tektoncd
diff --git a/‎.github/workflows/ci.yaml
+1 b/‎.github/workflows/ci.yaml
+1
diff --git a/‎.github/workflows/codeql-analysis.yml
+1-1 b/‎.github/workflows/codeql-analysis.yml
+1-1
diff --git a/‎.github/workflows/woke.yml
+1-1 b/‎.github/workflows/woke.yml
+1-1
diff --git a/‎.pre-commit-config.yaml
+5 b/‎.pre-commit-config.yaml
+5
diff --git a/‎cmd/entrypoint/main.go
+2-13 b/‎cmd/entrypoint/main.go
+2-13
diff --git a/‎cmd/entrypoint/spire.go
+43 b/‎cmd/entrypoint/spire.go
+43
diff --git a/‎cmd/entrypoint/spire_disable.go
+47 b/‎cmd/entrypoint/spire_disable.go
+47
diff --git a/‎docs/developers/fips.md
+15 b/‎docs/developers/fips.md
+15
diff --git a/‎docs/spire.md
+6 b/‎docs/spire.md
+6
diff --git a/‎go.mod
+6-7 b/‎go.mod
+6-7
diff --git a/‎go.sum
+12-12 b/‎go.sum
+12-12
diff --git a/‎pkg/entrypoint/entrypointer.go
+8-10 b/‎pkg/entrypoint/entrypointer.go
+8-10
diff --git a/‎pkg/entrypoint/spire.go
+38 b/‎pkg/entrypoint/spire.go
+38
@@ -50,6 +50,7 @@ jobs:
       uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837  # v6.5.0
       with:
         version: v1.64.6
+        only-new-issues: true
         args: --timeout=10m
     - name: yamllint
       run: |
 
@@ -70,7 +70,7 @@ jobs:
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    - uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+    - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
       with:
         path: |
           ~/.cache/go-build
 
@@ -19,7 +19,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
+        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8 # v45.0.7
         with:
           write_output_files: true
           files: |
 
@@ -18,6 +18,11 @@ repos:
     exclude: "(.*_test.go|^examples\/v1\/pipelineruns\/beta\/isolated-workspaces.yaml$)"
 - repo: local
   hooks:
+  - id: lint-yaml
+    name: "Lint YAML files"
+    entry: bash -c 'yamllint -c .yamllint $(find . -path ./vendor -prune -o -type f -regex ".*y[a]ml" -print)'
+    language: system
+    types: [yaml]
   - id: lint-go
     name: "Run make golangci-lint"
     entry: make
 
@@ -29,16 +29,13 @@ import (
 	"time"
 
 	"github.com/tektoncd/pipeline/cmd/entrypoint/subcommands"
-	featureFlags "github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/credentials"
 	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
 	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
 	"github.com/tektoncd/pipeline/pkg/platforms"
-	"github.com/tektoncd/pipeline/pkg/spire"
-	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
 )
 
@@ -59,9 +56,7 @@ var (
 	onError             = flag.String("on_error", "", "Set to \"continue\" to ignore an error and continue when a container terminates with a non-zero exit code."+
 		" Set to \"stopAndFail\" to declare a failure with a step error and stop executing the rest of the steps.")
 	stepMetadataDir        = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/")
-	enableSpire            = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
-	socketPath             = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
-	resultExtractionMethod = flag.String("result_from", featureFlags.ResultExtractionMethodTerminationMessage, "The method using which to extract results from tasks. Default is using the termination message.")
+	resultExtractionMethod = flag.String("result_from", entrypoint.ResultExtractionMethodTerminationMessage, "The method using which to extract results from tasks. Default is using the termination message.")
 )
 
 const (
@@ -131,13 +126,7 @@ func main() {
 		}
 	}
 
-	var spireWorkloadAPI spire.EntrypointerAPIClient
-	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
-		spireConfig := config.SpireConfig{
-			SocketPath: *socketPath,
-		}
-		spireWorkloadAPI = spire.NewEntrypointerAPIClient(&spireConfig)
-	}
+	spireWorkloadAPI := initializeSpireAPI()
 
 	e := entrypoint.Entrypointer{
 		Command:         append(cmd, commandArgs...),
 
@@ -0,0 +1,43 @@
+//go:build !disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"flag"
+	"log"
+
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
+)
+
+var (
+	enableSpire = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath  = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
+)
+
+func initializeSpireAPI() spire.EntrypointerAPIClient {
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		log.Println("SPIRE is enabled in this build, enableSpire is supported")
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+		return spire.NewEntrypointerAPIClient(&spireConfig)
+	}
+	return nil
+}
@@ -0,0 +1,47 @@
+//go:build disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+
+	"github.com/tektoncd/pipeline/pkg/result"
+)
+
+var (
+	enableSpire = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+)
+
+// EntrypointerAPIClient interface maps to the spire entrypointer API to interact with spire
+type EntrypointerAPIClient interface {
+	Close() error
+	// Sign returns the signature material to be put in the RunResult to append to the output results
+	Sign(ctx context.Context, results []result.RunResult) ([]result.RunResult, error)
+}
+
+func initializeSpireAPI() EntrypointerAPIClient {
+	if enableSpire != nil && *enableSpire {
+		log.Fatal("Error: SPIRE is disabled in this build, but enableSpire was set to true. Please recompile with SPIRE support.")
+		os.Exit(1)
+	}
+	return nil
+}
@@ -0,0 +1,15 @@
+## Introduction
+FIPS compliance requires compiling the project with a Go FIPS-compliant compiler (e.g., golang-fips) and using dynamic linking.
+
+This approach works for most binaries in tektoncd/pipeline, except for the entrypoint, which must be statically compiled to ensure it runs in any environment, regardless of library locations or versions. To mark a statically compiled binary as FIPS compliant, we must eliminate cryptographic symbols (crypto/*, golang.org/x/crypto, etc.).
+
+To achieve this, we need compile-time options to disable TLS, SPIRE, and any network-related functionality.
+
+This document provides instructions on compiling the entrypoint command to ensure FIPS compliance.
+
+## Disable SPIRE during Build
+To disable SPIRE during the build process, use the following command
+
+```shell
+CGO_ENABLED=0 go build -tags disable_spire -o bin/entrypoint ./cmd/entrypoint
+```
@@ -61,6 +61,12 @@ When a TaskRun is created:
 1. The entrypointer receives an x509 SVID, containing the x509 certificate and associated private key. 
 1. The entrypointer signs the results of the TaskRun and emits the signatures and x509 certificate to the TaskRun results for later verification.
 
+## Enable SPIRE during Build
+Users can enable SPIRE support in Tekton Pipelines during the build process by using the following build tag:
+```shell
+CGO_ENABLED=0 go build -tags "!disable_spire" -o bin/entrypoint ./cmd/entrypoint
+```
+
 ## Enabling TaskRun result attestations
 
 To enable TaskRun attestations:
 
@@ -1,15 +1,14 @@
 module github.com/tektoncd/pipeline
 
 go 1.22.7
-
 toolchain go1.23.4
 
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ahmetb/gen-crd-api-reference-docs v0.3.1-0.20220720053627-e327d0730470 // Waiting for https://github.com/ahmetb/gen-crd-api-reference-docs/pull/43/files to merge
 	github.com/cloudevents/sdk-go/v2 v2.15.2
 	github.com/go-git/go-git/v5 v5.13.2
-	github.com/google/go-cmp v0.6.0
+	github.com/google/go-cmp v0.7.0
 	github.com/google/go-containerregistry v0.20.2
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -30,8 +29,8 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	k8s.io/api v0.31.6
 	k8s.io/apimachinery v0.31.6
-	k8s.io/client-go v0.31.4
-	k8s.io/code-generator v0.31.4
+	k8s.io/client-go v0.31.6
+	k8s.io/code-generator v0.31.6
 	k8s.io/klog v1.0.0
 	k8s.io/kube-openapi v0.0.0-20240808142205-8e686545bdb8
 	knative.dev/pkg v0.0.0-20250117084104-c43477f0052b
@@ -40,12 +39,12 @@ require (
 
 require (
 	code.gitea.io/sdk/gitea v0.20.0
-	github.com/go-jose/go-jose/v3 v3.0.3
+	github.com/go-jose/go-jose/v3 v3.0.4
 	github.com/goccy/kpoward v0.1.0
 	github.com/google/cel-go v0.23.2
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240108195214-a0658aa1d0cc
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.15
-	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.12
+	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.15
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.15
 	github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.15
 	go.opentelemetry.io/otel v1.34.0
@@ -79,7 +78,7 @@ require (
 	dario.cat/mergo v1.0.0 // indirect
 	fortio.org/safecast v1.0.0 // indirect
 	github.com/42wim/httpsig v1.2.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.0 // indirect
 
@@ -38,7 +38,6 @@ import (
 	"github.com/tektoncd/pipeline/pkg/internal/resultref"
 	"github.com/tektoncd/pipeline/pkg/pod"
 	"github.com/tektoncd/pipeline/pkg/result"
-	"github.com/tektoncd/pipeline/pkg/spire"
 	"github.com/tektoncd/pipeline/pkg/termination"
 
 	"github.com/google/cel-go/cel"
@@ -53,8 +52,9 @@ const (
 )
 
 const (
-	breakpointExitSuffix       = ".breakpointexit"
-	breakpointBeforeStepSuffix = ".beforestepexit"
+	breakpointExitSuffix                     = ".breakpointexit"
+	breakpointBeforeStepSuffix               = ".beforestepexit"
+	ResultExtractionMethodTerminationMessage = "termination-message"
 )
 
 // DebugBeforeStepError is an error means mark before step breakpoint failure
@@ -147,7 +147,7 @@ type Entrypointer struct {
 	// StepMetadataDir is the directory for a step where the step related metadata can be stored
 	StepMetadataDir string
 	// SpireWorkloadAPI connects to spire and does obtains SVID based on taskrun
-	SpireWorkloadAPI spire.EntrypointerAPIClient
+	SpireWorkloadAPI EntrypointerAPIClient
 	// ResultsDirectory is the directory to find results, defaults to pipeline.DefaultResultPath
 	ResultsDirectory string
 	// ResultExtractionMethod is the method using which the controller extracts the results from the task pod.
@@ -444,13 +444,11 @@ func (e Entrypointer) readResultsFromDisk(ctx context.Context, resultDir string,
 		})
 	}
 
-	if e.SpireWorkloadAPI != nil {
-		signed, err := e.SpireWorkloadAPI.Sign(ctx, output)
-		if err != nil {
-			return err
-		}
-		output = append(output, signed...)
+	signed, err := signResults(ctx, e.SpireWorkloadAPI, output)
+	if err != nil {
+		return err
 	}
+	output = append(output, signed...)
 
 	// push output to termination path
 	if e.ResultExtractionMethod == config.ResultExtractionMethodTerminationMessage && len(output) != 0 {
 
@@ -0,0 +1,38 @@
+//go:build !disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package entrypoint
+
+import (
+	"context"
+
+	"github.com/tektoncd/pipeline/pkg/result"
+	"github.com/tektoncd/pipeline/pkg/spire"
+)
+
+// EntrypointerAPIClient defines the interface for SPIRE operations
+type EntrypointerAPIClient interface {
+	spire.EntrypointerAPIClient
+}
+
+func signResults(ctx context.Context, api EntrypointerAPIClient, results []result.RunResult) ([]result.RunResult, error) {
+	if api == nil {
+		return nil, nil
+	}
+	return api.Sign(ctx, results)
+}