Promote the provenance field in status

config/config-feature-flags.yaml

@@ -85,7 +85,7 @@ data:
   # and PipelineRun status. This field contains metadata about resources used
   # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
   # definition was fetched.
-  enable-provenance-in-status: "false"
+  enable-provenance-in-status: "true"
   # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
   # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
   # If set to "none", then Tekton will not have non-falsifiable provenance.

docs/additional-configs.md

@@ -245,10 +245,11 @@ Defaults to "ignore".
 
 - `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.
 
-- `enable-provenance-in-status`: set this flag to "true" to enable recording
+- `enable-provenance-in-status`: Set this flag to `"true"` to enable populating
   the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
   field contains metadata about resources used in the TaskRun/PipelineRun such as the
-  source from where a remote Task/Pipeline definition was fetched.
+  source from where a remote Task/Pipeline definition was fetched. By default, this is set to `true`.
+  To disable populating this field, set this flag to `"false"`.
 
 For example:
 
@@ -284,7 +285,6 @@ Features currently in "alpha" are:
 | [Task-level Resource Requirements](compute-resources.md#task-level-compute-resources-configuration) | [TEP-0104](https://github.com/tektoncd/community/blob/main/teps/0104-tasklevel-resource-requirements.md)                   | [v0.39.0](https://github.com/tektoncd/pipeline/releases/tag/v0.39.0) |                               |
 | [Object Params and Results](pipelineruns.md#specifying-parameters)                                  | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md)                     | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) |                               |                             |
 | [Trusted Resources](./trusted-resources.md)                                                         | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md)                                 | N/A                                                                  | `trusted-resources-verification-no-match-policy`  |
-| [`Provenance` field in Status](pipeline-api.md#provenance)                                          | [issue#5550](https://github.com/tektoncd/pipeline/issues/5550)                                                             | N/A                                                                  | `enable-provenance-in-status` |
 | [Larger Results via Sidecar Logs](#enabling-larger-results-using-sidecar-logs)                      | [TEP-0127](https://github.com/tektoncd/community/blob/main/teps/0127-larger-results-via-sidecar-logs.md)                   | [v0.43.0](https://github.com/tektoncd/pipeline/releases/tag/v0.43.0) | `results-from`                |
 | [Configure Default Resolver](./resolution.md#configuring-built-in-resolvers)                        | [TEP-0133](https://github.com/tektoncd/community/blob/main/teps/0133-configure-default-resolver.md)                        | N/A                                 |                                |
 
@@ -304,7 +304,7 @@ Features currently in "beta" are:
 | [Array Results and Array Indexing](pipelineruns.md#specifying-parameters)             | [TEP-0076](https://github.com/tektoncd/community/blob/main/teps/0076-array-result-types.md)     | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | [v0.45.0](https://github.com/tektoncd/pipeline/releases/tag/v0.45.0) |                 |
 | [Object Parameters and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.46.0](https://github.com/tektoncd/pipeline/releases/tag/v0.46.0) |
 | [Remote Tasks](./taskruns.md#remote-tasks) and [Remote Pipelines](./pipelineruns.md#remote-pipelines) | [TEP-0060](https://github.com/tektoncd/community/blob/main/teps/0060-remote-resolution.md) | [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0) |
-
+| [`Provenance` field in Status](pipeline-api.md#provenance)| [issue#5550](https://github.com/tektoncd/pipeline/issues/5550)| [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0)| [v0.48.0](https://github.com/tektoncd/pipeline/releases/tag/v0.48.0) | `enable-provenance-in-status`|
 
 ## Enabling larger results using sidecar logs
 

docs/pipelineruns.md

@@ -1317,7 +1317,9 @@ Your `PipelineRun`'s `status` field can contain the following fields:
     - [`kind`][kubernetes-overview] - Generally either `TaskRun` or `Run`.
     - [`apiVersion`][kubernetes-overview] - The API version for the underlying `TaskRun` or `Run`.
     - [`whenExpressions`](pipelines.md#guard-task-execution-using-when-expressions) - The list of when expressions guarding the execution of this task.
-  - `provenance` - Metadata about resources used in the PipelineRun such as the source from where a remote pipeline definition was fetched.
+  - `provenance` - Metadata about the runtime configuration and the resources used in the PipelineRun. The data in the `provenance` field will be recorded into the build provenance by the provenance generator i.e. (Tekton Chains). Currently, there are 2 subfields:
+    - `RefSource`: the source from where a remote pipeline definition was fetched.
+    - `FeatureFlags`: the configuration data of the `feature-flags` configmap.
   - `finallyStartTime`- The time at which the PipelineRun's `finally` Tasks, if any, began
   executing, in [RFC3339](https://tools.ietf.org/html/rfc3339) format.
 

pkg/apis/config/feature_flags.go

@@ -71,7 +71,7 @@ const (
 	// DefaultNoMatchPolicyConfig is the default value for "trusted-resources-verification-no-match-policy".
 	DefaultNoMatchPolicyConfig = IgnoreNoMatchPolicy
 	// DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
-	DefaultEnableProvenanceInStatus = false
+	DefaultEnableProvenanceInStatus = true
 	// DefaultResultExtractionMethod is the default value for ResultExtractionMethod
 	DefaultResultExtractionMethod = ResultExtractionMethodTerminationMessage
 	// DefaultMaxResultSize is the default value in bytes for the size of a result

pkg/apis/config/feature_flags_test.go

@@ -65,9 +65,10 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				SendCloudEventsForRuns:           true,
 				EnforceNonfalsifiability:         "spire",
 				VerificationNoMatchPolicy:        config.FailNoMatchPolicy,
-				EnableProvenanceInStatus:         true,
+				EnableProvenanceInStatus:         false,
 				ResultExtractionMethod:           "termination-message",
-				MaxResultSize:                    4096,
+
+				MaxResultSize: 4096,
 			},
 			fileName: "feature-flags-all-flags-set",
 		},
@@ -85,6 +86,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				RequireGitSSHSecretKnownHosts:    config.DefaultRequireGitSSHSecretKnownHosts,
 				SendCloudEventsForRuns:           config.DefaultSendCloudEventsForRuns,
 				VerificationNoMatchPolicy:        config.DefaultNoMatchPolicyConfig,
+				EnableProvenanceInStatus:         config.DefaultEnableProvenanceInStatus,
 				ResultExtractionMethod:           config.DefaultResultExtractionMethod,
 				MaxResultSize:                    config.DefaultMaxResultSize,
 			},
@@ -102,6 +104,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				RequireGitSSHSecretKnownHosts:    config.DefaultRequireGitSSHSecretKnownHosts,
 				SendCloudEventsForRuns:           config.DefaultSendCloudEventsForRuns,
 				VerificationNoMatchPolicy:        config.DefaultNoMatchPolicyConfig,
+				EnableProvenanceInStatus:         config.DefaultEnableProvenanceInStatus,
 				ResultExtractionMethod:           config.DefaultResultExtractionMethod,
 				MaxResultSize:                    config.DefaultMaxResultSize,
 			},
@@ -119,6 +122,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				RequireGitSSHSecretKnownHosts:    config.DefaultRequireGitSSHSecretKnownHosts,
 				SendCloudEventsForRuns:           config.DefaultSendCloudEventsForRuns,
 				VerificationNoMatchPolicy:        config.DefaultNoMatchPolicyConfig,
+				EnableProvenanceInStatus:         config.DefaultEnableProvenanceInStatus,
 				ResultExtractionMethod:           config.DefaultResultExtractionMethod,
 				MaxResultSize:                    config.DefaultMaxResultSize,
 			},
@@ -132,6 +136,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				VerificationNoMatchPolicy:        config.DefaultNoMatchPolicyConfig,
 				RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
 				AwaitSidecarReadiness:            config.DefaultAwaitSidecarReadiness,
+				EnableProvenanceInStatus:         config.DefaultEnableProvenanceInStatus,
 				ResultExtractionMethod:           config.DefaultResultExtractionMethod,
 				MaxResultSize:                    config.DefaultMaxResultSize,
 			},
@@ -143,6 +148,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 				VerificationNoMatchPolicy:        config.DefaultNoMatchPolicyConfig,
 				RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
 				AwaitSidecarReadiness:            config.DefaultAwaitSidecarReadiness,
+				EnableProvenanceInStatus:         config.DefaultEnableProvenanceInStatus,
 				ResultExtractionMethod:           config.ResultExtractionMethodSidecarLogs,
 				MaxResultSize:                    8192,
 			},

pkg/apis/config/testdata/feature-flags-all-flags-set.yaml

@@ -28,4 +28,4 @@ data:
   send-cloudevents-for-runs: "true"
   enforce-nonfalsifiability: "spire"
   trusted-resources-verification-no-match-policy: "fail"
-  enable-provenance-in-status: "true"
+  enable-provenance-in-status: "false"

pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go

@@ -305,14 +305,7 @@ func TestPipelineRunConversion(t *testing.T) {
 							URI:    "test-uri",
 							Digest: map[string]string{"sha256": "digest"},
 						},
-						FeatureFlags: &config.FeatureFlags{
-							RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
-							EnableAPIFields:                  config.DefaultEnableAPIFields,
-							AwaitSidecarReadiness:            config.DefaultAwaitSidecarReadiness,
-							VerificationNoMatchPolicy:        config.DefaultNoMatchPolicyConfig,
-							ResultExtractionMethod:           config.DefaultResultExtractionMethod,
-							MaxResultSize:                    config.DefaultMaxResultSize,
-						},
+						FeatureFlags: config.DefaultFeatureFlags.DeepCopy(),
 					},
 				},
 			},

pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go

@@ -237,14 +237,7 @@ func TestTaskRunConversion(t *testing.T) {
 							URI:    "test-uri",
 							Digest: map[string]string{"sha256": "digest"},
 						},
-						FeatureFlags: &config.FeatureFlags{
-							RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
-							EnableAPIFields:                  config.DefaultEnableAPIFields,
-							AwaitSidecarReadiness:            config.DefaultAwaitSidecarReadiness,
-							VerificationNoMatchPolicy:        config.DefaultNoMatchPolicyConfig,
-							ResultExtractionMethod:           config.DefaultResultExtractionMethod,
-							MaxResultSize:                    config.DefaultMaxResultSize,
-						},
+						FeatureFlags: config.DefaultFeatureFlags.DeepCopy(),
 					}},
 			},
 		},