Capture Remote StepAction Location in TaskRun Status

Prior to this, we captured remote Task and pipeline origin
information (uri and digest) in the TaskRun/PipelineRun Status.
This allowed Chains to pull this information and insert it into
the intoto provenance. A similar capability was missing for the
newly implemented StepActions. This PR fixes that gap.

Fixes #8091

docs/pipeline-api.md

@@ -3437,7 +3437,7 @@ ParamType
 <h3 id="tekton.dev/v1.Provenance">Provenance
 </h3>
 <p>
-(<em>Appears on:</em><a href="#tekton.dev/v1.PipelineRunStatusFields">PipelineRunStatusFields</a>, <a href="#tekton.dev/v1.TaskRunStatusFields">TaskRunStatusFields</a>)
+(<em>Appears on:</em><a href="#tekton.dev/v1.PipelineRunStatusFields">PipelineRunStatusFields</a>, <a href="#tekton.dev/v1.StepState">StepState</a>, <a href="#tekton.dev/v1.TaskRunStatusFields">TaskRunStatusFields</a>)
 </p>
 <div>
 <p>Provenance contains metadata about resources used in the TaskRun/PipelineRun
@@ -4841,6 +4841,18 @@ string
 </tr>
 <tr>
 <td>
+<code>provenance</code><br/>
+<em>
+<a href="#tekton.dev/v1.Provenance">
+Provenance
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
 <code>terminationReason</code><br/>
 <em>
 string
@@ -12759,7 +12771,7 @@ ParamType
 <h3 id="tekton.dev/v1beta1.Provenance">Provenance
 </h3>
 <p>
-(<em>Appears on:</em><a href="#tekton.dev/v1beta1.PipelineRunStatusFields">PipelineRunStatusFields</a>, <a href="#tekton.dev/v1beta1.TaskRunStatusFields">TaskRunStatusFields</a>)
+(<em>Appears on:</em><a href="#tekton.dev/v1beta1.PipelineRunStatusFields">PipelineRunStatusFields</a>, <a href="#tekton.dev/v1beta1.StepState">StepState</a>, <a href="#tekton.dev/v1beta1.TaskRunStatusFields">TaskRunStatusFields</a>)
 </p>
 <div>
 <p>Provenance contains metadata about resources used in the TaskRun/PipelineRun
@@ -14410,6 +14422,18 @@ string
 </tr>
 <tr>
 <td>
+<code>provenance</code><br/>
+<em>
+<a href="#tekton.dev/v1beta1.Provenance">
+Provenance
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
 <code>inputs</code><br/>
 <em>
 <a href="#tekton.dev/v1beta1.Artifact">

go.mod

@@ -1,6 +1,7 @@
 module github.com/tektoncd/pipeline
 
 go 1.22
+
 toolchain go1.22.4
 
 require (

pkg/apis/pipeline/v1/swagger.json

@@ -1671,6 +1671,9 @@
             "$ref": "#/definitions/v1.Artifact"
           }
         },
+        "provenance": {
+          "$ref": "#/definitions/v1.Provenance"
+        },
         "results": {
           "type": "array",
           "items": {

pkg/apis/pipeline/v1/taskrun_types.go

@@ -364,6 +364,7 @@ type StepState struct {
 	Container             string                `json:"container,omitempty"`
 	ImageID               string                `json:"imageID,omitempty"`
 	Results               []TaskRunStepResult   `json:"results,omitempty"`
+	Provenance            *Provenance           `json:"provenance,omitempty"`
 	TerminationReason     string                `json:"terminationReason,omitempty"`
 	Inputs                []TaskRunStepArtifact `json:"inputs,omitempty"`
 	Outputs               []TaskRunStepArtifact `json:"outputs,omitempty"`

pkg/apis/pipeline/v1beta1/swagger.json

@@ -2433,6 +2433,9 @@
             "$ref": "#/definitions/v1beta1.Artifact"
           }
         },
+        "provenance": {
+          "$ref": "#/definitions/v1beta1.Provenance"
+        },
         "results": {
           "type": "array",
           "items": {

pkg/apis/pipeline/v1beta1/taskrun_conversion.go

@@ -345,6 +345,12 @@ func (ss StepState) convertTo(ctx context.Context, sink *v1.StepState) {
 	sink.ImageID = ss.ImageID
 	sink.Results = nil
 
+	if ss.Provenance != nil {
+		new := v1.Provenance{}
+		ss.Provenance.convertTo(ctx, &new)
+		sink.Provenance = &new
+	}
+
 	if ss.ContainerState.Terminated != nil {
 		sink.TerminationReason = ss.ContainerState.Terminated.Reason
 	}
@@ -379,6 +385,11 @@ func (ss *StepState) convertFrom(ctx context.Context, source v1.StepState) {
 		new.convertFrom(ctx, r)
 		ss.Results = append(ss.Results, new)
 	}
+	if source.Provenance != nil {
+		new := Provenance{}
+		new.convertFrom(ctx, *source.Provenance)
+		ss.Provenance = &new
+	}
 	for _, o := range source.Outputs {
 		new := TaskRunStepArtifact{}
 		new.convertFrom(ctx, o)

pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go

@@ -126,6 +126,27 @@ func TestTaskRunConversion(t *testing.T) {
 					},
 				},
 			},
+		}, {
+			name: "taskrun with provenance in step state",
+			in: &v1beta1.TaskRun{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "foo",
+					Namespace: "bar",
+				},
+				Spec: v1beta1.TaskRunSpec{},
+				Status: v1beta1.TaskRunStatus{
+					TaskRunStatusFields: v1beta1.TaskRunStatusFields{
+						Steps: []v1beta1.StepState{{
+							Provenance: &v1beta1.Provenance{
+								RefSource: &v1beta1.RefSource{
+									URI:    "test-uri",
+									Digest: map[string]string{"sha256": "digest"},
+								},
+							},
+						}},
+					},
+				},
+			},
 		}, {
 			name: "taskrun conversion all non deprecated fields",
 			in: &v1beta1.TaskRun{

pkg/apis/pipeline/v1beta1/taskrun_types.go

@@ -372,6 +372,7 @@ type StepState struct {
 	ContainerName         string                `json:"container,omitempty"`
 	ImageID               string                `json:"imageID,omitempty"`
 	Results               []TaskRunStepResult   `json:"results,omitempty"`
+	Provenance            *Provenance           `json:"provenance,omitempty"`
 	Inputs                []TaskRunStepArtifact `json:"inputs,omitempty"`
 	Outputs               []TaskRunStepArtifact `json:"outputs,omitempty"`
 }

pkg/pod/entrypoint.go

@@ -352,8 +352,8 @@ func IsContainerStep(name string) bool { return strings.HasPrefix(name, stepPref
 // represents a sidecar.
 func IsContainerSidecar(name string) bool { return strings.HasPrefix(name, sidecarPrefix) }
 
-// trimStepPrefix returns the container name, stripped of its step prefix.
-func trimStepPrefix(name string) string { return strings.TrimPrefix(name, stepPrefix) }
+// TrimStepPrefix returns the container name, stripped of its step prefix.
+func TrimStepPrefix(name string) string { return strings.TrimPrefix(name, stepPrefix) }
 
 // TrimSidecarPrefix returns the container name, stripped of its sidecar
 // prefix.

pkg/pod/status.go

@@ -139,7 +139,6 @@ func MakeTaskRunStatus(ctx context.Context, logger *zap.SugaredLogger, tr v1.Tas
 	}
 
 	trs.PodName = pod.Name
-	trs.Steps = []v1.StepState{}
 	trs.Sidecars = []v1.SidecarState{}
 
 	var stepStatuses []corev1.ContainerStatus
@@ -360,17 +359,28 @@ func setTaskRunStatusBasedOnStepStatus(ctx context.Context, logger *zap.SugaredL
 				terminationReason = getTerminationReason(state.Terminated.Reason, terminationFromResults, exitCode)
 			}
 		}
-
-		trs.Steps = append(trs.Steps, v1.StepState{
+		stepState := v1.StepState{
 			ContainerState:    *state,
-			Name:              trimStepPrefix(s.Name),
+			Name:              TrimStepPrefix(s.Name),
 			Container:         s.Name,
 			ImageID:           s.ImageID,
 			Results:           taskRunStepResults,
 			TerminationReason: terminationReason,
 			Inputs:            sas.Inputs,
 			Outputs:           sas.Outputs,
-		})
+		}
+		foundStep := false
+		for i, ss := range trs.Steps {
+			if ss.Name == stepState.Name {
+				stepState.Provenance = ss.Provenance
+				trs.Steps[i] = stepState
+				foundStep = true
+				break
+			}
+		}
+		if !foundStep {
+			trs.Steps = append(trs.Steps, stepState)
+		}
 	}
 
 	return merr