feat(runners): implement Tekton Pipeline runner with native metadata discovery

[waveywaves]

Summary

• Implement the TektonPipeline runner with two-tier native metadata discovery: Tier 1 reads HOSTNAME env var and ServiceAccount namespace file (always available in K8s pods); Tier 2 makes a best-effort K8s API call to discover tekton.dev/* pod labels for rich pipeline context
• Implement all SupportedRunner interface methods: RunURI (Tekton Dashboard URL with tekton-pipeline:// fallback), Report (writes to /tekton/results/attestation-report with 3500-byte truncation), Environment (detects GKE/EKS/AKS as Managed vs self-hosted), ListEnvVars, and ResolveEnvVars (synthesizes discovered metadata as key-value entries)
• Wire factory in runner.go to pass logger to NewTektonPipeline
• Add 26 unit tests using testify suite pattern (7 discovery tests + 19 interface method tests), all passing with race detection

Design decisions

• No artificial env vars required: Unlike the previous approach (chore(runner): First cut on Tekton pipeline detection #2581), the runner discovers all metadata natively from the pod's runtime environment. Task YAML does not need to map $(context.*) variables as env vars
• Graceful degradation: If K8s API access fails (RBAC denied, missing SA token), the runner continues with Tier 1 data only — it never blocks attestation
• Functional options pattern: WithHTTPClient, WithSATokenPath, WithNamespacePath, WithCACertPath, WithResultsDir allow test injection without polluting the production API

Testing

• 26 unit tests covering discovery success, RBAC denial, missing SA token/namespace, all RunURI variants, Report truncation, Environment detection, and ResolveEnvVars
• E2E validated in a kind cluster with Tekton v1.6.0 (9/9 checks pass)
• No regressions in existing runner test suites (GitHub Actions, GitLab, etc.)

[migmartri]

@cubic-dev-ai review

[cubic-dev-ai]

@cubic-dev-ai review

@migmartri I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 3 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/attestation/crafter/runners/tektonpipeline_test.go">

<violation number="1" location="pkg/attestation/crafter/runners/tektonpipeline_test.go:111">
P3: Unused `tmpDir` in test: `t.TempDir()` is called and immediately suppressed with `_ = tmpDir`. The test only exercises `taskRunNameFromHostname()` via a struct literal — no temp directory is needed. Remove both lines to avoid unnecessary filesystem allocations.</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Add one-off context when rerunning by tagging @cubic-dev-ai with guidance or docs links (including llms.txt)
• Ask questions if you need clarification on any suggestion

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P3: Unused tmpDir in test: t.TempDir() is called and immediately suppressed with _ = tmpDir. The test only exercises taskRunNameFromHostname() via a struct literal — no temp directory is needed. Remove both lines to avoid unnecessary filesystem allocations.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At pkg/attestation/crafter/runners/tektonpipeline_test.go, line 111:

<comment>Unused `tmpDir` in test: `t.TempDir()` is called and immediately suppressed with `_ = tmpDir`. The test only exercises `taskRunNameFromHostname()` via a struct literal — no temp directory is needed. Remove both lines to avoid unnecessary filesystem allocations.</comment>

<file context>
@@ -0,0 +1,650 @@
+	t.Setenv("KUBERNETES_SERVICE_PORT", serverURL.Port())
+
+	// Create temp directory for SA files
+	tmpDir := t.TempDir()
+
+	// Write SA token file
</file context>

[matiasinsaurralde]

Wandering if we would like to use context, initialize it earlier and pass it here.

[javirln]

Thanks @waveywaves for the PR! Could you please provide an example of a completed chainloop attestation that has been processed on Tekton?

[javirln]

That's basically why I would to see this: #2767 (comment) 👀

[javirln]

Although the environment variables could not be auto resolved automatically, I think it would be good to have TEKTON_TASKRUN_NAME, TEKTON_PIPELINE_NAME, TEKTON_PIPELINERUN_NAME, TEKTON_TASK_NAME, TEKTON_PIPELINE_TASK_NAME, and TEKTON_NAMESPACE as we do with the rest of the runners.

In the Dagger client for example, we "promote" the underlying environment variables because of the encapsulation of Dagger