use downward api

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Author: javirln

app/cli/pkg/action/workflow_run_list.go

@@ -193,6 +193,7 @@ func humanizedRunnerType(in v1.CraftingSchema_Runner_RunnerType) string {
 		*v1.CraftingSchema_Runner_CIRCLECI_BUILD.Enum():          "CircleCI Build",
 		*v1.CraftingSchema_Runner_DAGGER_PIPELINE.Enum():         "Dagger Pipeline",
 		*v1.CraftingSchema_Runner_TEAMCITY_PIPELINE.Enum():       "TeamCity Pipeline",
+		*v1.CraftingSchema_Runner_TEKTON_PIPELINE.Enum():         "Tekton Pipeline",
 	}
 
 	hrt, ok := mapping[in]

app/cli/pkg/action/workflow_run_list_test.go

@@ -64,6 +64,10 @@ func (s *workflowRunListSuite) TestHumanizedRunnerType() {
 			name:           "teamcity runner",
 			testInput:      v1.CraftingSchema_Runner_TEAMCITY_PIPELINE,
 			expectedOutput: "TeamCity Pipeline",
+		}, {
+			name:           "tekton runner",
+			testInput:      v1.CraftingSchema_Runner_TEKTON_PIPELINE,
+			expectedOutput: "Tekton Pipeline",
 		}, {
 			name:           "unknown runner",
 			testInput:      -34,

pkg/attestation/crafter/runners/tektonpipeline.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024-2025 The Chainloop Authors.
+// Copyright 2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -18,14 +18,27 @@ package runners
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 )
 
-type TektonPipeline struct{}
+const (
+	// Default path for Downward API labels
+	defaultLabelsPath = "/etc/podinfo/labels"
+	// Default Tekton dashboard URL
+	defaultDashboardURL = "https://dashboard.tekton.dev"
+)
+
+type TektonPipeline struct {
+	// Path to the Downward API labels file (configurable for testing)
+	labelsPath string
+}
 
 func NewTektonPipeline() *TektonPipeline {
-	return &TektonPipeline{}
+	return &TektonPipeline{
+		labelsPath: defaultLabelsPath,
+	}
 }
 
 func (r *TektonPipeline) ID() schemaapi.CraftingSchema_Runner_RunnerType {
@@ -42,70 +55,143 @@ func (r *TektonPipeline) CheckEnv() bool {
 	return false
 }
 
+// ListEnvVars returns environment variables collected from Downward API labels
 func (r *TektonPipeline) ListEnvVars() []*EnvVarDefinition {
-	return []*EnvVarDefinition{
-		// PipelineRun context (optional - only present when running in a Pipeline)
-		{"TEKTON_PIPELINE_RUN", true},
-		{"TEKTON_PIPELINE_RUN_UID", true},
-		{"TEKTON_PIPELINE", true},
+	// Parse labels and convert to environment variable definitions
+	labels := r.parseLabels()
+	if len(labels) == 0 {
+		return []*EnvVarDefinition{}
+	}
+
+	var envVars []*EnvVarDefinition
+
+	// Map Tekton labels to environment variables (all optional)
+	labelMappings := map[string]string{
+		"tekton.dev/pipelineRun":    "TEKTON_PIPELINE_RUN",
+		"tekton.dev/pipelineRunUID": "TEKTON_PIPELINE_RUN_UID",
+		"tekton.dev/pipeline":       "TEKTON_PIPELINE",
+		"tekton.dev/taskRun":        "TEKTON_TASKRUN_NAME",
+		"tekton.dev/taskRunUID":     "TEKTON_TASKRUN_UID",
+		"tekton.dev/task":           "TEKTON_TASK_NAME",
+	}
+
+	for labelKey, envVarName := range labelMappings {
+		if _, exists := labels[labelKey]; exists {
+			envVars = append(envVars, &EnvVarDefinition{
+				Name:     envVarName,
+				Optional: true,
+			})
+		}
+	}
+
+	// Add namespace if available
+	if ns := r.getNamespace(); ns != "" {
+		envVars = append(envVars, &EnvVarDefinition{
+			Name:     "TEKTON_NAMESPACE",
+			Optional: true,
+		})
+	}
+
+	return envVars
+}
+
+// parseLabels reads and parses the Downward API labels file
+// Returns a map of label key-value pairs
+func (r *TektonPipeline) parseLabels() map[string]string {
+	labels := make(map[string]string)
+
+	data, err := os.ReadFile(r.labelsPath)
+	if err != nil {
+		return labels
+	}
+
+	// Parse labels in format: key="value"
+	// Labels are separated by newlines
+	lines := strings.Split(string(data), "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
 
-		// TaskRun context (optional - should be set by users following best practices)
-		{"TEKTON_TASKRUN_NAME", true},
-		{"TEKTON_TASKRUN_UID", true},
-		{"TEKTON_TASK_NAME", true},
+		// Split on first = to get key and quoted value
+		parts := strings.SplitN(line, "=", 2)
+		if len(parts) != 2 {
+			continue
+		}
 
-		// Namespace (optional - can be read from service account or set explicitly)
-		{"TEKTON_NAMESPACE", true},
+		key := strings.TrimSpace(parts[0])
+		value := strings.Trim(strings.TrimSpace(parts[1]), `"`)
+		labels[key] = value
 	}
+
+	return labels
 }
 
 func (r *TektonPipeline) RunURI() string {
+	labels := r.parseLabels()
+	namespace := r.getNamespace()
+
+	if namespace == "" {
+		return ""
+	}
+
+	// Get dashboard URL from environment variable or use default
+	dashboardURL := os.Getenv("TEKTON_DASHBOARD_URL")
+	if dashboardURL == "" {
+		dashboardURL = defaultDashboardURL
+	}
+
 	// Priority 1: If we have PipelineRun context, construct PipelineRun URL
-	if pipelineRun := os.Getenv("TEKTON_PIPELINE_RUN"); pipelineRun != "" {
-		namespace := r.getNamespace()
-		if namespace != "" {
-			// Use Tekton Dashboard URL format
-			// Users can customize dashboard URL via environment variable
-			dashboardURL := os.Getenv("TEKTON_DASHBOARD_URL")
-			if dashboardURL == "" {
-				dashboardURL = "https://dashboard.tekton.dev"
-			}
-			return fmt.Sprintf("%s/#/namespaces/%s/pipelineruns/%s", dashboardURL, namespace, pipelineRun)
-		}
+	if pipelineRun, ok := labels["tekton.dev/pipelineRun"]; ok && pipelineRun != "" {
+		return fmt.Sprintf("%s/#/namespaces/%s/pipelineruns/%s", dashboardURL, namespace, pipelineRun)
 	}
 
 	// Priority 2: If we have TaskRun context, construct TaskRun URL
-	if taskRun := os.Getenv("TEKTON_TASKRUN_NAME"); taskRun != "" {
-		namespace := r.getNamespace()
-		if namespace != "" {
-			dashboardURL := os.Getenv("TEKTON_DASHBOARD_URL")
-			if dashboardURL == "" {
-				dashboardURL = "https://dashboard.tekton.dev"
-			}
-			return fmt.Sprintf("%s/#/namespaces/%s/taskruns/%s", dashboardURL, namespace, taskRun)
-		}
+	if taskRun, ok := labels["tekton.dev/taskRun"]; ok && taskRun != "" {
+		return fmt.Sprintf("%s/#/namespaces/%s/taskruns/%s", dashboardURL, namespace, taskRun)
 	}
 
 	return ""
 }
 
-// getNamespace attempts to get the namespace from multiple sources
+// getNamespace attempts to get the namespace from the service account
 func (r *TektonPipeline) getNamespace() string {
-	// Priority 1: Environment variable
-	if namespace := os.Getenv("TEKTON_NAMESPACE"); namespace != "" {
-		return namespace
-	}
-
-	// Priority 2: Read from service account (standard Kubernetes location)
+	// Read from service account (standard Kubernetes location)
 	if data, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
-		return string(data)
+		return strings.TrimSpace(string(data))
 	}
 
 	return ""
 }
 
 func (r *TektonPipeline) ResolveEnvVars() (map[string]string, []*error) {
-	return resolveEnvVars(r.ListEnvVars())
+	result := make(map[string]string)
+	labels := r.parseLabels()
+
+	// Map Tekton labels to environment variable names
+	labelMappings := map[string]string{
+		"tekton.dev/pipelineRun":    "TEKTON_PIPELINE_RUN",
+		"tekton.dev/pipelineRunUID": "TEKTON_PIPELINE_RUN_UID",
+		"tekton.dev/pipeline":       "TEKTON_PIPELINE",
+		"tekton.dev/taskRun":        "TEKTON_TASKRUN_NAME",
+		"tekton.dev/taskRunUID":     "TEKTON_TASKRUN_UID",
+		"tekton.dev/task":           "TEKTON_TASK_NAME",
+	}
+
+	for labelKey, envVarName := range labelMappings {
+		if value, ok := labels[labelKey]; ok && value != "" {
+			result[envVarName] = value
+		}
+	}
+
+	// Add namespace if available
+	if ns := r.getNamespace(); ns != "" {
+		result["TEKTON_NAMESPACE"] = ns
+	}
+
+	// No errors since all variables are optional
+	return result, nil
 }
 
 func (r *TektonPipeline) WorkflowFilePath() string {