tektoncd / chains

Supply Chain Security in Tekton Pipelines
Apache License 2.0

Support SLSA 1.0 provenance storage #889

Open chitrangpatel opened 1 year ago

chitrangpatel commented 1 year ago

The formatting for SLSA v1.0 provenance was added in Chains Release 0.17.0. However, before declaring that Chains now produces SLSA v1.0 provenance, we need to add support for storage.

This issue highlights all the storage options we need to add support for:

/kind feature

tekton-robot commented 1 year ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

annelled commented 8 months ago

Hi @chitrangpatel I would like to follow up on the status of this ticket since it has been marked as stale.

Has support for storage for OCI been added? I see that the documentation states that "Tekton Chains supports both SLSA v0.2 and v1.0 provenance for both task-level and pipeline-level provenance."

chitrangpatel commented 8 months ago

A lot of these should apply as is to the new provenance type as well. We haven't verified that though. It might be worth trying if storing the provenance in OCI works out of the box.

annelled commented 8 months ago

@chitrangpatel thank you for your response. I can confirm that we were able to store attestations as OCI (GCR) in the SLSA v1.0 format.
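For readers who want to reproduce the setup confirmed above, the following is an added configuration example and not something posted in this issue or shipped by the Chains project. It assumes the stock `chains-config` ConfigMap in the `tekton-chains` namespace and the format identifier that the Chains documentation lists for SLSA v1.0 predicates (`slsa/v2alpha2`; `in-toto` and `slsa/v1` still emit SLSA v0.2). Check the identifier against the docs of the release you run, since later releases added further `slsa/v2alpha*` variants.

```yaml
# Added example (not from the issue or the Chains repo): Tekton Chains
# configured to emit SLSA v1.0 provenance and push it, together with the
# image signature, to the OCI registry that holds the built image.
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
data:
  # Provenance predicate format. "slsa/v2alpha2" is the SLSA v1.0
  # predicate in the Chains docs; "in-toto"/"slsa/v1" are SLSA v0.2.
  artifacts.taskrun.format: slsa/v2alpha2
  artifacts.pipelinerun.format: slsa/v2alpha2

  # Store the attestation next to the image in the OCI registry
  # (the storage backend this thread confirms works for SLSA v1.0).
  # Other values, e.g. "tekton" or "gcs", can be comma-separated.
  artifacts.taskrun.storage: oci
  artifacts.pipelinerun.storage: oci

  # Image signatures use the simple signing payload and also land in OCI.
  artifacts.oci.format: simplesigning
  artifacts.oci.storage: oci

  # Signing key: the "signing-secrets" secret in this namespace
  # (cosign.key / cosign.pub / cosign.password), as in the Chains docs.
  artifacts.taskrun.signer: x509
  artifacts.pipelinerun.signer: x509
  artifacts.oci.signer: x509
```

Apply it with `kubectl apply -f` (or `kubectl patch configmap chains-config -n tekton-chains`) and restart the Chains controller so it picks up the new values. A practical check that the stored attestation really is SLSA v1.0 is to pull it back with cosign against the public key, requesting the v1.0 predicate type explicitly: `cosign verify-attestation --type slsaprovenance1 --key k8s://tekton-chains/signing-secrets <image>@<digest>`; a v0.2 predicate would fail that type check, which is what distinguishes "the registry accepted a blob" from "Chains produced v1.0 provenance".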

chitrangpatel commented 8 months ago

Thank you for reporting that! I've checked that off the list.