tektoncd / cli

A CLI for interacting with Tekton!
Apache License 2.0

Add repository information to artifacts when using `tkn bundle` #2100

Open arewm opened 1 year ago

arewm commented 1 year ago

Feature request

When pushing a Tekton bundle using the tkn bundle command, users should have an option to add labels to the artifact pointing to the git source for the bundle including the immutable reference and context directory within the source.

These labels could either be added using a single command which would get the relevant information from the context or using multiple commands requiring users to explicitly specify the references for the label content.

Use case

The source and history of Tekton tasks can be beneficial when debugging Pipelines. Users should be able to view the bundles in OCI registries to easily track the sources.

Tekton bundles can be easily copied from one image registry to another. As this happens, the original provenance can easily be lost. Since the image labels would be copied with the artifacts, provenance should be easily tracked assuming a well-intending entity made the copy (i.e. registry copies with intentional modification to the labels would be out of scope from a threat model).

UI Example

If the bundle is generated from within the context of a git repository, then it could be possible to collect the repo and commit references, and the context can additionally be added based on the file used as the bundle's source.

tkn bundle push quay.io/myork/mybundle:1.0 -f path/to/my/file.json --label-source
tkn bundle push quay.io/myorg/mybundle:latest "apiVersion: tekton.dev/v1beta1 kind: Pipeline..." --label-repository "..." --label-commit "abc..."
cat path/to/my/unified_yaml_file.yaml | tkn bundle push myprivateregistry.com/myorg/mybundle -f  --label-repository "..." --label-commit "abc..." --label-context "path/to/my/" -

The following examples would not be supported as tkn wouldn't be able to validate that the sources are related to the git invocation information from $CWD.

tkn bundle push quay.io/myorg/mybundle:latest "apiVersion: tekton.dev/v1beta1 kind: Pipeline..." --label-source
cat path/to/my/unified_yaml_file.yaml | tkn bundle push myprivateregistry.com/myorg/mybundle -f --label-source -

zregvart commented 12 months ago

With #1933 one can provide annotations on the tkn bundle push command. Note that labels are considered deprecated. For the use cases outlined here there are standard annotations that can be used.

For example:

tkn bundle push registry.io/repository/my-bundle:1.0 -f my-task.yaml \
  --annotate org.opencontainers.image.source=git@git.myorg.io:tekton/tasks.git \
  --annotate org.opencontainers.image.revision=git-commit-id
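As an added example, not code from this thread or from the tkn project: a Python check that a bundle manifest already fetched from the registry (for instance with `crane manifest` or `skopeo inspect --raw`) carries the two standard OCI annotations shown above, that the source matches the git remote the bundle is expected to come from (scp-style, ssh:// and https:// spellings compared as equal), and that the revision is an immutable commit id rather than a branch or tag. The sample manifest and expected values are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Standard OCI image-spec annotation keys used in the comment above.
SOURCE_KEY = "org.opencontainers.image.source"
REVISION_KEY = "org.opencontainers.image.revision"

# Constructed sample manifest, shaped like what `crane manifest` or
# `skopeo inspect --raw` returns for a bundle pushed with --annotate.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "annotations": {
        SOURCE_KEY: "git@git.myorg.io:tekton/tasks.git",
        REVISION_KEY: "0123456789abcdef0123456789abcdef01234567",
    },
})

# An immutable reference is a full SHA-1 (or SHA-256) commit id, never a branch or tag.
FULL_SHA = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{64})$")


def normalize_git_url(url):
    """Reduce scp-style, ssh:// and https:// remotes to 'host/path' for comparison."""
    m = re.match(r"^[\w.-]+@([\w.-]+):(.+)$", url.strip())  # git@host:org/repo.git
    if m:
        host, path = m.group(1), m.group(2)
    else:
        parsed = urlparse(url.strip())
        host, path = parsed.hostname or "", parsed.path
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host.lower()}/{path}"


def check_provenance(manifest_json, expected_source, expected_revision):
    """Return a list of problems; an empty list means the annotations check out."""
    problems = []
    annotations = json.loads(manifest_json).get("annotations") or {}
    source = annotations.get(SOURCE_KEY)
    revision = annotations.get(REVISION_KEY)
    if source is None:
        problems.append(f"missing {SOURCE_KEY}")
    elif normalize_git_url(source) != normalize_git_url(expected_source):
        problems.append(f"source mismatch: {source!r} != {expected_source!r}")
    if revision is None:
        problems.append(f"missing {REVISION_KEY}")
    else:
        if not FULL_SHA.match(revision):
            problems.append(f"revision {revision!r} is not a full commit hash")
        if revision != expected_revision:
            problems.append(f"revision mismatch: {revision!r} != {expected_revision!r}")
    return problems
```

Because annotations travel with the manifest when a bundle is copied between registries, the same check can be run against the copy to confirm its provenance survived the transfer.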