Use cluster issuer as default builder id

.github/workflows/goclean.yml

@@ -3,40 +3,42 @@ name: goclean
 on:
   push:
     paths:
-      - '**.go'
-      - 'go.mod'
-      - 'go.sum'
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
     branches:
       - main
       - release-*
   pull_request:
     paths:
-      - '**.go'
-      - 'go.mod'
-      - 'go.sum'
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
     branches:
       - main
       - release-*
   schedule:
-    - cron: '41 20 * * 1'
+    - cron: "41 20 * * 1"
 
 jobs:
   goclean:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3 # check-out repository
+      - uses: actions/checkout@v3 # check-out repository
 
-    - name: Setup Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: '1.20.0'
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.21"
 
-    - name: go vet
-      run: |
-        # Use in-place vendored dependencies.
-        go vet -mod=vendor ./...
+      - name: go vet
+        run: |
+          # Use in-place vendored dependencies.
+          go vet -mod=vendor ./...
 
-    # If this workflow fails, run `go fmt` on your tree and resubmit.
-    # We ignore vendor/ files whose format we don't control.
-    - name: go fmt
-      run: if [ "$(gofmt -l . | grep -v vendor/ | grep -v third_party/ | wc -l)" -gt 0 ]; then exit 1; fi
+      # If this workflow fails, run `go fmt` on your tree and resubmit.
+      # We ignore vendor/ files whose format we don't control.
+      - name: go fmt
+        run:
+          if [ "$(gofmt -l . | grep -v vendor/ | grep -v third_party/ | wc -l)"
+          -gt 0 ]; then exit 1; fi

.github/workflows/lint.yaml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.20"
+          go-version: "1.21"
 
       - uses: actions/checkout@v3
 

docs/config.md

@@ -1,21 +1,25 @@
-<!--
----
-linkTitle: "Chains Configuration"
-weight: 20
+## <!--
+
+linkTitle: "Chains Configuration" weight: 20
+
 ---
+
 -->
 
 # Chains Configuration
 
-`Chains` works by observing `TaskRun` and `PipelineRun` executions, capturing relevant information, and storing it in a cryptographically-signed format.
+`Chains` works by observing `TaskRun` and `PipelineRun` executions, capturing
+relevant information, and storing it in a cryptographically-signed format.
 
-`TaskRuns` and `PipelineRuns` can indicate inputs and outputs which are then captured and surfaced in the `Chains` payload formats, where relevant.
-`Chains` uses the `Results` to _hint_ at the correct inputs and outputs. Check out [slsa-provenance.md](slsa-provenance.md) for more details.
+`TaskRuns` and `PipelineRuns` can indicate inputs and outputs which are then
+captured and surfaced in the `Chains` payload formats, where relevant. `Chains`
+uses the `Results` to _hint_ at the correct inputs and outputs. Check out
+[slsa-provenance.md](slsa-provenance.md) for more details.
 
 ## Chains Configuration
 
-Chains uses a `ConfigMap` called `chains-config` in the `tekton-chains` namespace for configuration.
-Supported keys include:
+Chains uses a `ConfigMap` called `chains-config` in the `tekton-chains`
+namespace for configuration. Supported keys include:
 
 ### TaskRun Configuration
 
@@ -41,7 +45,8 @@ Supported keys include:
 
 > NOTE:
 >
-> - For grafeas storage backend, currently we only support Container Analysis. We will make grafeas server address configurabe within a short time.
+> - For grafeas storage backend, currently we only support Container Analysis.
+>   We will make grafeas server address configurabe within a short time.
 > - `slsa/v1` is an alias of `in-toto` for backwards compatibility.
 > - `slsa/v2alpha2` corresponds to the slsav1.0 spec.
 
@@ -72,34 +77,71 @@ Supported keys include:
 
 #### docstore
 
-You can read about the go-cloud docstore URI format [here](https://gocloud.dev/howto/docstore/). Tekton Chains supports the following docstore services:
+You can read about the go-cloud docstore URI format
+[here](https://gocloud.dev/howto/docstore/). Tekton Chains supports the
+following docstore services:
 
 - `firestore`
 - `dynamodb`
 - `mongo`
 
 #### MongoDB
 
-With MongoDB you will need to add a `MONGO_SERVER_URL` env var with the MongoDB connection URI to the `tekton-chains-controller`, the go-cloud URI is just to point at the db and collection
+With MongoDB you will need to add a `MONGO_SERVER_URL` env var with the MongoDB
+connection URI to the `tekton-chains-controller`, the go-cloud URI is just to
+point at the db and collection
 
 #### Grafeas
 
-You can read more about Grafeas notes and occurrences [here](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md). To create occurrences, we have to create notes first that are used to link occurrences. Two types of occurrences will be created: `ATTESTATION` Occurrence and `BUILD` Occrrence. The configurable `noteid` is used as the prefix of the note name. Under the hood, the suffix `-simplesigning` will be appended for the `ATTESTATION` note, and the suffix `-intoto` will be appended for the `BUILD` note. If the `noteid` field is not configured, `tekton-<NAMESPACE>` will be used as the prefix.
+You can read more about Grafeas notes and occurrences
+[here](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md).
+To create occurrences, we have to create notes first that are used to link
+occurrences. Two types of occurrences will be created: `ATTESTATION` Occurrence
+and `BUILD` Occrrence. The configurable `noteid` is used as the prefix of the
+note name. Under the hood, the suffix `-simplesigning` will be appended for the
+`ATTESTATION` note, and the suffix `-intoto` will be appended for the `BUILD`
+note. If the `noteid` field is not configured, `tekton-<NAMESPACE>` will be used
+as the prefix.
 
 ### In-toto Configuration
 
-| Key                         | Description                                    | Supported Values                                                                | Default                             |
-| :-------------------------- | :--------------------------------------------- | :------------------------------------------------------------------------------ | :---------------------------------- |
-| `builder.id`                | The builder ID to set for in-toto attestations |                                                                                 | `https://tekton.dev/chains/v2`      |
-| `builddefinition.buildtype` | The buildType for in-toto attestations         | `https://tekton.dev/chains/v2/slsa`, `https://tekton.dev/chains/v2/slsa-tekton` | `https://tekton.dev/chains/v2/slsa` |
+| Key                         | Description                                    | Supported Values                                                                | Default                              |
+| :-------------------------- | :--------------------------------------------- | :------------------------------------------------------------------------------ | :----------------------------------- |
+| `builder.id`                | The builder ID to set for in-toto attestations |                                                                                 | [Cluster's OIDC Issuer](#builder-id) |
+| `builddefinition.buildtype` | The buildType for in-toto attestations         | `https://tekton.dev/chains/v2/slsa`, `https://tekton.dev/chains/v2/slsa-tekton` | `https://tekton.dev/chains/v2/slsa`  |
 
-> NOTE:
-> Considerations for the builddefinition.buildtype parameter:
+> NOTE: Considerations for the builddefinition.buildtype parameter:
 >
-> - It is only valid for `slsa/v2alpha2` configurations (see TaskRun or PipelineRun configuration).
+> - It is only valid for `slsa/v2alpha2` configurations (see TaskRun or
+>   PipelineRun configuration).
 > - The parameter can take one of two values:
->   - `https://tekton.dev/chains/v2/slsa`: This buildType strictly conforms to the slsav1.0 spec.
->   - `https://tekton.dev/chains/v2/slsa-tekton`: This buildType also conforms to the slsav1.0 spec, but adds additional informaton specific to Tekton. This information includes the PipelinRun/TaskRun labels and annotations as internalParameters. It also includes capturing each pipeline task in a PipelinRun under resolvedDependencies.
+>   - `https://tekton.dev/chains/v2/slsa`: This buildType strictly conforms to
+>     the slsav1.0 spec.
+>   - `https://tekton.dev/chains/v2/slsa-tekton`: This buildType also conforms
+>     to the slsav1.0 spec, but adds additional informaton specific to Tekton.
+>     This information includes the PipelinRun/TaskRun labels and annotations as
+>     internalParameters. It also includes capturing each pipeline task in a
+>     PipelinRun under resolvedDependencies.
+
+#### Builder ID
+
+By default, Tekton Chains uses the Cluster OIDC issuer as the Builder ID to
+identify the cluster performing the build.
+
+This can vary depending on how the cluster is deployed - see
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection
+for more details.
+
+Examples:
+
+- GKE:
+  `https://containers.googleapis.com/v1/projects/123456789012/locations/us-east1/clusters/cluster-1`
+- EKS:
+  `https://oidc.eks.us-east-1.amazonaws.com/id/12345678901234567890123456789012`
+- AKS:
+  `https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000/`
+- Kind/Local: `https://kubernetes.default.svc` (NOTE: this isn't a real URL and
+  won't give you much useful information)
 
 ### Sigstore Features Configuration
 
@@ -110,7 +152,9 @@ You can read more about Grafeas notes and occurrences [here](https://github.com/
 | `transparency.enabled` | Whether to enable automatic binary transparency uploads.           | `true`, `false`, `manual` | `false`                      |
 | `transparency.url`     | The URL to upload binary transparency attestations to, if enabled. |                           | `https://rekor.sigstore.dev` |
 
-**Note**: If `transparency.enabled` is set to `manual`, then only `TaskRuns` and `PipelineRuns` with the following annotation will be uploaded to the transparency log:
+**Note**: If `transparency.enabled` is set to `manual`, then only `TaskRuns` and
+`PipelineRuns` with the following annotation will be uploaded to the
+transparency log:
 
 ```yaml
 chains.tekton.dev/transparency-upload: "true"

go.mod

@@ -1,10 +1,13 @@
 module github.com/tektoncd/chains
 
-go 1.20
+go 1.21
+
+toolchain go1.21.2
 
 require (
 	cloud.google.com/go/compute/metadata v0.2.3
 	cloud.google.com/go/storage v1.35.1
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/golangci/golangci-lint v1.55.2
 	github.com/google/addlicense v1.1.1
 	github.com/google/go-cmp v0.6.0
@@ -33,6 +36,7 @@ require (
 	gocloud.dev/docstore/mongodocstore v0.34.0
 	gocloud.dev/pubsub/kafkapubsub v0.34.0
 	golang.org/x/crypto v0.15.0
+	golang.org/x/oauth2 v0.13.0
 	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0
 	k8s.io/api v0.28.3
@@ -220,7 +224,6 @@ require (
 	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
@@ -440,7 +443,6 @@ require (
 	golang.org/x/exp/typeparams v0.0.0-20230307190834-24139beb5833 // indirect
 	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/sys v0.14.0 // indirect
 	golang.org/x/term v0.14.0 // indirect