Kubernetes controller for supply chain security. Watches TaskRun and PipelineRun completions, signs them, generates attestations (in-toto, SLSA), and stores signatures in configurable backends (OCI, Tekton annotations, GCS, Grafeas, DocDB, Archivista, PubSub).
```bash
# Build
make bin/controller

# Unit tests (no cluster needed)
make test-unit
make test-unit-verbose-and-race
make test-unit PKG=./pkg/chains/storage/...   # single package (fast)

# Lint: must pass before every PR
make golangci-lint                            # all packages
make golangci-lint PKG=./pkg/chains/...       # single package (fast)
make yamllint                                 # YAML linting

# Code generation: run after changing pkg/config types
make generated

# Dependency update: run after go.mod changes
make vendor

# Deploy locally (requires a cluster with Tekton Pipelines installed)
ko apply -f config/
```

E2E tests require a live cluster and are tagged `//go:build e2e`. See DEVELOPMENT.md for cluster setup.
- **Single binary.** Only `cmd/controller`; there is no CLI and no webhook binary. The controller registers both the TaskRun and the PipelineRun reconciler.
- **Vendored dependencies.** All builds use `-mod=vendor`. Run `make vendor` (which calls `hack/update-deps.sh`) after any `go.mod` change.
- **Knative controller runtime.** Reconcilers use `knative.dev/pkg`, not `controller-runtime`. Status conditions are set with `condSet.Manage(status).MarkTrue` / `MarkFalse`.
- **ConfigMap-driven configuration.** All runtime config lives in `pkg/config/` and is loaded from the `chains-config` ConfigMap. See docs/config.md for all keys.
- **Sigstore ecosystem.** Signing uses cosign/Fulcio/Rekor. KMS providers (AWS, Azure, GCP, Vault) are registered at startup in `cmd/controller/main.go`.
```text
cmd/controller/            → Binary entrypoint; registers reconcilers and KMS providers
pkg/reconciler/taskrun/    → TaskRun controller; watches TaskRun completions
pkg/reconciler/pipelinerun/→ PipelineRun controller; watches PipelineRun completions
pkg/chains/                → Core signing orchestration (ObjectSigner)
pkg/chains/signing/        → Signer interface + x509/KMS implementations
pkg/chains/formats/        → Attestation formats (simple, SLSA v1/v2alpha)
pkg/chains/storage/        → Storage backends (oci, tekton, gcs, grafeas, ...)
pkg/config/                → ConfigMap parsing + deepcopy codegen
pkg/artifacts/             → Artifact/signable abstractions
config/                    → Kubernetes manifests (deployment, RBAC, ConfigMaps)
test/                      → E2E tests (Go + shell) and test data
```
- Pull requests must follow the repository PR template defined in `.github/pull_request_template.md`.
- Commit messages should follow Tekton community standards.
- `make golangci-lint` must pass with zero issues.
- `make test-unit` must pass with zero failures.
- Run `make generated` and commit the results after changing `pkg/config/` types.
- Commits require a `Signed-off-by` trailer (DCO).
CLAUDE.md points to AGENTS.md, and .claude/skills points to .agents/skills. These links work on Linux, macOS, and GitHub; on Windows, enable symlinks when cloning:

```bash
git clone -c core.symlinks=true https://github.com/tektoncd/chains.git
```

Alternatively, set `core.symlinks=true` in your git config before checkout.
- Commit messages: Conventional Commits with component scopes, line-length validation, the DCO `Signed-off-by` trailer, and `Assisted-by` trailers.
- Release notes: gather the PRs between two tags, categorize them, output formatted Markdown, and optionally update the GitHub release.