Skip to content

Commit

Permalink
Add user-facing doc "SLSA Provenance"
Browse files Browse the repository at this point in the history
Fixes #786

The doc includes instruction on how to configure a pipeline/task so that
Tekton Chains can generate provenance properly.

Signed-off-by: Chuang Wang <[email protected]>
  • Loading branch information
chuangw6 committed Oct 5, 2023
1 parent e0c67ae commit f4c9ff6
Show file tree
Hide file tree
Showing 4 changed files with 328 additions and 501 deletions.
31 changes: 1 addition & 30 deletions docs/config.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,37 +10,8 @@ weight: 20
`Chains` works by observing `TaskRun` and `PipelineRun` executions, capturing relevant information, and storing it in a cryptographically-signed format.

`TaskRuns` and `PipelineRuns` can indicate inputs and outputs which are then captured and surfaced in the `Chains` payload formats, where relevant.
`Chains` uses the standard mechanisms (`Results` and `PipelineResources`) where possible, and provides a few other mechanisms to *hint* at the correct inputs and outputs. These are outlined below:
`Chains` uses the `Results` to *hint* at the correct inputs and outputs. Check out [how-to-chain-with-pipeline.md](how-to-chain-with-pipeline.md) for more details.

## Chains Type Hinting

When outputting an OCI image without using a `PipelineResource`, `Chains` will look for the following Results:

* `*IMAGE_URL` - The URL to the built OCI image
* `*IMAGE_DIGEST` - The Digest of the built OCI image

where `*` indicates any expression.
For example, if **both** `MYIMAGE_IMAGE_URL` AND `MYIMAGE_IMAGE_DIGEST` are correctly formatted to point to an OCI image, then `chains` will pick up on it and try to sign the image.

Multiple images can be specified by using different prefixes in place of `*`.

Multiple images can also be specified by using the `IMAGES` Result.
The value of the `IMAGES` result is a list of images, each qualified by digest.
The list of images can be separated by commas or by newlines.

```shell
- name: IMAGES
value: img1@sha256:digest1, img2@sha256:digest2
```

When processing a `TaskRun`, Chains will parse through the list, then sign and attest each image.
When processing a `PipelineRun`, Chains will only attest each image. Thus, if both `TaskRun` and
`PipelineRun` produce type hint results, each image will have one signature and two attestations.

For in-toto attestations, see [intoto.md](intoto.md) for description
of in-toto specific type hinting.

Note that these are provided automatically when using `PipelineResources`.

## Chains Configuration

Expand Down
Loading

0 comments on commit f4c9ff6

Please sign in to comment.