Capture step information for in-toto/slsa Provenance

[pxp928]

Feature request

Adding further detail into the taskrun payload by adding environment for each step within a taksrun. (https://slsa.dev/provenance/v0.1)

"recipe": { "type": "<URI>", "definedInMaterial": /* integer */, "entryPoint": "<STRING>", "arguments": { /* object */ }, "environment": { /* object */ }

This added information would provide more information for each step within the taskrun and capture proper entry-points, arguments and image information for each step. This update would allow for better verification via in-toto verify in the future.

Use case

This added information would make the in-toto/salsa provenance created by tekton chains be similar to the tekton provenance and capture missing information that can be used by in-toto verify

[priyawadhwa]

Hey @pxp928 thanks for opening this! Just an FYI, I have a proposal open for slsa v0.2 which will include this information (slsa-framework/slsa#179).

Until that goes in, I think the correct place for this would be in recipe.arguments -- we could create recipe.arguments.steps and include all of this extra info!

[pxp928]

Hey @priyawadhwa! Awesome I didn't realize that there were updates already happening to the slsa framework. So should I change the POC from recipe.environment to recipe.arguments.steps for the time being?

[priyawadhwa]

Yah let's do that!

[priyawadhwa]

Hey @pxp928 I'm going to close this issue because I think it's been done! Just an FYI, I just merged support for slsa-provenance v0.2 in #291, so that should be out with the next release.