tektoncd · tekton-robot · Mar 19, 2025 · Feb 20, 2025 · Feb 20, 2025 · Feb 20, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -26,6 +26,18 @@ jobs:
     - name: build
       run: |
         go build -v ./...
+  buildFips:
+    name: buildFips
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
+    - name: build
+      run: |
+        go build -v -tags "disable_spire,disable_tls" ./cmd/entrypoint
+        echo "Build finished with exit code: $?"
   linting:
     needs: [build]
     name: lint

diff --git a/cmd/entrypoint/main.go b/cmd/entrypoint/main.go
@@ -29,12 +29,12 @@ import (
 	"time"
 
 	"github.com/tektoncd/pipeline/cmd/entrypoint/subcommands"
-	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
-	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
+	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/types"
 	"github.com/tektoncd/pipeline/pkg/credentials"
 	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
 	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
+	"github.com/tektoncd/pipeline/pkg/entrypoint/pipeline"
 	"github.com/tektoncd/pipeline/pkg/platforms"
 	"github.com/tektoncd/pipeline/pkg/termination"
 )

diff --git a/cmd/entrypoint/runner.go b/cmd/entrypoint/runner.go
@@ -31,7 +31,10 @@ import (
 	"syscall"
 
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
-	"github.com/tektoncd/pipeline/pkg/pod"
+)
+
+const (
+	TektonHermeticEnvVar = "TEKTON_HERMETIC"
 )
 
 // TODO(jasonhall): Test that original exit code is propagated and that
@@ -111,7 +114,7 @@ func (rr *realRunner) Run(ctx context.Context, args ...string) error {
 	// main process and all children
 	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
 
-	if os.Getenv("TEKTON_RESOURCE_NAME") == "" && os.Getenv(pod.TektonHermeticEnvVar) == "1" {
+	if os.Getenv("TEKTON_RESOURCE_NAME") == "" && os.Getenv(TektonHermeticEnvVar) == "1" {
 		dropNetworking(cmd)
 	}
 

diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go
@@ -17,13 +17,10 @@ limitations under the License.
 package config
 
 import (
-	"context"
 	"fmt"
 	"os"
 	"strconv"
 	"strings"
-
-	corev1 "k8s.io/api/core/v1"
 )
 
 const (
@@ -450,21 +447,6 @@ func setVerificationNoMatchPolicy(cfgMap map[string]string, defaultValue string,
 	return nil
 }
 
-// NewFeatureFlagsFromConfigMap returns a Config for the given configmap
-func NewFeatureFlagsFromConfigMap(config *corev1.ConfigMap) (*FeatureFlags, error) {
-	return NewFeatureFlagsFromMap(config.Data)
-}
-
-// GetVerificationNoMatchPolicy returns the "trusted-resources-verification-no-match-policy" value
-func GetVerificationNoMatchPolicy(ctx context.Context) string {
-	return FromContextOrDefaults(ctx).FeatureFlags.VerificationNoMatchPolicy
-}
-
-// IsSpireEnabled checks if non-falsifiable provenance is enforced through SPIRE
-func IsSpireEnabled(ctx context.Context) bool {
-	return FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == EnforceNonfalsifiabilityWithSpire
-}
-
 type PerFeatureFlag struct {
 	// Name of the feature flag
 	Name string

diff --git a/pkg/apis/config/featureflags_validation.go b/pkg/apis/config/featureflags_validation.go
@@ -1,3 +1,5 @@
+//go:build !disable_tls
+
 /*
 Copyright 2021 The Tekton Authors
 

diff --git a/pkg/apis/config/metrics.go b/pkg/apis/config/metrics.go
@@ -18,7 +18,6 @@ package config
 
 import (
 	corev1 "k8s.io/api/core/v1"
-	"knative.dev/pkg/metrics"
 )
 
 const (
@@ -109,12 +108,6 @@ type Metrics struct {
 	ThrottleWithNamespace   bool
 }
 
-// GetMetricsConfigName returns the name of the configmap containing all
-// customizations for the storage bucket.
-func GetMetricsConfigName() string {
-	return metrics.ConfigMapName()
-}
-
 // Equals returns true if two Configs are identical
 func (cfg *Metrics) Equals(other *Metrics) bool {
 	if cfg == nil && other == nil {

diff --git a/pkg/apis/config/metrics_notls.go b/pkg/apis/config/metrics_notls.go
@@ -0,0 +1,7 @@
+//go:build disable_tls
+
+package config
+
+// GetMetricsConfigName returns the name of the configmap containing all
+// customizations for the storage bucket.
+func GetMetricsConfigName() string { panic("not supported when tls is disabled") }
diff --git a/pkg/apis/config/metrics_tls.go b/pkg/apis/config/metrics_tls.go
@@ -0,0 +1,31 @@
+//go:build !disable_tls
+
+package config
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	"knative.dev/pkg/metrics"
+)
+
+// GetMetricsConfigName returns the name of the configmap containing all
+// customizations for the storage bucket.
+func GetMetricsConfigName() string {
+	return metrics.ConfigMapName()
+}
+
+// NewFeatureFlagsFromConfigMap returns a Config for the given configmap
+func NewFeatureFlagsFromConfigMap(config *corev1.ConfigMap) (*FeatureFlags, error) {
+	return NewFeatureFlagsFromMap(config.Data)
+}
+
+// GetVerificationNoMatchPolicy returns the "trusted-resources-verification-no-match-policy" value
+func GetVerificationNoMatchPolicy(ctx context.Context) string {
+	return FromContextOrDefaults(ctx).FeatureFlags.VerificationNoMatchPolicy
+}
+
+// IsSpireEnabled checks if non-falsifiable provenance is enforced through SPIRE
+func IsSpireEnabled(ctx context.Context) bool {
+	return FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == EnforceNonfalsifiabilityWithSpire
+}
diff --git a/pkg/apis/config/resolver/store.go b/pkg/apis/config/resolver/store.go
@@ -1,3 +1,5 @@
+//go:build !disable_tls
+
 /*
 Copyright 2022 The Tekton Authors
 

diff --git a/pkg/apis/config/spire_config.go b/pkg/apis/config/spire_config.go
@@ -1,3 +1,5 @@
+//go:build !disable_tls
+
 /*
 Copyright 2022 The Tekton Authors
 

diff --git a/pkg/apis/config/store.go b/pkg/apis/config/store.go
@@ -1,3 +1,5 @@
+//go:build !disable_tls
+
 /*
 Copyright 2019 The Tekton Authors
 

diff --git a/pkg/apis/pipeline/v1/types/artifacts_types.go b/pkg/apis/pipeline/v1/types/artifacts_types.go
@@ -0,0 +1,135 @@
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+import (
+	"github.com/google/go-cmp/cmp"
+)
+
+// Algorithm Standard cryptographic hash algorithm
+type Algorithm string
+
+// Artifact represents an artifact within a system, potentially containing multiple values
+// associated with it.
+type Artifact struct {
+	// The artifact's identifying category name
+	Name string `json:"name,omitempty"`
+	// A collection of values related to the artifact
+	Values []ArtifactValue `json:"values,omitempty"`
+	// Indicate if the artifact is a build output or a by-product
+	BuildOutput bool `json:"buildOutput,omitempty"`
+}
+
+// ArtifactValue represents a specific value or data element within an Artifact.
+type ArtifactValue struct {
+	Digest map[Algorithm]string `json:"digest,omitempty"` // Algorithm-specific digests for verifying the content (e.g., SHA256)
+	Uri    string               `json:"uri,omitempty"`    // Location where the artifact value can be retrieved
+}
+
+// TaskRunStepArtifact represents an artifact produced or used by a step within a task run.
+// It directly uses the Artifact type for its structure.
+type TaskRunStepArtifact = Artifact
+
+// Artifacts represents the collection of input and output artifacts associated with
+// a task run or a similar process. Artifacts in this context are units of data or resources
+// that the process either consumes as input or produces as output.
+type Artifacts struct {
+	Inputs  []Artifact `json:"inputs,omitempty"`
+	Outputs []Artifact `json:"outputs,omitempty"`
+}
+
+func (a *Artifacts) Merge(another *Artifacts) {
+	inputMap := make(map[string][]ArtifactValue)
+	var newInputs []Artifact
+
+	for _, v := range a.Inputs {
+		inputMap[v.Name] = v.Values
+	}
+	if another != nil {
+		for _, v := range another.Inputs {
+			_, ok := inputMap[v.Name]
+			if !ok {
+				inputMap[v.Name] = []ArtifactValue{}
+			}
+			for _, vv := range v.Values {
+				exists := false
+				for _, av := range inputMap[v.Name] {
+					if cmp.Equal(vv, av) {
+						exists = true
+						break
+					}
+				}
+				if !exists {
+					inputMap[v.Name] = append(inputMap[v.Name], vv)
+				}
+			}
+		}
+	}
+
+	for k, v := range inputMap {
+		newInputs = append(newInputs, Artifact{
+			Name:   k,
+			Values: v,
+		})
+	}
+
+	outputMap := make(map[string]Artifact)
+	var newOutputs []Artifact
+	for _, v := range a.Outputs {
+		outputMap[v.Name] = v
+	}
+
+	if another != nil {
+		for _, v := range another.Outputs {
+			_, ok := outputMap[v.Name]
+			if !ok {
+				outputMap[v.Name] = Artifact{Name: v.Name, Values: []ArtifactValue{}, BuildOutput: v.BuildOutput}
+			}
+			// only update buildOutput to true.
+			// Do not convert to false if it was true before.
+			if v.BuildOutput {
+				art := outputMap[v.Name]
+				art.BuildOutput = v.BuildOutput
+				outputMap[v.Name] = art
+			}
+			for _, vv := range v.Values {
+				exists := false
+				for _, av := range outputMap[v.Name].Values {
+					if cmp.Equal(vv, av) {
+						exists = true
+						break
+					}
+				}
+				if !exists {
+					art := outputMap[v.Name]
+					art.Values = append(art.Values, vv)
+					outputMap[v.Name] = art
+				}
+			}
+		}
+	}
+
+	for _, v := range outputMap {
+		newOutputs = append(newOutputs, Artifact{
+			Name:        v.Name,
+			Values:      v.Values,
+			BuildOutput: v.BuildOutput,
+		})
+	}
+	a.Inputs = newInputs
+	a.Outputs = newOutputs
+}