	// Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource
+	Provenance *Provenance `json:"provenance,omitempty"`
 }
 
 // SkippedTask is used to describe the Tasks that were skipped due to their When Expressions

pkg/apis/pipeline/v1/openapi_generated.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2022 The Tekton Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource
+type Provenance struct {
+	Source *ConfigSource `json:"source,omitempty"`
+}
+
+// ConfigSource records where the task/pipeline file came from.
+type ConfigSource struct {
+	// URI indicating the identity of the source of the config.
+	// https://github.com/in-toto/attestation/blob/main/spec/field_types.md#ResourceURI
+	// Example: https://github.com/tektoncd/catalog
+	URI string `json:"uri,omitempty"`
+
+	// Digest is a collection of cryptographic digests for the contents of the artifact specified by URI.
+	// https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+	// Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"}
+	Digest map[string]string `json:"digest,omitempty"`
+
+	// EntryPoint identifying the entry point into the build. This is often a path to a
+	// configuration file and/or a target label within that file.
+	// Example: "task/git-clone/0.8/git-clone.yaml"
+	EntryPoint string `json:"entryPoint,omitempty"`
+}

pkg/apis/pipeline/v1/pipelinerun_types.go

@@ -169,6 +169,28 @@
         }
       }
     },
+    "v1.ConfigSource": {
+      "description": "ConfigSource records where the task/pipeline file came from.",
+      "type": "object",
+      "properties": {
+        "digest": {
+          "description": "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}",
+          "type": "object",
+          "additionalProperties": {
+            "type": "string",
+            "default": ""
+          }
+        },
+        "entryPoint": {
+          "description": "EntryPoint identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. Example: \"task/git-clone/0.8/git-clone.yaml\"",
+          "type": "string"
+        },
+        "uri": {
+          "description": "URI indicating the identity of the source of the config. https://github.com/in-toto/attestation/blob/main/spec/field_types.md#ResourceURI Example: https://github.com/tektoncd/catalog",
+          "type": "string"
+        }
+      }
+    },
     "v1.EmbeddedTask": {
       "description": "EmbeddedTask is used to define a Task inline within a Pipeline's PipelineTasks.",
       "type": "object",
@@ -643,6 +665,10 @@
           "description": "PipelineRunSpec contains the exact spec used to instantiate the run",
           "$ref": "#/definitions/v1.PipelineSpec"
         },
+        "provenance": {
+          "description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
+          "$ref": "#/definitions/v1.Provenance"
+        },
         "results": {
           "description": "Results are the list of results written out by the pipeline task's containers",
           "type": "array",
@@ -692,6 +718,10 @@
           "description": "PipelineRunSpec contains the exact spec used to instantiate the run",
           "$ref": "#/definitions/v1.PipelineSpec"
         },
+        "provenance": {
+          "description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
+          "$ref": "#/definitions/v1.Provenance"
+        },
         "results": {
           "description": "Results are the list of results written out by the pipeline task's containers",
           "type": "array",
@@ -988,6 +1018,15 @@
         }
       }
     },
+    "v1.Provenance": {
+      "description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
+      "type": "object",
+      "properties": {
+        "source": {
+          "$ref": "#/definitions/v1.ConfigSource"
+        }
+      }
+    },
     "v1.ResolverRef": {
       "description": "ResolverRef can be used to refer to a Pipeline or Task in a remote location like a git repo. This feature is in alpha and these fields are only available when the alpha feature gate is enabled.",
       "type": "object",
@@ -1838,6 +1877,10 @@
           "type": "string",
           "default": ""
         },
+        "provenance": {
+          "description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
+          "$ref": "#/definitions/v1.Provenance"
+        },
         "results": {
           "description": "Results are the list of results written out by the task's containers",
           "type": "array",
@@ -1900,6 +1943,10 @@
           "type": "string",
           "default": ""
         },
+        "provenance": {
+          "description": "Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource",
+          "$ref": "#/definitions/v1.Provenance"
+        },
         "results": {
           "description": "Results are the list of results written out by the task's containers",
           "type": "array",

pkg/apis/pipeline/v1/provenance.go

@@ -231,6 +231,9 @@ type TaskRunStatusFields struct {
 
 	// TaskSpec contains the Spec from the dereferenced Task definition used to instantiate this TaskRun.
 	TaskSpec *TaskSpec `json:"taskSpec,omitempty"`
+
+	// Provenance contains all the information that needs to be recorded in a provenance i.e. ConfigSource
+	Provenance *Provenance `json:"provenance,omitempty"`
 }
 
 // TaskRunStepSpec is used to override the values of a Step in the corresponding Task.